101
0/273
Loading content...
There's a deep irony in load balancing: the very component designed to eliminate single points of failure can itself become the single point of failure.
Consider a system with 100 highly available backend servers, each with 99.9% uptime. Together, they could theoretically achieve astronomical availability. But if all their traffic flows through a single load balancer with 99.9% uptime, the entire system's availability is capped at that 99.9%—roughly 8.76 hours of downtime per year.
The math is unforgiving:
This means that investing in backend redundancy while neglecting load balancer high availability is architectural waste. The load balancer's reliability must match or exceed the availability targets of the entire system.
Many system designs implicitly assume load balancers are infinitely reliable. This assumption is false. Load balancers are software running on hardware, subject to the same failures as any other component. This page teaches you to design for their failure.
By the end of this page, you will understand how load balancers fail, strategies for making them highly available, the role of redundancy patterns like active-passive and active-active, DNS-based failover, and how cloud providers solve this problem at scale.
To design for high availability, we must first understand the failure modes of load balancers. These failures fall into several categories:
| Failure Type | Typical Frequency | Detection Time | Recovery Time |
|---|---|---|---|
| Hardware failure | 1-5% per year | Seconds (heartbeat) | Minutes (failover) to hours (replace) |
| Software crash | Rare (mature software) | Seconds | Seconds (auto-restart) |
| Resource exhaustion | Varies (load-dependent) | Seconds to minutes | Seconds (scale) to minutes (debug) |
| Configuration error | Depends on processes | Immediate to hours | Seconds (rollback) to hours (investigate) |
| Network failure | Rare but impactful | Seconds | Seconds to hours (network repair) |
| Overload cascade | Rare but catastrophic | Seconds | Minutes (traffic shed or scale) |
The Cascading Failure Problem:
The most dangerous failure mode is the cascade. Consider:
This is why high-availability load balancing isn't just about having a spare—it's about having capacity headroom across all instances to absorb failures.
For highly available load balancing, follow the N+1 principle: provision N+1 instances where N is sufficient for peak load. If you need 2 load balancers for capacity, run 3 so that any single failure leaves 2 running—still sufficient for full load.
The active-passive (also called hot standby) pattern is the simplest approach to load balancer high availability. One load balancer actively handles all traffic while another stands by, ready to take over if the primary fails.
How Active-Passive Works:
Virtual IP (VIP): A floating IP address that clients connect to. This IP is currently bound to the active load balancer.
Heartbeat Monitoring: The passive load balancer continuously monitors the active one through heartbeat messages, typically using protocols like VRRP (Virtual Router Redundancy Protocol) or keepalived.
Failover: When the passive detects the active has failed (missed heartbeats, health check failures), it takes over the VIP. Network switches learn the new MAC-to-IP mapping, and traffic flows to the new active.
Recovery: When the original primary recovers, it can either stay passive (non-preemptive) or reclaim the active role (preemptive).
| Technology | Platform | How It Works |
|---|---|---|
| VRRP (keepalived) | Linux | Standard protocol for VIP sharing; widely used with HAProxy/NGINX |
| Pacemaker/Corosync | Linux | Full cluster resource manager; handles complex failover scenarios |
| Windows NLB | Windows | Built-in Windows Server feature for IP failover |
| Cloud Floating IPs | Cloud providers | AWS Elastic IP, GCP External IP reassignment via API |
Active-passive is appropriate when: (1) traffic volume fits on a single load balancer, (2) simplicity is prioritized, (3) brief failover disruption (seconds) is acceptable, (4) cost of idle standby is acceptable. It's common for internal load balancers and smaller deployments.
The active-active pattern runs multiple load balancers simultaneously, all handling traffic. This eliminates the wasted capacity of active-passive while also enabling horizontal scaling.
How Active-Active Works:
The challenge of active-active is: how do clients find the load balancers? There are several approaches:
Approach 1: DNS Round-Robin
DNS returns multiple A records (IP addresses) for the load balancer hostname. Clients choose one (usually randomly or round-robin). If that load balancer fails, clients eventually retry with another IP.
Approach 2: BGP Anycast
All load balancers advertise the same IP address via BGP routing. Network routers automatically send traffic to the 'nearest' load balancer. If one fails, BGP reconverges.
Approach 3: External Load Balancer Layer
A higher-tier load balancer (like a cloud provider's NLB or GLB) distributes traffic across your load balancer pool.
Approach 4: Client-Side Load Balancing
Clients are given a list of load balancer IPs and implement their own load balancing logic, including failover.
| Approach | Failover Time | Geographic Routing | Complexity |
|---|---|---|---|
| DNS Round-Robin | Minutes (TTL-dependent) | No (random) | Low |
| BGP Anycast | Seconds | Yes (network-based) | High |
| External LB Layer | Seconds | Yes (if GSLB) | Medium |
| Client-Side | Milliseconds | Depends on client | Medium (client) |
State Synchronization Challenge:
Active-active creates a challenge: if a client's request goes to LB1 first and then LB2, will LB2 have the session state?
Solutions:
Stateless load balancing: Design so session state isn't needed at the LB. Use sticky sessions at the application layer or externalize session state to Redis.
State replication: Load balancers synchronize state between themselves (HAProxy supports this, as do some commercial solutions). Adds complexity and latency.
Consistent hashing/affinity: Use client IP or other attributes to consistently route the same client to the same load balancer. Only failed LB's sessions disrupt.
The simplest active-active architecture is one where load balancers are completely stateless. Design your application so that any request can be handled by any load balancer → any backend server. This maximizes flexibility and minimizes complexity.
DNS-based failover uses the Domain Name System to direct traffic away from failed load balancers (or entire regions). While DNS isn't traditionally thought of as a load balancing layer, modern DNS services provide sophisticated health checking and traffic management.
How DNS-Based Failover Works:
DNS Failover Limitations:
1. TTL Caching Delays Failover
DNS responses are cached by resolvers, browsers, and operating systems. Even with a 60-second TTL:
2. No Connection-Level Awareness
DNS only affects new connections. Existing TCP connections to a failed load balancer will hang until timeout. Applications must implement connection-level failover.
3. No Load Awareness
DNS failover typically only knows healthy/unhealthy, not 'overloaded.' A load balancer at 99% CPU is still 'healthy' from DNS perspective.
Mitigation Strategies:
Think of DNS failover as the 'coarse-grained' layer of failover—it handles regional outages and major failures. For fast, fine-grained failover between individual load balancer instances, use active-active with a load balancer layer or BGP anycast.
Cloud providers have essentially 'solved' the load balancer SPOF problem with managed services. Understanding how they achieve this helps you design better, whether you use their services or build your own.
| Provider | Service | HA Approach | SLA |
|---|---|---|---|
| AWS | Application LB (ALB) | Automatically distributed across AZs; no single nodes exposed | 99.99% |
| AWS | Network LB (NLB) | Flow-based distribution; static IPs for failover | 99.99% |
| Google Cloud | Cloud Load Balancing | Anycast-based global distribution; no regional failover needed | 99.99% |
| Azure | Load Balancer / App Gateway | Zone-redundant deployment; automatic failover | 99.99% |
| Cloudflare | Load Balancing | Anycast across 300+ PoPs; health-aware steering | 100% (with caveats) |
How Cloud Load Balancers Achieve HA:
AWS ALB/NLB Architecture:
Google Cloud Load Balancing:
Key Insight: The Load Balancer Is a Fleet, Not a Box
Cloud load balancers aren't single machines—they're fleets of machines behind a managed abstraction. This is why they achieve 99.99% SLAs: any individual machine failure is invisible.
Many organizations use a hybrid: cloud load balancers at the edge (where HA is most critical and hardest to achieve) and self-managed internal load balancers (NGINX, Envoy) where they need more control and costs are lower.
High availability isn't just about having backups—it's about ensuring those backups have sufficient capacity to handle failure scenarios. This requires careful capacity planning.
Capacity Calculation Example:
Scenario: You handle 100K requests/second at peak.
Single load balancer capacity: 60K requests/second (fully utilized)
Option 1: Active-Passive (N+1)
Option 2: Active-Active (2N)
Option 3: N+1 with larger instances
Recommendation: N+2 or 2N for critical systems.
| Criticality | Redundancy Level | Typical Headroom | Failure Tolerance |
|---|---|---|---|
| Non-critical internal | N+1 | 30-40% | 1 failure |
| Business-critical | N+2 or 2N | 40-50% | 2+ failures |
| Life-safety / Financial | 2N + geographic | 50%+ | Full AZ/region loss |
Capacity planning for HA must account for traffic spikes, not just steady-state load. If your peak is 2x your average, ensure your post-failure capacity handles that peak. Many outages occur when a failure coincides with a traffic spike.
Technical architecture is only half the battle. Operational practices determine whether your HA design actually delivers its promised reliability.
Common Operational Failure Patterns:
| Pattern | Consequence | Prevention |
|---|---|---|
| All-at-once config push | Total outage from config error | Staged rollouts |
| Untested failover | Failover doesn't work when needed | Regular testing |
| Expired certificates | Sudden TLS failures | Certificate monitoring |
| Filled logs crashing disk | LB becomes unresponsive | Log rotation, disk monitoring |
| Runaway health checks | Overwhelm backends | Rate limit health checks |
| DNS TTL too long | Slow failover | Aggressive TTLs for LB records |
| Missing alerts | Failures detected by users | Comprehensive monitoring |
Before deploying HA load balancing, run a 'pre-mortem': imagine it's 6 months from now and there was a major outage. What went wrong? This exercise surfaces risks before they become incidents.
Let's consolidate the key concepts from this page and the module as a whole:
Module 1 Summary: What Is Load Balancing?
Over these four pages, we've established a comprehensive understanding of load balancing:
Definition and Purpose — Load balancing distributes traffic across resources to optimize utilization, maximize throughput, minimize latency, and avoid overload.
Benefits — Availability (through redundancy and failover), performance (through distribution and optimization), and flexibility (through abstraction and operational agility).
Placement — Load balancing occurs at multiple tiers: edge (external traffic), middle (service-to-service), and data (database/cache access).
High Availability — The load balancer itself must be made highly available through redundancy patterns, careful capacity planning, and operational discipline.
You now have a thorough understanding of load balancing fundamentals. You can explain what load balancing is, why it matters, where to place it, and how to make it highly available. This foundation prepares you for the next modules, where we'll dive into Layer 4 vs Layer 7 load balancing, specific algorithms, session persistence, health checks, and load balancer technology comparisons.