4.42 The classic load balancer CLB (V1)
In this lab we create our first Classic Load Balancer (CLB v1). It supports TCP, HTTP and HTTPS at layers 4 and 7, with TCP or HTTP-based health checks. The CLB exposes a public DNS name. The client talks to the CLB on port 80 (HTTP), and the CLB forwards requests internally to our EC2 instances on port 80 as well. We start from an existing instance running a working web server, then move to the console to create the load balancer.
Steps in the console
- In the EC2 console, open Load Balancers and click Create; choose Classic Load Balancer.
- Pick a name (e.g. my-first-clb), the default VPC, and uncheck Internal so it is public.
- Configure the HTTP listener: port 80 in, port 80 out to the instances.
- Create a security group my-first-clb-sg opening port 80 to 0.0.0.0/0.
- Configure the health check: HTTP probe on port 80, path /index.html, 5 s timeout, 30 s interval, threshold 2/10.
- Register one EC2 instance as initial target, then create the CLB.
Once the CLB is provisioned, copy the public DNS name and open it in a browser: the load balancer forwards to the instance and the page loads. To prevent users from hitting the instance directly, modify the EC2 instance's security group so port 80 only accepts traffic from the CLB security group — direct access then fails, while the CLB still works. This is the standard pattern: only the load balancer is publicly exposed.
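One way to verify the restriction described above is to audit the instance security group's ingress rules for any source other than the CLB security group on port 80. This is an added example, not code from the lesson; it works on constructed data shaped like `aws ec2 describe-security-groups` output, and the group IDs, CIDRs and function names are assumptions.

```python
# Constructed sample data shaped like `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are placeholders, not values from the lesson.
CLB_SG = "sg-clb-placeholder"

def _rule(proto, port, cidrs=(), groups=()):
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if port is not None:            # "-1" (all traffic) rules carry no port fields
        perm["FromPort"], perm["ToPort"] = port
    return perm

# Instance group before the change: port 80 open to the world.
BEFORE = {"IpPermissions": [_rule("tcp", (80, 80), cidrs=["0.0.0.0/0"]),
                            _rule("tcp", (22, 22), cidrs=["203.0.113.10/32"])]}
# After the change: port 80 accepts only the CLB security group.
AFTER = {"IpPermissions": [_rule("tcp", (80, 80), groups=[CLB_SG]),
                           _rule("tcp", (22, 22), cidrs=["203.0.113.10/32"])]}
# Edge case: an all-traffic rule also covers port 80.
WIDE = {"IpPermissions": [_rule("-1", None, cidrs=["10.0.0.0/8"],
                                groups=["sg-other-placeholder"])]}

def covers_port(perm, port):
    """True if an ingress rule applies to TCP `port`."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def bypass_sources(instance_sg, clb_sg_id, port=80):
    """List every source other than the CLB security group that can reach `port`."""
    found = []
    for perm in instance_sg.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        found += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        found += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        found += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])
                  if g["GroupId"] != clb_sg_id]
    return found

if __name__ == "__main__":
    for name, sg in (("before", BEFORE), ("after", AFTER), ("wide", WIDE)):
        print(name, bypass_sources(sg, CLB_SG) or "no bypass path on port 80")
```

An empty result means port 80 on the instance is reachable only through the load balancer's security group; the SSH rule on port 22 is ignored because it does not cover the audited port.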
To finish the lab we add more targets. Using the Launch more like this shortcut, we create two more instances on different AZs, each with the same restricted security group. Back in the CLB, we register all three instances; they show as InService after a few seconds. Refreshing the public DNS now returns different IPs as the CLB dispatches traffic round-robin across the three downstream EC2 servers — proving that load balancing works.
Summary
This lesson demonstrates how to create and configure an AWS Classic Load Balancer (CLB/ELB) Version 1 for distributing traffic across multiple EC2 instances. The tutorial covers listener configuration on port 80 (HTTP), health check setup, and security group configuration to ensure users access instances only through the load balancer. Multiple EC2 instances are deployed across availability zones and added to the load balancer for redundancy.
Key points
- Classic Load Balancer (CLB) operates at Layer 7 and supports HTTP, HTTPS, TCP, and UDP protocols
- Listeners direct traffic from port 80 to backend instances on ports 80, 8080, 8081, or 8082
- Health checks are configured to verify instance availability via HTTP on port 80, with 5-second timeout and 10-second intervals
- Security groups must be modified to restrict direct instance access—only the CLB can connect to instances, forcing all traffic through the load balancer
- Multiple EC2 instances across different availability zones are added to the load balancer pool for high availability
- Load balancer distributes requests across instances, verifiable by observing changing IP addresses on each page refresh
FAQ
What are the key features of the Classic Load Balancer (CLB)?
The Classic Load Balancer is a Layer 7 load balancer that supports HTTP, HTTPS, TCP, and UDP protocols. It can distribute traffic across multiple EC2 instances and includes health check capabilities to automatically remove unhealthy instances from the pool.
Why is it important to restrict security group access to instances?
Restricting security groups ensures that users cannot access EC2 instances directly; they must go through the load balancer. This enforces the load balancing architecture and prevents bypassing the load distribution logic.
How do health checks work in a Classic Load Balancer?
The CLB periodically tests instance health by making HTTP requests to port 80 and checking the index.html page. If an instance fails the health check twice within the configured interval (10 seconds), it is removed from the load balancer pool.