AWS ELB Monitoring

• Elastic Load Balancing publishes data points to Amazon CloudWatch about the load balancers and targets (or back-end instances for Classic Load Balancer).
• Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer.
  • If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals.
  • If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.
• AWS provides four types of load balancers, each with its own monitoring capabilities:
  • Application Load Balancer (ALB) – Layer 7, HTTP/HTTPS/gRPC
  • Network Load Balancer (NLB) – Layer 4, TCP/UDP/TLS
  • Gateway Load Balancer (GWLB) – Layer 3, transparent network gateway
  • Classic Load Balancer (CLB) – Previous generation (Layer 4/7)
• ELB monitoring options include CloudWatch metrics, access logs, connection logs, health check logs, CloudTrail logs, and CloudWatch Internet Monitor.

CloudWatch Metrics

Classic Load Balancer (CLB) Metrics

• CLB metrics use the AWS/ELB namespace.
• HealthyHostCount, UnHealthyHostCount
  • Number of healthy and unhealthy instances registered with the load balancer.
  • Most useful statistics are Average, Min, and Max.
• RequestCount
  • Number of requests completed or connections made during the specified interval (1 or 5 minutes).
  • Most useful statistic is Sum.
• Latency
  • Time elapsed, in seconds, after the request leaves the load balancer until the headers of the response are received.
  • Most useful statistic is Average.
• SurgeQueueLength
  • Total number of requests that are pending routing.
  • Load balancer queues a request if it is unable to establish a connection with a healthy instance in order to route the request.
  • Maximum size of the queue is 1,024. Additional requests are rejected when the queue is full.
  • Most useful statistic is Max, because it represents the peak of queued requests.
• SpilloverCount
  • The total number of requests that were rejected because the surge queue is full. Should ideally be 0.
  • Most useful statistic is Sum.
• HTTPCode_ELB_4XX, HTTPCode_ELB_5XX
  • Client and server error codes generated by the load balancer.
  • Most useful statistic is Sum.
• HTTPCode_Backend_2XX, HTTPCode_Backend_3XX, HTTPCode_Backend_4XX, HTTPCode_Backend_5XX
  • Number of HTTP response codes generated by registered instances.
  • Most useful statistic is Sum.

Application Load Balancer (ALB) Metrics

• ALB metrics use the AWS/ApplicationELB namespace.
• ActiveConnectionCount – Total concurrent TCP connections active from clients to the load balancer and from the load balancer to targets. Useful statistic: Sum.
• NewConnectionCount – Total new TCP connections established from clients to the load balancer and from the load balancer to targets. Useful statistic: Sum.
• RejectedConnectionCount – Number of connections rejected because the load balancer reached its maximum number of connections. Useful statistic: Sum.
• RequestCount – Number of requests processed over IPv4 and IPv6. Useful statistic: Sum.
• TargetResponseTime – Time elapsed after the request leaves the load balancer until the target starts to send response headers. Useful statistics: Average, pNN.NN (percentiles).
• HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets. Useful statistics: Average, Min, Max.
• HTTPCode_Target_2XX_Count through 5XX_Count – HTTP response codes generated by targets. Useful statistic: Sum.
• HTTPCode_ELB_4XX_Count, HTTPCode_ELB_5XX_Count – HTTP error codes generated by the load balancer itself. Useful statistic: Sum.
• ClientTLSNegotiationErrorCount – TLS connections initiated by clients that did not establish a session with the load balancer. Useful statistic: Sum.
• TargetConnectionErrorCount – Connections that were not successfully established between the load balancer and target. Useful statistic: Sum.
• ProcessedBytes – Total bytes processed by the load balancer over IPv4 and IPv6. Useful statistic: Sum.
• ConsumedLCUs – Number of Load Balancer Capacity Units (LCU) consumed. Used for billing calculations.
• RuleEvaluations – Number of rules evaluated while processing requests.
• AnomalousHostCount – Number of targets detected with anomalies (used with Automatic Target Weights). Useful statistics: Min, Max.

Network Load Balancer (NLB) Metrics

• NLB metrics use the AWS/NetworkELB namespace.
• ActiveFlowCount – Total number of concurrent flows (connections) from clients to targets. Useful statistic: Average.
• NewFlowCount – Total number of new flows established from clients to targets. Useful statistic: Sum.
• ProcessedBytes – Total bytes processed by the load balancer (TCP/TLS, UDP). Useful statistic: Sum.
• TCP_Client_Reset_Count, TCP_Target_Reset_Count, TCP_ELB_Reset_Count – Number of reset (RST) packets sent from client, target, or the load balancer.
• HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets.
• ConsumedLCUs – Number of Network Load Balancer Capacity Units consumed.
• PeakBytesPerSecond – Highest average bytes per second for the load balancer during a period.

Gateway Load Balancer (GWLB) Metrics

• GWLB metrics use the AWS/GatewayELB namespace.
• ActiveFlowCount, NewFlowCount – Concurrent and new flows from clients to targets.
• ProcessedBytes – Total bytes processed by the GWLB.
• HealthyHostCount, UnHealthyHostCount – Number of healthy/unhealthy targets.
• GWLB does NOT generate access logs since it is a transparent Layer 3 load balancer that does not terminate flows.

Elastic Load Balancer Access Logs

• Elastic Load Balancing provides access logs that capture detailed information about all requests sent to the load balancer.
• Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.
• Access logging is disabled by default and can be enabled without any additional charge. You are only charged for S3 storage.
• Access logs are supported for ALB, NLB, and CLB. GWLB does not generate access logs.

ALB Access Logs

• ALB publishes a log file for each load balancer node every 5 minutes to Amazon S3.
• Log entries include: request type, timestamp, ELB name, client:port, target:port, request processing time, target processing time, response processing time, ELB/target status codes, received/sent bytes, request details, user agent, SSL cipher/protocol, target group ARN, trace ID, and more.

NLB Access Logs

• NLB access logs capture information about TLS requests sent to the load balancer.
• Logs can be stored in Amazon S3.
• New (Nov 2025): NLB access logs now support delivery as CloudWatch Vended Logs, enabling direct delivery to CloudWatch Logs, Amazon Data Firehose, and Amazon S3 with Apache Parquet format support. This allows real-time log analysis using CloudWatch Logs Insights and Live Tail.

ALB Connection Logs

• Connection logs capture detailed information about TLS connections established between clients and the ALB.
• Useful for troubleshooting TLS client connection issues (e.g., mTLS failures, cipher mismatches).
• Connection logs are stored in Amazon S3, with a log file published every 5 minutes.
• This is an optional feature, disabled by default.
• Log entries include: timestamp, client IP:port, listener port, TLS protocol/cipher, connection status, client certificate details (for mTLS), and more.

ALB Health Check Logs

• New (Nov 2025): ALB now supports Health Check Logs that send detailed target health check data directly to a designated Amazon S3 bucket.
• This optional feature captures:
  • Health check status (healthy/unhealthy)
  • Timestamps
  • Target identification data
  • Failure reasons for unhealthy targets
• Health check logs are published every 5 minutes per load balancer node.
• Helps troubleshoot intermittent target health check failures without needing to rely solely on CloudWatch metrics.
• No additional charge; you pay only for S3 storage.

CloudWatch Internet Monitor

• Amazon CloudWatch Internet Monitor provides internet performance and availability measurements for user traffic to load balancers.
• Monitors internet traffic patterns and identifies issues that affect internet connectivity between users and AWS.
• Supported for both ALB and NLB.
• NLB integration (Sep 2024): You can create or associate a monitor for an NLB directly when creating it in the AWS Management Console.
• Provides city-level visibility into performance impairments and their geographic scope.

CloudWatch Network Flow Monitor

• New (Dec 2024, re:Invent): CloudWatch Network Flow Monitor offers network performance monitoring across AWS managed services.
• Provides near real-time visibility into network performance for traffic between compute resources (EC2, EKS), to AWS services (S3, DynamoDB), and to other AWS Regions.
• Uses lightweight agents to gather TCP connection performance statistics (packet loss, latency).
• Can determine if AWS is the cause of a detected network issue for monitored flows.

ALB Automatic Target Weights (ATW)

• New (Nov 2023): ALB supports Automatic Target Weights (ATW), which uses anomaly detection to optimize traffic routing.
• ATW detects and mitigates gray failures — situations where a target passes health checks but still returns elevated errors.
• Anomaly detection is automatically enabled on HTTP/HTTPS target groups with at least three healthy targets.
• ATW analyzes HTTP return status codes and TCP/TLS errors to identify anomalous targets and reduces traffic to them.
• Provides the AnomalousHostCount CloudWatch metric to monitor detected anomalies.

CloudWatch Anomaly Detection Alarms

• CloudWatch anomaly detection uses machine learning to model expected metric behavior and automatically creates upper and lower bounds.
• Can be used with ELB metrics like TargetResponseTime, RequestCount, HTTPCode_ELB_5XX to detect unusual patterns.
• Recommended approach for monitoring ELB performance without manually setting static thresholds.
• Works with ALB, NLB, CLB, and GWLB metrics.

CloudTrail Logs

• AWS CloudTrail captures all API calls to the Elastic Load Balancing API made by or on behalf of your AWS account.
• API calls can be made directly, or indirectly through the AWS Management Console, AWS CLI, or SDKs.
• CloudTrail stores the information as log files in an Amazon S3 bucket.
• Logs can be used to monitor load balancer activity and determine what API call was made, what source IP address was used, who made the call, when it was made, and so on.
• Applies to all ELB types (ALB, NLB, GWLB, CLB).

Classic Load Balancer – Migration Recommendation

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. An admin is planning to monitor the ELB. Which of the below mentioned services does not help the admin capture the monitoring information about the ELB activity?
   1. ELB Access logs
   2. ELB health check
   3. CloudWatch metrics
   4. ELB API calls with CloudTrail
2. A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
   1. Enable AWS CloudTrail for the load balancer.
   2. Enable access logs on the load balancer.
   3. Install the Amazon CloudWatch Logs agent on the load balancer.
   4. Enable Amazon CloudWatch metrics on the load balancer.
3. Your supervisor has requested a way to analyze traffic patterns for your application. You need to capture all connection information from your load balancer every 10 minutes. Pick a solution from below. Choose the correct answer:
   1. Enable access logs on the load balancer.
   2. Create a custom metric CloudWatch filter on your load balancer.
   3. Use a CloudWatch Logs Agent.
   4. Use AWS CloudTrail with your load balancer.
4. A company runs a web application behind an Application Load Balancer. Some users are experiencing intermittent 5XX errors but health checks show all targets as healthy. Which ALB feature can automatically detect and mitigate this issue?
   1. Cross-Zone Load Balancing
   2. Automatic Target Weights (ATW)
   3. Connection Draining
   4. Sticky Sessions
5. A DevOps engineer needs to troubleshoot why targets behind an ALB are intermittently failing health checks. Which recently introduced feature provides detailed health check failure reasons stored in S3?
   1. ALB Access Logs
   2. CloudWatch HealthyHostCount metric
   3. ALB Health Check Logs
   4. AWS CloudTrail
6. A solutions architect wants to analyze NLB access logs in near real-time using CloudWatch Logs Insights. Which delivery option should they configure?
   1. Enable NLB access logs to S3 and create Athena queries
   2. Configure NLB access logs as CloudWatch Vended Logs
   3. Enable VPC Flow Logs on the NLB
   4. Install CloudWatch Agent on NLB nodes
7. Which of the following is a metric specific to Classic Load Balancer that indicates the load balancer cannot route requests because the queue is full?
   1. RejectedConnectionCount
   2. TargetConnectionErrorCount
   3. SpilloverCount
   4. HTTPCode_ELB_503
8. A company wants to identify if AWS infrastructure is causing latency issues for users connecting to their Network Load Balancer from different geographic locations. Which service should they use?
   1. AWS X-Ray
   2. CloudWatch Metrics
   3. Amazon CloudWatch Internet Monitor
   4. VPC Flow Logs

References

• CloudWatch metrics for Application Load Balancer
• CloudWatch metrics for Network Load Balancer
• CloudWatch metrics for Gateway Load Balancer
• CloudWatch metrics for Classic Load Balancer
• ALB Access Logs
• ALB Connection Logs
• ALB Health Check Logs
• NLB CloudWatch Logs (Vended Logs)
• ALB Health Check Logs Announcement (Nov 2025)
• NLB CloudWatch Vended Logs Announcement (Nov 2025)