AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-05-22 · Documentation low

File: elasticloadbalancing/latest/network/load-balancer-troubleshooting.md

Summary

Added new section 'Traffic is distributed unevenly between targets' explaining flow hash algorithm behavior and troubleshooting scenarios for uneven traffic distribution

Security assessment

The change adds operational guidance about traffic distribution patterns but does not address security vulnerabilities or introduce security features. It focuses on load balancing behavior and troubleshooting performance issues.

Diff

diff --git a/elasticloadbalancing/latest/network/load-balancer-troubleshooting.md b/elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
index 44a4b0d46..446414e83 100644
--- a//elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
+++ b//elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
@@ -5 +5 @@
-A registered target is not in serviceRequests are not routed to targetsTargets receive more health check requests than expectedTargets receive fewer health check requests than expectedUnhealthy targets receive requests from the load balancerTarget fails HTTP or HTTPS health checks due to host header mismatchUnable to associate a security group with a load balancerUnable to remove all security groupsIncrease in TCP_ELB_Reset_Count metricConnections time out for requests from a target to its load balancerPerformance decreases when moving targets to a Network Load BalancerPort allocation errors connecting through AWS PrivateLinkIntermittent TCP connection establishment failure or TCP connection establishment delaysPotential failure when the load balancer is being provisionedDNS name resolution contains fewer IP addresses than enabled Availability ZonesTroubleshoot unhealthy targets using the resource map
+A registered target is not in serviceRequests are not routed to targetsTargets receive more health check requests than expectedTargets receive fewer health check requests than expectedUnhealthy targets receive requests from the load balancerTarget fails HTTP or HTTPS health checks due to host header mismatchUnable to associate a security group with a load balancerUnable to remove all security groupsIncrease in TCP_ELB_Reset_Count metricConnections time out for requests from a target to its load balancerPerformance decreases when moving targets to a Network Load BalancerPort allocation errors connecting through AWS PrivateLinkIntermittent TCP connection establishment failure or TCP connection establishment delaysPotential failure when the load balancer is being provisionedTraffic is distributed unevenly between targetsDNS name resolution contains fewer IP addresses than enabled Availability ZonesTroubleshoot unhealthy targets using the resource map
@@ -115,0 +116,17 @@ One of the reasons a Network Load Balancer could fail when it is being provision
+## Traffic is distributed unevenly between targets
+
+TCP and TLS listeners route TCP connections and UDP listeners route UDP streams. The load balancer selects targets using a flow hash algorithm. A single connection from a client is inherently sticky.
+
+If you notice that some targets appear to receive more traffic than others, we recommend that you review the VPC flow logs. Compare the number of unique connections for each target IP address. Keep the time window as short as possible, as target registration, deregistration, and unhealthy targets influence these connection numbers.
+
+The following are possible scenarios where connections can be distributed unevenly:
+
+  * If you start with a small number of targets and then register additional targets later on, the original targets still have connections with clients. With an HTTP workload, keepalives ensure that clients reuse connections. If you lower the max keepalives on your web application, clients would open new connections more often.
+
+  * If target group stickiness is enabled, there is a small number of clients, and the clients communicate through a NAT device with a single source IP address, connections from these clients are routed to the same target.
+
+  * If cross-zone load balancing is disabled and clients prefer the load balancer IP address from one of the load balancer zones, connections would be distributed unevenly between the load balancer zones.
+
+
+
+