If you’re preparing for the AWS Certified Advanced Networking Specialty exam, load balancing is one of those topics you can’t afford to gloss over. The ANS-C01 doesn’t just ask you to name the three load balancer types; it puts you in real architectural scenarios and asks you to justify your choice. Get it wrong, and you’re looking at failed health checks, broken integrations, or a security gap that shouldn’t exist.
This guide covers Application Load Balancer (ALB), Network Load Balancer (NLB), and Gateway Load Balancer (GWLB): what each one does, where it fits, and how it shows up in ANS-C01 exam questions. By the end, you’ll have a clear mental model you can apply under exam pressure.
Why This Topic Keeps Appearing on ANS-C01
Load balancers touch almost every domain in the exam blueprint: network design, high availability, security, and hybrid connectivity. The reason the exam leans on them so heavily is that choosing the wrong one in production has real consequences. So, AWS wants to know that you understand not just feature lists, but the reasoning behind the choice.
Application Load Balancer (ALB): When the Request Content Matters
ALB operates at Layer 7, which means it can actually read HTTP and HTTPS requests before deciding where to send them. That makes it the right tool whenever your routing logic depends on what’s inside the request — not just where it’s coming from.
You’d reach for ALB when you need path-based routing (sending /api/ traffic to one target group and /images/ to another), host-based routing across multiple subdomains, or user authentication through Amazon Cognito or an OIDC provider. ALB also handles HTTP/2, gRPC, and WebSockets natively, and it integrates directly with AWS WAF for application-layer protection.
Where it falls short: ALB doesn’t preserve the original client IP by default — you get it through the X-Forwarded-For header. It also doesn’t support static IP addresses, which matters when a downstream system needs to whitelist a fixed IP. And if your traffic isn’t HTTP-based at all, ALB simply isn’t the right tool.
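In its default mode ALB appends the address it received the connection from to the right of whatever X-Forwarded-For value the client already sent, so only the rightmost entries can be trusted. The following is an added example, not code from the original article: a backend-side resolver that ignores forged left-hand entries. The function names, the 10.0.0.0/16 ALB subnet and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def _parse_ip(text):
    """Return an ip_address, or None for junk such as 'unknown' or injected text."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def client_ip(xff_header, peer_ip, trusted_cidrs):
    """Resolve the real client address for a request received from peer_ip.

    trusted_cidrs: networks whose hosts may append to X-Forwarded-For
    (assumption: the subnets the ALB nodes are deployed in).
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not trusted(peer):
        # The request did not come through the load balancer, so the header
        # is entirely client-controlled: ignore it.
        return str(peer)

    candidate = peer
    # Walk right to left: a trusted hop vouches only for the entry it appended.
    for raw in reversed((xff_header or "").split(",")):
        ip = _parse_ip(raw)
        if ip is None:
            break              # malformed entry: keep the last verified address
        candidate = ip
        if not trusted(ip):
            break              # first address outside our proxies is the client
    return str(candidate)

# Constructed sample: the client sent a forged "203.0.113.7" in its own header;
# the ALB (10.0.1.15) appended the address it actually saw, 198.51.100.23.
ALB_SUBNETS = ["10.0.0.0/16"]
SAMPLE = "203.0.113.7, 198.51.100.23"

if __name__ == "__main__":
    print(client_ip(SAMPLE, "10.0.1.15", ALB_SUBNETS))
```

Use the resolved address, not the leftmost header value, for rate limiting, allow lists and audit logs.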
On the exam, ALB questions usually involve microservices, blue/green deployments, or anything requiring weighted target groups for canary releases. If the scenario mentions content-based routing and the protocol is HTTP or HTTPS, ALB is almost always the answer.
Network Load Balancer (NLB): Speed, Static IPs, and PrivateLink
NLB works at Layer 4. It doesn’t inspect what’s inside a request — it just routes TCP, UDP, and TLS connections as fast as possible. That makes it capable of handling millions of requests per second with single-digit millisecond latency, which matters for real-time applications, gaming backends, and financial systems.
What sets NLB apart from ALB in the exam context is a short list of capabilities that only NLB has. It preserves the original client source IP natively at the TCP level. It supports static Elastic IP addresses per Availability Zone. And it’s the only load balancer that supports AWS PrivateLink — the service that lets you expose your application to other VPCs or AWS accounts over a private connection without touching the public internet.
If you see a scenario where a SaaS provider needs to let customer accounts connect privately using a fixed endpoint, or where an application backend must log real client IPs for compliance, NLB is the answer. The PrivateLink question pattern in particular is a staple of ANS-C01 exam questions, so it’s worth drilling until it’s automatic.
The trade-off: NLB has no understanding of application data. You can’t route based on URL paths or headers, and you can’t run WAF on it directly. It’s pure transport-layer throughput.
Gateway Load Balancer (GWLB): Transparent Security Insertion
GWLB is the most specialized of the three, and it solves a specific problem: how do you route all your network traffic through a fleet of third-party security appliances — firewalls, IDS/IPS tools, packet inspection engines — without re-architecting your entire network?
GWLB operates at Layer 3/4 and uses the GENEVE encapsulation protocol to forward traffic to appliance targets, then return it to its original destination. From the perspective of the source and destination, the inspection never happened. That transparent, “bump in the wire” behavior is exactly what enterprises need when they want centralized inspection without touching every application’s routing configuration.
It integrates with VPC Ingress Routing, which lets you intercept traffic entering or leaving a VPC and send it through GWLB before it reaches its destination. For centralized inspection architectures — especially those involving Transit Gateway — GWLB is the standard pattern.
On the exam, GWLB questions are usually about security appliance insertion, east-west traffic inspection between VPCs, or scenarios where the word “transparent” appears alongside firewall or IDS. It’s tested less frequently than ALB or NLB, but when it shows up, the question is usually very specific about the GENEVE protocol or Gateway Load Balancer Endpoints.
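With the GENEVE encapsulation described above, an appliance target receives a UDP payload made of a GENEVE header followed by the original packet. The following is an added example, not code from the original article or from AWS: a bounds-checked parser for the RFC 8926 header layout, the kind of validation an appliance needs before it touches the inner packet. The option class 0xFFF0, the VNI and the inner packet in the sample are constructed values.

```python
import struct

class GeneveError(ValueError):
    """Raised when a datagram does not hold a well-formed GENEVE header."""

def parse_geneve(datagram):
    """Split a UDP payload into (GENEVE header fields, inner packet bytes)."""
    if len(datagram) < 8:
        raise GeneveError("truncated fixed header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", datagram[:8])
    if b0 >> 6 != 0:
        raise GeneveError("unsupported GENEVE version")
    end = 8 + (b0 & 0x3F) * 4          # Opt Len counts 4-byte words
    if len(datagram) < end:
        raise GeneveError("options run past end of datagram")
    options, pos = [], 8
    while pos < end:
        opt_class, opt_type, flags_len = struct.unpack("!HBB", datagram[pos:pos + 4])
        data_end = pos + 4 + (flags_len & 0x1F) * 4
        if data_end > end:
            raise GeneveError("option overruns declared options length")
        options.append({"class": opt_class, "type": opt_type,
                        "critical": bool(opt_type & 0x80),
                        "data": datagram[pos + 4:data_end]})
        pos = data_end
    header = {"vni": vni_rsvd >> 8, "protocol": proto,
              "oam": bool(b1 & 0x80), "critical": bool(b1 & 0x40),
              "options": options}
    return header, datagram[end:]

# Constructed inner packet: bare IPv4 header, 198.51.100.23 -> 10.0.1.15.
INNER = bytes.fromhex("450000140000000040060000c63364170a00010f")

def sample_datagram():
    """Constructed GENEVE payload with two options in experimental class 0xFFF0."""
    opts = struct.pack("!HBB", 0xFFF0, 1, 2) + b"\x11" * 8
    opts += struct.pack("!HBB", 0xFFF0, 2, 1) + b"\x22" * 4
    fixed = struct.pack("!BBHI", len(opts) // 4, 0, 0x0800, 0xABCD << 8)
    return fixed + opts + INNER

if __name__ == "__main__":
    hdr, inner = parse_geneve(sample_datagram())
    print(hdr["vni"], len(hdr["options"]), inner == INNER)
```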
How to Choose on the Exam
When a scenario question appears, run through this logic quickly:
Does the routing depend on HTTP content, headers, or paths? Use ALB.
Is there a static IP requirement, a PrivateLink scenario, or a non-HTTP protocol? Use NLB.
Does traffic need to pass through a security appliance without the application knowing? Use GWLB.
That’s the core of it. The exam rewards candidates who can pattern-match scenarios to solutions fast, without second-guessing. If you want to sharpen your judgment on Amazon Exam Certifications at the specialty level, working through realistic ANS-C01 exam questions before test day is the most efficient way to close the gap.
Final Takeaway
ALB, NLB, and GWLB each solve a distinct problem. ALB is your Layer 7 intelligent router. NLB is your Layer 4 high-performance workhorse with static IPs and PrivateLink support. GWLB is your transparent security insertion fabric. The ANS-C01 exam will test whether you truly understand the difference — not just as a list of features, but as architectural judgment under real-world constraints. Load balancers aren’t complicated once you know what problem each one was built to solve. ALB solves content routing. NLB solves transport-layer performance and private connectivity. GWLB solves transparent security insertion. Know the distinctions cold, and this section of ANS-C01 becomes one of the easier ones to own.