nginx, HAProxy, Envoy — which should I pick?

For traditional web stacks, nginx is the workhorse — battle-tested, fast, ubiquitous. For complex routing and high feature ceiling, Envoy is the modern choice (default in service meshes). For ultra-high-throughput TCP/HTTP load balancing where stability matters more than features, HAProxy. They overlap heavily; choose for ecosystem fit (cert-manager + nginx-ingress, Istio + Envoy) rather than pure technical merit.

When does a WAF help, and when does it just create false positives?

A WAF helps against opportunistic attacks (mass exploitation of CVEs, automated SQLi probes) and as a quick patch for newly-disclosed vulnerabilities. It rarely stops a determined targeted attacker. Run in monitor-only for 30-60 days, tune false-positives, then enforce; treat WAF as defence-in-depth, not the primary control.

Should I terminate TLS at LB or pass through to the backend?

Terminate at LB unless you need backend-controlled cert (some compliance regimes, or backends that need to read TLS-extracted client identity directly). Termination unlocks every L7 capability — without it the LB is a fancy L4. The trust boundary moves to the LB-to-backend hop, which should be on a trusted segment or re-encrypted.

How do I avoid LB single-point-of-failure?

Active-active LB pair with anycast or DNS-based failover; or cloud LB (which is internally HA). For self-hosted: keepalived + VRRP for VIP failover; HAProxy in pairs; or DNS-based load balancing across multiple LBs. Test failover quarterly — the time to discover the failover is broken is not during an incident.

Are LBs the right place to do authentication?

For TLS client cert validation, yes — terminate TLS at LB and pass authenticated identity to backends via header (with backends validating the LB chain). For OAuth/SSO, increasingly yes — LB-fronted auth proxies (oauth2-proxy, AWS ALB native OIDC, Cloudflare Access) offload auth from apps. For per-request authz with rich policy, no — that belongs at app/service level.

Should I use a service mesh from day one?

No. Start with Kubernetes Services + cert-manager + Ingress + NetworkPolicy. Add service mesh when you have specific needs that those primitives do not solve — usually around east-west mTLS, traffic shaping, or fine-grained authz. Premature mesh adoption adds operational burden without proportional benefit.

What is the difference between an Ingress and an API Gateway?

Ingress (Kubernetes term): L7 routing into the cluster — host/path to service. API Gateway: more featureful — auth, rate limiting, transformations, schema validation, monetisation. Modern projects (Kong, Ambassador, Traefik) often combine both. For internal cluster-only routing, Ingress; for external API surface, API Gateway.

Load Balancers Explained — L4 vs L7, NGINX, HAProxy, AWS ALB

Read as

Last updated: May 1, 2026

A load balancer distributes traffic across backend servers. A reverse proxy sits in front of backend servers, terminating client connections, often inspecting and rewriting traffic. In modern architectures, the line is blurred: nginx, HAProxy, Envoy, AWS ALB, Cloudflare all do both. This module covers L4 vs L7 load balancing, health checks, sticky sessions, the L7 inspection capabilities (header rewriting, path routing, WAF), TLS termination patterns, and the security implications of operating one of the most-attacked components in any production stack.

Every production web service in 2026 has at least one load balancer in front of it. The load balancer is also: the TLS terminator, the WAF, the rate limiter, the bot mitigation, the health checker, and the source IP from the application’s perspective. Misconfigure it and you have a single point of failure, a privacy hole, or a bypass for everything that came before. This module is the working introduction to load balancers, reverse proxies, and the L7 stack with security front-of-mind.

L4 vs L7 — the fundamental choice

Layer 4 load balancing routes by IP and TCP/UDP port; the LB does not inspect application bytes. Fast (line-rate possible), simple, and protocol-agnostic. The original LVS, AWS NLB, GCP TCP/UDP LB. Layer 7 load balancing understands HTTP (or other application protocols): can route by URL path, host header, cookies; can rewrite headers; can terminate TLS; can apply rate limits per user; can run a WAF. nginx, HAProxy, Envoy, AWS ALB, Azure Application Gateway, Cloudflare.

The choiceL7 for HTTP/HTTPS workloads (almost everything in 2026); L4 for non-HTTP (databases, gRPC sometimes, custom TCP protocols), for ultra-high-throughput (>10M PPS), or where end-to-end TLS without termination is required. Modern stacks often combine: L4 LB at the edge for DDoS, L7 LB inside the perimeter for routing.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants

Load Balancers, Reverse Proxies, and the L7 Stack

L4 vs L7 — the fundamental choice

Custom team training + practitioner advisory

Other modules in this track

Networking Fundamentals — OSI, TCP/IP, and Why Layers Actually Matter

Packet Analysis with Wireshark — From “Open the PCAP” to Diagnosing Real Incidents

Network Protocols Deep Dive — ARP, DHCP, ICMP, DNS, HTTP and the Trust They Assume