💡 Problem Statement
An enterprise needs to deploy a multi-region load balancing setup between East US 1 and West US 2 to ensure high availability, fault tolerance, and low latency for critical applications.
The goal is to create a private-to-private region connection, where an Application Load Balancer (ALB) in one region serves backend VMs hosted in another region, while a Network Load Balancer (NLB) handles public traffic and routes requests to the ALB.
⚙️ Prerequisites
Before you start, make sure you know these basic AWS topics:
- ☁️ Basic understanding of AWS Cloud and regions
- 🧩 How to create a VPC and subnets (public & private)
- 🌍 Basics of VPC Peering for cross-region communication
- ⚖️ How to create and use Load Balancers (ALB & NLB)
- 🔒 Understanding of Security Groups and IAM roles
- 💻 How to launch and connect to an EC2 instance
- 🧠 Basic Linux commands (ping, curl) to test connections
🧰 Tools & Services Used
- ☁️ AWS VPC, Subnets, Route Tables, Peering
- ⚖️ Elastic Load Balancer (ALB + NLB)
- 💻 EC2 Instances
- 🔐 Security Groups & NACLs
- 📊 CloudWatch for Monitoring
- 🧩 IAM for Access Control
🏗️ Implementation Steps
Phase-1: VPC, Subnet, Route Table, NAT Gateway and Internet Gateway Creation
Note: Here we create two VPCs, one in each region.
VPC Creation in us-east-1 (N. Virginia)
- Log in to the AWS account.
- Search for VPC in the search box.
- Click on the Create VPC option.
- Once the VPC configuration page opens, select the options below.
- Resource to create: VPC and more
- Name tag auto-generation: demo-project-1
- IPv4 CIDR block: 10.0.0.0/16
- Number of Availability Zones (AZs): 2
- Number of public subnets: 2
- Number of private subnets: 2
- NAT gateways: In 1 AZ
- Click on the Create VPC option.
VPC Creation in us-west-2 (Oregon)
- Search for VPC in the search box.
- Click on the Create VPC option.
- Once the VPC configuration page opens, select the options below.
- Resource to create: VPC and more
- Name tag auto-generation: demo-project-2
- IPv4 CIDR block: 10.1.0.0/16
- Number of Availability Zones (AZs): 2
- Number of public subnets: 2
- Number of private subnets: 2
- NAT gateways: In 1 AZ
- Click on Create VPC.
Phase-2: VPC Peering
- Click on Peering connections under the Virtual private cloud (VPC) drop-down.
- Click on the Create peering connection option.
- Once the peering configuration page opens, select the options below.
- Name: VPC Peering Connection
- VPC ID (Requester): vpc-02473e5abdc0ed646
- Select another VPC to peer with:
- Account: My account
- Region: Another Region
- VPC ID (Accepter): vpc-0eef6616fd0e92130
- Click on Create peering connection.
- Once the above steps are done, switch to the other region (us-east-1), open Peering connections and accept the connection request.
- After completing the above step, go to the Route Tables section and add the CIDR block of the opposite region's VPC as a route entry (target: the peering connection) in your private subnet's route table.
Repeat the same process in the opposite region to ensure bidirectional traffic flow between the two VPCs.
Phase-3: SSM_login Role and EC2 Machine Creation in us-west-2 (Oregon) Region
SSM_login role creation
Note: This role is required to log in to the EC2 machines through SSM Session Manager.
- Search for Roles in IAM.
- Click on the Create role option.
- Select the options below while creating the role.
- Select trusted entity: AWS service
- Use case: EC2
- Click on Next.
- Permissions policies: AmazonSSMManagedInstanceCore
- Click on Next.
- Role name: SSM_login
- Click on the Create role option.
Create the first VM in the private-1 subnet
- Search for EC2 in the search box and click on the Launch instances option.
- While creating the VM, select the configuration below, then click on the Launch instance option.
- Name: demo-vm-1
- Application and OS Images: Ubuntu
- Instance Type: t2.micro
- Key Pair: demo-vm # Generate it if it is not present.
- Network Settings:
- VPC: demo-project-2-vpc
- Subnet: demo-project-2-subnet-private1-us-west-2a
- Firewall: create security group
- Security Group Name: demo-vm-security-group
- Advanced Settings:
- IAM instance profile: SSM_login
- User data (runs as root at first boot; installs nginx and serves a page that names the host):

```bash
#!/bin/bash
# Install and enable nginx, then publish a page identifying this private VM
sudo apt-get update -y
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
echo "<h1>Hello from nginx on $(hostname) (private)</h1>" > /var/www/html/index.html
sudo systemctl restart nginx
```
Create the second VM in the private-2 subnet
- Search for EC2 in the search box and click on Launch instances.
- While creating the VM, select the configuration below, then click on the Launch instance option.
- Name: demo-vm-2
- Application and OS Images: Ubuntu
- Instance Type: t2.micro
- Key Pair: demo-vm # Generate it if it is not present.
- Network Settings:
- VPC: demo-project-2-vpc
- Subnet: demo-project-2-subnet-private2-us-west-2a
- Firewall: Select existing security group
- Security Group Name: demo-vm-security-group
- Advanced Settings:
- IAM instance profile: SSM_login
- User data (same script as for demo-vm-1):

```bash
#!/bin/bash
# Install and enable nginx, then publish a page identifying this private VM
sudo apt-get update -y
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
echo "<h1>Hello from nginx on $(hostname) (private)</h1>" > /var/www/html/index.html
sudo systemctl restart nginx
```
Phase-4: Load Balancer Creation
Application Load Balancer Creation Steps
ALB Security Group Creation
- Go to Security Groups and click on Create security group.
- Use the configuration below to create the security group.
- Security group name: ALB_Security_Group
- Description: ALB_Security_Group
- VPC: vpc-0eef6616fd0e92130
- Click on the Create security group option.
ALB Target Group Creation
- Go to Target groups under the Load Balancing section in EC2 and click on Create target group.
- Select the configuration below while creating the target group.
- Target type: IP addresses
- Target group name: ALB-Target-Group
- VPC: vpc-0eef6616fd0e92130
- Click on Next.
- Register the targets with the details below:
- Choose a network
- Network: Other private IP address
- Availability Zone: All
- Specify IPs and define ports:
- Enter a private IP address: private IP address of demo-vm-1
- Enter a private IP address: private IP address of demo-vm-2
- Then click on the Include as pending below option.
- Click Next.
- Then click on Create target group.
Application Load Balancer Creation
- Click on Create load balancer.
- Click on the Create option under Application Load Balancer.
- Create the Application Load Balancer with the configuration below.
- Load balancer name: Application-Load-Balancer
- Scheme: Internal
- VPC: vpc-0eef6616fd0e92130
- Availability Zones and subnets:
- us-east-1a: demo-project-1-subnet-private1-us-east-1a
- us-east-1b: demo-project-1-subnet-private2-us-east-1b
- Security groups: ALB_Security_Group
- Routing action: Forward to target groups
- Target group: ALB-Target-Group
- After the above step, click on the Create load balancer option.
Network Load Balancer Creation Steps
NLB Security Group Creation
- Go to Security Groups and click on Create security group.
- Use the configuration below to create the security group.
- Security group name: NLB-Security-Group
- Description: NLB-Security-Group
- VPC: vpc-0eef6616fd0e92130
- Click on the Create security group option.
NLB Target Group Creation
- Go to Target groups under the Load Balancing section in EC2 and click on Create target group.
- Select the configuration below while creating the target group.
- Target type: Application Load Balancer
- Target group name: NLB-Target-Group
- VPC: vpc-0eef6616fd0e92130
- Click on Next.
- Register the target with the details below:
- Register Application Load Balancer: Register now
- Port: Use the target group port 80
- Application Load Balancer: Application-Load-Balancer
- Click Next.
- Then click on Create target group.
Network Load Balancer Creation
- Click on Create load balancer.
- Click on the Create option under Network Load Balancer.
- Create the Network Load Balancer with the configuration below.
- Load balancer name: Network-Load-Balancer
- Scheme: Internet-facing
- VPC: vpc-0eef6616fd0e92130
- Availability Zones and subnets:
- us-east-1a: demo-project-1-subnet-public1-us-east-1a
- us-east-1b: demo-project-1-subnet-public2-us-east-1b
- Security groups: NLB-Security-Group
- Listeners and routing:
- Protocol: TCP
- Port: 80
- Default action: NLB-Target-Group
- After the above step, click on the Create load balancer option.
Phase-5: Configuring Security Group Inbound Rules for Traffic Flow
us-east-1 Region
NLB-Security-Group (internet-facing NLB)
- Go to Security Groups.
- Click on the NLB-Security-Group ID.
- Click on the Edit inbound rules option.
- Use the configuration below to create the rule.
- Click on the Add rule option.
- Type: HTTP
- Source: Anywhere-IPv4
- CIDR blocks: 0.0.0.0/0
- Click on the Save rules option.
ALB_Security_Group (internal ALB)
- Go to Security Groups.
- Click on the ALB_Security_Group ID.
- Click on the Edit inbound rules option.
- Use the configuration below to create the rule.
- Click on the Add rule option.
- Type: HTTP
- Source: Custom
- Source value: NLB-Security-Group (select the security group, so only traffic arriving via the NLB is admitted)
- Click on the Save rules option.
us-west-2 Region
demo-vm-security-group (backend VMs)
- Go to Security Groups.
- Click on the demo-vm-security-group ID.
- Click on the Edit inbound rules option.
- Use the configuration below to create the rules.
- Click on the Add rule option.
- Type: HTTP
- Source: Custom
- CIDR blocks: 10.0.144.0/20 (a us-east-1 private subnet CIDR; the ALB nodes that connect to the VMs live in these subnets)
- Click on the Add rule option again and add the CIDR of the other us-east-1 private subnet, so both private subnets are allowed.
- Click on the Save rules option.
Note: Wait some time for these changes to take effect across the architecture.
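As an added offline pre-flight check (not part of the original walkthrough), the script below models the Phase-2 peering routes and the Phase-5 security group rules from this post and traces a request from the internet through the NLB, the ALB and the peering connection to a backend VM, reporting the first hop that would block it. The peering connection ID pcx-demo, the client IP and the ALB node IPs used in the checks are constructed assumptions, not values from the page.

```python
import ipaddress

# Values from the walkthrough (Phase-1/2/5). pcx-demo is a constructed placeholder
# for the peering connection ID; it is not from the page.
VPC_CIDR = {"us-east-1": "10.0.0.0/16", "us-west-2": "10.1.0.0/16"}
# Phase-2 route entries in each region's private route table: destination -> target
ROUTES = {"us-east-1": {"10.1.0.0/16": "pcx-demo"}, "us-west-2": {"10.0.0.0/16": "pcx-demo"}}
# Phase-5 inbound rules: security group -> [(port, source CIDR or source security group)]
SG_RULES = {
    "NLB-Security-Group": [(80, "0.0.0.0/0")],
    "ALB_Security_Group": [(80, "NLB-Security-Group")],
    "demo-vm-security-group": [(80, "10.0.128.0/20"), (80, "10.0.144.0/20")],
}

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def peering_routes_ok(vpcs=VPC_CIDR, routes=ROUTES):
    """Peering only works with non-overlapping CIDRs and a peer route in BOTH tables."""
    east, west = net(vpcs["us-east-1"]), net(vpcs["us-west-2"])
    if east.overlaps(west):
        return False
    return str(west) in routes["us-east-1"] and str(east) in routes["us-west-2"]

def sg_allows(sg, port, src_ip=None, src_sg=None, rules=SG_RULES):
    """True if an inbound rule on `sg` admits `port` from the given IP or source group."""
    for rule_port, source in rules[sg]:
        if rule_port != port:
            continue
        if source in rules:  # rule references another security group by name
            if source == src_sg:
                return True
        elif src_ip is not None and ipaddress.ip_address(src_ip) in net(source):
            return True
    return False

def trace_request(client_ip, alb_node_ip, rules=SG_RULES, vpcs=VPC_CIDR, routes=ROUTES):
    """Walk internet -> NLB -> ALB -> peering -> VM; return the first blocking hop or 'ok'."""
    if not sg_allows("NLB-Security-Group", 80, src_ip=client_ip, rules=rules):
        return "blocked at NLB-Security-Group"
    # The NLB forwards to the ALB target, so the ALB's group must admit the NLB's group.
    if not sg_allows("ALB_Security_Group", 80, src_sg="NLB-Security-Group", rules=rules):
        return "blocked at ALB_Security_Group"
    if not peering_routes_ok(vpcs, routes):
        return "no usable peering route"
    # ALB nodes sit in the us-east-1 private subnets; the VM sees one of those IPs as source.
    if not sg_allows("demo-vm-security-group", 80, src_ip=alb_node_ip, rules=rules):
        return "blocked at demo-vm-security-group"
    return "ok"
```

Dropping one of the two private-subnet CIDRs from demo-vm-security-group makes the trace fail for ALB nodes in the other subnet, which is why Phase-5 adds both.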
Phase-6: Verify the Load Balancer
Go inside Network-Load-Balancer and copy the DNS name.
- Load the DNS name in a browser; the "Hello from nginx on ... (private)" page served by one of the private VMs in us-west-2 should appear.
🌐 Conclusion
We’ve built a powerful Cross-Region Load Balancer Architecture 🌎 connecting private workloads between East US and West US like a pro! 💪
By combining VPC Peering + Internal ALB + Internet Facing NLB, we achieved:
⚡ Ultra-fast low-latency routing
🧩 Enterprise-grade high availability
🔒 Secure private-to-private communication
🚀 A scalable foundation for global apps
This setup reflects what top cloud teams design for resilient, production-ready systems, and now you can too!
If this project sparked your cloud curiosity
💬 Drop a comment | ⭐ Give it a like | 🔁 Share with your DevOps circle!
🚀 Follow Manoj Savukar for More
Daily drops on Cloud | DevOps | Kubernetes | Real-Time Projects ☁️