The Core Difference in One Sentence
External (Internet facing) Load Balancer: Balances traffic coming from the public internet to resources inside your private network.
Internal (Private) Load Balancer: Balances traffic coming from inside your private network to other resources also inside your private network.
External (Internet Facing) Load Balancer
How it works
It has a public IP address and is accessible from the internet. Clients (users, mobile apps, external APIs) send requests to this public IP, and the load balancer distributes those requests to backend servers (like web servers or application servers) inside your Virtual Private Cloud (VPC).
Common Use Cases
- Hosting a public website or e-commerce site
- Exposing a public REST API to external developers
- Serving a mobile app's backend
Example
Users in different countries typing https://yourapp.com → DNS resolves to a public load balancer IP → Load balancer forwards requests to healthy web servers in your VPC.
Security Note
External load balancers often sit at the "edge" and are paired with security groups, Web Application Firewalls (WAF), and SSL/TLS termination.
Internal (Private) Load Balancer
How it works
It has only a private IP address (no public internet access). It routes traffic within your VPC or data center. Clients are typically other internal services, databases, or application components.
Common Use Cases
- Microservices communication: Service A calls Service B internally
- Database load balancing: Distributing read queries across database replicas
- Internal API gateways: Exposing APIs only to other internal apps
- Tiered architectures: Web tier (external LB) → App tier (internal LB) → Database tier
Example
Your internal order processing service needs to call the inventory service. An internal load balancer sits in front of three inventory service instances, distributing requests and hiding failures — all without ever being reachable from the internet.
Side by Side Comparison
| Feature | External Load Balancer | Internal Load Balancer |
|---|---|---|
| IP Address | Public IP | Private IP only |
| Internet Access | Yes, accessible from internet | No, not accessible from internet |
| Traffic Source | External users, mobile apps, third-party APIs | Internal services, microservices, databases |
| Typical Use | Public websites, external APIs | Internal microservices, database clustering |
| Security | Requires WAF, SSL/TLS, DDoS protection | Only internal security groups needed |
| DNS | Public DNS name | Private DNS name |
| Subnet | Public subnet | Private subnet |
Real World Architecture Example
Internet user
│
▼
┌─────────────────────┐
│ External Load │ (public IP, in public subnet)
│ Balancer │
└─────────────────────┘
│
▼
┌─────────────────────┐
│ Web servers │ (in private subnet)
└─────────────────────┘
│
▼
┌─────────────────────┐
│ Internal Load │ (private IP only, in private subnet)
│ Balancer │
└─────────────────────┘
│
▼
┌─────────────────────┐
│ Application servers │ (in private subnet)
│ + Database replicas │
└─────────────────────┘
- The External LB handles raw HTTPS from users
- The Internal LB distributes API calls from web servers to app servers — never exposed to the internet
Code Example: AWS Load Balancers
External Load Balancer (Public)
// AWS CDK - External Application Load Balancer
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const externalLB = new elbv2.ApplicationLoadBalancer(this, 'ExternalLB', {
vpc: vpc,
internetFacing: true, // External - public IP
loadBalancerName: 'public-web-lb'
});
// Add listener for HTTPS traffic
externalLB.addListener('HTTPS', {
port: 443,
certificates: [certificate],
defaultAction: elbv2.ListenerAction.forward([webTargetGroup])
});
Internal Load Balancer (Private)
// AWS CDK - Internal Application Load Balancer
const internalLB = new elbv2.ApplicationLoadBalancer(this, 'InternalLB', {
vpc: vpc,
internetFacing: false, // Internal - private IP only
loadBalancerName: 'internal-api-lb'
});
// Add listener for internal traffic
internalLB.addListener('HTTP', {
port: 8080,
defaultAction: elbv2.ListenerAction.forward([appTargetGroup])
});
When to Use Which?
Choose External Load Balancer when:
- Your users are on the public internet
- You're hosting a public website or API
- Mobile apps need to connect to your backend
- You need SSL/TLS termination for external traffic
Choose Internal Load Balancer when:
- Services within your network need to communicate
- You're implementing microservices architecture
- You need database read replica distribution
- You want to keep internal traffic private and secure
Common Cloud Provider Names
| Provider | External LB Name | Internal LB Name |
|---|---|---|
| AWS | Internet-facing ALB/NLB | Internal ALB/NLB |
| Azure | Public Load Balancer | Internal Load Balancer |
| GCP | External HTTP(S) LB | Internal TCP/UDP LB |
Key Takeaway
| Type | Traffic Source | Accessibility |
|---|---|---|
| External | Public traffic from outside your network | Internet accessible |
| Internal | Private traffic from inside your network | Only within VPC |
Choose External when your users are on the internet.
Choose Internal when services within your network need to talk to each other reliably at scale.
Written by Kashaf Abdullah
Software Engineer | MERN Stack | Web Development
Top comments (0)