Load Balancer Types: L4 vs L7
L4 vs L7 is the foundational LB choice. Pick wrong and you pay forever in operational complexity.
What each does
L4 and L7 operate at different layers of the stack. The layer dictates what they can see and what decisions they can make.
- L4 (TCP/UDP). Forwards based on source/destination IP and port; the LB does not inspect application data.
- L4 traits. Fast, cheap, protocol-agnostic; works for anything that runs over TCP or UDP.
- L7 (HTTP). Inspects request headers, path, cookies, host; routes on application semantics.
- L7 traits. Richer features (TLS termination, rate limiting, header rewriting) at the cost of CPU per request.
When L4 wins
- 1. Sub-ms latency required.
- 2. Non-HTTP protocols.
- 3. Pure throughput.
- 4. SSL passthrough preferred.
When L7 wins
L7 wins when the LB has to make application-aware decisions. Anything that requires looking inside the HTTP request belongs at L7.
- Header-based routing. Route by Host, Authorization, X-Tenant; impossible at L4.
- Path-based routing. /api/* to one backend, /static/* to another; standard L7 use case.
- TLS termination. Cert ops centralised at the LB; backends speak plain HTTP within the trusted boundary.
- Application-aware controls. Rate limiting per route, response caching, retries, circuit breaking.
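As an added example (not code from the page), the following Python contrasts the inputs each layer has when choosing a backend, covering both the "What each does" bullets and the L7 routing cases above: the L4 function sees only the connection 5-tuple and is blind to Host, path and cookies, while the L7 function must parse the HTTP request head, reject malformed input, and decode and normalise the path before a Host or prefix rule can be applied safely. Pool names, hostnames, rules and sample requests are constructed for illustration.

```python
# Added example, not code from the page: what an L4 and an L7 balancer can
# each see when picking a backend. Pool names, hostnames and rules are
# constructed for illustration.
import hashlib
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

L4_POOL = ["tcp-1", "tcp-2", "tcp-3"]  # constructed backend pool


def l4_pick(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
            proto: str = "tcp") -> str:
    """L4 decision: hash the 5-tuple onto a backend. Application bytes are
    never read, so Host, path and cookies cannot influence the choice."""
    key = f"{proto}:{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(L4_POOL)
    return L4_POOL[idx]


class BadRequest(Exception):
    """Request heads an L7 balancer should refuse (400) rather than forward."""


@dataclass
class HttpRequest:
    method: str
    path: str      # percent-decoded and normalised; used for prefix matching
    headers: dict  # header names lower-cased


def parse_request_head(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request-head parser. An L7 balancer has to do this
    work, and reject malformed input, before it can route on anything."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        raise BadRequest("malformed request line")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest(f"unsupported version {version!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise BadRequest(f"malformed header {line!r}")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 request without Host")
    # Decode percent-escapes, then collapse "." and ".." segments, so that
    # /static/../api/x or /static/%2e%2e/api/x cannot match the /static/ rule.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    if not path.startswith("/"):
        raise BadRequest("request-target is not an absolute path")
    return HttpRequest(method, path, headers)


# Constructed L7 rules: (host or None for any host, path prefix, backend).
# First match wins, so specific prefixes are listed before catch-alls.
L7_RULES = [
    ("api.example.test", "/api/", "api-pool"),
    (None, "/static/", "static-pool"),
    (None, "/", "web-pool"),
]


def l7_pick(req: HttpRequest) -> str:
    """L7 decision: route on the Host header and the normalised path."""
    host = req.headers.get("host", "").split(":", 1)[0].lower()
    for rule_host, prefix, backend in L7_RULES:
        if rule_host is not None and rule_host != host:
            continue
        # "/api" and "/api/..." both match the "/api/" prefix; "/apix" does not
        if req.path == prefix.rstrip("/") or req.path.startswith(prefix):
            return backend
    raise BadRequest("no matching route")


def route_l7(raw: bytes) -> Optional[str]:
    """Parse then pick; None means the balancer answers 400 and forwards nothing."""
    try:
        return l7_pick(parse_request_head(raw))
    except BadRequest:
        return None


if __name__ == "__main__":
    # Constructed sample: one connection carrying two different requests.
    conn = ("203.0.113.10", 51234, "198.51.100.5", 443)
    api = b"GET /api/users HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
    traversal = b"GET /static/../api/users HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
    print("L4:", l4_pick(*conn), l4_pick(*conn))      # same backend, content ignored
    print("L7:", route_l7(api), route_l7(traversal))  # both api-pool after normalisation
```

The point to take from the two functions is the asymmetry in what each must trust: l4_pick cannot be confused by request content because it never reads it, whereas l7_pick is only as safe as the parsing and normalisation in front of it, which is where the extra CPU per request the page mentions actually goes.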
Hybrid posture
The mature pattern is layered. L4 at the edge for raw speed and DDoS absorption; L7 inside for application-aware routing.
- Edge L4. Network LB or anycast handles the first packet; survives volumetric attacks; sub-millisecond.
- Inside L7. Ingress controller or service mesh handles application routing once traffic is inside the cluster.
- Each layer. Does what it does best; do not push HTTP semantics down to L4 or raw TCP up to L7.
- Latency budget. Each LB hop adds 1 to 5ms; budget the chain explicitly, do not stack indiscriminately.
Antipatterns
- L7 for non-HTTP. Wrong layer: an HTTP proxy cannot parse the protocol, so none of its application-aware features apply.
- L4 with HTTP-aware needs. Routing, TLS handling and rate limiting end up re-implemented in every application.
- Multiple LB layers without thinking. Latency stacks with every hop.
What to do this week
Three moves. (1) Apply this pattern to your highest-risk network path. (2) Measure the failure rate before and after. (3) Document the change so the next incident responder inherits the knowledge.