Introduction
Load balancing is one of those infrastructure components that sounds simple — distribute traffic across multiple servers — but becomes surprisingly complex at scale. The choice between load balancers involves decisions about global vs regional distribution, L4 vs L7 processing, health checking strategies, SSL termination points, and integration with the broader security and compute stack.
The four providers take distinctly different approaches. Cloudflare provides DNS-based global load balancing that works across any infrastructure. AWS offers a family of regional load balancers (ALB, NLB, GLB) with a separate global option (Global Accelerator). Azure provides Front Door as a global L7 platform alongside regional options. Google offers a true anycast global load balancer that is arguably the most architecturally elegant.
Understanding these architectural differences matters more than comparing throughput numbers — the right load balancer depends on where your backends are, what protocol they speak, and how globally distributed your users are.
Architecture Deep Dive
Cloudflare Load Balancing: DNS-Based Global Steering
Cloudflare's load balancing operates at the DNS and proxy layer. When a user requests your domain, Cloudflare's DNS returns an IP that routes to the optimal origin based on health, proximity, weight, and custom rules. The request then passes through Cloudflare's reverse proxy (the same proxy that provides CDN, WAF, and DDoS protection) before reaching the origin.
How it works:
- Origins and pools: You define origin pools — groups of origin servers (IP addresses or hostnames). A pool might be "US-East servers" or "EU production cluster."
- Health monitors: Cloudflare probes your origins from multiple global locations. If an origin fails health checks, it is removed from the pool. If an entire pool is unhealthy, traffic fails over to the next pool.
- Traffic steering: Cloudflare directs traffic to the best pool using configurable policies:
| Steering Policy | Description |
|---|---|
| Off (failover) | Route to the first healthy pool in priority order |
| Random | Distribute randomly across healthy pools |
| Weighted | Distribute by percentage across pools |
| Geo | Route to the nearest pool by geographic region |
| Dynamic | Route based on measured RTT from Cloudflare PoPs to origins |
| Proximity | Route based on geographic distance with configurable bias |
| Least outstanding requests | Route to the pool handling the fewest active requests |
Key characteristics:
- Works with any origin — AWS, Azure, GCP, bare metal, on-premises, or any combination
- Health checks run from multiple global locations simultaneously, detecting region-specific outages
- Integrated with Cloudflare's proxy — failover happens without the user experiencing a DNS TTL delay because Cloudflare's proxy handles the routing internally
- Session affinity options: cookie-based, IP-based, or header-based
- Custom rules: Route based on headers, URL paths, cookies, or geographic attributes
What Cloudflare LB is NOT: It is not a traditional L4/L7 load balancer that distributes TCP connections across instances within a data center. It is a global traffic management system that steers users to the right origin region or data center. For intra-region instance-level balancing, you would still use a regional load balancer (ALB, NLB, etc.) behind Cloudflare.
AWS Elastic Load Balancing: A Family of Regional Balancers
AWS provides three distinct load balancers, each optimized for different use cases:
Application Load Balancer (ALB) — Layer 7 (HTTP/HTTPS):
| Feature | Details |
|---|---|
| Scope | Regional (single AZ or cross-AZ) |
| Protocol | HTTP, HTTPS, gRPC, WebSocket |
| Routing | Path-based, host-based, header-based, query string, source IP |
| Targets | EC2 instances, containers (ECS/EKS), Lambda functions, IP addresses |
| SSL/TLS | Termination with ACM certificates, SNI for multiple domains |
| Authentication | Built-in OIDC/Cognito authentication |
| Sticky sessions | Cookie-based (application or ALB-generated) |
| Health checks | HTTP/HTTPS, customizable path/interval/threshold |
| Cross-zone | Enabled by default |
ALB is the workhorse for web applications on AWS. Its deep integration with ECS and EKS makes it the natural choice for containerized workloads. The ability to use Lambda functions as targets bridges serverless and traditional architectures.
Network Load Balancer (NLB) — Layer 4 (TCP/UDP/TLS):
| Feature | Details |
|---|---|
| Scope | Regional, with static IP per AZ |
| Protocol | TCP, UDP, TLS |
| Performance | Millions of requests/second, ultra-low latency |
| Source IP | Preserved (no SNAT) |
| Health checks | TCP, HTTP, HTTPS |
| Targets | EC2 instances, IP addresses, ALB (as target) |
| TLS termination | Optional |
| Static IP | One per AZ (or Elastic IP) |
NLB handles workloads where ALB cannot: raw TCP connections, UDP protocols (gaming, DNS, IoT), and scenarios requiring source IP preservation or static IPs. NLB can also front an ALB, combining L4 performance with L7 routing.
Gateway Load Balancer (GLB) — Layer 3 (network appliances):
GLB transparently inserts network appliances (firewalls, IDS/IPS, deep packet inspection) into the traffic flow. It is specialized for security appliance integration and not typically used for application load balancing.
AWS Global Accelerator bridges the gap between regional load balancers and global traffic distribution. It provides two static anycast IP addresses that route traffic over AWS's private backbone to the nearest healthy regional endpoint. This reduces internet routing variability and provides faster failover than DNS-based approaches.
Azure: Front Door (Global) + Load Balancer (Regional)
Azure's load balancing strategy mirrors its CDN/security convergence around Azure Front Door:
Azure Front Door (Global L7):
- Operates on Microsoft's global network across 192+ PoPs
- Combines CDN, WAF, DDoS protection, and global load balancing in one service
- Routing methods: Latency-based, priority, weighted, session affinity
- Health probes: Configurable HTTP/HTTPS probes from multiple PoPs
- SSL termination: Automatic certificate management, custom certificates, mTLS
- URL rewrite and redirect: Transform requests before reaching backends
- Private Link origins: Connect to backends without public IP exposure
- Caching: Built-in CDN caching with customizable rules
Azure Application Gateway (Regional L7):
- Regional HTTP/HTTPS load balancer with WAF v2
- Path-based and host-based routing
- SSL offloading with Key Vault integration
- Autoscaling and zone redundancy
- WebSocket and HTTP/2 support
Azure Load Balancer (Regional L4):
- Standard and Basic tiers
- TCP/UDP load balancing within a region
- Health probes (TCP, HTTP, HTTPS)
- Static frontend IP, backend pools with VMs or VMSS
- Cross-zone and cross-region (via global tier) support
Azure Traffic Manager (DNS-based global):
- DNS-level traffic management (similar to Route 53 routing policies)
- Performance, weighted, priority, geographic, multivalue, and subnet routing
- Works with any internet-facing endpoint (not just Azure)
Azure's load balancing is the most complex to navigate. Four different products cover overlapping use cases, and choosing the right one requires understanding the distinctions between global vs regional, L4 vs L7, and Azure-native vs external endpoints.
Google Cloud Load Balancing: True Anycast Global LB
Google Cloud's load balancer is arguably the most architecturally elegant:
Global External HTTP(S) Load Balancer (the primary product):
- A single anycast IP routes traffic globally to the nearest healthy backend
- Users connect to the nearest Google PoP, and traffic is forwarded over Google's private backbone to the best backend region
- Premium tier uses Google's backbone; Standard tier uses public internet routing
- URL map for path and host-based routing
- Backend services can span multiple regions simultaneously
- Cloud CDN is enabled as a checkbox on backend services
- Cloud Armor (WAF/DDoS) integrates at the load balancer level
- Automatic SSL certificate management via Google-managed certs
- HTTP/2, gRPC, and WebSocket support
The elegance of Google's approach: a single configuration resource (the URL map + backend service) represents a globally distributed, anycast-addressed load balancer with integrated CDN and security. There is no separate "global load balancer" vs "regional load balancer" vs "CDN" vs "WAF" — it is all one system.
Other Google load balancers:
- Regional External HTTP(S) LB: L7 load balancer within a single region (envoy-based)
- External TCP/UDP Network LB: L4 for TCP/UDP workloads (pass-through)
- Internal HTTP(S) LB: L7 for traffic between services within GCP
- Internal TCP/UDP LB: L4 for internal traffic
- Cross-region Internal LB: L7 across regions within GCP
Google's premium tier network is the differentiator. Traffic enters Google's network at the nearest PoP and travels over private fiber to the backend — avoiding the congestion, packet loss, and variable latency of the public internet. This is similar to AWS Global Accelerator but built into the default load balancer at no additional per-accelerator charge.
Feature Comparison
| Feature | Cloudflare LB | AWS ALB/NLB | Azure Front Door | Google Global HTTP(S) LB |
|---|---|---|---|---|
| Scope | Global (DNS + proxy) | Regional (ALB/NLB), global (GA) | Global | Global (anycast) |
| Layer | L7 (HTTP/HTTPS) | L7 (ALB) / L4 (NLB) | L7 (HTTP/HTTPS) | L7 (HTTP/HTTPS) |
| Anycast IP | Cloudflare shared | Static per AZ (NLB), GA provides | Microsoft network | Single global anycast IP |
| Health checks | Multi-location global | Same-region | Multi-PoP global | Google probing system |
| Failover speed | Seconds (proxy-level) | Seconds (within region) | Seconds | Seconds |
| SSL termination | Yes (free Universal SSL) | Yes (ACM certs, free) | Yes (managed certs) | Yes (Google-managed certs) |
| Path-based routing | Via Workers or custom rules | Yes (ALB) | Yes | Yes (URL maps) |
| Weighted routing | Yes | Yes (target group weights) | Yes | Yes (backend weights) |
| Geo routing | Yes (geo steering) | No (ALB), yes (Route 53 + GA) | No (latency-based) | No (proximity-based) |
| Session affinity | Cookie, IP, header | Cookie (ALB), source IP (NLB) | Cookie, IP | Cookie, header, IP |
| WebSocket | Yes | Yes (ALB) | Yes | Yes |
| gRPC | Yes | Yes (ALB) | Limited | Yes |
| mTLS | Yes | Yes (ALB) | Yes | Yes |
| Multi-cloud backends | Yes (any origin) | No (AWS targets only) | Yes (any HTTP endpoint) | No (GCP backends primarily) |
| Integrated CDN | Yes (Cloudflare proxy) | Separate (CloudFront) | Yes (built-in) | Yes (Cloud CDN checkbox) |
| Integrated WAF | Yes (Cloudflare WAF) | Separate (AWS WAF) | Yes (Azure WAF) | Yes (Cloud Armor) |
| Integrated DDoS | Yes (all plans) | Shield Standard (free) | Included | Included |
Multi-Cloud: The Cloudflare Advantage
One of Cloudflare Load Balancing's most significant differentiators is cloud-agnostic origin support. Your origin pools can include:
- AWS EC2 instances
- Azure VMs
- GCP Compute Engine instances
- On-premises data centers
- Bare-metal servers
- Other CDN endpoints
- Any combination of the above
This makes Cloudflare the natural choice for multi-cloud architectures where you need a single load balancer that spans providers. AWS ALB/NLB only target AWS resources. Google's global LB primarily targets GCP backends (external backends are supported but limited). Azure Front Door supports any HTTP endpoint but is optimized for Azure backends.
If your resilience strategy requires failover between AWS and GCP, or between cloud and on-premises, Cloudflare is the only load balancer in this comparison that treats all backends equally.
Health Checking: Global vs Regional Perspective
The location of health checks matters more than most people realize.
Cloudflare runs health checks from multiple PoPs globally. If your origin is healthy from the US but unreachable from Europe (due to a regional network issue, ISP problem, or submarine cable failure), Cloudflare detects this and steers European users to an alternative origin. This global perspective catches issues that regional health checks miss.
AWS ALB/NLB health checks run from within the same region as the load balancer. They detect whether a target is healthy from that region's perspective but cannot detect issues affecting users in other regions. AWS Global Accelerator health checks run from multiple AWS edge locations, providing a broader perspective.
Azure Front Door runs health probes from multiple PoPs, similar to Cloudflare. Azure Application Gateway and Azure Load Balancer check from within the region.
Google runs health checks from Google's distributed probing system, providing a global perspective for the global load balancer. Regional health checks probe from within the region.
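The vantage-point effect described in this section, combined with the "Off (failover)" steering policy from the Cloudflare table, as an added example (a toy model written for this comparison, not any provider's implementation). The pool names, probe locations, probe results and the two-in-a-row thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class OriginHealth:
    """Health of one origin as seen from one probe location."""
    fail_threshold: int = 2   # consecutive failures before marking down (assumed)
    pass_threshold: int = 2   # consecutive passes before marking up (assumed)
    healthy: bool = True
    streak: int = 0

    def record(self, passed: bool) -> bool:
        # Only results that disagree with the current state build a streak;
        # an agreeing result resets it, so a single blip does not flap the origin.
        if passed == self.healthy:
            self.streak = 0
            return self.healthy
        self.streak += 1
        limit = self.pass_threshold if passed else self.fail_threshold
        if self.streak >= limit:
            self.healthy, self.streak = passed, 0
        return self.healthy

class Monitor:
    """One OriginHealth per (origin, probe location) pair."""
    def __init__(self, origins, locations):
        self.state = {(o, loc): OriginHealth() for o in origins for loc in locations}

    def ingest(self, results):
        # results: iterable of (origin, probe_location, passed)
        for origin, location, passed in results:
            self.state[(origin, location)].record(passed)

    def healthy_from(self, origin, location):
        return self.state[(origin, location)].healthy

def steer(monitor, pools, vantage):
    """Failover steering: first pool in priority order that has an origin
    healthy from `vantage`. Returns (pool, origin), or None if all are down."""
    for pool_name, origins in pools:
        for origin in origins:
            if monitor.healthy_from(origin, vantage):
                return pool_name, origin
    return None

# Constructed scenario: us-east-1 is reachable from the US but not from Europe.
POOLS = [("primary-us", ["us-east-1"]), ("secondary-eu", ["eu-west-1"])]
PROBE_ROUND = [
    ("us-east-1", "us", True), ("us-east-1", "eu", False),
    ("eu-west-1", "us", True), ("eu-west-1", "eu", True),
]

def run_scenario(rounds=2):
    monitor = Monitor(["us-east-1", "eu-west-1"], ["us", "eu"])
    decisions = []
    for _ in range(rounds):
        monitor.ingest(PROBE_ROUND)
        decisions.append({
            # A checker that only probes from the US keeps EU users on us-east-1.
            "us_only_view": steer(monitor, POOLS, "us"),
            # A checker with an EU vantage point fails EU users over.
            "eu_view": steer(monitor, POOLS, "eu"),
        })
    return decisions

if __name__ == "__main__":
    for i, d in enumerate(run_scenario(), 1):
        print(f"round {i}: {d}")
```

After the first probe round both views still pick the primary pool because the failure threshold has not been reached; after the second, only the view with a European vantage point moves European users to the secondary pool.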
Pricing Comparison
Prices as of February 2026. All prices in USD.
Cloudflare Load Balancing
| Component | Cost |
|---|---|
| Base (2 origins, 60s health checks, 500K queries) | $5/month |
| Additional origins | $5/month each |
| Additional 500K DNS queries | $0.50 per 500K |
| 10-second health check intervals | Additional (contact sales) |
| Geo steering | Included |
| Session affinity | Included |
| Custom rules | Included |
AWS Elastic Load Balancing
ALB:
| Component | Cost |
|---|---|
| Hourly charge | $0.0225/hour (~$16.20/month) |
| LCU-hour | $0.008/LCU-hour |
An LCU (Load Balancer Capacity Unit) is measured across four dimensions, and you are billed only for the one with the highest usage: new connections (25/sec), active connections (3,000), processed bytes (1 GB/hour), or rule evaluations (1,000/sec). For a moderate workload, expect $30-80/month.
NLB:
| Component | Cost |
|---|---|
| Hourly charge | $0.0225/hour (~$16.20/month) |
| NLCU-hour | $0.006/NLCU-hour |
Global Accelerator:
| Component | Cost |
|---|---|
| Hourly charge | $0.025/hour (~$18/month per accelerator) |
| Data transfer premium | $0.015-0.035/GB (over standard transfer) |
Azure Front Door
| Tier | Base | Per Request | Per GB |
|---|---|---|---|
| Standard | Included in routing | $0.01/10K requests | $0.065/GB (first 10TB) |
| Premium | Included in routing | $0.012/10K requests | $0.10/GB (first 10TB) |
Azure Front Door's pricing is usage-based with no fixed monthly charge, but the per-request and per-GB costs add up quickly at scale.
Google Cloud Load Balancing
| Component | Cost |
|---|---|
| Forwarding rules (first 5) | $0.025/hour each (~$18/month) |
| Additional forwarding rules | $0.01/hour each |
| Data processing | $0.008/GB (inbound), $0.008-0.012/GB (outbound) |
| Premium tier network | Included in LB pricing |
Cost Comparison: Worked Examples
Scenario 1: Simple failover (2 origins, low traffic)
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | LB with 2 origins | $5 |
| AWS | ALB + health checks | ~$20 (ALB minimum) |
| Azure | Front Door Standard | ~$15-30 (traffic dependent) |
| Google | Global LB (1 forwarding rule) | ~$20 |
Cloudflare is cheapest for simple failover at $5/month.
Scenario 2: Production web app (4 origins, 50M requests/month, 500GB data)
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | LB with 4 origins + Cloudflare proxy | $15 (LB) + plan cost |
| AWS | ALB + moderate LCU usage | ~$50-80 |
| Azure | Front Door Standard | ~$90 (requests + data) |
| Google | Global LB + Cloud CDN | ~$30-50 |
Scenario 3: Global multi-region (8 origins across 4 regions, 500M requests/month)
| Provider | Configuration | Monthly Cost |
|---|---|---|
| Cloudflare | LB with 8 origins + geo steering | $45 (LB) + plan cost |
| AWS | 4 regional ALBs + Global Accelerator | ~$250-400 |
| Azure | Front Door Premium | ~$600+ |
| Google | Global LB (multi-region backends) | ~$150-250 |
At global scale with multiple regions, Cloudflare's load balancing is dramatically cheaper. The hyperscaler load balancers cost more because they charge per-hour, per-LCU/connection, and per-GB at each regional deployment. Cloudflare's per-origin pricing does not scale with traffic volume.
SSL/TLS Termination
Load balancers serve as the SSL/TLS termination point in most architectures. How each provider handles certificate management affects both security posture and operational overhead.
| Feature | Cloudflare | AWS ALB | Azure Front Door | Google Global LB |
|---|---|---|---|---|
| Free certificates | Universal SSL (all plans) | ACM (free, auto-renewed) | Managed certs (free) | Google-managed (free) |
| Custom certificates | Business+ / Advanced Certificate Manager | Upload or ACM | Upload or Key Vault | Upload or Certificate Manager |
| Automatic renewal | Yes | Yes (ACM) | Yes (managed) | Yes (Google-managed) |
| TLS versions | 1.0-1.3 (configurable min) | 1.0-1.3 (security policy) | 1.0-1.3 (configurable) | 1.0-1.3 (SSL policy) |
| Cipher suite control | Predefined profiles | Security policy selection | Predefined profiles | SSL policy selection |
| SNI support | Yes (unlimited domains) | Yes | Yes | Yes |
| mTLS (client certs) | Yes (API Shield) | Yes | Yes | Yes |
| Certificate transparency | Automatic CT monitoring | N/A | N/A | Certificate Transparency logs |
Cloudflare's Universal SSL is notable: every domain on Cloudflare automatically gets a free SSL certificate with no configuration required. This includes subdomains and handles renewal automatically. The Advanced Certificate Manager ($10/month) adds custom certificates, certificate pinning, and finer control.
Decision Framework
Choose Cloudflare Load Balancing When:
- Multi-cloud or hybrid — you need one load balancer across AWS, Azure, GCP, and on-premises
- Global traffic steering — geo, latency, and weighted routing across regions with integrated CDN
- Simple failover — $5/month for 2-origin health-checked failover beats any alternative
- Security-integrated LB — DDoS, WAF, and bot protection in the same traffic path
- Cost sensitivity at global scale — per-origin pricing does not scale with traffic volume
Choose AWS ALB/NLB When:
- Single-region, high-throughput HTTP — ALB is the most mature L7 load balancer for AWS workloads
- L4 TCP/UDP — NLB for gaming, IoT, gRPC, or any non-HTTP protocol
- Deep AWS integration — targets include EC2, ECS, EKS, Lambda, and IP addresses
- Advanced L7 routing — path-based, host-based, header-based routing with weighted target groups
- Container orchestration — ALB's native ECS/EKS integration is the smoothest container LB experience
Choose Azure Front Door When:
- Azure-native global — global L7 with integrated CDN, WAF, and DDoS for Azure backends
- Private Link origins — secure backend connectivity without public IPs
- Consolidated platform — one service for LB + CDN + WAF instead of three separate products
- Enterprise Microsoft — integration with Azure Monitor, Azure Policy, and Microsoft support
Choose Google Cloud Global LB When:
- True anycast elegance — single anycast IP for global HTTP(S) load balancing with CDN and security
- GCP-native workloads — seamless integration with GKE, Cloud Run, Compute Engine
- Premium network — traffic enters Google's backbone at the nearest PoP for consistently low latency
- Integrated CDN + security — Cloud CDN and Cloud Armor as simple checkboxes on the backend service
The Architectural Choice
Load balancing is the infrastructure category where the providers' architectural philosophies are most visible.
Cloudflare says: "Traffic is already flowing through our network (for CDN and security). We will add intelligent routing on top of the same path — at minimal additional cost."
AWS says: "We provide purpose-built load balancers for every protocol and use case within our cloud. If you need global distribution, add Global Accelerator."
Azure says: "Azure Front Door consolidates CDN, LB, WAF, and DDoS into one global platform. For regional L4/L7, we have dedicated products."
Google says: "Our global anycast load balancer runs on the same network as Search and YouTube. Add CDN and security as configuration options."
The honest takeaway: Cloudflare and Google offer the cleanest global load balancing models — one configuration, one IP (for Google), global distribution. AWS offers the deepest regional load balancing with the most protocol support and tightest container integration. Azure Front Door provides a good middle ground for Azure-centric organizations but adds complexity with its four overlapping LB products.
For most web applications, the right architecture is Cloudflare or Google for global traffic steering plus a regional load balancer (ALB, Azure App Gateway, or GCP regional LB) for intra-region instance distribution. These layers serve different purposes and work well together.