L4 load balancers route based on IP + port. L7 routes based on HTTP headers, paths, cookies. L7 is more flexible; L4 is faster and supports any TCP protocol. The right choice depends on what routing decisions you need and whether you control the protocol.
L4 (TCP/UDP)
Examples: AWS NLB, HAProxy in TCP mode, Linux IPVS, Cloudflare Spectrum. Speed: 10-50M pps per instance. Sees: source IP, dest IP/port. Routes based on hash, round-robin, or least-conn. Cannot inspect HTTP — protocol-agnostic.
L7 (HTTP/gRPC)
Examples: AWS ALB, Envoy, NGINX, Cloudflare. Speed: ~100K rps per instance. Sees: full HTTP request. Routes based on host header, path, cookies, JWT claims. Adds TLS termination, header rewriting, rate limiting.
When L4 wins
Non-HTTP protocols (gaming, message queues, custom TCP). Maximum throughput needed. End-to-end TLS (L4 doesn't terminate). UDP traffic (video calls, DNS).
When L7 wins
Routing by URL path (microservices). A/B testing by header or cookie. Centralized auth, rate limiting. WebSocket upgrade handling. HTTP/2 multiplexing across backends.
Layered (L4 → L7)
Common production pattern: an NLB at the edge (handles raw TCP, supports any protocol, fast failover) forwarding to an ALB or Envoy fleet that does the L7 routing. Best of both. The NLB is your DDoS shield; the ALB is your app router.
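Added example, not from the original page: the layered pattern above expressed as a single HAProxy configuration, using HAProxy's own TCP mode for the L4 tier and HTTP mode for the L7 tier, and going one step further by carrying the real client address between tiers with the PROXY protocol so the L7 rate limit and logs key on it rather than on whatever X-Forwarded-For the client sent. All addresses, pool names and the certificate path are assumed placeholders.

```haproxy
# Tier 1: L4 edge in TCP mode. Sees only src/dst IP and port; TLS passes through untouched.
frontend edge_tcp
    mode tcp
    bind :443
    option tcplog
    default_backend l7_tier

backend l7_tier
    mode tcp
    balance source                       # hash on client IP; no HTTP parsing involved
    # send-proxy-v2 carries the real client IP/port to tier 2 (PROXY protocol v2)
    server l7a 10.0.1.10:8443 check send-proxy-v2   # placeholder addresses
    server l7b 10.0.1.11:8443 check send-proxy-v2

# Tier 2: L7 in HTTP mode. Terminates TLS, then routes on host/path/cookie and enforces limits.
frontend app_http
    mode http
    # accept-proxy: read the client address from tier 1's PROXY header, not the TCP peer
    bind :8443 ssl crt /etc/haproxy/certs/site.pem accept-proxy   # placeholder cert path
    option httplog
    # Client IP comes from the PROXY header (src); drop any client-supplied X-Forwarded-For first
    http-request del-header X-Forwarded-For
    http-request set-header X-Forwarded-For %[src]
    # Rate limiting per client IP: deny above 100 requests per 10 s window
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    # Routing decisions only an L7 balancer can make
    acl is_api    path_beg /api/
    acl is_canary req.cook(canary) -m str on
    use_backend api_pool    if is_api
    use_backend canary_pool if is_canary
    default_backend web_pool

backend api_pool
    mode http
    balance leastconn
    server api1 10.0.2.10:8080 check
    server api2 10.0.2.11:8080 check

backend canary_pool
    mode http
    server canary1 10.0.3.10:8080 check

backend web_pool
    mode http
    balance roundrobin
    server web1 10.0.2.20:8080 check
    server web2 10.0.2.21:8080 check
```

If tier 1 is a cloud NLB rather than HAProxy, the equivalent is enabling PROXY protocol v2 on its target group; without it, tier 2 only ever sees tier 1's addresses and the per-IP limit collapses onto a handful of NLB nodes.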