Reverse Proxy vs Load Balancer

Mental model

A reverse proxy is a receptionist: it greets visitors, decides which office to send them to, and can handle some requests itself (caching, auth). A load balancer is a traffic cop: it stands at a fork in the road and directs cars to the least-busy lane.

Most real tools are both receptionist and traffic cop.

What it looks like

Two separate product categories with clean boundaries.

What it really is

Two overlapping roles that the same software often fills:

  • Reverse proxy: a server that sits between clients and backends. Clients talk to the proxy; the proxy forwards to backends. Clients never see backend addresses.
  • Load balancer: distributes incoming requests across multiple backend instances to spread load and provide failover.

A reverse proxy CAN load balance. A load balancer CAN terminate TLS and rewrite URLs. The overlap is large.

Why it seems confusing

nginx is called a "reverse proxy" but has upstream blocks that load balance. AWS ALB is called a "load balancer" but does path-based routing, TLS termination, and auth — all proxy features. The same tool wears both hats, so the concepts blur.

What actually matters

Reverse proxy features (client-facing intermediary):

  • TLS termination — decrypt HTTPS, forward plain HTTP to backends.
  • Caching, compression, URL rewriting.
  • Authentication / rate limiting at the edge.
  • Hiding backend topology from clients.

Load balancer features (traffic distributor):

  • Health checks — stop sending traffic to dead backends.
  • Algorithms — round-robin, least-connections, weighted.
  • Session affinity (sticky sessions).
  • Failover and redundancy.

L4 vs L7:

  • L4 (transport): routes by IP + port. Doesn't inspect HTTP. Fast, protocol-agnostic. Example: AWS NLB.
  • L7 (application): routes by hostname, URL path, headers. More flexible, more overhead. Example: AWS ALB, nginx.

Common mistakes

  • Thinking you need separate software for each role. Usually one tool (nginx, Envoy, Traefik) handles both.
  • Confusing L4 and L7. An L4 LB can't route by URL path.
  • Using "reverse proxy" to mean "any proxy." A forward proxy serves clients reaching out; a reverse proxy serves backends.
  • Forgetting health checks — load balancing without them sends traffic to dead servers.

Small examples

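# nginx as reverse proxy + load balancer
upstream backend {                   # upstream = load balancer
    server 10.0.0.1:8080;
    server 10.0.0.2:8080;
}

server {
    listen 443 ssl;
    # "listen ... ssl" needs a certificate and key; these paths are placeholders
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    location / {
        proxy_pass http://backend;   # reverse proxy
    }
}

# HAProxy — primarily a load balancer
backend webservers
    balance roundrobin
    server web1 10.0.0.1:80 check    # "check" turns on health checks
    server web2 10.0.0.2:80 check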
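
The "forgetting health checks" mistake above, as an added Python example (not from the original page or from any of the tools it names): a toy balancer with round-robin and least-connections selection, run with and without health checks against a pool where one backend is down. The class names, the `simulate` helper and the third address `10.0.0.3:8080` are constructed for illustration.

```python
import itertools

class Backend:
    def __init__(self, addr, alive=True):
        self.addr = addr
        self.alive = alive      # real state of the server
        self.healthy = True     # balancer's view; only health checks update it
        self.active = 0         # in-flight connections, used by least-connections

class Balancer:
    def __init__(self, backends, health_checks=True):
        self.backends = backends
        self.health_checks = health_checks
        self._rr = itertools.cycle(backends)

    def run_health_checks(self):
        # Stand-in for an active probe (TCP connect or HTTP request per backend).
        for b in self.backends:
            b.healthy = b.alive

    def eligible(self):
        if not self.health_checks:
            return list(self.backends)
        return [b for b in self.backends if b.healthy]

    def pick_round_robin(self):
        pool = self.eligible()
        if not pool:
            return None         # nothing healthy: fail fast instead of looping
        return next(b for b in self._rr if b in pool)

    def pick_least_conn(self):
        pool = self.eligible()
        return min(pool, key=lambda b: b.active) if pool else None

def simulate(health_checks, requests=9):
    """Return how many of `requests` land on a dead backend."""
    pool = [Backend("10.0.0.1:8080"), Backend("10.0.0.2:8080"),
            Backend("10.0.0.3:8080", alive=False)]   # constructed: third is down
    lb = Balancer(pool, health_checks)
    if health_checks:
        lb.run_health_checks()
    picks = [lb.pick_round_robin() for _ in range(requests)]
    return sum(1 for b in picks if not b.alive)

if __name__ == "__main__":
    print("failed without health checks:", simulate(False))
    print("failed with health checks:   ", simulate(True))
```

Least-connections shows the same failure more sharply: a dead backend has zero in-flight connections, so without health checks it looks like the best choice every time.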

One-line summary

A reverse proxy hides backends from clients; a load balancer spreads traffic across them; most tools do both.