L4 vs L7 Load Balancing: When Speed Beats Smartness

The question is not which layer is smarter. The question is how much work you want the load balancer to do on every single packet.

An L4 load balancer looks at five fields: source IP, destination IP, source port, destination port, and protocol. That is it. It picks a backend, sets up a connection, and shuffles bytes between the two sockets. It does not know whether those bytes are HTTP, gRPC, a Postgres handshake, or a custom binary protocol your team built last year. It does not care. That ignorance is the feature. A modern L4 balancer can push millions of packets per second per core because the hot path is essentially a hash and a forward.

An L7 load balancer parses the application protocol. For HTTP that means it reads the request line, the headers, sometimes the body. Now you can route /api/v2/* to a new service, send anything with x-canary: true to a staging pool, terminate TLS at the edge, rewrite paths, enforce per-endpoint rate limits, and emit structured access logs with the full URL. None of that is possible at L4 because the payload is opaque ciphertext or framed bytes the balancer has no parser for.

The cost is real. L7 has to buffer the request, run a parser, evaluate a rule chain, and often re-serialize. You pay in CPU, memory, and added latency on every request, not every connection.

A concrete failure mode I have seen: a team put their internal Redis traffic behind an L7 proxy because the rest of the stack used one. Redis pipelines hundreds of small commands over a single long-lived TCP connection. The proxy could not parse RESP, so it fell back to passthrough mode but still allocated per-request buffers and burned a worker thread per connection. Tail latency went from sub-millisecond to tens of milliseconds under load. The fix was an L4 listener on a different port. The fancy features were not needed and were actively hurting them.

Mental model: L4 asks where this connection should go. L7 asks what this request is trying to do. If every request goes to the same pool and you just need raw distribution, L4 is the right tool.

Most large systems run both. L4 at the edge for raw connection capacity and DDoS absorption. L7 behind it for TLS termination, host and path routing, retries, and observability. You get throughput from the bottom layer and control from the top. Use each one for what it is good at.