Load balancer breakeven

Load balancer breakeven — self-hosted vs managed

Load balancers are rarely the biggest cost in your stack, but they're one of the most commonly over-provisioned. AWS ALB at $22/mo baseline plus per-request fees adds up fast on high-traffic APIs, while HAProxy or Nginx on a $5/mo VM can handle the same load if you're willing to operate it. This calculator shows the crossover point so you can pick without guessing.

What a load balancer does

• Distributes traffic across 2+ backend instances (round-robin, least-connections, hash-based).
• Health checks: pings backends, removes unhealthy ones from rotation until they recover.
• SSL termination: handles HTTPS so backends can speak plain HTTP internally.
• Connection pooling: reduces backend connections from one-per-client to fewer pooled connections.
• Request routing: path-based, host-based, header-based routing to different services.

Managed LB pricing

The big three hyperscalers all charge three components:

• Base (LCU or connection hours): Typically $18-25/mo baseline before any traffic. Pays for the LB running 24/7.
• Per-request fees: AWS ALB $0.008 per LCU-hour; GCP $0.0060-0.025 per rule-hour; Azure similar. Works out to ~$0.50-1.00 per million requests.
• Bandwidth: Usually bundled into egress costs from the LB. AWS NLB charges separately for LCU processed.

A mid-size app at 500M requests/month with 50GB bandwidth typically pays $350-600/mo for managed LB.

Self-hosted options

• HAProxy: The industry standard for high-throughput TCP/HTTP load balancing. Very fast (millions of requests/sec on single core). Complex config. Battle-tested.
• Nginx: Multi-purpose (reverse proxy + static content). Slightly slower than HAProxy for pure LB but more versatile. Easier config.
• Traefik: Auto-discovery (Docker, Kubernetes). Less config overhead. Good for dynamic environments.
• Caddy: Automatic HTTPS via Let's Encrypt. Simplest config. Slightly less performant.

All run fine on a $5-40/mo VM. The real cost is operational: cert renewal (solved by Caddy/Let's Encrypt), monitoring, failover (active-passive HA needs two VMs + VRRP/keepalived), patching, logging.

Cloudflare as a hybrid option

Cloudflare's load balancer is often the best option for content-heavy public apps:

• $5/mo base
• $0.50/mo per origin pool
• $0.50 per million DNS queries
• Free SSL, DDoS, and CDN caching
• Global anycast routing

Hidden wins: bandwidth caching via Cloudflare CDN dramatically reduces origin egress costs (often 60-80% savings), and Cloudflare to your origin bandwidth is free if peered (like AWS Direct Connect).

The hidden cost: operational burden

Self-hosted LB saves infrastructure cost but costs engineering time:

• Cert rotation: Without Caddy, renewing certs every 60-90 days. Automation via certbot helps. Most teams have had at least one cert-expiry outage.
• HA setup: Single LB = single point of failure. HA needs two VMs + VRRP or floating IP. Adds complexity.
• Monitoring: Prometheus + exporters, or paid monitoring. Cost of observing the LB itself.
• Patching: HAProxy/Nginx vulns periodically require patching. Ops burden.
• Scaling: Beyond single VM capacity, you add sharding or clustering. Complex.

If a developer costs $75/hour loaded, 5 hours/month of LB ops work is $375 — more than most managed LB bills at small-medium scale.

When to switch from managed to self-hosted

Rough trigger points:

• Under $100/mo on managed LB: Stay managed. Ops cost exceeds savings.
• $100-500/mo: Consider Cloudflare LB first. Self-host rarely worth it yet.
• $500-3,000/mo: Break-even zone. Self-host if you have DevOps capacity; else optimize managed (reserved capacity, fewer LBs).
• $3,000+/mo: Self-hosting on bare metal or smaller VMs almost always saves 50-80%. Engineering time investment pays back.

Patterns that work

1. Cloudflare front + managed backend LB: Cloudflare handles global routing + DDoS + caching; a small managed LB or direct origin connection behind it.
2. Regional ALB + global Route53 failover: Cheaper than global load balancing; works for most multi-region setups.
3. Istio / service mesh: For microservice architectures, internal LBing is handled by the mesh. Egress LB is minimal.
4. Kubernetes ingress: Nginx or Traefik ingress controller on managed Kubernetes. Pay for cluster, LB comes "free" as part of ingress.