Reverse Proxy vs Load Balancer: Key Differences and Use Cases

A reverse proxy acts as a unified gateway to backend services for SSL termination and caching, while a load balancer distributes traffic across identical server instances to ensure horizontal scalability and fault tolerance.

In distributed system architecture, these two patterns serve distinct but complementary roles in managing client requests. According to the donnemartin/system-design-primer repository, understanding when to deploy each pattern—or both together—is essential for designing production-grade infrastructure that scales efficiently.

Core Architectural Differences

While both components sit between clients and backend servers, they solve fundamentally different problems as documented in the README.md sections on Reverse Proxy and Load Balancer vs Reverse Proxy.

Primary Purpose

  • Reverse Proxy: Provides a single entry point for one or more heterogeneous services, handling SSL termination, request routing, compression, and caching. It hides the internal topology of backend servers from public exposure.
  • Load Balancer: Distributes incoming traffic evenly across a pool of identical servers performing the same function, ensuring no single instance becomes a bottleneck.

Operational Scope

A reverse proxy delivers value even with a single backend service by centralizing cross-cutting concerns like certificate management and static asset delivery. Conversely, a load balancer becomes necessary only when running multiple server replicas that require traffic distribution and health-check-based failover.

OSI Layer Operation

Reverse proxies typically operate at Layer 7 (application level), inspecting HTTP headers, URLs, and cookies to make routing decisions. Load balancers can operate at Layer 4 (transport level, TCP/UDP) for protocol-agnostic distribution or Layer 7 for HTTP-specific routing.

Failure Handling

Load balancers include built-in health checks to automatically remove unhealthy nodes from rotation. Reverse proxies require explicit configuration of multiple proxy instances to avoid becoming a single point of failure, as they do not inherently manage backend health states.

When to Use a Reverse Proxy

Deploy a reverse proxy when your architecture requires centralized request handling capabilities independent of scaling concerns:

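  • SSL Termination: Offload TLS encryption from backend services so they handle only plain HTTP, reducing CPU overhead on application servers. Traffic between the proxy and the backends is then unencrypted, so that hop must stay on a trusted internal network.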
  • Caching and Compression: Store static responses at the edge and compress outbound traffic to reduce latency and bandwidth utilization.
  • Static Content Serving: Deliver HTML, CSS, JavaScript, and media files directly from the proxy layer without burdening application servers.
  • Backend Abstraction: Hide internal service ports, hostnames, and network topology from clients while enforcing security policies like IP blacklisting or rate limiting.
  • Multi-Service Routing: Unify access to heterogeneous backend services (different ports, protocols, or technologies) behind a single public endpoint.

When to Use a Load Balancer

Implement a load balancer when your primary concern is distributing workload across redundant infrastructure:

  • Horizontal Scaling: Add or remove identical server instances dynamically without updating client configurations or DNS records.
  • High Availability: Automatically detect server failures through health checks and reroute traffic to healthy nodes with zero manual intervention.
  • Even Utilization: Prevent individual servers from becoming overwhelmed while others remain idle, optimizing resource usage across your fleet.
  • Layer 4 Requirements: Handle non-HTTP protocols such as TCP-based databases, gRPC services, or custom binary protocols that require transport-level distribution.

Combined Deployment Patterns

In production environments, these patterns often work sequentially. As illustrated in the system design primer's web crawler solution and related architectures, a typical deployment places a reverse proxy in front of a load-balanced application tier.

The reverse proxy handles TLS termination, caching, and initial request inspection at the edge, then forwards traffic to a load balancer (or acts as one itself) that distributes requests across multiple identical application server instances. This layered approach combines the security and optimization benefits of reverse proxying with the scalability and resilience of load balancing.

Configuration Examples

The following configurations demonstrate the distinct responsibilities of each component using production-grade tools.

NGINX as a Reverse Proxy

This configuration terminates SSL, serves static assets directly, and proxies API requests to a backend service:


# /etc/nginx/conf.d/reverse-proxy.conf

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;

    # Serve static assets directly and let clients cache them
    location /static/ {
        alias /var/www/static/;
        expires 30d;
        add_header Cache-Control "public";
    }

    # Proxy API requests to the backend service over plain HTTP
    location /api/ {
        proxy_pass http://backend.internal:8080;
        proxy_set_header Host $host;
        # Pass the connecting address to the backend (ASCII hyphens in header names)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

NGINX as a Layer 7 Load Balancer

This configuration distributes HTTP traffic across three identical application servers using an upstream pool:


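# /etc/nginx/conf.d/load-balancer.conf

upstream app_cluster {
    server app01.example.com;
    server app02.example.com;
    server app03.example.com;
    # Keep up to 32 idle connections to the upstreams per worker
    keepalive 32;
}

server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://app_cluster;
        # Upstream keepalive only takes effect with HTTP/1.1 and a cleared Connection header
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}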
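Both NGINX configurations above set X-Forwarded-For with $proxy_add_x_forwarded_for, which appends the connecting address to whatever value the client already sent, so the leftmost entries are client-controlled. The following added example (not from the original article or the system-design-primer) shows how a backend can resolve the client address by walking the header right to left; the function names and the trusted proxy networks are assumptions.

```python
import ipaddress

# Assumption: networks of the proxies and load balancers you operate
# (constructed values, not taken from the article).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "127.0.0.1/32")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to use for logging, rate limiting and ACLs.

    peer_addr  -- address of the TCP peer that connected to this backend
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer that is not one of our proxies can put anything in the header:
    # ignore it and use the socket address.
    if not is_trusted(peer):
        return str(peer)

    verified = peer  # leftmost hop confirmed so far
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each trusted proxy appended the address that connected to it, so walk
    # from the entry nearest to us towards the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be verified
        if not is_trusted(addr):
            return str(addr)  # first hop outside our infrastructure
        verified = addr
    return str(verified)
```

Entries to the left of the returned address were supplied by the client and should be treated as untrusted input if they are logged at all.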

HAProxy as a Layer 4 Load Balancer

For TCP-based protocols requiring transport-level distribution, HAProxy provides high-performance Layer 4 balancing with health checks:


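# /etc/haproxy/haproxy.cfg

defaults
    # Layer 4: forward TCP streams without parsing the payload
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_http
    bind *:80
    default_backend bk_web

backend bk_web
    balance roundrobin
    # Health probe sends an HTTP HEAD request even though traffic is balanced at TCP level
    option httpchk HEAD / HTTP/1.0\r\nHost:localhost
    # "check" enables periodic health checks for each server
    server web01 10.0.0.1:80 check
    server web02 10.0.0.2:80 check
    server web03 10.0.0.3:80 check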
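The behaviour that `balance roundrobin` and `check` describe, modeled as an added example (this is not HAProxy's code and not from the original article): a pool that removes a server from rotation after consecutive failed checks and restores it after consecutive successes. The class name, method names and the fall/rise thresholds of 3 and 2 are assumptions chosen for the illustration.

```python
class Pool:
    """Round-robin pool with health-check hysteresis."""

    def __init__(self, servers, fall=3, rise=2):
        self.servers = list(servers)
        self.fall = fall    # consecutive failures before a server is marked down
        self.rise = rise    # consecutive successes before it is marked up again
        self.up = {s: True for s in self.servers}
        # Number of consecutive checks that contradict the current state.
        self.streak = {s: 0 for s in self.servers}
        self._next = 0

    def report(self, server, healthy):
        """Record one health-check result for a server."""
        if healthy == self.up[server]:
            # Result agrees with the current state: a flapping streak is reset.
            self.streak[server] = 0
            return
        self.streak[server] += 1
        limit = self.rise if healthy else self.fall
        if self.streak[server] >= limit:
            self.up[server] = healthy
            self.streak[server] = 0

    def pick(self):
        """Return the next server marked up, or None if the whole pool is down."""
        for _ in range(len(self.servers)):
            candidate = self.servers[self._next]
            self._next = (self._next + 1) % len(self.servers)
            if self.up[candidate]:
                return candidate
        return None


if __name__ == "__main__":
    pool = Pool(["web01", "web02", "web03"])
    for _ in range(3):
        pool.report("web02", False)           # three failed probes in a row
    print([pool.pick() for _ in range(4)])    # web02 is skipped
```

The `None` case matters operationally: when every backend fails its checks, the balancer has nowhere to send traffic, which is why the health-check endpoint itself should be cheap and reliable.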

Summary

  • Reverse proxies provide a unified gateway for SSL termination, caching, and backend abstraction, functioning effectively even with a single service.
  • Load balancers distribute traffic across identical server instances to enable horizontal scaling and automatic failover.
  • Layer distinction: Reverse proxies typically operate at Layer 7 (application), while load balancers can operate at Layer 4 (transport) or Layer 7.
  • Deployment synergy: Production architectures often stack these components, placing a reverse proxy at the edge for optimization and security, followed by load balancing for scalability.
  • Tool flexibility: Solutions like NGINX and HAProxy can fulfill both roles, though dedicated cloud load balancers (AWS ELB, GCP Load Balancing) focus specifically on distribution without content manipulation.

Frequently Asked Questions

Can a single server act as both a reverse proxy and a load balancer?

Yes. Modern solutions like NGINX and HAProxy can simultaneously terminate SSL, cache content, and distribute requests across multiple backend servers. In the README.md of donnemartin/system-design-primer, these capabilities are noted as overlapping features where a reverse proxy configuration can include upstream server pools for load balancing.

Do I need a load balancer if I only have one application server?

No. A load balancer provides value only when distributing traffic across multiple identical instances. For a single server, a reverse proxy alone provides the necessary SSL termination, caching, and security benefits without the complexity of health checks and pool management.

Is a reverse proxy a single point of failure?

Unless deployed in a high-availability configuration with multiple instances, a reverse proxy can become a single point of failure. Unlike load balancers which inherently manage multiple backend nodes, a standalone reverse proxy requires explicit redundancy planning—such as active-passive failover pairs—to ensure continuous availability.

When should I use Layer 4 instead of Layer 7 load balancing?

Use Layer 4 (transport level) load balancing when handling non-HTTP protocols like TCP databases, gRPC, or custom binary protocols where you do not need to inspect packet contents. Use Layer 7 when you require HTTP-specific routing decisions based on headers, cookies, or URL paths, as implemented in the NGINX Layer 7 example above.
