Application load balancers

Important

Currently, the service is at the technology preview stage and is only available to a limited number of users. If you are ready to try the service in beta mode, please contact your manager or leave a request on the support portal.

Application load balancers distribute inbound HTTP and HTTPS traffic among virtual machines for even load distribution among applications. Traffic is distributed using the round-robin algorithm.

To determine what actions to perform and where to forward the traffic, application load balancers use rules. Once the balancer gets a request, the listener checks the rules in order of priority to determine which one to apply. Depending on the specified conditions, a rule can route the request to various target groups, redirect it to another URL, or return a fixed HTTP response.

To terminate HTTPS connections, the load balancer uses server SSL certificates in X.509 format. The SSL 3.0 and TLS 1.0-1.3 protocols are supported for establishing a secure connection.

The domain name in the certificate should match the one in the DNS record. It can be an FQDN, a short domain name (e.g. example.com), or a wildcard name (*.example.com) to protect several subdomains within one domain.

The load balancer decrypts inbound traffic before forwarding it to the target resource. If the target resource expects unencrypted traffic, use a network load balancer with a listener on port 443.

Attention

Certificates have a limited validity period, so they should be renewed in time.

Load balancer operations

For a load balancer to operate, in addition to the load balancer itself, you should create at least one listener and an associated target group with at least one resource. Listeners and target groups can be created together with a load balancer. However, it is more convenient to create target groups separately. You can add listeners after the load balancer has been created. To create an HTTPS traffic listener, you should first import at least one certificate.

Create an application load balancer

Note

You can also create a balancer and associate it with an existing target group in the Target groups subsection.

To create an application load balancer:

  1. Go to the section Load balancing → Load balancers and click Create.

  2. Set the basic parameters of the balancer:

    • Type — Type of the load balancer. Select ALB.

    • Name tag — Optional description of the load balancer.

    • Load balancer name — The name must not be longer than 32 characters, can only contain Latin letters, numbers and hyphens, and must not start or end with a hyphen.

    • Scheme — This parameter defines which clients the load balancer can work with. If the Internal scheme is selected, the load balancer handles requests to internal addresses only from clients in the same VPC. If the Internet-facing scheme is selected, the load balancer can distribute requests to external addresses from any client on the Internet.

    To go to the next step, click Next.

  3. Specify the network mapping parameters:

    • VPC — VPC in which the load balancer will be placed. All other balancer components, such as target groups and target resources, must be placed in the same VPC.

    • Subnet — Subnet in which the network interface of the load balancer will be created.

    • Elastic IP or Private IP — IP address that will be associated with the network interface, depending on the selected scheme. When the internet-facing scheme is selected, an external Elastic IP address must be provided. You can also leave this field blank, in which case the address will be provided automatically. When the internal scheme is selected, an internal IP address is provided automatically.

    To associate the balancer with subnets in other availability zones, click Add subnet.

    To go to the next step, click Next.

  4. Add listeners and associate target groups with them. You may skip this step and add listeners later.

    • Name tag — Name or description of the listener.

    • Protocol – Protocol whose traffic the listener accepts (HTTP or HTTPS). If the HTTPS protocol is selected, add a certificate to be used by default.

    • Port — Port which the listener receives traffic at.

    • Forwarding to — This option allows you to associate a target group with the listener. You can select an existing target group from the list or add a new target group. In the latter case, specify:

      • target group name;

      • port to which traffic is forwarded;

      • targets that are included in the group.

      Note

      Targets must be in the same availability zones as the subnets selected in the previous step.

    To add a listener, click Add.

    If necessary, you can add more listeners right away by repeating the steps above, or you can remove unnecessary ones by clicking Remove.

    To go to the next step, click Next.

  5. If required, assign tags to the load balancer.

    • If the Name tag was not specified in step 2 and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter the tag key and value.

    You can skip this step and add tags later. To go to the next step, click Overview and create.

  6. Check balancer settings. If you need to change any of them, go back to the corresponding step. If everything is OK, click Create to create the balancer.

It may take some time for the balancer to check the health of the targets (if any are specified). The health check duration depends on the health check settings for the target groups.

Note

You do not need to specify a listener or targets to start the balancer. However, if those are not specified, the balancer will not handle traffic, even when in the Active state.

Map subnet

When a subnet is mapped to a balancer, a network interface is created in this subnet. The mapped subnet and corresponding interface can be neither changed nor deleted. However, you can map the load balancer to subnets from those availability zones where the load balancer does not have a network interface yet.

To add a subnet:

  1. Go to the section Load balancing → Load balancers.

  2. Select the load balancer from the table and click Associate subnets.

  3. Specify the network mapping parameters:

    • Subnet — Subnet in which an additional network interface of the load balancer will be created. It must be in the same VPC as the already associated subnets.

    • Elastic IP or Private IP — IP address that will be associated with the network interface, depending on the selected scheme. When the internet-facing scheme is selected, an external Elastic IP address must be provided. You can also leave this field blank, in which case the address will be provided automatically. When the internal scheme is selected, an internal IP address is provided automatically.

    To map other subnets to the balancer, click Add subnet.

  4. To map subnets, click Map.

Alternatively, you can associate a subnet on the load balancer page in the Information tab.

Set tags for a load balancer

To add, modify or delete load balancer tags:

  1. Go to the section Load balancing → Load balancers.

  2. In the resource table, find the load balancer for which tags should be edited and click on the balancer name to go to its page.

  3. Open the Tags tab.

  4. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag and specifying its value.

    Note

    You can also modify the Name tag in the Information tab by editing the corresponding field.

  5. Click Apply to save the changes.

Delete load balancer

Together with the balancer, all listeners belonging to it are deleted. However, deleting a balancer does not affect the associated target groups and their targets.

To delete a load balancer:

  1. Go to the section Load balancing → Load balancers.

  2. Select the load balancer from the table and click Delete.

  3. Confirm the action.

You can also delete the load balancer on its page in the Information tab.

Listener operations

Add listener

Note

You can also add a listener for the target group in the Target groups subsection.

To add a listener:

  1. Go to the section Load balancing → Load balancers.

  2. Select the load balancer from the table and click Add listener.

  3. Add listeners and associate target groups with them. To do this, specify the following parameters:

    • Name tag — The listener name (optional).

    • Protocol — Protocol whose traffic is to be received by the listener (HTTP or HTTPS).

    • Certificate – Default certificate (for HTTPS only).

    • Port — Port which the listener receives traffic at.

    • Forward to – This option allows you to bind a target group to the listener.

      Select an already existing target group from the list or add a new target group. In the latter case, specify the target group name, the port where traffic is routed to, and the target resources that belong to the group.

  4. If you want to assign tags to the listener, click Add tags to go to the next step.

    • If the Name tag was not specified in step 3 and you want to add it, click Add Name tag and set the tag value.

    • To add an arbitrary tag, click Add tag and enter the tag key and value.

  5. To add a listener, click Add.

If you need to add more listeners, repeat the above steps.

Alternatively, you can add a listener on the load balancer page in the Listeners tab.

Note

By default, the created listener forwards traffic to the specified target group. You can add other rules to route inbound traffic.

Modify listener settings

Unlike the balancer creation wizard or the listener adding dialog, you cannot create a target group when modifying listener settings. If you want a listener to redirect traffic to a new target group, create it first.

To change the listener settings:

  1. Go to the section Load balancing → Load balancers.

  2. In the resource table, find the load balancer to which the listener belongs and click on the load balancer name to go to its page.

  3. Select the listener from the table and click Modify.

  4. Change the listener settings you need:

    • Protocol — Protocol whose traffic is to be received by the listener.

    • Certificate – Default certificate (for HTTPS only).

    • Port — Port which the listener receives traffic at.

    • Forwarding to — Target group to which the listener will forward traffic.

  5. To apply settings, click Change.

Add certificate

Note

This feature is only available for HTTPS listeners.

Important

The user should have permissions to work with certificates. If the user is not an IAM administrator, assign the IAMServerCertificateAccess policy to the user.

Once the listener is created, you can add extra certificates besides the default one, so as to support multiple domains on a single port and provide a different certificate for each domain.

The default certificate is used if the domain name does not match any of the additional certificates or if the client does not use Server Name Indication (SNI) to connect. You can add the default certificate as an additional one so that it continues to identify the domain even if the default certificate is replaced by another one. The default certificate can be changed by modifying the listener settings.

You can add multiple certificates at the same time. Certificates should be imported before they can be added.

  1. Go to the section Load balancing → Load balancers.

  2. In the resource table, find the application load balancer to which the HTTPS traffic listener belongs and click on the load balancer name to go to its page.

  3. Open the Listeners tab, find the listener in the resource table, and click on the Protocol:port field to go to the listener page.

  4. Open the Certificates tab and click Add.

  5. In the window that opens, select required certificates from the drop-down list.

  6. To complete the action, click Add.
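The selection behaviour described above, modelled as an added example (not the service's own code). The `Cert` and `HttpsListener` names, the sample domains, and the choice that an exact name wins over a wildcard are assumptions; the page only states when the default certificate is used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str    # hypothetical identifier of an imported certificate
    names: tuple  # DNS names in the certificate (constructed samples)


def name_matches(cert_name, sni):
    """True if a certificate name covers the requested host name.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.com covers api.example.com, but neither
    example.com nor a.b.example.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == sni
    first_label, _, parent = sni.partition(".")
    return bool(first_label) and parent == cert_name[2:]


class HttpsListener:
    def __init__(self, default):
        self.default = default  # certificate set in the listener settings
        self.additional = []    # certificates added on the Certificates tab

    def add_certificate(self, cert):
        if cert not in self.additional:
            self.additional.append(cert)

    def select(self, sni):
        """Certificate presented for one handshake; sni is None without SNI."""
        if not sni:
            return self.default
        wildcard_hit = None
        for cert in self.additional:
            for name in cert.names:
                if name_matches(name, sni):
                    if not name.startswith("*."):
                        return cert          # assumed: exact name wins
                    wildcard_hit = wildcard_hit or cert
        return wildcard_hit or self.default  # no match: default certificate


if __name__ == "__main__":
    shop = Cert("shop", ("shop.example.com",))
    wild = Cert("wildcard", ("*.example.com",))
    org = Cert("org", ("example.org", "www.example.org"))
    listener = HttpsListener(default=shop)
    for cert in (wild, org, shop):   # the default is also added as additional
        listener.add_certificate(cert)
    listener.default = org           # default replaced in the listener settings
    for host in (None, "shop.example.com", "api.example.com", "a.b.example.com"):
        print(host, "->", listener.select(host).label)
```

Clients that send no SNI, and names that no additional certificate covers, receive the default certificate, so a name mismatch there shows up as a certificate warning on the client rather than as a balancer error.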

Delete certificate

Note

The default certificate cannot be deleted.

If you remove a certificate from the listener, it can still be added again (see all available certificates in IAM Certificates).

  1. Go to the section Load balancing → Load balancers.

  2. In the resource table, find the application load balancer to which the HTTPS traffic listener belongs and click on the load balancer name to go to its page.

  3. Open the Listeners tab, find the listener in the resource table, and click on the Protocol:port field to go to the listener page.

  4. Open the Certificates tab, select certificates you no longer need, and click Add.

  5. In the dialog window, confirm the action.

Set tags for a listener

To add, modify or delete EKS listener tags:

  1. Go to the section Load balancing → Load balancers.

  2. In the resource table, find the load balancer to which the listener belongs and click on the load balancer name to go to its page.

  3. Open the Listeners tab, select the listener in the resource table and click Customize tags.

  4. To add a tag, click Add tag and specify the Key and Value fields.

    To modify a tag, edit the required fields (Value and/or Key) of the respective tag.

    To delete a tag, click the icon next to the tag you no longer need.

    Note

    If no tags have been set earlier, you can add the Name tag by clicking Add Name tag and specifying its value.

  5. Click Apply to save the changes.

Alternatively, you can set tags on the listener page in the Tags tab.

Delete listener

Deleting a listener does not affect the associated target group or its targets. After deleting a listener, you can associate the released target group with another listener, including the one belonging to another load balancer.

  1. Go to the section Load balancing → Load balancers.

  2. Click the load balancer name to go to its page and open the Listeners tab.

  3. Select the listener from the table and click Delete.

  4. Confirm the action.

Alternatively, you can delete a listener on its page in the Information tab.

Listener rules

You can set your own rules for the listener. They determine further routing of requests that the load balancer receives. They also describe actions to be performed when the conditions specified in the rules are met. The conditions of the highest-priority rule are checked first (the lower the priority value, the higher the priority is). If they are not met, then the conditions of the next rule are checked, and so on.

Together with the listener, a default rule is created to forward requests to the bound target group. This rule has the lowest priority and, if there are other rules, is triggered only if the conditions of no other rule have been met. The default rule cannot be changed or deleted.

The rules are subject to the following constraints:

  • up to 100 rules per application load balancer;

  • up to 5 conditions per rule;

  • up to 5 target groups per rule with the Forward to action;

  • priority values up to 49999.

Available actions

Listener rules support the following actions:

  • Forward to — Requests are forwarded to the specified target groups.

  • Redirect — Requests are redirected to a different URL.

  • Fixed response — A predefined HTTP response is returned to the client.

Forwarding

Inbound requests are distributed across one or more target groups according to the specified weight. For example, if two groups have the same weight, each group will receive exactly half of the requests. If one group has a weight of 10 and the other group has a weight of 5, the first group will receive twice as many requests. The maximum possible weight of a group is 256.

Redirecting

Inbound requests are redirected to another URL. Redirection can be configured as temporary (HTTP 302 Found) or permanent (HTTP 301 Moved Permanently).

A URL consists of the following components:

<protocol>://<hostname>:<port>/<path>?<request>

  • protocol — HTTP and HTTPS can be used for redirection.

  • hostname — The hostname is case insensitive. It may contain Latin letters, numbers, hyphens, periods, underscores, and wildcard character *. The total number of characters is at least 3 but not more than 256.

  • port — Valid values from 1 to 65535.

  • path — The absolute case-sensitive path should be specified. The path must begin with a slash / and may contain Latin letters, numbers, hyphens, wildcard characters (* and ?) and special characters _-.$/~"'@:+. The total number of characters is no more than 128.

  • request — The total number of characters in the request is no more than 128.

To avoid looping, change at least one of the first four components: protocol, hostname, port, or path. To reuse the components of the source URL, specify the following keywords instead:

  • #{protocol} to use the source URL protocol;

  • #{host} to use the hostname from the source URL;

  • #{port} to use the source URL port;

  • #{path} to use the path from the source URL;

  • #{query} to use the request text from the source URL.
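A sketch of how the keywords and the loop rule combine, as an added example rather than the service's implementation. It assumes that #{path} expands without the leading slash (so "/#{path}" repeats the source path), that a component left out of the action reuses the source value, and that the length limits apply to the configured values; the `action` dictionary layout is hypothetical.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: a component missing from the action reuses the source value.
DEFAULTS = {"protocol": "#{protocol}", "host": "#{host}", "port": "#{port}",
            "path": "/#{path}", "query": "#{query}"}
KEYWORD = re.compile(r"#\{(protocol|host|port|path|query)\}")


def source_parts(url):
    """Split the source URL into the five components the keywords refer to."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return {"protocol": scheme,
            "host": (u.hostname or "").lower(),
            "port": str(u.port or DEFAULT_PORTS[scheme]),
            "path": u.path.lstrip("/"),   # assumed: no leading slash
            "query": u.query}


def check_action(action):
    """Apply the page's component limits to the configured values."""
    cfg = {**DEFAULTS, **action}
    if cfg["protocol"] not in ("http", "https", "#{protocol}"):
        raise ValueError("protocol must be http or https")
    if not 3 <= len(cfg["host"]) <= 256:
        raise ValueError("hostname length must be 3..256")
    port = cfg["port"]
    if port != "#{port}":
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError("port must be 1..65535")
        cfg["port"] = str(int(port))      # normalise "0443" to "443"
    if not cfg["path"].startswith("/") or len(cfg["path"]) > 128:
        raise ValueError("path must start with / and be at most 128 characters")
    if len(cfg["query"]) > 128:
        raise ValueError("query must be at most 128 characters")
    return cfg


def build_redirect(source_url, action, permanent=False):
    """Return (status, Location) or raise ValueError for a looping redirect."""
    cfg = check_action(action)
    src = source_parts(source_url)
    dst = {k: KEYWORD.sub(lambda m: src[m.group(1)], v) for k, v in cfg.items()}
    dst["host"] = dst["host"].lower()     # hostnames are case insensitive
    unchanged = (dst["protocol"] == src["protocol"]
                 and dst["host"] == src["host"]
                 and dst["port"] == src["port"]
                 and dst["path"] == "/" + src["path"])
    if unchanged:                         # at most the query differs
        raise ValueError("redirect loop: change protocol, hostname, port or path")
    netloc = dst["host"]
    if int(dst["port"]) != DEFAULT_PORTS[dst["protocol"]]:
        netloc += ":" + dst["port"]       # keep only a non-default port
    location = "%s://%s%s" % (dst["protocol"], netloc, dst["path"])
    if dst["query"]:
        location += "?" + dst["query"]
    return (301 if permanent else 302), location
```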

Fixed response

Incoming requests are discarded, and a predefined response is returned to the client. To configure this action, you may specify a response code (2xx, 4xx, or 5xx), select content type (application/javascript, application/json, text/css, text/html, text/plain), and add an arbitrary message.

Condition types

Specify the following types of conditions in rules:

  • Host header — The request is routed based on the specified hostname.

  • Path templates — The request is routed based on the specified path.

A total of 5 conditions (condition values, to be exact) can be specified in each rule across both condition types. Conditions of the same type are combined with the logical OR operator, while conditions of different types are combined with the logical AND operator. For example, if 3 domains are specified for the host header, only 2 paths can be specified for the path templates, and the logical expression of the conditions will look like this:

(host1.com OR host2.com OR host3.com) AND (/api/v1 OR /api/v2)

Host header

The rule is selected when the hostname in the URL matches the hostname in the condition. Therefore, a single load balancer can support multiple subdomains and different top-level domains.

The condition value (the domain name specified in the condition) can contain Latin letters, numbers, hyphens, periods, underscores, and wildcard character *. The domain name should contain at least two labels (have at least one dot), while the domain label after the last dot may contain only letters. The total number of characters is at least 3 but not more than 256.

Path templates

This condition defines routing rules when the path in the URL matches the path template in the condition. It is only checked against the path specified in the URL; request parameters are not used for comparison.

The condition value (the path template in the condition) is case sensitive. It can contain Latin letters, numbers, wildcard characters (* and ?) and special characters _-.$/~"'@:+. The total number of characters is no more than 128.
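The priority order, the OR/AND combination of conditions and the two matching modes can be checked with a small evaluator. This is an added example, not the balancer's code: the wildcard meaning (* for any run of characters, ? for exactly one), case-insensitive host comparison, unique priorities, the lower priority bound of 1, and all rule and action names are assumptions.

```python
import re
from dataclasses import dataclass

MAX_RULES, MAX_CONDITIONS, MAX_PRIORITY = 100, 5, 49999  # limits from the page


def compile_template(template, case_sensitive):
    """Turn a condition value into a regex.

    Assumed wildcard meaning: * is any run of characters, ? is exactly one.
    """
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in template
    )
    flags = re.DOTALL if case_sensitive else re.DOTALL | re.IGNORECASE
    return re.compile(body, flags)


@dataclass
class Rule:
    priority: int        # lower value = checked earlier
    action: str          # label only, e.g. "forward:api"
    hosts: tuple = ()    # host header values, OR-ed together
    paths: tuple = ()    # path templates, OR-ed together

    def __post_init__(self):
        if not 1 <= self.priority <= MAX_PRIORITY:  # lower bound assumed
            raise ValueError("priority out of range")
        if not 1 <= len(self.hosts) + len(self.paths) <= MAX_CONDITIONS:
            raise ValueError("a rule takes 1 to 5 condition values in total")
        self._hosts = [compile_template(h, False) for h in self.hosts]
        self._paths = [compile_template(p, True) for p in self.paths]

    def matches(self, host, path):
        # A condition type with no values places no restriction on the request.
        host_ok = not self._hosts or any(r.fullmatch(host) for r in self._hosts)
        path_ok = not self._paths or any(r.fullmatch(path) for r in self._paths)
        return host_ok and path_ok  # different types are AND-ed


class RuleTable:
    """Rules of one listener; the page's 100-rule limit is per load balancer."""

    def __init__(self, default_action):
        self.default_action = default_action
        self.rules = []

    def add(self, rule):
        if len(self.rules) >= MAX_RULES:
            raise ValueError("rule limit reached")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError("priority already in use")  # assumed unique
        self.rules.append(rule)
        return self

    def route(self, host_header, request_target):
        host = host_header.split(":", 1)[0]      # drop an optional :port
        path = request_target.split("?", 1)[0]   # query is never compared
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(host, path):
                return rule.priority, rule.action
        return None, self.default_action         # default rule, lowest priority


def build_table(deny_priority):
    """Constructed sample rules; deny_priority places the 403 rule."""
    return (RuleTable("forward:web")
            .add(Rule(10, "forward:api", hosts=("api.example.com",),
                      paths=("/api/v1*", "/api/v2*")))
            .add(Rule(deny_priority, "fixed-response:403",
                      paths=("/api/v1/internal/*",))))
```

With `build_table(20)` the broad rule at priority 10 answers `/api/v1/internal/...` on api.example.com before the fixed-response rule is reached, while `build_table(5)` returns the 403. Because a rule's priority cannot be changed after creation, correcting such an order means deleting the rule and creating it again with a lower priority value.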

Set the rule

  1. Go to the section Load balancing → Load balancers.

  2. Click the load balancer name to go to its page and open the Listeners tab.

  3. Click on the Protocol:Port field of the desired listener to go to its page.

  4. Open the Rules tab and click Add.

  5. In the window that opens, select Condition type and set the conditions in Condition values field. Click Add to add the conditions. If necessary, set conditions of a different type. Once all conditions have been set, click Next to proceed to the next step.

  6. Select the action to be performed when the rule conditions are met (see supported actions for details).

    • Forward to. Select one or more target groups and specify their weight(s).

    • Redirect. Specify the URL where requests will be redirected and select the response code. If it is required to change the host, path, and/or request in the URL, click Other host, path, request.

    • Fixed response. Set the response code, select the message format (Content type), and enter the text (Response body).

    Click Next to proceed to the next step.

  7. Set the rule priority.

  8. Click Create to save the rule.

Modify a rule

Conditions and actions can be changed, but not the rule priority.

  1. Go to the section Load balancing → Load balancers.

  2. Click the load balancer name to go to its page and open the Listeners tab.

  3. Click on the Protocol:Port field of the desired listener to go to its page.

  4. Open the Rules tab and select the rule in the resource table.

  5. Click Add.

  6. You can leave the conditions unchanged and move on directly to the next step to modify the action.

    Note

    To modify the condition of a particular type, delete it first.

    To delete a condition:

    • Select conditions in the Conditions block.

    • Click Remove.

    To add a condition:

    • Select the Condition type and set the conditions in the Condition values field.

    • Click Add to add conditions.

    Click Next to proceed to the next step.

  7. If necessary, modify the action to be triggered when the rule conditions are met (for details, see the supported actions).

  8. Click Save to modify the rule.

Delete a rule

  1. Go to the section Load balancing → Load balancers.

  2. Click the load balancer name to go to its page and open the Listeners tab.

  3. Click on the Protocol:Port field of the desired listener to go to its page.

  4. Open the Rules tab and select the rule in the resource table.

  5. Click Delete.

Load balancer information

The resource page displays data about the load balancer, its related listeners, and network interfaces. To open a specific load balancer page, go to the section Load balancing → Load balancers and click its name in the resource table.

The Information tab shows general information about the load balancer:

  • balancer name;

  • DNS name;

  • creation date;

  • state;

  • balancer type;

  • scheme in use;

  • VPC where the balancer was created;

  • ARN of the balancer;

  • availability zones where there are network interfaces of the balancer;

  • the number of listeners;

  • the number of network interfaces.

In addition, here you can associate subnets with a balancer and delete it.

The Listeners tab displays a list of listeners in use along with the following information:

  • listener name (Name tag);

  • ARN of the listener;

  • action to be taken with the link to the target group;

  • port to which traffic comes, and protocol in use.

In addition, here you can add a listener, modify its settings, set tags, and delete it.

The Network Interfaces tab displays the list of network interfaces used by the load balancer, with the following information:

  • network interface ID;

  • Name tag;

  • brief description;

  • state;

  • subnet;

  • availability zone;

  • VPC;

  • IP address.

Depending on the balancer scheme selected, either its private IP address or the assigned Elastic IP address is displayed.

The Tags tab displays information about the assigned tags. Here you can also assign tags to a load balancer.