
Container Service for Kubernetes: ALB Ingress Configuration Dictionary

Last Updated: Dec 27, 2024

An AlbConfig defines the settings for an Application Load Balancer (ALB) instance. This document outlines the annotations supported by ALB Ingresses and provides an overview of AlbConfig fields and their applications.


Annotation YAML example

Below is an example of how to use annotations to configure ALB within Ingress. For comprehensive annotation details, refer to the sections that follow.


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-httpversion: "HTTP1.1"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-code: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
    # The Service specified in the annotation key must be an existing Service in the cluster, and the Service name must be the same as the Service name in backend of the rule field.
    # In pathConfig values, add ~* before a regular expression as a regex flag. The content after ~* is the actual regex that takes effect. Exact matches need no ~* prefix.
    alb.ingress.kubernetes.io/conditions.service-a: |
     [{
       "type": "Path",
       "pathConfig": {
           "values": [
              "~*^/pathvalue1",
              "/pathvalue2"
           ]
       }
     }]
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
    # ... ...
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
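      # Specify a context path
      - path: /tea
        pathType: ImplementationSpecific # pathType is required in networking.k8s.io/v1
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Specify a context path
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80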

Annotations supported by Ingress

Add annotations to Ingress resources to tailor ALB Ingress functionality to your needs.

Health check

Annotation

Description

alb.ingress.kubernetes.io/healthcheck-enabled

Specifies whether to enable health checks for backend server groups. For a configuration example of health checks, see Configure health checks.

  • true: Enable health checks.

  • false: Disable health checks.

Default value: false.

alb.ingress.kubernetes.io/healthcheck-path

The path to which health check requests are sent.

Default value: /.

alb.ingress.kubernetes.io/healthcheck-protocol

The protocol for health checks.

  • HTTP: Use the HTTP protocol. Send HEAD or GET requests to simulate browser access behavior and check whether the server application is healthy.

  • HTTPS: Use the HTTPS protocol. Send HEAD or GET requests to simulate browser access behavior and check whether the server application is healthy.

  • TCP: Use the TCP protocol. Send SYN handshake messages to check whether the server port is alive.

  • GRPC: Use the gRPC protocol. Send POST or GET requests to check whether the server application is healthy.

Default value: HTTP.

alb.ingress.kubernetes.io/healthcheck-httpversion

The HTTP protocol version. This parameter takes effect only when healthcheck-protocol is set to HTTP or HTTPS.

  • HTTP1.0

  • HTTP1.1

Default value: HTTP1.1.

alb.ingress.kubernetes.io/healthcheck-method

The health check method.

  • HEAD

  • POST

  • GET

Default value: HEAD.

Important

If healthcheck-protocol is set to GRPC, you must select POST or GET.

alb.ingress.kubernetes.io/healthcheck-httpcode

The status codes used for health checks. A backend server is considered healthy only if the probe request succeeds and the specified status code is returned.

You can enter any combination of the following options. Separate multiple status codes with commas (,):

  • http_2xx

  • http_3xx

  • http_4xx

  • http_5xx

Default value: http_2xx.

alb.ingress.kubernetes.io/healthcheck-code

The status codes used for health checks. A backend server is considered healthy only if the probe request succeeds and the specified status code is returned.

If healthcheck-httpcode is also specified, this field takes precedence.

Optional parameters depend on the value specified for healthcheck-protocol:

  • HTTP or HTTPS:

    You can enter any combination of the following options. Separate multiple status codes with commas (,):

    • http_2xx

    • http_3xx

    • http_4xx

    • http_5xx

    Default value: http_2xx.

  • GRPC:

    Valid values: 0 to 99.

    Default value: 0.

    Range input is supported. You can specify up to 20 ranges. Separate multiple ranges with commas (,).

alb.ingress.kubernetes.io/healthcheck-timeout-seconds

The timeout period of health checks in seconds.

Valid values: 1 to 300.

Default value: 5.

alb.ingress.kubernetes.io/healthcheck-interval-seconds

The health check interval in seconds.

Valid values: 1 to 50.

Default value: 2.

alb.ingress.kubernetes.io/healthy-threshold-count

The number of times that a server needs to consecutively pass health checks before it is considered healthy.

Valid values: 2 to 10.

Default value: 3.

alb.ingress.kubernetes.io/unhealthy-threshold-count

The number of times that a server needs to consecutively fail health checks before it is considered unhealthy.

Valid values: 2 to 10.

Default value: 3.

alb.ingress.kubernetes.io/healthcheck-connect-port

The port that you want to use for health checks.

Default value: 0.

Note

A value of 0 indicates that the port of the backend server is used for health checks.

Redirection

Annotation

Description

alb.ingress.kubernetes.io/ssl-redirect

Specifies whether to return a 308 status code for HTTP requests and redirect the requests to HTTPS listeners (port 443). For a configuration example of redirection, see Configure HTTP redirection to HTTPS.

  • true: Redirect to HTTPS.

  • false: Do not redirect to HTTPS.

Default value: false.

Protocol used by backend services

Annotation

Description

alb.ingress.kubernetes.io/backend-protocol

The protocol used by backend server groups. For a configuration example, see Support backend HTTPS and gRPC protocols.

  • http: Use the HTTP protocol.

  • https: Use the HTTPS protocol.

  • grpc: Use the gRPC protocol.

Default value: http.

Note

The backend server protocols supported by listeners depend on the listener type:

  • HTTP listeners support HTTP and HTTPS.

  • HTTPS listeners support HTTP, HTTPS, and gRPC.

  • QUIC listeners support HTTP.

Rewrite

Annotation

Description

alb.ingress.kubernetes.io/rewrite-target

The path that overwrites the path in requests. For a configuration example of rewrite, see Rewrite.

Listener

Annotation

Description

alb.ingress.kubernetes.io/listen-ports

The listener ports and protocols associated with ALB Ingresses. For a configuration example, see Configure custom listener ports.

You can specify the listener protocols and ports that you want to configure for ingress rules (examples are provided below):

  • '[{"HTTP": 80}]': Associate the HTTP listener with port 80.

  • '[{"HTTPS": 443}]': Associate the HTTPS listener with port 443.

  • '[{"QUIC": 443}]': Associate the QUIC listener with port 443.

  • '[{"HTTP": 80}, {"HTTPS": 443}]': Associate the HTTP listener with port 80 and the HTTPS listener with port 443.

  • '[{"HTTPS": 443}, {"QUIC": 443}]': Associate the HTTPS listener with port 443 and the QUIC listener with port 443.

Slow start

Annotation

Description

alb.ingress.kubernetes.io/slow-start-enabled

Specifies whether to enable the slow start feature. After slow start is enabled, ALB Ingress gradually distributes traffic to new pods when they are added to the backend of a Service. This prevents exceptions caused by high CPU and memory pressure immediately after the pods are started. For a configuration example of slow start, see Backend slow start.

  • true: Enable slow start.

  • false: Disable slow start.

Disabled by default.

alb.ingress.kubernetes.io/slow-start-duration

The time taken to gradually increase traffic during slow start. The longer the time, the slower the traffic increases. Unit: seconds.

Valid values: 30 to 900.

Default value: 30.

Priority

Annotation

Description

alb.ingress.kubernetes.io/order

The relative priority of forwarding rules. The smaller the value, the higher the priority. For a configuration example of priority, see Configure forwarding rule priority.

Valid values: 1 to 1000.

Default value: 10.

Canary release (grayscale)

Annotation

Description

alb.ingress.kubernetes.io/canary

Specifies whether to enable canary release. For detailed operations on canary release, see Implement canary release through ALB Ingress.

  • true: Enable canary release.

  • false: Disable canary release.

Default value: false.

alb.ingress.kubernetes.io/canary-by-header

The request header to match when canary release is enabled.

alb.ingress.kubernetes.io/canary-by-header-value

The value of the request header to match when canary release is enabled.

alb.ingress.kubernetes.io/canary-by-cookie

The cookie of the requests that are routed to the canary.

alb.ingress.kubernetes.io/canary-weight

Set the percentage of requests to the specified service (a value from 0 to 100). For detailed operations, see Grayscale weight.

Session persistence

Annotation

Description

alb.ingress.kubernetes.io/sticky-session

Specifies whether to enable session persistence for backend server groups. For a configuration example of session persistence, see Implement session persistence through annotations.

  • true: Enable session persistence.

  • false: Disable session persistence.

Default value: false.

alb.ingress.kubernetes.io/sticky-session-type

The method that is used to handle a cookie.

  • Insert: Insert cookie mode. During the first-time visit of a client, the ALB instance adds a cookie to the response.

  • Server: Rewrite cookie mode. The ALB instance rewrites cookies based on the user-defined cookie.

Default value: Insert.

alb.ingress.kubernetes.io/cookie-timeout

The session persistence timeout period in seconds.

Valid values: 1 to 86400.

Default value: 1000.

Connection draining

Annotation

Description

alb.ingress.kubernetes.io/connection-drain-enabled

Specifies whether to enable connection draining. After connection draining is enabled, ALB Ingress maintains normal transmission for a period of time when the backend pod enters the Terminating state or health checks report exceptions. After the timeout period is reached, the connection is interrupted. This prevents the sudden removal of the backend from affecting the business. For detailed information about how connection draining works, see Connection draining.

  • true: Enable connection draining.

  • false: Disable connection draining.

Disabled by default.

alb.ingress.kubernetes.io/connection-drain-timeout

The timeout period of connection draining in seconds.

Valid values: 0 to 900.

Default value: 300.

Load balancing

Annotation

Description

alb.ingress.kubernetes.io/backend-scheduler

The load balancing algorithm of backend server groups. For a configuration example of load balancing algorithms, see Specify the load balancing algorithm for server groups.

  • wrr: Weighted round-robin. Backend servers that have higher weights receive more requests than those that have lower weights.

  • wlc: Weighted least connections. If multiple backend servers have the same weight, requests are forwarded to the backend server with the least connections.

  • sch: Source IP hash. Requests from the same source IP address are distributed to the same backend server.

  • uch: URL hash. Requests for the same URL are distributed to the same backend server.

Default value: wrr.

alb.ingress.kubernetes.io/backend-scheduler-uch-value

The URL hash parameter used when the load balancing algorithm is set to "uch".

Cross-domain (CORS)

Annotation

Description

alb.ingress.kubernetes.io/enable-cors

Specifies whether to enable cross-domain configuration. For a configuration example, see Cross-domain configuration.

  • true: Enable cross-domain configuration.

  • false: Disable cross-domain configuration.

Default value: false.

alb.ingress.kubernetes.io/cors-allow-origin

The origins from which you want to allow cross-domain requests.

Default value: *.

alb.ingress.kubernetes.io/cors-expose-headers

The headers that can be exposed.

alb.ingress.kubernetes.io/cors-allow-methods

The cross-domain request methods that are allowed.

You can enter any combination of the following options:

  • GET

  • POST

  • PUT

  • DELETE

  • HEAD

  • OPTIONS

  • PATCH

Default value: "GET, PUT, POST, DELETE, PATCH, OPTIONS".

alb.ingress.kubernetes.io/cors-allow-credentials

Specifies whether to allow credentials in requests.

  • true: Allow credentials.

  • false: Do not allow credentials.

Default value: true.

alb.ingress.kubernetes.io/cors-max-age

The maximum cache time of preflight requests in browsers. Unit: seconds.

Valid values: -1 to 172800.

Default value: 172800.

Note

A value of -1 indicates unlimited cache time.

alb.ingress.kubernetes.io/cors-allow-headers

The headers that are allowed in cross-domain requests.

Default value: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization".

Custom forwarding

Annotation

Description

alb.ingress.kubernetes.io/actions.{svcName}

The custom forwarding actions. For detailed operations on custom forwarding, see Custom forwarding rules for ALB Ingress.

alb.ingress.kubernetes.io/conditions.{svcName}

The custom forwarding conditions.

alb.ingress.kubernetes.io/rule-direction.{svcName}

The custom forwarding direction.

  • Request: Custom forwarding when receiving requests.

  • Response: Custom forwarding when sending responses.

Default value: Request.

Others

Annotation

Description

alb.ingress.kubernetes.io/backend-keepalive

Specifies whether to enable persistent TCP connections for backend servers. For a configuration example, see Persistent connections for backend servers.

Default value: false.

alb.ingress.kubernetes.io/traffic-limit-qps

The queries per second (QPS) throttling limit.

Valid values: 1 to 100000.

alb.ingress.kubernetes.io/use-regex

Specifies whether regular expressions can be used in the Path field. This annotation is valid only when the path type is Prefix.

Default value: false.
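The ranges, enumerations and cross-field rules listed in the annotation tables above can be checked before a manifest is applied. The following linter is an added example, not part of the ALB Ingress controller or of the original page; the function name lint_annotations and the SAMPLE manifest are hypothetical, and the CORS check is an editorial review rule built on the documented defaults rather than a rule the page states.

```python
import json
import re

PREFIX = "alb.ingress.kubernetes.io/"

# "Valid values" ranges copied from the annotation tables on this page.
INT_RANGES = {
    "healthcheck-timeout-seconds": (1, 300),
    "healthcheck-interval-seconds": (1, 50),
    "healthy-threshold-count": (2, 10),
    "unhealthy-threshold-count": (2, 10),
    "slow-start-duration": (30, 900),
    "order": (1, 1000),
    "canary-weight": (0, 100),
    "cookie-timeout": (1, 86400),
    "connection-drain-timeout": (0, 900),
    "cors-max-age": (-1, 172800),
    "traffic-limit-qps": (1, 100000),
}
ENUMS = {
    "healthcheck-protocol": {"HTTP", "HTTPS", "TCP", "GRPC"},
    "healthcheck-httpversion": {"HTTP1.0", "HTTP1.1"},
    "healthcheck-method": {"HEAD", "POST", "GET"},
    "backend-protocol": {"http", "https", "grpc"},
    "sticky-session-type": {"Insert", "Server"},
    "backend-scheduler": {"wrr", "wlc", "sch", "uch"},
}
HTTP_CODES = {"http_2xx", "http_3xx", "http_4xx", "http_5xx"}
# Documented defaults, applied when an annotation is absent.
DEFAULTS = {"healthcheck-protocol": "HTTP", "healthcheck-method": "HEAD", "canary": "false",
            "cors-allow-origin": "*", "cors-allow-credentials": "true"}


def lint_annotations(annotations):
    """Return (severity, annotation, message) findings for one Ingress."""
    a = {k[len(PREFIX):]: str(v) for k, v in annotations.items() if k.startswith(PREFIX)}

    def get(name):
        return a.get(name, DEFAULTS.get(name))

    out = []
    for name, (lo, hi) in INT_RANGES.items():
        raw = a.get(name)
        if raw is not None and not (re.fullmatch(r"-?[0-9]+", raw) and lo <= int(raw) <= hi):
            out.append(("error", name, f"{raw!r} is not an integer in {lo}..{hi}"))
    for name, allowed in ENUMS.items():
        if name in a and a[name] not in allowed:
            out.append(("error", name, f"{a[name]!r} is not one of {sorted(allowed)}"))

    # The page requires POST or GET when healthcheck-protocol is GRPC.
    proto = get("healthcheck-protocol")
    if proto == "GRPC" and get("healthcheck-method") not in ("POST", "GET"):
        out.append(("error", "healthcheck-method", "GRPC requires POST or GET"))
    # Status classes apply to HTTP/HTTPS only; GRPC code ranges are not checked here.
    for key in ("healthcheck-code", "healthcheck-httpcode"):
        codes = a.get(key)
        if proto in ("HTTP", "HTTPS") and codes is not None and any(
                c.strip() not in HTTP_CODES for c in codes.split(",")):
            out.append(("error", key, f"{codes!r} contains an unknown status class"))
    if "healthcheck-code" in a and "healthcheck-httpcode" in a:
        out.append(("warn", "healthcheck-httpcode", "overridden by healthcheck-code"))

    # canary-* annotations describe matching that applies when canary is enabled.
    if get("canary") != "true":
        for name in sorted(n for n in a if n.startswith("canary-")):
            out.append(("warn", name, 'set while canary is not "true"'))

    # Editorial check, not a rule stated on the page: both values are the
    # documented defaults, so enabling CORS alone produces this combination.
    if (a.get("enable-cors") == "true" and get("cors-allow-origin").strip() == "*"
            and get("cors-allow-credentials") == "true"):
        out.append(("warn", "cors-allow-origin",
                    "wildcard origin with credentials allowed; list explicit origins"))

    # ssl-redirect sends HTTP requests to the HTTPS listener on port 443.
    if a.get("ssl-redirect") == "true" and "listen-ports" in a:
        try:
            ports = json.loads(a["listen-ports"])
        except ValueError:
            ports = None
        if not isinstance(ports, list):
            out.append(("error", "listen-ports", "not a JSON list"))
        elif {"HTTPS": 443} not in ports:
            out.append(("warn", "ssl-redirect", "listen-ports declares no HTTPS listener on 443"))
    return out


# Constructed sample: annotations of a hypothetical Ingress, keys given without the prefix.
SAMPLE = {PREFIX + k: v for k, v in {
    "healthcheck-protocol": "GRPC", "healthcheck-interval-seconds": "60",
    "enable-cors": "true", "canary-weight": "20",
    "ssl-redirect": "true", "listen-ports": '[{"HTTP": 80}]',
}.items()}

if __name__ == "__main__":
    for severity, name, message in lint_annotations(SAMPLE):
        print(f"{severity:5} {PREFIX}{name}: {message}")
```

The annotations from the cafe-ingress example at the top of this page pass without findings.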

AlbConfig fields

AlbConfig is a custom resource that details the attributes of ALB instances and their listeners. The following full AlbConfig example illustrates the various fields. For field-specific descriptions, refer to the sections below.


apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-config-example
spec:
  # Set the relevant attributes of the ALB instance based on your actual needs.
  config:
    id: ""   # The ID of the ALB instance. Leave this field empty if you do not want to reuse an existing instance.
    name: alb-instance-name       
    addressAllocatedMode: Fixed
    addressType: Internet
    ipv6AddressType: Intranet
    addressIpVersion: IPv4
    resourceGroupId: ""
    edition: Standard
    deletionProtectionEnabled: false
    forceOverride: false
    listenerForceOverride: false
    zoneMappings:            # Virtual switch.
      - vSwitchId: vsw-uf6ccg2a9g71hx8go****
        zoneId: ""   
        allocationId: "eip-xxxx"
        eipType: ""
      - vSwitchId: vsw-uf6nun9tql5t8nh15****
        zoneId: ""      
        allocationId: "eip-xxxx"
        eipType: ""
    accessLogConfig:        # Simple Log Service.
      logProject: ""
      logStore: "alb_******"    
    billingConfig:           
      internetBandwidth: 0
      internetChargeType: ""
      payType: ""
      bandWidthPackageId: "cbwp-xxx" 
    modificationProtectionConfig:
      reason: ""
      status: ""
    tags:
      - key: example-key
        value: example-value
  listeners:
    # Set the relevant attributes of the listeners of the ALB instance based on your actual needs.
    - port: 80
      protocol: HTTP         # HTTP: Use the HTTP protocol. HTTPS: Use the HTTPS protocol. QUIC: Use the QUIC protocol.
      gzipEnabled: null
      http2Enabled: null
      securityPolicyId: ""
      idleTimeout: 15
      loadBalancerId: ""
      description: "Listener description"
      caEnabled: false
      requestTimeout: 60
      quicConfig:
        quicUpgradeEnabled: false
        quicListenerId: ""
      defaultActions: []
      caCertificates: []
      certificates: []
      xForwardedForConfig:     # X-Forwarded configuration.
        XForwardedForClientCertSubjectDNEnabled: false
        XForwardedForProtoEnabled: false
        XForwardedForClientCertIssuerDNEnabled: false
        XForwardedForSLBIdEnabled: false
        XForwardedForClientSrcPortEnabled: false
        XForwardedForClientCertFingerprintEnabled: false
        XForwardedForEnabled: true
        XForwardedForSLBPortEnabled: false
        XForwardedForClientCertClientVerifyEnabled: false
        XForwardedForClientCertSubjectDNAlias: ""
        XForwardedForClientCertClientVerifyAlias: ""
        XForwardedForClientCertIssuerDNAlias: ""
        XForwardedForClientCertFingerprintAlias: ""
        XForwardedForClientSourceIpsEnabled: false
        XForwardedForClientSourceIpsTrusted: ""
      logConfig:
        accessLogRecordCustomizedHeadersEnabled: false
        accessLogTracingConfig:
          tracingEnabled: false
          tracingSample: 100
          tracingType: Zipkin
      aclConfig:
        aclName: ""
        aclType: Black
        aclEntries: []
        aclIds: []
status:
  loadBalancer:
    dnsname: ""
    id: ""
    listeners:
      portAndProtocol: ""
      certificates:
        certificateId: ""
        isDefault: false

AlbConfig

Field

Value type

Description

apiVersion

Fixed value

The API version of the object.

Fixed value: alibabacloud.com/v1.

kind

Fixed value

Kind indicates the REST resource corresponding to the object.

Fixed value: AlbConfig.

metadata

ObjectMeta

The metadata of the object.

For more information about metadata, see metadata.

spec

AlbConfigSpec

A list of parameters used to describe the attributes of the ALB instance and its listeners.

status

AlbConfigStatus

After reconciliation is successful, the instance status is written to status. The written value indicates the current status of the instance.

AlbConfigSpec

Field

Value type

Description

config

LoadBalancerSpec

The attributes of the ALB instance.

listeners

ListenerSpec[]

The attributes of the listeners of the ALB instance.

LoadBalancerSpec

Field

Value type

Description

id

string

The ID of the ALB instance. The ALB instance can be reused if an instance ID is specified. If you leave this field empty, the ALB Ingress controller creates an ALB instance. For detailed operations on creating a new ALB instance or reusing an existing instance, see Create AlbConfig.

Default value: "".

name

string

The name of the ALB instance.

Default value: Automatically generated by using the following rule: k8s-{namespace}-{name}-{hashCode}.

addressAllocatedMode

enum

The IP address mode of the ALB instance.

  • Dynamic: The ALB instance has at least one IP address in each zone. The number of IP addresses automatically scales out as business requests increase. This mode supports up to one million queries per second (QPS).

  • Fixed: The ALB instance has only one IP address in each zone. The IP address remains unchanged. An ALB instance in this mode supports up to 100,000 QPS.

Default value: Fixed.

addressType

enum

The network type of the IPv4 CIDR block of the ALB instance.

  • Internet: Public network mode. The ALB instance is assigned a public domain name.

  • Intranet: Private network mode.

Default value: Internet.

ipv6AddressType

enum

The network type of the IPv6 CIDR block of the ALB instance. The network type can be different from that of the IPv4 CIDR block of the ALB instance.

  • Internet: Public network mode. The ALB instance is assigned a public domain name.

  • Intranet: Private network mode.

Default value: Intranet.

addressIpVersion

enum

Specifies whether the ALB instance supports dual stack.

  • IPv4: Supports only IPv4.

  • DualStack: Supports both IPv4 and IPv6.

Default value: IPv4

resourceGroupId

string

The ID of the resource group to which the instances belong.

Default value: "".

edition

enum

The edition of the ALB instance. The edition of an ALB instance cannot be changed in reuse mode.

Default value: Standard.

deletionProtectionEnabled

bool

A reserved parameter. Do not modify this field.

forceOverride

bool

Specifies whether to forcefully overwrite the attributes of the ALB instance in reuse mode.

  • true: Forcefully overwrite.

  • false: Do not forcefully overwrite.

  • null: Do not forcefully overwrite.

Default value: false.

listenerForceOverride

bool

Specifies whether to forcefully overwrite the attributes of the listeners in reuse mode.

  • true: Forcefully overwrite.

  • false: Do not forcefully overwrite.

  • null: Do not forcefully overwrite.

Default value: null.

zoneMappings

ZoneMapping[]

The zone and EIP configuration.

accessLogConfig

AccessLogConfig

The log collection configuration.

billingConfig

BillingConfig

The billing method.

modificationProtectionConfig

ModificationProtectionConfig

The configuration protection setting.

tags

Tag[]

The tags of the instance.

ZoneMapping

Field

Value type

Description

vSwitchId

string

The vSwitch ID. This field is required.

Default value: "".

zoneId

string

The zone of the virtual switch. Retain the default value.

Default value: "".

allocationId

string

The ID of the EIP.

Default value: "eip-xxxx".

eipType

string

A reserved parameter. Do not modify this field.

AccessLogConfig

Field

Value type

Description

logProject

string

The name of the Simple Log Service project.

Default value: "".

logStore

string

The name of the Simple Log Service Logstore. The name must start with alb_. If the Logstore does not exist, it is automatically created. For a configuration example of Simple Log Service Logstore, see Enable access logs for Simple Log Service.

Default value: "alb_****".

BillingConfig

Field

Value type

Description

internetBandwidth

int

A reserved parameter. Do not modify this field.

internetChargeType

string

A reserved parameter. Do not modify this field.

payType

enum

A reserved parameter. Do not modify this field.

bandWidthPackageId

string[]

The ID of the associated Internet Shared Bandwidth instance. You cannot disassociate the Internet Shared Bandwidth instance.

Default value: "cbwp-xxx".

ModificationProtectionConfig

Field

Value type

Description

reason

string

A reserved parameter.

status

string

A reserved parameter.

Tag

Field

Value type

Description

key

string

The key of the tag.

Default value: "".

value

string

The value of the tag.

Default value: "".

ListenerSpec

Field

Value type

Description

gzipEnabled

bool

Specifies whether to enable data compression. For a configuration example of data compression, see Use data compression.

  • true: Enable compression.

  • false: Disable compression.

  • null: Enable compression.

Default value: null.

http2Enabled

bool

Specifies whether to enable HTTP/2.

  • true: Enable HTTP/2.

  • false: Disable HTTP/2.

  • null: Enable HTTP/2.

Default value: null.

port

int

The listening port. This field is required.

Default value: 0.

protocol

enum

The listening protocol. This field is required.

  • HTTP: Use the HTTP protocol.

  • HTTPS: Use the HTTPS protocol.

  • QUIC: Use the QUIC protocol.

securityPolicyId

string

The ID of the TLS security policy.

Default value: "".

idleTimeout

int

The timeout period of idle connections in seconds.

Default value: 15.

Note

A value of 0 indicates that the default value is used.

loadBalancerId

string

A reserved parameter. Do not modify this field.

description

string

The name of the listener.

Default value: Automatically generated by using the following rule: ingress-auto-listener-{port}.

caEnabled

bool

Specifies whether to enable mutual authentication.

  • true: Enable mutual authentication.

  • false: Disable mutual authentication.

Default value: false.

requestTimeout

int

The timeout period of requests in seconds.

Default value: 60.

quicConfig

QuicConfig

The QUIC listener configuration.

defaultActions

Action[]

A reserved parameter. Do not modify this field.

caCertificates

Certificate[]

The root CA certificate of the listener.

certificates

Certificate[]

The server certificate of the listener.

xForwardedForConfig

XForwardedForConfig

The X-Forwarded header configuration.

logConfig

LogConfig

The listener log configuration.

aclConfig

AclConfig

The access control list (ACL) configuration.

QuicConfig

Field

Value type

Description

quicUpgradeEnabled

bool

Specifies whether to enable QUIC upgrade. In scenarios where both QUIC and HTTPS listeners are used, set the quicUpgradeEnabled field to associate QUIC listeners with HTTPS listeners or disassociate QUIC listeners from HTTPS listeners. For detailed operations, see Use QUIC listeners to support HTTP/3.

  • true: Enable QUIC upgrade and associate QUIC listeners with HTTPS listeners.

  • false: Disable QUIC upgrade and do not associate QUIC listeners with HTTPS listeners.

Default value: false.

quicListenerId

string

HTTPS listeners associated with the QUIC listeners.

Default value: "".

Certificate

Field

Value type

Description

IsDefault

bool

Specifies whether the certificate is a default certificate. For detailed operations on configuring a certificate, see Configure HTTPS certificates for encrypted communication.

  • true: Specify as the default certificate.

  • false: Do not specify as the default certificate.

Default value: false.

Important

You can specify only one default certificate.

CertificateId

string

The ID of the certificate.

Default value: "".

XForwardedForConfig

Field

Value type

Description

XForwardedForClientCertSubjectDNEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-subjectdn field to the request header of HTTP messages forwarded by the ALB instance to retain the subject information of the client certificate.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForProtoEnabled

bool

Specifies whether to add the X-Forwarded-Proto field to the request header of HTTP messages forwarded by the ALB instance to record the protocol used by the ALB instance.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForClientCertIssuerDNEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-issuerdn field to the request header of HTTP messages forwarded by the ALB instance to retain the issuer information of the client certificate.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForSLBIdEnabled

bool

Specifies whether to add the X-Forwarded-For-SLB-ID field to the request header of HTTP messages forwarded by the ALB instance to record the ID of the ALB instance.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForClientSrcPortEnabled

bool

Specifies whether to add the X-Forwarded-Client-Port field to the request header of HTTP messages forwarded by the ALB instance to retain the port information of the client.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForClientCertFingerprintEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-fingerprint field to the request header of HTTP messages forwarded by the ALB instance to retain the fingerprint information of the client certificate.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForEnabled

bool

Specifies whether to add the X-Forwarded-For field to the request header of HTTP messages forwarded by the ALB instance to retain the real IP information of the client. This feature cannot be disabled.

XForwardedForSLBPortEnabled

bool

Specifies whether to add the X-Forwarded-Port field to the request header of HTTP messages forwarded by the ALB instance to record the listening port of the ALB instance.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForClientCertClientVerifyEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-clientverify field to the request header of HTTP messages forwarded by the ALB instance to retain the verification result of the client certificate.

  • true: Add the field.

  • false: Do not add the field.

Default value: false.

XForwardedForClientCertSubjectDNAlias

string

A custom field name. After you specify a value, the field name X-Forwarded-Clientcert-subjectdn added by XForwardedForClientCertSubjectDNEnabled is replaced with the specified value.

This field takes effect only when XForwardedForClientCertSubjectDNEnabled is set to true.

Default value: "".

XForwardedForClientCertClientVerifyAlias

string

A custom field name. After you specify a value, the field name X-Forwarded-Clientcert-clientverify added by XForwardedForClientCertClientVerifyEnabled is replaced with the specified value.

This field takes effect only when XForwardedForClientCertClientVerifyEnabled is set to true.

Default value: "".

XForwardedForClientCertIssuerDNAlias

string

A custom field name. After you specify a value, the field name X-Forwarded-Clientcert-issuerdn added by XForwardedForClientCertIssuerDNEnabled is replaced with the specified value.

This field takes effect only when XForwardedForClientCertIssuerDNEnabled is set to true.

Default value: "".

XForwardedForClientCertFingerprintAlias

string

A custom field name. After you specify a value, the field name X-Forwarded-Clientcert-fingerprint added by XForwardedForClientCertFingerprintEnabled is replaced with the specified value.

This field takes effect only when XForwardedForClientCertFingerprintEnabled is set to true.

Default value: "".

XForwardedForClientSourceIpsEnabled

bool

Specifies whether to allow ALB to obtain the real client IP address from the X-Forwarded-For header field.

  • true: Allow. In this case, you must configure XForwardedForClientSourceIpsTrusted and specify a valid value.

  • false: Do not allow.

Default value: false.

XForwardedForClientSourceIpsTrusted

string

The trusted proxy IP address.

Enter a valid IP address or CIDR block. Separate multiple IP addresses or CIDR blocks with semicolons (;). No spaces are required between IP addresses or CIDR blocks. This field takes effect only when XForwardedForClientSourceIpsEnabled is set to true.

  • If the trusted IP list is set to 0.0.0.0/0: Obtain the leftmost address in the X-Forwarded-For request header, which is the real client source IP address.

  • If the trusted IP list is set to proxy1 IP;proxy2 IP;...: Obtain the first value from right to left that is not in the list and use it as the real client source IP address.

Example value: 192.168.x.x;192.168.x.x/16
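The two selection rules described for XForwardedForClientSourceIpsTrusted are one right-to-left walk over the X-Forwarded-For header, and modelling it shows why a catch-all list such as 0.0.0.0/0 makes the result depend on a value the client supplies. The following is an added example, not ALB code and not part of the original page; the function names, the sample header and the handling of unparsable entries are assumptions of this model.

```python
import ipaddress


def parse_trusted(value):
    """Parse an XForwardedForClientSourceIpsTrusted string into networks."""
    nets = [ipaddress.ip_network(item.strip(), strict=False)  # host bits allowed
            for item in value.split(";") if item.strip()]
    if not nets:
        raise ValueError("trusted proxy list is empty")
    return nets


def trusts_everything(value):
    """True if the list contains a catch-all block such as 0.0.0.0/0."""
    return any(net.prefixlen == 0 for net in parse_trusted(value))


def client_source_ip(xff_header, trusted):
    """Pick the client address the way the field description states.

    Walk X-Forwarded-For from right to left and return the first entry that is
    not a trusted proxy. When every entry is trusted, which is always the case
    for 0.0.0.0/0, the walk ends at the leftmost entry and that one is returned.
    Assumption of this model: an entry that is not a valid IP address ends the
    walk with no result (None), as does an empty header.
    """
    nets = parse_trusted(trusted)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in nets):
            return hop
    return hops[0]


# Constructed header as it would reach the load balancer after two proxies.
# The leftmost entry was supplied by the client itself; each proxy appended the
# address it received the request from. All addresses are documentation ranges.
XFF = "192.0.2.99, 203.0.113.50, 198.51.100.7"

if __name__ == "__main__":
    for trusted in ("0.0.0.0/0", "198.51.100.7;198.51.100.8", "198.51.100.0/24"):
        print(f"{trusted:28} -> {client_source_ip(XFF, trusted)}"
              f"  catch-all={trusts_everything(trusted)}")
```

With the catch-all list the client-supplied entry 192.0.2.99 is selected; with either list that names only the proxies, the address the first proxy actually saw (203.0.113.50) is selected.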

AclConfig

Field

Value type

Description

aclName

string

The name of the network ACL in AclEntry mode. For detailed operations on configuring ACLs, see Configure ACLs to implement access control.

Default value: "".

aclType

enum

The access control mode.

  • Black: Blacklist mode. Blocks specific IP addresses from accessing the service.

  • White: Whitelist mode. Allows only specific IP addresses to access the service.

aclEntries

string[]

The network ACL rules.

Default value: "".

Important

The aclEntries and aclIds fields cannot be used at the same time. For more information, see Configure ACLs to implement access control.

aclIds

string[]

The list of the IDs of existing network ACLs.

Default value: "".

LogConfig

Field

Value type

Description

accessLogRecordCustomizedHeadersEnabled

bool

Specifies whether to record custom headers in the access log of the ALB instance.

  • true: Use custom headers.

  • false: Do not use custom headers.

Default value: false.

accessLogTracingConfig

AccessLogTracingConfig

The Tracing Analysis configuration. For detailed operations on Tracing Analysis, see Enable Xtrace for Tracing Analysis through Albconfig.

AccessLogTracingConfig

Field

Value type

Description

tracingEnabled

bool

Specifies whether to enable Tracing Analysis.

  • true: Enable Tracing Analysis.

  • false: Disable Tracing Analysis.

Default value: false.

tracingSample

int

The sample rate of Tracing Analysis. Unit: 0.01%.

Valid values: 1 to 10000.

tracingType

enum

The sampling algorithm of Tracing Analysis.

  • Zipkin: Use the Zipkin algorithm.

AlbConfigStatus

Important

The fields AlbConfigStatus, LoadBalancerStatus, ListenerStatus, and AppliedCertificate are reserved for ALB Ingress to automatically log status updates. These fields should not be altered.

Field

Output content

Description

loadBalancer

LoadBalancerStatus

A reserved parameter. Do not modify this field.

The status of the ALB instance.

LoadBalancerStatus

Field

Output content

Description

dnsname

string

A reserved parameter. Do not modify this field.

The DNS address of the ALB instance.

id

string

A reserved parameter. Do not modify this field.

The ID of the ALB instance.

listeners

ListenerStatus

A reserved parameter. Do not modify this field.

The attributes of the listeners of the ALB instance.

ListenerStatus

Field

Output content

Description

portAndProtocol

string

A reserved parameter. Do not modify this field.

The ports and protocols used by listeners.

certificates

AppliedCertificate

A reserved parameter. Do not modify this field.

The certificates associated with listeners.

AppliedCertificate

Field

Output content

Description

certificateId

string

A reserved parameter. Do not modify this field.

The ID of the certificate.

isDefault

bool

A reserved parameter. Do not modify this field.

Specifies whether the certificate is a default certificate.
