Container Service for Kubernetes: ALB Ingress configuration dictionary

Last Updated: Sep 26, 2025

You can configure an AlbConfig resource to customize the settings of an Application Load Balancer (ALB) instance. This topic describes the annotations and AlbConfig fields that ALB Ingress supports and explains their usage.

Annotation YAML example

The following code provides an example of how to use annotations to configure an ALB instance in an Ingress resource. For more information about the annotations, see the following sections.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-httpversion: "HTTP1.1"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-code: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
    # The service in this annotation must be an existing service in the cluster. The service name must be the same as the service name specified in the backend field of the rule.
    # A regular expression must be prefixed with ~* as a flag. The content that follows ~* is the actual regular expression.
    # An exact match does not require the ~* prefix.
    alb.ingress.kubernetes.io/conditions.service-a: |
     [{
       "type": "Path",
       "pathConfig": {
           "values": [
              "~*^/pathvalue1",
              "/pathvalue2"
           ]
       }
      }]
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
    # ... ...
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure the context path
      - path: /tea
        pathType: Prefix   # pathType is required in networking.k8s.io/v1
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Configure the context path
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

Supported Ingress annotations

When you use ALB Ingress, you can add annotations to the Ingress resource as needed.

Health check

Annotation

Description

alb.ingress.kubernetes.io/healthcheck-enabled

Specifies whether to enable health checks for the backend server group. For a health check configuration example, see Configure health checks.

  • true: enables health checks.

  • false: disables health checks.

Default value: false.

alb.ingress.kubernetes.io/healthcheck-path

The path for health checks.

Default value: /.

alb.ingress.kubernetes.io/healthcheck-protocol

The protocol for health checks.

  • HTTP: uses the HTTP protocol. HEAD or GET requests are sent to check whether the server application is healthy.

  • HTTPS: uses the HTTPS protocol. HEAD or GET requests are sent to check whether the server application is healthy.

  • TCP: uses the TCP protocol. SYN handshake messages are sent to check whether the server port is alive.

  • GRPC: uses the gRPC protocol. POST or GET requests are sent to check whether the server application is healthy.

Default value: HTTP.

alb.ingress.kubernetes.io/healthcheck-httpversion

The HTTP version. This parameter is valid when healthcheck-protocol is set to HTTP or HTTPS.

  • HTTP1.0

  • HTTP1.1

Default value: HTTP1.1.

alb.ingress.kubernetes.io/healthcheck-method

The health check method.

  • HEAD

  • POST

  • GET

Default value: HEAD.

Important

If healthcheck-protocol is set to GRPC, you must select POST or GET.

alb.ingress.kubernetes.io/healthcheck-httpcode

The health check status code. A backend server is considered healthy only if a probe is successful and returns the specified status code.

You can specify one or more of the following options. Separate multiple status codes with commas (,).

  • http_2xx

  • http_3xx

  • http_4xx

  • http_5xx

Default value: http_2xx.

alb.ingress.kubernetes.io/healthcheck-code

The health check status code. A backend server is considered healthy only if a probe is successful and returns the specified status code.

If you use this field together with healthcheck-httpcode, this field takes precedence.

The valid values depend on the value of healthcheck-protocol:

  • HTTP or HTTPS:

    You can specify one or more of the following options. Separate multiple status codes with commas (,).

    • http_2xx

    • http_3xx

    • http_4xx

    • http_5xx

    Default value: http_2xx.

  • GRPC:

    Valid values: 0 to 99.

    Default value: 0.

    You can specify up to 20 value ranges. Separate multiple ranges with commas (,).

alb.ingress.kubernetes.io/healthcheck-timeout-seconds

The timeout period for a health check. Unit: seconds (s).

Valid values: 1 to 300.

Default value: 5.

alb.ingress.kubernetes.io/healthcheck-interval-seconds

The interval for health checks. Unit: seconds (s).

Valid values: 1 to 50.

Default value: 2.

alb.ingress.kubernetes.io/healthy-threshold-count

The number of consecutive successful health checks required to declare a backend server healthy.

Valid values: 2 to 10.

Default value: 3.

alb.ingress.kubernetes.io/unhealthy-threshold-count

The number of consecutive failed health checks required to declare a backend server unhealthy.

Valid values: 2 to 10.

Default value: 3.

alb.ingress.kubernetes.io/healthcheck-connect-port

The port used for health checks.

Default value: 0.

Note

A value of 0 indicates that the port of the backend server is used for health checks.

Redirection

Annotation

Description

alb.ingress.kubernetes.io/ssl-redirect

Specifies whether to return a 308 status code for HTTP requests and redirect them to the HTTPS listener on port 443. For a redirection configuration example, see Redirect HTTP requests to HTTPS.

  • true: redirects to HTTPS.

  • false: does not redirect to HTTPS.

Default value: false.

Protocol used by the backend service

Annotation

Description

alb.ingress.kubernetes.io/backend-protocol

The protocol used by the backend server group. For a configuration example, see Support for backend HTTPS and gRPC protocols.

  • http: uses the HTTP protocol.

  • https: uses the HTTPS protocol.

  • grpc: uses the gRPC protocol.

Default value: http.

Note

The backend server group protocols supported by different listeners are as follows:

  • HTTP listeners support HTTP and HTTPS.

  • HTTPS listeners support HTTP, HTTPS, and gRPC.

  • QUIC listeners support HTTP.

Rewrite

Annotation

Description

alb.ingress.kubernetes.io/rewrite-target

The path to which requests are rewritten. For a rewrite configuration example, see Rewrite.

Listener

Annotation

Description

alb.ingress.kubernetes.io/listen-ports

The listener ports and protocols associated with the Ingress resource. For a configuration example, see Configure custom listener ports.

You can specify the listener protocols and ports for the Ingress rules. The following code provides some examples:

  • '[{"HTTP": 80}]' : associates the HTTP listener on port 80.

  • '[{"HTTPS": 443}]' : associates the HTTPS listener on port 443.

  • '[{"QUIC": 443}]' : associates the QUIC listener on port 443.

  • '[{"HTTP": 80}, {"HTTPS": 443}]' : associates both the HTTP listener on port 80 and the HTTPS listener on port 443.

  • '[{"HTTPS": 443}, {"QUIC": 443}]' : associates both the HTTPS listener and the QUIC listener on port 443.

Slow start

Annotation

Description

alb.ingress.kubernetes.io/slow-start-enabled

Specifies whether to enable the slow start feature. If you enable slow start, ALB Ingress gradually distributes traffic to a new pod after it is added to the backend of a service. This prevents exceptions caused by high CPU and memory usage when the pod starts. For a slow start configuration example, see Backend slow start.

  • true: Enabled

  • false: Disabled

By default, this feature is disabled.

alb.ingress.kubernetes.io/slow-start-duration

The duration of the slow start. The longer the duration, the slower the traffic increases. Unit: seconds (s).

Valid values: 30 to 900.

Default value: 30.

Priority

Annotation

Description

alb.ingress.kubernetes.io/order

The relative priority of the forwarding rule. A smaller value indicates a higher priority. For a priority configuration example, see Configure forwarding rule priorities.

Valid values: 1 to 1000.

Default value: 10.

Grayscale

Annotation

Description

alb.ingress.kubernetes.io/canary

Specifies whether to enable canary release. For more information about how to perform a canary release, see Implement canary releases using ALB Ingress.

  • true: Enabled.

  • false: Disabled.

Default value: false.

alb.ingress.kubernetes.io/canary-by-header

The request header that is matched when canary release is enabled.

alb.ingress.kubernetes.io/canary-by-header-value

The value of the request header that is matched when canary release is enabled.

alb.ingress.kubernetes.io/canary-by-cookie

The cookie that is matched when canary release is enabled.

alb.ingress.kubernetes.io/canary-weight

The percentage of requests that are forwarded to the specified service. The value must be an integer from 0 to 100. For more information, see Canary release by weight.

Session persistence

Annotation

Description

alb.ingress.kubernetes.io/sticky-session

Specifies whether to enable session persistence for the backend server group. For a session persistence configuration example, see Enable session persistence using annotations.

  • true: enables session persistence.

  • false: disables session persistence.

Default value: false.

alb.ingress.kubernetes.io/sticky-session-type

The type of session persistence.

  • Insert: insert cookie. The ALB instance inserts a cookie into the response when a client accesses the instance for the first time.

  • Server: rewrite cookie. The ALB instance rewrites the original cookie when it detects a custom cookie.

Default value: Insert.

alb.ingress.kubernetes.io/cookie-timeout

The session persistence timeout. Unit: seconds (s).

Valid values: 1 to 86400.

Default value: 1000.

alb.ingress.kubernetes.io/cookie

The custom cookie value. Type: string. Default value: "".

Connection draining

Annotation

Description

alb.ingress.kubernetes.io/connection-drain-enabled

Specifies whether to enable connection draining. If you enable connection draining, ALB Ingress maintains normal traffic forwarding for a period of time when a backend pod enters the Terminating state or is reported as abnormal by a health check. The connection is terminated after the timeout period is reached. This prevents service interruptions caused by the sudden removal of a backend. For more information about how connection draining works, see Connection draining.

  • true: enables connection draining.

  • false: disables connection draining.

By default, this feature is disabled.

alb.ingress.kubernetes.io/connection-drain-timeout

The connection draining timeout. Unit: seconds (s).

Valid values: 0 to 900.

Default value: 300.

Load balancing

Annotation

Description

alb.ingress.kubernetes.io/backend-scheduler

The load balancing algorithm for the backend server group. For a load balancing algorithm configuration example, see Specify a load balancing algorithm for a server group.

  • wrr: weighted round-robin. Backend servers with higher weights have a higher probability of being selected.

  • wlc: weighted least connections. If backend servers have the same weight, the one with the fewest current connections has a higher probability of being selected.

  • sch: source IP hash. Requests from the same source IP address are routed to the same backend server.

  • uch: URL hash. Requests with the same URL parameter are routed to the same backend server.

Default value: wrr.

alb.ingress.kubernetes.io/backend-scheduler-uch-value

The URL hash parameter used when the load balancing algorithm is "uch".

Cross-domain

Annotation

Description

alb.ingress.kubernetes.io/enable-cors

Specifies whether to enable cross-domain configuration. For a configuration example, see Cross-domain configuration.

  • true: enables cross-domain configuration.

  • false: disables cross-domain configuration.

Default value: false.

alb.ingress.kubernetes.io/cors-allow-origin

The allowed cross-domain origins.

Default value: *.

alb.ingress.kubernetes.io/cors-expose-headers

The list of headers that can be exposed.

alb.ingress.kubernetes.io/cors-allow-methods

The allowed cross-domain request methods.

You can specify one or more of the following options:

  • GET

  • POST

  • PUT

  • DELETE

  • HEAD

  • OPTIONS

  • PATCH

Default value: "GET, PUT, POST, DELETE, PATCH, OPTIONS".

alb.ingress.kubernetes.io/cors-allow-credentials

Specifies whether cross-domain requests can carry credential information.

  • true: credentials are allowed.

  • false: credentials are not allowed.

Default value: true.

alb.ingress.kubernetes.io/cors-max-age

The maximum cache time for preflight requests in the browser. Unit: seconds (s).

Valid values: -1 to 172800.

Default value: 172800.

Note

A value of -1 indicates an unlimited cache time.

alb.ingress.kubernetes.io/cors-allow-headers

The list of allowed cross-domain headers.

Default value: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization".

Custom forwarding

Annotation

Description

alb.ingress.kubernetes.io/actions.{svcName}

The custom forwarding action. For more information about custom forwarding, see Customize forwarding rules for ALB Ingresses.

alb.ingress.kubernetes.io/conditions.{svcName}

The custom forwarding condition.

alb.ingress.kubernetes.io/rule-direction.{svcName}

The custom forwarding direction.

  • Request: custom forwarding for incoming requests.

  • Response: custom forwarding for responses.

Default value: Request.

IPv6 support for server groups

Annotation

Description

alb.ingress.kubernetes.io/enable-ipv6

Specifies whether to enable IPv6 for the server group. For a configuration example, see IPv6 support for server groups.

  • true: enables IPv6.

  • false: disables IPv6.

Default value: false.

Others

Annotation

Description

alb.ingress.kubernetes.io/backend-keepalive

Specifies whether to enable persistent connections to backend servers. For a configuration example, see Backend persistent connections.

Default value: false.

alb.ingress.kubernetes.io/traffic-limit-qps

The queries per second (QPS) throttling configuration.

Valid values: 1 to 1000000.

alb.ingress.kubernetes.io/use-regex

Allows the Path field to use regular expressions. This is valid only for the Prefix type.

Default value: false.
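
The value ranges and cross-field rules in the annotation tables above can be checked before an Ingress is applied. The following linter is an added example, not part of the original page or of ALB Ingress itself; the function names, the sample annotation sets and the a-b syntax accepted for gRPC code ranges are assumptions.

```python
# Added example: lint ALB Ingress annotations against the rules documented above.
PREFIX = "alb.ingress.kubernetes.io/"
HTTP_CODES = {"http_2xx", "http_3xx", "http_4xx", "http_5xx"}
# Annotation suffix -> inclusive range, taken from the tables on this page.
INT_RANGES = {
    "healthcheck-timeout-seconds": (1, 300),
    "healthcheck-interval-seconds": (1, 50),
    "healthy-threshold-count": (2, 10),
    "unhealthy-threshold-count": (2, 10),
    "slow-start-duration": (30, 900),
    "order": (1, 1000),
    "canary-weight": (0, 100),
    "cookie-timeout": (1, 86400),
    "connection-drain-timeout": (0, 900),
    "cors-max-age": (-1, 172800),
    "traffic-limit-qps": (1, 1000000),
}


def as_int(text):
    """Return text as an int, or None when it is not an integer."""
    try:
        return int(text)
    except ValueError:
        return None


def grpc_codes_ok(value):
    """GRPC codes: 0 to 99, at most 20 comma-separated ranges (a-b syntax assumed)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 20:
        return False
    for part in parts:
        lo_text, _, hi_text = part.partition("-")
        lo, hi = as_int(lo_text), as_int(hi_text or lo_text)
        if lo is None or hi is None or not 0 <= lo <= hi <= 99:
            return False
    return True


def lint_annotations(annotations):
    """Return a list of findings for one Ingress metadata.annotations mapping."""
    a = {k[len(PREFIX):]: str(v) for k, v in annotations.items() if k.startswith(PREFIX)}
    findings = []
    for name, (lo, hi) in INT_RANGES.items():
        if name in a:
            number = as_int(a[name])
            if number is None or not lo <= number <= hi:
                findings.append(f"{name}: {a[name]!r} is outside {lo} to {hi}")
    # Documented defaults apply when an annotation is absent.
    proto = a.get("healthcheck-protocol", "HTTP")
    method = a.get("healthcheck-method", "HEAD")
    if proto == "GRPC" and method not in ("POST", "GET"):
        findings.append(f"healthcheck-method: {method} is not allowed with GRPC, use POST or GET")
    if "healthcheck-httpversion" in a and proto not in ("HTTP", "HTTPS"):
        findings.append("healthcheck-httpversion: only valid with HTTP or HTTPS health checks")
    code = a.get("healthcheck-code")
    if code is not None:
        if "healthcheck-httpcode" in a:
            findings.append("healthcheck-httpcode: ignored, healthcheck-code takes precedence")
        if proto == "GRPC" and not grpc_codes_ok(code):
            findings.append(f"healthcheck-code: {code!r} is not a valid GRPC code list")
        elif proto in ("HTTP", "HTTPS"):
            if not {c.strip() for c in code.split(",")} <= HTTP_CODES:
                findings.append(f"healthcheck-code: {code!r} is not a valid HTTP code list")
    # CORS: both defaults are permissive, so ask for an explicit origin list.
    if a.get("enable-cors") == "true":
        origin = a.get("cors-allow-origin", "*")
        credentials = a.get("cors-allow-credentials", "true")
        if origin == "*" and credentials == "true":
            findings.append("cors-allow-origin: '*' with credentials allowed, list the origins explicitly")
    return findings


# Constructed sample: several values conflict with the tables above.
SAMPLE_BAD = {
    PREFIX + "healthcheck-enabled": "true",
    PREFIX + "healthcheck-protocol": "GRPC",
    PREFIX + "healthcheck-code": "http_2xx",
    PREFIX + "healthcheck-interval-seconds": "60",
    PREFIX + "enable-cors": "true",
}
# Constructed sample: the health check and priority values from the YAML example on this page.
SAMPLE_GOOD = {
    PREFIX + "healthcheck-enabled": "true",
    PREFIX + "healthcheck-protocol": "HTTP",
    PREFIX + "healthcheck-httpversion": "HTTP1.1",
    PREFIX + "healthcheck-method": "HEAD",
    PREFIX + "healthcheck-code": "http_2xx",
    PREFIX + "healthcheck-timeout-seconds": "5",
    PREFIX + "healthcheck-interval-seconds": "2",
    PREFIX + "order": "1",
}

if __name__ == "__main__":
    for finding in lint_annotations(SAMPLE_BAD):
        print(finding)
```
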

AlbConfig fields

AlbConfig is a CustomResourceDefinition (CRD) that describes an ALB instance and its listeners. The following code provides a full AlbConfig example. For more information about the fields, see the following sections.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-config-example
spec:
  # Set the properties for the ALB instance as needed.
  config:
    id: ""   # The ID of the ALB instance. If you do not want to reuse an existing instance, leave this field empty.
    name: alb-instance-name       
    addressAllocatedMode: Fixed
    addressType: Internet
    ipv6AddressType: Intranet
    addressIpVersion: IPv4
    resourceGroupId: ""
    edition: Standard
    deletionProtectionEnabled: false
    forceOverride: false
    listenerForceOverride: false
    zoneMappings:            # Virtual switch.
      - vSwitchId: vsw-uf6ccg2a9g71hx8go****
        zoneId: ""
        allocationId: eip-asdfas****
        eipType: ""
      - vSwitchId: vsw-uf6nun9tql5t8nh15****
        zoneId: ""
        allocationId: "eip-xxxx"
        eipType: ""
    securityGroupIds:
      - sg-uf6blkp8************ # Security group ID.
      - sg-djladhla************ # Security group ID.
    accessLogConfig:        # SLS access log.
      logProject: ""
      logStore: "alb_******"    
    billingConfig:           
      internetBandwidth: 0
      internetChargeType: ""
      payType: ""
      bandWidthPackageId: "cbwp-xxx" 
    modificationProtectionConfig:
      reason: ""
      status: ""
    tags:
      - key: example-key
        value: example-value
  listeners:
    # Set the properties for the listeners of the ALB instance as needed.
    - port: 80
      protocol: HTTP         # HTTP: uses the HTTP protocol. HTTPS: uses the HTTPS protocol. QUIC: uses the QUIC protocol.
      gzipEnabled: null
      http2Enabled: null
      securityPolicyId: ""
      idleTimeout: 15
      loadBalancerId: ""
      description: "Listener description"
      caEnabled: false
      requestTimeout: 60
      quicConfig:
        quicUpgradeEnabled: false
        quicListenerId: ""
      defaultActions: []
      caCertificates: []
      certificates: []
      xForwardedForConfig:     # X-Forwarded-For configuration.
        XForwardedForClientCertSubjectDNEnabled: false
        XForwardedForProtoEnabled: false
        XForwardedForClientCertIssuerDNEnabled: false
        XForwardedForSLBIdEnabled: false
        XForwardedForClientSrcPortEnabled: false
        XForwardedForClientCertFingerprintEnabled: false
        XForwardedForEnabled: true
        XForwardedForSLBPortEnabled: false
        XForwardedForClientCertClientVerifyEnabled: false
        XForwardedForClientCertSubjectDNAlias: ""
        XForwardedForClientCertClientVerifyAlias: ""
        XForwardedForClientCertIssuerDNAlias: ""
        XForwardedForClientCertFingerprintAlias: ""
        XForwardedForClientSourceIpsEnabled: false
        XForwardedForClientSourceIpsTrusted: ""
      logConfig:
        accessLogRecordCustomizedHeadersEnabled: false
        accessLogTracingConfig:
          tracingEnabled: false
          tracingSample: 100
          tracingType: Zipkin
      aclConfig:
        aclName: ""
        aclType: Black
        aclEntries: []
        aclIds: []
status:
  loadBalancer:
    dnsname: ""
    id: ""
    listeners:
      portAndProtocol: ""
      certificates:
        certificateId: ""
        isDefault: false

AlbConfig

Field

Type

Description

apiVersion

Fixed value

The versioned schema of this object.

Fixed value: alibabacloud.com/v1.

kind

Fixed value

The REST resource that this object represents.

Fixed value: AlbConfig.

metadata

ObjectMeta

Standard object metadata. For more information, see metadata.

spec

AlbConfigSpec

A list of parameters that describe the properties of the ALB instance and its listeners.

status

AlbConfigStatus

After a successful reconciliation, the instance status is written to the status field. The value indicates the current status of the instance.

AlbConfigSpec

Field

Type

Description

config

LoadBalancerSpec

The properties of the ALB instance.

listeners

ListenerSpec[]

The listener properties of the instance.

LoadBalancerSpec

Field

Type

Description

id

string

The ID of the ALB instance. Specify an ID to reuse an existing instance. If you leave this field empty, the controller creates an ALB instance. For more information about how to create a new ALB instance or reuse an existing one, see Create an AlbConfig.

Default value: "".

name

string

The name of the ALB instance.

Default value: automatically generated based on the following rule: k8s-{namespace}-{name}-{hashCode}.

addressAllocatedMode

enum

The address mode of the ALB instance.

  • Dynamic: The ALB instance has at least one IP address in each zone. The number of IP addresses automatically increases as business requests grow. This mode supports up to 1 million QPS.

  • Fixed: Each zone has one and only one fixed IP address. This mode has limited elasticity and supports up to 100,000 QPS.

Default value: Fixed.

addressType

enum

The IPv4 address type of the ALB instance.

  • Internet: public mode. A public domain name is automatically assigned.

  • Intranet: private mode.

Default value: Internet.

ipv6AddressType

enum

The IPv6 address type of the ALB instance. This does not need to be the same as the IPv4 address type.

  • Internet: public mode. A public domain name is automatically assigned.

  • Intranet: private mode.

Default value: Intranet.

addressIpVersion

enum

Specifies whether the ALB instance supports dual-stack.

  • IPv4: supports only IPv4.

  • DualStack: supports both IPv4 and IPv6.

Default value: IPv4.

resourceGroupId

string

The ID of the resource group to which the instance belongs.

Default value: "".

edition

enum

The edition of the instance. You cannot change the edition of a reused instance.

Default value: Standard.

deletionProtectionEnabled

bool

This is a reserved field. Do not modify it.

forceOverride

bool

Specifies whether to forcibly overwrite the instance properties in reuse mode.

  • true: forcibly overwrites the properties.

  • false: does not forcibly overwrite the properties.

  • null: does not forcibly overwrite the properties.

Default value: false.

listenerForceOverride

bool

Specifies whether to forcibly overwrite the listener properties in reuse mode.

  • true: forcibly overwrites the properties.

  • false: does not forcibly overwrite the properties.

  • null: does not forcibly overwrite the properties.

Default value: null.

zoneMappings

ZoneMapping[]

The zone and EIP configurations.

accessLogConfig

AccessLogConfig

Log collection.

billingConfig

BillingConfig

Billing method.

modificationProtectionConfig

ModificationProtectionConfig

Configuration read-only mode.

tags

Tag[]

The tags of the instance.

securityGroupIds

string[]

The IDs of the security groups to which the ALB instance is added. For more information, see Configure a security group using an AlbConfig.

ZoneMapping

Field

Type

Description

vSwitchId

string

(Required) The ID of the virtual switch.

Default value: "".

zoneId

string

The zone of the virtual switch. Keep the default value.

Default value: "".

allocationId

string

The ID of the elastic IP address (EIP). For a configuration example, see Configure an ALB instance using an AlbConfig.

Default value: "eip-xxxx".

eipType

string

This is a reserved field. Do not modify it.

AccessLogConfig

Field

Type

Description

logProject

string

The name of the Simple Log Service (SLS) project.

Default value: "".

logStore

string

The name of the SLS Logstore. The name must start with alb_. If the Logstore does not exist, it is automatically created. For an SLS Logstore configuration example, see Enable access logs.

Default value: "alb_****".

BillingConfig

Field

Type

Description

internetBandwidth

int

This is a reserved field. Do not modify it.

internetChargeType

string

This is a reserved field. Do not modify it.

payType

enum

This is a reserved field. Do not modify it.

bandWidthPackageId

string

The ID of the Internet Shared Bandwidth instance to attach. You cannot detach the instance after it is attached. For a configuration example, see Internet Shared Bandwidth configuration.

Default value: "cbwp-xxx".

ModificationProtectionConfig

Field

Type

Description

reason

string

Reserved field.

status

string

Reserved field.

Tag

Field

Type

Description

key

string

The key of the tag.

Default value: "".

value

string

The value of the tag.

Default value: "".

ListenerSpec

Field

Type

Description

gzipEnabled

bool

Specifies whether to enable data compression. For a data compression configuration example, see Use data compression.

  • true: enables compression.

  • false: disables compression.

  • null: enables compression.

Default value: null.

http2Enabled

bool

Specifies whether to enable HTTP/2.

  • true: enables HTTP/2.

  • false: disables HTTP/2.

  • null: enables HTTP/2.

Default value: null.

port

int

(Required) The port used by the listener.

Default value: 0.

protocol

enum

(Required) The protocol used by the listener.

  • HTTP: uses the HTTP protocol.

  • HTTPS: uses the HTTPS protocol.

  • QUIC: uses the QUIC protocol.

securityPolicyId

string

The ID of the TLS security policy.

Default value: "".

idleTimeout

int

The idle connection timeout. Unit: seconds (s).

Valid values: 1 to 600.

Default value: 15.

Note

A value of 0 indicates that the default value is used.

loadBalancerId

string

This is a reserved field. Do not modify it.

description

string

The name of the listener.

Default value: automatically generated based on the following rule: ingress-auto-listener-{port}.

caEnabled

bool

Specifies whether to enable mutual authentication.

  • true: enables mutual authentication.

  • false: disables mutual authentication.

Default value: false.

requestTimeout

int

The request timeout. Unit: seconds (s).

Valid values: 1 to 600.

Default value: 60.

quicConfig

QuicConfig

QUIC listener configuration.

defaultActions

Action[]

This is a reserved field. Do not modify it.

caCertificates

Certificate[]

The root CA certificate of the listener.

certificates

Certificate[]

The server certificate of the listener.

xForwardedForConfig

XForwardedForConfig

X-Forwarded-For field configuration.

logConfig

LogConfig

Listener log configuration.

aclConfig

AclConfig

Access control.

QuicConfig

Field

Type

Description

quicUpgradeEnabled

bool

Specifies whether to enable QUIC upgrade. In scenarios where QUIC and HTTPS listeners are used together, quicUpgradeEnabled is used to associate or disassociate the QUIC and HTTPS listeners. For more information, see Use a QUIC listener to support HTTP/3.

  • true: enables QUIC upgrade and associates the QUIC and HTTPS listeners.

  • false: disables QUIC upgrade and does not associate the QUIC and HTTPS listeners.

Default value: false.

quicListenerId

string

The HTTPS listener associated with the QUIC listener.

Default value: "".

Certificate

Field

Type

Description

IsDefault

bool

Specifies whether the certificate is the default certificate. For more information about how to configure a certificate, see Configure an HTTPS certificate to enable encrypted communication.

  • true: specifies the certificate as the default certificate.

  • false: does not specify the certificate as the default certificate.

Default value: false.

Important

You can specify only one certificate as the default certificate.

CertificateId

string

The CertIdentifier of the certificate.

Default value: "".

XForwardedForConfig

Field

Type

Description

XForwardedForClientCertSubjectDNEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-subjectdn header to HTTP requests forwarded by the ALB instance to preserve the owner information of the client certificate.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForProtoEnabled

bool

Specifies whether to add the X-Forwarded-Proto header to HTTP requests forwarded by the ALB instance to record the listener protocol used by the ALB instance.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForClientCertIssuerDNEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-issuerdn header to HTTP requests forwarded by the ALB instance to preserve the issuer information of the client certificate.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForSLBIdEnabled

bool

Specifies whether to add the X-Forwarded-For-SLB-ID header to HTTP requests forwarded by the ALB instance to record the ID of the ALB instance.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForClientSrcPortEnabled

bool

Specifies whether to add the X-Forwarded-Client-Port header to HTTP requests forwarded by the ALB instance to preserve the port information of the client.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForClientCertFingerprintEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-fingerprint header to HTTP requests forwarded by the ALB instance to preserve the fingerprint information of the client certificate.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForEnabled

bool

Specifies whether to add the X-Forwarded-For header to HTTP requests forwarded by the ALB instance to preserve the originating IP address of the client. This feature cannot be disabled.

XForwardedForSLBPortEnabled

bool

Specifies whether to add the X-Forwarded-Port header to HTTP requests forwarded by the ALB instance to record the listener port of the ALB instance.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForClientCertClientVerifyEnabled

bool

Specifies whether to add the X-Forwarded-Clientcert-clientverify header to HTTP requests forwarded by the ALB instance to preserve the verification result of the client certificate.

  • true: adds the header.

  • false: does not add the header.

Default value: false.

XForwardedForClientCertSubjectDNAlias

string

A custom field name. After you specify a value, the X-Forwarded-Clientcert-subjectdn header added by XForwardedForClientCertSubjectDNEnabled is replaced with the specified value.

This field is valid only when XForwardedForClientCertSubjectDNEnabled is set to true.

Default value: "".

XForwardedForClientCertClientVerifyAlias

string

A custom field name. After you specify a value, the X-Forwarded-Clientcert-clientverify header added by XForwardedForClientCertClientVerifyEnabled is replaced with the specified value.

This field is valid only when XForwardedForClientCertClientVerifyEnabled is set to true.

Default value: "".

XForwardedForClientCertIssuerDNAlias

string

A custom field name. After you specify a value, the X-Forwarded-ClientCert-IssuerDN header added by XForwardedForClientCertIssuerDNEnabled is replaced with the specified value.

This field is valid only when XForwardedForClientCertIssuerDNEnabled is set to true.

Default value: "".

XForwardedForClientCertFingerprintAlias

string

A custom field name. After you specify a value, the X-Forwarded-Client-Cert-Fingerprint header added by XForwardedForClientCertFingerprintEnabled is replaced with the specified value.

This field is valid only when XForwardedForClientCertFingerprintEnabled is set to true.

Default value: "".

XForwardedForClientSourceIpsEnabled

bool

Specifies whether to allow ALB to retrieve the originating IP address of the client from the X-Forwarded-For header.

  • true: allows retrieval. You must also configure XForwardedForClientSourceIpsTrusted with a valid value.

  • false: does not allow retrieval.

Default value: false.

XForwardedForClientSourceIpsTrusted

string

Specifies the trusted proxy IP addresses.

Enter a valid IP address or CIDR block. Separate multiple values with semicolons (;) without adding spaces. This field is valid only when XForwardedForClientSourceIpsEnabled is set to true.

  • If you set the trusted IP list to 0.0.0.0/0, ALB retrieves the leftmost address from the X-Forwarded-For request header as the originating IP address of the client.

  • If you set the trusted IP list to proxy1 IP;proxy2 IP;..., ALB retrieves the first value from right to left that is not in the list and uses it as the originating IP address of the client.

Example: 192.168.x.x;192.168.x.x/16
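
The two XForwardedForClientSourceIpsTrusted cases above, written out as an added example (not code from the original page or from ALB). The function names and the sample header are constructed; returning None for a malformed entry and falling back to the leftmost entry when every hop is trusted are assumptions, the latter chosen because it reproduces the documented 0.0.0.0/0 behaviour.

```python
import ipaddress


def parse_trusted(value):
    """Parse a trusted list: IP addresses or CIDR blocks separated by ';' with no spaces."""
    if not value:
        raise ValueError("trusted list is empty")
    if any(ch.isspace() for ch in value):
        raise ValueError("spaces are not allowed in the trusted list")
    networks = []
    for item in value.split(";"):
        if not item:
            raise ValueError("empty entry in the trusted list")
        # strict=False accepts a host address with a prefix length, e.g. 192.168.1.1/16.
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def resolve_client_ip(xff_header, trusted_value):
    """Return the originating client IP selected from an X-Forwarded-For value.

    Walks the header from right to left and returns the first address that is
    not covered by the trusted list. Returns None when the header is empty or
    an entry is not an IP address (assumption, not documented behaviour).
    """
    networks = parse_trusted(trusted_value)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return None
    for hop in reversed(hops):
        try:
            address = ipaddress.ip_address(hop)
        except ValueError:
            return None
        # An IPv4 address is never inside an IPv6 network and vice versa.
        if not any(address in network for network in networks):
            return hop
    # Every hop is trusted: this is what happens with 0.0.0.0/0,
    # and the leftmost entry is used.
    return hops[0]


# Constructed sample header: client, an upstream proxy, an internal proxy.
SAMPLE_XFF = "203.0.113.7, 198.51.100.9, 10.0.0.5"

if __name__ == "__main__":
    for trusted in ("0.0.0.0/0", "10.0.0.0/8", "10.0.0.5;198.51.100.9"):
        print(trusted, "->", resolve_client_ip(SAMPLE_XFF, trusted))
```

With 0.0.0.0/0 the result is the leftmost entry, which is whatever value the incoming request carried, so a narrow list of known proxy addresses gives a more reliable client address for logs and ACL decisions.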

AclConfig

Field

Type

Description

aclName

string

The name of the associated access control list (ACL) policy in AclEntry mode. For more information about how to configure an ACL, see Configure an ACL for access control.

Default value: "".

aclType

enum

The access control mode.

  • Black: blacklist mode. Blocks access from specific IP addresses.

  • White: whitelist mode. Allows access only from specific IP addresses.

aclEntries

string

The ACL entries.

Default value: "".

Important

The aclEntries and aclIds fields cannot be used at the same time. For more information, see Configure an ACL for access control.

aclIds

string

A list of existing policy IDs to associate.

Default value: "".

LogConfig

Field

Type

Description

accessLogRecordCustomizedHeadersEnabled

bool

Specifies whether to use custom headers in the access logs of the ALB instance.

  • true: uses custom headers.

  • false: does not use custom headers.

Default value: false.

accessLogTracingConfig

AccessLogTracingConfig

Parameters for Tracing Analysis. For more information about how to use Tracing Analysis, see Enable Xtrace for Tracing Analysis using an AlbConfig.

AccessLogTracingConfig

Field

Type

Description

tracingEnabled

bool

Specifies whether to enable Tracing Analysis.

  • true: enables Tracing Analysis.

  • false: disables Tracing Analysis.

Default value: false.

tracingSample

int

The sample rate for Tracing Analysis. The unit is 0.01%.

Valid values: 1 to 10000.

tracingType

enum

The sampling algorithm for Tracing Analysis.

  • Zipkin: uses the Zipkin algorithm.

AlbConfigStatus

Important

The following fields, AlbConfigStatus, LoadBalancerStatus, ListenerStatus, and AppliedCertificate, are reserved fields. They are used by ALB Ingress to automatically record status information. Do not modify them.

Field

Output

Description

loadBalancer

LoadBalancerStatus

This is a reserved field. Do not modify it.

The status of the ALB instance.

LoadBalancerStatus

Field

Output

Description

dnsname

string

This is a reserved field. Do not modify it.

The DNS name of the ALB instance.

id

string

This is a reserved field. Do not modify it.

The ID of the ALB instance.

listeners

ListenerStatus

This is a reserved field. Do not modify it.

The listener properties of the ALB instance.

ListenerStatus

Field

Output

Description

portAndProtocol

string

This is a reserved field. Do not modify it.

The port and protocol used by the listener.

certificates

AppliedCertificate

This is a reserved field. Do not modify it.

The certificate that is associated with the listener.

AppliedCertificate

Field

Output

Description

certificateId

string

This is a reserved field. Do not modify it.

The CertIdentifier of the certificate.

isDefault

bool

This is a reserved field. Do not modify it.

Specifies whether the certificate is the default certificate.
