All Products
Search
Document Center

Container Service for Kubernetes:Use an AlbConfig to configure an ALB instance

Last Updated:Nov 15, 2024

An AlbConfig is a CustomResourceDefinition (CRD) that Container Service for Kubernetes (ACK) provides for the Application Load Balancer (ALB) Ingress controller. The ALB Ingress controller uses AlbConfigs to configure ALB instances and listeners. This topic describes how to create, modify, and update an AlbConfig, and how to enable Simple Log Service (SLS).

Table of contents

Category

Reference

ALB instance configurations

Listener configurations

Prerequisites

Usage notes

  • To modify or update resource configurations, we recommend that you use the kubectl edit command. If you need to use the kubectl apply command to modify or update resources, you must first run the kubectl diff command to preview the changes and make sure that the changes are as expected before you run the kubectl apply command. Then, run the kubectl apply command to apply the changes to the resources in your cluster.

  • The NGINX Ingress controller of earlier versions cannot recognize the spec:ingressClassName field in the Ingress resource. If both NGINX Ingresses and ALB Ingresses are configured in your ACK cluster, the ALB Ingresses may be reconciled by an earlier version of the NGINX Ingress controller. To avoid this problem, update the NGINX Ingress controller at the earliest opportunity or use annotations to specify the IngressClasses of ALB Ingresses. For more information, see Update the NGINX Ingress controller or Advanced ALB Ingress configurations.

Create an AlbConfig

An AlbConfig is used to configure an ALB instance. If you want to configure multiple ALB instances, you must create multiple AlbConfigs. To create an AlbConfig, perform the following steps:

Important

When you install the ALB Ingress controller, if you select Create or Select Existing for the Gateway Source parameter, the controller automatically creates an AlbConfig named alb and an IngressClass named alb.

  1. Create a file named alb.yaml and copy the following content to the file. The file is used to create an AlbConfig.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb
    spec:
      config:
        name: alb
        addressType: Internet
        zoneMappings:               
        - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace the value with the ID of the vSwitch that you want to use.
        - vSwitchId: vsw-uf6nun9tql5t8nh15****
      listeners:
        - port: 80
          protocol: HTTP

    Parameter

    Description

    spec.config.name

    The name of the ALB instance.

    spec.config.addressType

    The type of IP address that the ALB instance uses to provide services. Valid values:

    • Internet: The ALB instance uses a public IP address. The domain name of the Ingress is resolved to the public IP address. Therefore, the ALB instance can be accessed over the Internet. This is the default value.

    • Intranet: The ALB instance uses a private IP address. The domain name of the Ingress is resolved to the private IP address. Therefore, the ALB instance is accessible only within the virtual private cloud (VPC) where the ALB instance is deployed.

    Important

    The addressType parameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.

    spec.config.zoneMappings

    The IDs of the vSwitches used by the ALB Ingress. If you want to specify vSwitches in a region that contains multiple zones, you must specify at least two vSwitch IDs in different zones. If you want to specify vSwitches in a region that contains only one zone, you can specify only one vSwitch ID. The specified vSwitch must be deployed in a zone supported by the ALB instance and deployed in the same VPC as the cluster. For more information about the regions and zones supported by ALB Ingresses, see Regions and zones in which ALB is available.

    Important
    • If you want to specify vSwitches in a region that contains multiple zones, you must specify at least two vSwitch IDs in different zones.

    • The zoneMappings parameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.

    When you install the ALB Ingress controller for a cluster, you can create a default AlbConfig. The parameters of the default AlbConfig use the following settings, except for the vSwitchID parameter.

    Default AlbConfig configurations

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb # The name of the AlbConfig. 
    spec:
      config:
        accessLogConfig:
          logProject: ""
          logStore: ""
        addressAllocatedMode: Dynamic # You can use this parameter to specify how an IP address is assigned to the ALB instance. Valid values: Dynamic and Fixed. A value of Dynamic specifies a dynamic IP address. A value of Fixed specifies a static IP address. 
        addressType: Internet
        billingConfig:
          internetBandwidth: 0
          internetChargeType: ""
          payType: PostPay
        deletionProtectionEnabled: true
        edition: Standard
        forceOverride: false
        zoneMappings:
        - vSwitchId: #...
        - vSwitchId: #...
    status:
      loadBalancer:
        dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncs.com
        id: alb-s2em8fr9debkg5****
  2. Run the following command to create an AlbConfig:

    kubectl apply -f alb.yaml

    Expected output:

    AlbConfig.alibabacloud.com/alb created
  3. Run the following command to query the AlbConfig:

    kubectl get AlbConfig

    Expected output:

    NAME   ALBID        DNSNAME                                  PORT&PROTOCOL   CERTID   AGE
    alb    alb-******   alb-******.<regionID>.alb.aliyuncs.com                            28m
    Note

    If you configure HTTP listeners and certificates, the PORT&PROTOCOL and CERTID parameters are not empty. Otherwise, the parameters are empty in the output.

Reuse an existing ALB instance

If you want to reuse an existing ALB instance, specify the ID of the ALB instance in the AlbConfig. You can reuse a standard ALB instance or a Web Application Firewall (WAF)-enabled ALB instance that is created in the ALB console. You cannot reuse a basic ALB instance.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: **** # The ID of the standard ALB instance or WAF-enabled ALB instance that is created in the SLB console. 
    forceOverride: false
    listenerForceOverride: false

The following table describes the parameters.

Parameter

Description

id

  • If the id parameter does not exist or the id parameter is not specified, no ALB instance is reused. In this case, the forceOverride and listenerForceOverride parameters do not take effect.

  • If the id parameter is set to a valid instance ID, the corresponding ALB instance is reused.

    • If the forceOverride parameter is set to true, the ALB instance attributes and listener attributes are forcefully overwritten.

    • If the forceOverride parameter is set to false, the ALB instance attributes are not forcefully overwritten. In this case, the listenerForceOverride parameter determines whether to forcefully overwrite the listener attributes.

Important

If an ALB instance is reused, we recommend that you do not modify the listener names. Otherwise, the listeners cannot be managed by ACK. The listeners created or updated by using AlbConfigs are managed by ACK, and their names are in the ingress-auto-listener-{port} format by default. The listeners whose names are not in the preceding format are managed in the SLB console.

forceOverride

Specifies whether to forcefully overwrite ALB instance attributes when the ALB instance is reused. Valid values:

  • true: forcefully overwrites ALB instance attributes.

  • false: does not overwrite ALB instance attributes. If you set this parameter to false, the ALB instance attributes are not modified when you modify the AlbConfig.

listenerForceOverride

Specifies whether to forcefully overwrite listener attributes when the ALB instance is reused. Valid values:

  • true: forcefully overwrites listener attributes.

  • false: does not overwrite listener attributes.

Update an AlbConfig

To update an ALB instance created by using an AlbConfig, we recommend that you use the kubectl edit command. To update an AlbConfig, perform the following steps:

  1. Run the following command to query the name of the AlbConfig that you want to update:

    kubectl get AlbConfig

    Expected output:

    NAME       ALBID        DNSNAME                                  PORT&PROTOCOL   CERTID   AGE
    alb        alb-******   alb-******.<regionID>.alb.aliyuncs.com                            28m
  2. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

    Update the AlbConfig configuration file based on your business requirements. For example, you can update the spec.config.name parameter to change the name of the ALB instance to new_alb.

    ...
     spec:
       config:
         name: new_alb # The new name of the ALB instance. 
    ...

Use an IngressClass to associate an AlbConfig with an Ingress

You can associate an AlbConfig with an ALB Ingress by using an IngressClass. To do this, specify the AlbConfig in the IngressClass configurations.

  1. Create a file named ingress_class.yaml and copy the following content to the file:

    Clusters that run Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: alb
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb # The name of the AlbConfig that you want to associate.

    Clusters that run Kubernetes versions earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
    kind: IngressClass
    metadata:
      name: alb
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb
  2. Run the following command to create an IngressClass:

    kubectl apply -f ingress_class.yaml

    Expected output:

    ingressclass.networking.k8s.io/alb created
  3. Create a file named ingress.yaml and copy the following content to the file: Set the ingressClassName parameter to the alb IngressClass.

    Clusters that run Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: cafe-ingress 
    spec:
      ingressClassName: alb # Specify the name of the IngressClass that is used to associate the Ingress.
      rules:
      - http:
          paths:
          # Configure a context path. 
          - path: /tea
            pathType: ImplementationSpecific
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          # Configure a context path. 
          - path: /coffee
            pathType: ImplementationSpecific
            backend:
              service:
                name: coffee-svc
                port: 
                  number: 80

    Clusters that run Kubernetes versions earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: cafe-ingress
    spec:
      ingressClassName: alb
      rules:
      - http:
          paths:
          # Configure a context path. 
          - path: /tea
            backend:
              serviceName: tea-svc
              servicePort: 80
          # Configure a context path. 
          - path: /coffee
            backend:
              serviceName: coffee-svc
              servicePort: 80
  4. Run the following command to create an Ingress:

    kubectl apply -f ingress.yaml

    Expected output:

    ingress.networking.k8s.io/cafe-ingress created

After you complete the preceding steps, you can use the IngressClass to associate the AlbConfig with the Ingress.

Create and use multiple ALB instances

If you want to share an Ingress among multiple ALB instances, specify different IngressClasses in the spec.ingressClassName parameter in the Ingress configuration file.

  1. Create a file named alb-2.yaml and copy the following content to the file:

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb-2
    spec:
      config:
        name: alb-2        # The name of an ALB instance. 
        addressType: Internet  # The ALB instance uses a public IP address. 
        zoneMappings:
        - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # The ID of the vSwitch that you want to use.
        - vSwitchId: vsw-uf6nun9tql5t8nh15****
  2. Run the following command to create an AlbConfig:

    kubectl apply -f alb-2.yaml

    Expected output:

    AlbConfig.alibabacloud.com/alb-2 created
  3. Create a file named ingress_class2.yaml and copy the following content to the file. The file is used to create an IngressClass.

    Clusters that run Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: alb-2
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb-2 # The name of the AlbConfig that you want to associate.

    Clusters that run Kubernetes versions earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
    kind: IngressClass
    metadata:
      name: alb-2
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb-2 # The name of the AlbConfig that you want to associate.
  4. Run the following command to create an IngressClass:

    kubectl apply -f ingress_class2.yaml

    Expected output:

    ingressclass.networking.k8s.io/alb-2 created
  5. Create a file named ingress2.yaml and copy the following content to the file. You can use the ingressClassName parameter to specify different ALB instances that you want to associate with the Ingress. In the following example, the ingressClassName parameter is set to alb-2. This associates the Ingress with the alb-2 IngressClass, which is associated with the alb-2 ALB instance.

    Clusters that run Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: cafe-ingress2
    spec:
      ingressClassName: alb-2
      rules:
      - http:
          paths:
          # Configure a context path. 
          - path: /tea
            pathType: ImplementationSpecific
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          # Configure a context path. 
          - path: /coffee
            pathType: ImplementationSpecific
            backend:
              service:
                name: coffee-svc
                port: 
                  number: 80

    Clusters that run Kubernetes versions earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: cafe-ingress2
    spec:
      ingressClassName: alb-2
      rules:
      - http:
          paths:
          # Configure a context path. 
          - path: /tea
            backend:
              serviceName: tea-svc
              servicePort: 80
          # Configure a context path. 
          - path: /coffee
            backend:
              serviceName: coffee-svc
              servicePort: 80
  6. Run the following command to create an Ingress:

    kubectl apply -f ingress2.yaml

    Expected output:

    ingress.networking.k8s.io/cafe-ingress2 created

Enable IPv6

When you use an AlbConfig to create an ALB instance, you can set the addressIpVersion parameter to DualStack to enable IPv4/IPv6 dual stack.

Important

The addressIpVerison parameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressIpVersion: DualStack # Enable IPv4/IPv6 dual stack.
    ...

Specify a custom TLS security policy

When you use an AlbConfig to configure HTTPS listeners, you can specify a TLS security policy. Custom TLS security policies and default TLS security policies are supported. For more information, see TLS security policies.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    securityPolicyId: tls_cipher_policy_1_1 # Specify the ID of the security group.
  #...

Enable SLS to collect access logs

If you want to collect the access logs of ALB Ingresses, set the logProject and logStore parameters in the AlbConfig configuration.

Note
  • If you configure a new or existing SLS project for your cluster when you create the cluster, you can perform the following steps to view the project. Log on to the ACK console. In the left-side navigation pane, click Clusters. On the Clusters page, click the name of your cluster. In the left-side navigation pane of the cluster details page, click Cluster Information. On the Basic Information tab, you can view the Log Service Project that is associated with the cluster.

  • The value of the logStore parameter must start with alb_. If the specified Logstore does not exist, a new Logstore with the specified name is created.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    accessLogConfig:
      logProject: "k8s-log-xz92lvykqj1siwvif****"
      logStore: "alb_****"
    #...

On the Basic Information tab, you can click the project name on the right side of Log Service Project to view the collected logs in the SLS console.

Delete an ALB instance

An AlbConfig is used to configure an ALB instance. Therefore, you can delete an ALB instance by deleting the corresponding AlbConfig.

Important

Before you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig.

Run the following command to delete the AlbConfig:

kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig that you want to delete.

Delete the AlbConfig of a reused ALB instance

If you delete the AlbConfig of a reused ALB instance, the ALB instance is not deleted. To delete the AlbConfig of a reused ALB instance, perform the following steps:

  1. Run the kubectl edit command to modify the AlbConfig to delete all entries of the spec.listeners parameter. This way, all the listeners specified in the AlbConfig are deleted.

    Important

    If the version of the ALB Ingress controller installed in your cluster is later than 2.10.0-aliyun.1, skip this step.

  2. Run the following command to delete the AlbConfig:

    Important

    Before you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig.

    kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig that you want to delete.

Create listeners

ALB instances use listeners to receive and forward external requests based on the application-layer information of the requests. An ALB instance listens for requests from clients only after you create a listener for the ALB instance.

To create a listener, set the port and protocol parameters in the AlbConfig. If you modify the port, protocol, or other parameters of a listener, the original listener is deleted and a new listener is created based on the modified parameters.

A listener supports the following protocols at the application layer: HTTP, HTTPS, and Quick UDP Internet Connections (QUIC).

Important

You can configure multiple listeners that use different protocols at the same time. In this case, you must add the required annotations to the Ingress configurations to specify multiple listening ports. For more information, see Configure custom listening ports.

Create an HTTP listener

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
  ...
  listeners:
    - port: 80
      protocol: HTTP # Valid values: HTTP, HTTPS, and QUIC. 
  ...
Note

HTTP is compatible with WebSocket. No additional configuration is required.

Create an HTTPS listener

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: HTTPS
  ...
Important

You need to configure certificates for an HTTPS listener. For more information, see Configure certificates to encrypt communication on HTTPS ports.

Create a QUIC listener

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
  ...
  listeners:
    - port: 443
      protocol: QUIC
  ...
Important

QUIC listeners can receive requests from clients that use the HTTP/3 protocol. For more information, see Use QUIC listeners to support HTTP/3.

Set the connection timeout period for listeners

You can set the connection timeout period for listeners in the configurations of an AlbConfig. Valid values: 1 to 180. Unit: seconds. If no response is received from the backend server within the specified timeout period, ALB returns an HTTP 504 error code to the client. If you do not specify the connection timeout period, the default timeout period (60 seconds) is used. The following YAML file is an example:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    requestTimeout: 40 # The default timeout period is 60 seconds.
  ...

Configure data compression

After you enable this feature, the ALB instance compresses specific types of files. Valid values of the gzipEnabled parameter:

  • true: compresses specific types of files.

  • false: does not compress files.

Note

All file types support Brotli compression. The following file types support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

The following YAML file is an example:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    gzipEnabled: true
  ...

Preserve client IP addresses

After you enable this feature, the ALB instance adds a parameter that specifies the client IP address to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForEnabled parameter:

  • true: enables client IP address preservation.

  • false: disables client IP address preservation.

Important

This parameter is available for HTTP listeners and HTTPS listeners.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForEnabled: true # XForwardedForEnabled cannot be disabled.
  #...

Retrieve the port that a client uses to connect to an ALB instance

After you enable this feature, the ALB instance adds a parameter that specifies the client port to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForClientSrcPortEnabled parameter:

  • true: retrieves the port that a client uses to connect to the ALB instance.

  • false: does not retrieve the port that a client uses to connect to the ALB instance.

Important

This parameter is available for HTTP listeners and HTTPS listeners.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForClientSrcPortEnabled: true
  ...

Retrieve the listener protocols used by an ALB instance

After you enable this feature, the ALB instance adds a parameter that specifies the listener protocols used by the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForProtoEnabled parameter:

  • true: retrieves the listener protocols used by the ALB instance.

  • false: does not retrieve the listener protocols used by the ALB instance.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForProtoEnabled: true
  ...

Retrieve the ID of an ALB instance

After you enable this feature, the ALB instance adds a parameter that specifies the ID of the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForSLBIdEnabled parameter:

  • true: retrieves the ID of the ALB instance.

  • false: does not retrieve the ID of the ALB instance.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBIdEnabled: true
  ...

Retrieve the listening ports of an ALB instance

After you enable this feature, the ALB instance adds a parameter that specifies the listening ports of the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForSLBPortEnabled parameter:

  • true: retrieves the listener ports of the ALB instance.

  • false: does not retrieve the listener ports of the ALB instance.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBPortEnabled: true
  ...

Specify the IP address of a trusted proxy server

You can specify the XForwardedForClientSourceIpsEnabled parameter in the configurations of an AlbConfig to enable the ALB instance to retrieve client IP addresses from the X-Forwarded-For header field. You can use the XForwardedForClientSourceIpsTrusted parameter to specify a list of trusted proxy server IP addresses. This way, the ALB instance traverses the IP addresses in the X-Forwarded-For header field from the rightmost IP address to the leftmost IP address. The first IP address that is not on the trusted IP address list is considered the client IP address.

For example, if the value of X-Forwarded-For is <client IP, proxy server IP-1, proxy server IP-2>, you can specify proxy server IP-1 and proxy server IP-2 in the XForwardedForClientSourceIpsTrusted parameter. This way, the ALB instance can retrieve client IP addresses.

Important

This parameter is available for HTTP listeners and HTTPS listeners.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata: 
  name: alb
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForClientSourceIpsEnabled: true # A value of true allows the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you set the value to true, you must configure the XForwardedForClientSourceIpsTrusted parameter in a valid format. A value of false forbids the ALB instance from retrieving client IP addresses from the X-Forwarded-For header. 
      XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16  # Enter a valid IP address or CIDR block. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true. 
  ...

Configure network ACLs

You can configure an AlbConfig to enable network access control lists (ACLs) for the listeners of an ALB instance. You can configure network ACLs to allow or deny access from specific IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests. For more information, see Configure ACLs.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
   #...
  listeners:
  - port: 80
    protocol: HTTP
    aclConfig:
      aclEntries:
      - 127.0.0.1/32
      aclType: White
  #...

Parameters:

  • aclType: the type of network ACL. Valid values: Black (blacklist) and White (whitelist).

  • aclEntries: the CIDR block that you want to add to the ACL rule for access control. Example: 127.0.0.1/32.