For demos of common load balancer configurations, see Elastic Load Balancing demos.
Before you begin
• Decide which two Availability Zones you will use for your EC2 instances. Configure your virtual private cloud (VPC) with at least one public subnet in each of these Availability Zones. These public subnets are used to configure the load balancer. You can launch your EC2 instances in other subnets of these Availability Zones instead. For more information, see VPCs and subnets in the Amazon VPC User Guide.
• Launch at least one EC2 instance in each Availability Zone. Be sure to install a web server, such as Apache or Internet Information Services (IIS), on each EC2 instance. Ensure that the security groups for these instances allow HTTP access on port 80. For more information, see Security group rules in the Amazon VPC User Guide.
Step 1: Configure your target group
Create a target group, which is used in request routing. The default rule for your listener routes requests to the registered targets in this target group. The load balancer checks the health of targets in this target group using the health check settings defined for the target group.
To configure your target group
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Load Balancing, choose Target Groups.
3. Choose Create target group.
4. Under Basic configuration, keep the Target type as instance.
5. For Target group name, enter a name for the new target group.
6. Keep the default protocol (HTTP) and port (80).
7. Select the VPC containing your instances. Keep the protocol version as HTTP1.
8. For Health checks, keep the default settings.
9. Choose Next.
10. On the Register targets page, complete the following steps. This is an optional step for creating the load balancer. However, you must register this target if you want to test your load balancer and ensure that it is routing traffic to this target.
a. For Available instances, select one or more instances.
b. Keep the default port 80, and choose Include as pending below.
11. Choose Create target group.
Step 2: Choose a load balancer type
Elastic Load Balancing supports different types of load balancers. For this tutorial, you create an Application Load Balancer.
To create an Application Load Balancer
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation bar, choose a Region for your load balancer. Be sure to choose the same Region that you used for your EC2 instances.
3. In the navigation pane, under Load Balancing, choose Load Balancers.
4. Choose Create Load Balancer.
5. For Application Load Balancer, choose Create.
Step 3: Configure your load balancer and listener
To create an Application Load Balancer, you must first provide basic configuration information for your load balancer, such as a name, scheme, and IP address type. Then, you provide information about your network, and one or more listeners. A listener is a process that checks for connection requests. It is configured with a protocol and a port for connections from clients to the load balancer. For more information about supported protocols and ports, see Listener configuration (p. 26).
To configure your load balancer and listener
1. For Load balancer name, enter a name for your load balancer. For example, my-alb.
2. For Scheme and IP address type, keep the default values.
3. For Network mappings, select the VPC that you used for your EC2 instances. Select at least two Availability Zones and one subnet per zone. For each Availability Zone that you used to launch your EC2 instances, select the Availability Zone and then select one public subnet for that Availability Zone.
4. For Security groups, keep the default. This is the default security group that the console creates for the load balancer on your behalf. It includes rules that allow it to communicate with registered targets on both the listener port and the health check port.
5. For Listeners and routing, keep the default, which is a listener that accepts HTTP traffic on port 80.
For this tutorial, you are not creating an HTTPS listener.
6. For Default action, select the target group that you created and registered in Step 1: Configure your target group.
7. (Optional) Add a tag to categorize your load balancer. Tag keys must be unique for each load balancer. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.
8. Review your configuration, and choose Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer. For more information, see Load balancer attributes (p. 12).
Step 4: Test your load balancer
After creating the load balancer, verify that it's sending traffic to your EC2 instances.
To test your load balancer
1. After you are notified that your load balancer was created successfully, choose Close.
2. In the navigation pane, under Load Balancing, choose Target Groups.
3. Select the newly created target group.
4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it's probably because the instance is still in the process of being registered, or it has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer.
5. In the navigation pane, under Load Balancing, choose Load Balancers.
6. Select the newly created load balancer.
7. Choose Description and copy the DNS name of the load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com). Paste the DNS name into the address field of an internet-connected web browser. If everything is working, the browser displays the default page of your server.
8. (Optional) To define additional listener rules, see Add a rule (p. 45).
Step 5: (Optional) Delete your load balancer
As soon as your load balancer becomes available, you are billed for each hour or partial hour that you keep it running. When you no longer need a load balancer, you can delete it. As soon as the load balancer is deleted, you stop incurring charges for it. Note that deleting a load balancer does not affect the targets registered with the load balancer. For example, your EC2 instances continue to run after deleting the load balancer created in this guide.
To delete your load balancer
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Load Balancing, choose Load Balancers.
3. Select the checkbox for the load balancer, choose Actions, then choose Delete.
4. When prompted for confirmation, choose Yes, Delete.
Tutorial: Create an Application Load Balancer using the AWS CLI
This tutorial provides a hands-on introduction to Application Load Balancers through the AWS CLI.
Before you begin
• Use the following command to verify that you are running a version of the AWS CLI that supports Application Load Balancers.
aws elbv2 help
If you get an error message that elbv2 is not a valid choice, update your AWS CLI. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.
• Launch your EC2 instances in a virtual private cloud (VPC). Ensure that the security groups for these instances allow access on the listener port and the health check port. For more information, see Target security groups (p. 75).
• Decide if you will create an IPv4 or dualstack load balancer. Use IPv4 if you want clients to communicate with the load balancer using IPv4 addresses only. Use dualstack if you want clients to communicate with the load balancer using IPv4 and IPv6 addresses. You can also use dualstack to communicate with backend targets, such as IPv6 applications or dualstack subnets, using IPv6.
Create your load balancer
To create your first load balancer, complete the following steps.
To create a load balancer
1. Use the create-load-balancer command to create a load balancer. You must specify two subnets that are not from the same Availability Zone.
aws elbv2 create-load-balancer --name my-load-balancer \
--subnets subnet-0e3f5cac72EXAMPLE subnet-081ec835f3EXAMPLE --security-groups sg-07e8ffd50fEXAMPLE
Use the create-load-balancer command to create a dualstack load balancer.
aws elbv2 create-load-balancer --name my-load-balancer \
--subnets subnet-0e3f5cac72EXAMPLE subnet-081ec835f3EXAMPLE --security-groups sg-07e8ffd50fEXAMPLE --ip-address-type dualstack
The output includes the Amazon Resource Name (ARN) of the load balancer, with the following format:
arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456
2. Use the create-target-group command to create a target group, specifying the same VPC that you used for your EC2 instances.
You can create IPv4 and IPv6 target groups to associate with dualstack load balancers. The target group's IP address type determines the IP version that the load balancer will use to both communicate with, and check the health of, your backend targets.
IPv4 target groups support IP and instance type targets. IPv6 targets only support IP targets.
aws elbv2 create-target-group --name my-targets --protocol HTTP --port 80 \
    --vpc-id vpc-0598c7d356EXAMPLE --ip-address-type [ipv4 or ipv6]
The output includes the ARN of the target group, with this format:
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/1234567890123456
3. Use the register-targets command to register your instances with your target group:
aws elbv2 register-targets --target-group-arn targetgroup-arn \
    --targets Id=i-0abcdef1234567890 Id=i-1234567890abcdef0
4. Use the create-listener command to create a listener for your load balancer with a default rule that forwards requests to your target group:
aws elbv2 create-listener --load-balancer-arn loadbalancer-arn \
    --protocol HTTP --port 80 \
    --default-actions Type=forward,TargetGroupArn=targetgroup-arn
The output contains the ARN of the listener, with the following format:
arn:aws:elasticloadbalancing:us-east-2:123456789012:listener/app/my-load-balancer/1234567890123456/1234567890123456
5. (Optional) You can verify the health of the registered targets for your target group using this describe-target-health command:
aws elbv2 describe-target-health --target-group-arn targetgroup-arn
Add an HTTPS listener
If you have a load balancer with an HTTP listener, you can add an HTTPS listener as follows.
To add an HTTPS listener to your load balancer
1. Create an SSL certificate for use with your load balancer using one of the following methods:
• Create or import the certificate using AWS Certificate Manager (ACM). For more information, see Request a certificate or Importing certificates in the AWS Certificate Manager User Guide.
• Upload the certificate using AWS Identity and Access Management (IAM). For more information, see Working with server certificates in the IAM User Guide.
2. Use the create-listener command to create the listener with a default rule that forwards requests to your target group. You must specify an SSL certificate when you create an HTTPS listener. Note that you can specify an SSL policy other than the default using the --ssl-policy option.
aws elbv2 create-listener --load-balancer-arn loadbalancer-arn \
    --protocol HTTPS --port 443 \
    --certificates CertificateArn=certificate-arn \
    --default-actions Type=forward,TargetGroupArn=targetgroup-arn
Add path-based routing
If you have a listener with a default rule that forwards requests to one target group, you can add a rule that forwards requests to another target group based on URL. For example, you can route general requests to one target group and requests to display images to another target group.
To add a rule to a listener with a path pattern
1. Use the create-target-group command to create a target group:
aws elbv2 create-target-group --name my-targets --protocol HTTP --port 80 \
    --vpc-id vpc-0598c7d356EXAMPLE
2. Use the register-targets command to register your instances with your target group:
aws elbv2 register-targets --target-group-arn targetgroup-arn \
    --targets Id=i-0abcdef1234567890 Id=i-1234567890abcdef0
3. Use the create-rule command to add a rule to your listener that forwards requests to the target group if the URL contains the specified pattern:
aws elbv2 create-rule --listener-arn listener-arn --priority 10 \
    --conditions Field=path-pattern,Values='/img/*' \
    --actions Type=forward,TargetGroupArn=targetgroup-arn
Delete your load balancer
When you no longer need your load balancer and target group, you can delete them as follows:
aws elbv2 delete-load-balancer --load-balancer-arn loadbalancer-arn
aws elbv2 delete-target-group --target-group-arn targetgroup-arn
Application Load Balancers
A load balancer serves as the single point of contact for clients. Clients send requests to the load balancer, and the load balancer sends them to targets, such as EC2 instances. To configure your load balancer, you create target groups (p. 61), and then register targets with your target groups. You also create listeners (p. 26) to check for connection requests from clients, and listener rules to route requests from clients to the targets in one or more target groups.
For more information, see How Elastic Load Balancing works in the Elastic Load Balancing User Guide.
Contents
• Subnets for your load balancer (p. 10)
• Load balancer security groups (p. 12)
• Load balancer state (p. 12)
• Load balancer attributes (p. 12)
• IP address type (p. 13)
• Connection idle timeout (p. 14)
• Deletion protection (p. 14)
• Desync mitigation mode (p. 15)
• Application Load Balancers and AWS WAF (p. 16)
• Create an Application Load Balancer (p. 17)
• Availability Zones for your Application Load Balancer (p. 20)
• Security groups for your Application Load Balancer (p. 21)
• IP address types for your Application Load Balancer (p. 23)
• Tags for your Application Load Balancer (p. 24)
• Delete an Application Load Balancer (p. 24)
Subnets for your load balancer
When you create an Application Load Balancer, you must specify one of the following types of subnets: Availability Zone, Local Zone, or Outpost.
Availability Zones
You must select at least two Availability Zone subnets. The following restrictions apply:
• Each subnet must be from a different Availability Zone.
• To ensure that your load balancer can scale properly, verify that each Availability Zone subnet for your load balancer has a CIDR block with at least a /27 bitmask (for example, 10.0.0.0/27) and at least 8 free IP addresses per subnet. Your load balancer uses these IP addresses to establish connections with the targets. Depending on your traffic profile, the load balancer can scale higher and consume up to a maximum of 100 IP addresses distributed across all enabled subnets.
Local Zones
You can specify one or more Local Zone subnets. The following restrictions apply:
• You cannot use AWS WAF with the load balancer.
• You cannot use a Lambda function as a target.
Outposts
You can specify a single Outpost subnet. The following restrictions apply:
• You must have installed and configured an Outpost in your on-premises data center. You must have a reliable network connection between your Outpost and its AWS Region. For more information, see the AWS Outposts User Guide.
• The load balancer requires two instances on the Outpost for the load balancer nodes. The supported instances are shown in the following table. Initially, the instances are large instances. The load balancer scales as needed, from large to xlarge, xlarge to 2xlarge, and 2xlarge to 4xlarge. If you need additional capacity, the load balancer adds 4xlarge instances. If you do not have sufficient instance capacity or available IP addresses to scale the load balancer, the load balancer reports an event to the AWS Health Dashboard and the load balancer state is active_impaired.
• You can register targets by instance ID or IP address. If you register targets in the AWS Region for the Outpost, they are not used.
• The following features are not available: Lambda functions as targets, AWS WAF integration, sticky sessions, authentication support, and integration with AWS Global Accelerator.
An Application Load Balancer can be deployed on c5/c5d, m5/m5d, or r5/r5d instances on an Outpost.
The following table shows the size and EBS volume per instance type that the load balancer can use on an Outpost:
Instance type    Size       EBS volume (GB)
c5/c5d           large      50
c5/c5d           xlarge     50
c5/c5d           2xlarge    50
c5/c5d           4xlarge    100
m5/m5d           large      50
m5/m5d           xlarge     50
m5/m5d           2xlarge    100
m5/m5d           4xlarge    100
r5/r5d           large      50
r5/r5d           xlarge     100
r5/r5d           2xlarge    100
r5/r5d           4xlarge    100
Load balancer security groups
A security group acts as a firewall that controls the traffic allowed to and from your load balancer. You can choose the ports and protocols to allow for both inbound and outbound traffic.
The rules for the security groups that are associated with your load balancer must allow traffic in both directions on both the listener and the health check ports. Whenever you add a listener to a load balancer or update the health check port for a target group, you must review your security group rules to ensure that they allow traffic on the new port in both directions. For more information, see Recommended rules (p. 21).
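The review described above, as an added example that is not part of the AWS documentation: it collects the listener ports and the resolved health check ports, then reports every port and direction that none of the load balancer's security groups allows. Input shapes are assumed to follow the AWS CLI output of describe-security-groups (IpPermissions, IpPermissionsEgress), describe-listeners (Port) and describe-target-groups (Port, HealthCheckPort); CIDR ranges are deliberately not evaluated, only protocol and port coverage.

```python
"""Check that a load balancer's security groups allow the listener and
health check ports in both directions (added example, not AWS code)."""
from typing import Iterable, List, Set


def _rule_covers(rule: dict, port: int) -> bool:
    """True if one security group rule permits TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _allowed(rules: Iterable[dict], port: int) -> bool:
    return any(_rule_covers(r, port) for r in rules)


def relevant_ports(listeners: List[dict], target_groups: List[dict]) -> Set[int]:
    """Collect every listener port and every resolved health check port.

    HealthCheckPort may be the literal "traffic-port", meaning the target
    group's own Port rather than a fixed number (assumed CLI output shape).
    """
    ports = {int(lst["Port"]) for lst in listeners}
    for tg in target_groups:
        hc = tg.get("HealthCheckPort", "traffic-port")
        ports.add(int(tg["Port"]) if hc == "traffic-port" else int(hc))
    return ports


def missing_port_rules(security_groups: List[dict], ports: Iterable[int]) -> List[str]:
    """Return one finding per port/direction that no associated group allows."""
    inbound = [r for g in security_groups for r in g.get("IpPermissions", [])]
    outbound = [r for g in security_groups for r in g.get("IpPermissionsEgress", [])]
    findings = []
    for port in sorted(set(ports)):
        if not _allowed(inbound, port):
            findings.append(f"inbound tcp/{port} not allowed")
        if not _allowed(outbound, port):
            findings.append(f"outbound tcp/{port} not allowed")
    return findings


# Constructed sample: the group was written for the HTTP listener on port 80,
# then an HTTPS listener on 443 was added and the target group's health check
# port was changed to 8080 without revisiting the rules.
SAMPLE_GROUPS = [{
    "GroupId": "sg-0123456789EXAMPLE",  # constructed id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}]
SAMPLE_LISTENERS = [{"Port": 80, "Protocol": "HTTP"}, {"Port": 443, "Protocol": "HTTPS"}]
SAMPLE_TARGET_GROUPS = [{"Port": 80, "HealthCheckPort": "8080"}]

if __name__ == "__main__":
    for finding in missing_port_rules(SAMPLE_GROUPS, relevant_ports(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS)):
        print(finding)
```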
Load balancer state
A load balancer can be in one of the following states:
provisioning
The load balancer is being set up.
active
The load balancer is fully set up and ready to route traffic.
active_impaired
The load balancer is routing traffic but does not have the resources it needs to scale.
failed
The load balancer could not be set up.
Load balancer attributes
The following are the load balancer attributes:
access_logs.s3.enabled
Indicates whether access logs stored in Amazon S3 are enabled. The default is false.
access_logs.s3.bucket
The name of the Amazon S3 bucket for the access logs. This attribute is required if access logs are enabled. For more information, see Bucket permissions (p. 116).
access_logs.s3.prefix
The prefix for the location in the Amazon S3 bucket.
deletion_protection.enabled
Indicates whether deletion protection is enabled. The default is false.
idle_timeout.timeout_seconds
The idle timeout value, in seconds. The default is 60 seconds.
ipv6.deny_all_igw_traffic
Blocks internet gateway (IGW) access to the load balancer, preventing unintended access to your internal load balancer through an internet gateway. It is set to false for internet-facing load balancers and true for internal load balancers. This attribute does not prevent non-IGW internet access (such as through peering, Transit Gateway, AWS Direct Connect, or AWS VPN).
routing.http.desync_mitigation_mode
Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are monitor, defensive, and strictest. The default is defensive.
routing.http.drop_invalid_header_fields.enabled
Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true), or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names conform to the regular expression [-A-Za-z0-9]+, which describes all registered internet message headers. Each name consists of alphanumeric characters or hyphens.
routing.http.x_amzn_tls_version_and_cipher_suite.enabled
Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is false.
routing.http.xff_client_port.enabled
Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
routing.http2.enabled
Indicates whether HTTP/2 is enabled. The default is true.
waf.fail_open.enabled
Indicates whether to allow an AWS WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are true and false. The default is
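An added audit of the attributes listed above (example code, not from the AWS documentation): it takes the attribute list in the shape returned by describe-load-balancer-attributes, a list of Key/Value objects with string values, and reports every attribute that deviates from a hardening baseline; the baseline values are this example's own assumptions, not AWS defaults, and the header-name check uses the regular expression quoted under routing.http.drop_invalid_header_fields.enabled.

```python
"""Audit Application Load Balancer attributes against a hardening baseline
(added example, not AWS code)."""
import re
from typing import Dict, List, Set

# Baseline: acceptable values per attribute key (assumption, not an AWS default).
BASELINE: Dict[str, Set[str]] = {
    "access_logs.s3.enabled": {"true"},                                # keep an audit trail
    "deletion_protection.enabled": {"true"},                           # resist accidental deletion
    "routing.http.drop_invalid_header_fields.enabled": {"true"},       # drop malformed header names
    "routing.http.desync_mitigation_mode": {"defensive", "strictest"}, # never leave it on "monitor"
    "waf.fail_open.enabled": {"false"},                                # fail closed if WAF is unreachable
}

# Header names Elastic Load Balancing treats as valid (regex quoted on the page).
VALID_HEADER_NAME = re.compile(r"[-A-Za-z0-9]+")


def is_valid_header_name(name: str) -> bool:
    """True if `name` would survive drop_invalid_header_fields."""
    return VALID_HEADER_NAME.fullmatch(name) is not None


def attributes_to_dict(attributes: List[dict]) -> Dict[str, str]:
    return {a["Key"]: a["Value"] for a in attributes}


def audit_attributes(attributes: List[dict]) -> List[str]:
    """Return one finding per deviation; an empty list means the baseline is met."""
    attrs = attributes_to_dict(attributes)
    findings = []
    for key, allowed in BASELINE.items():
        value = attrs.get(key)
        if value is None:
            findings.append(f"{key}: attribute not present")
        elif value not in allowed:
            findings.append(f"{key}: is {value!r}, expected one of {sorted(allowed)}")
    # The page states that the bucket is required once access logs are enabled.
    if attrs.get("access_logs.s3.enabled") == "true" and not attrs.get("access_logs.s3.bucket"):
        findings.append("access_logs.s3.bucket: required when access logs are enabled")
    return findings


def with_overrides(attributes: List[dict], overrides: Dict[str, str]) -> List[dict]:
    """Copy of the attribute list with the given values applied (what-if checks)."""
    out = [dict(a) for a in attributes]
    for a in out:
        if a["Key"] in overrides:
            a["Value"] = overrides[a["Key"]]
    return out


# Constructed sample: a load balancer still on the defaults listed on the page.
SAMPLE_DEFAULTS = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "access_logs.s3.bucket", "Value": ""},
    {"Key": "access_logs.s3.prefix", "Value": ""},
    {"Key": "deletion_protection.enabled", "Value": "false"},
    {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    {"Key": "routing.http.desync_mitigation_mode", "Value": "defensive"},
    {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "false"},
    {"Key": "routing.http2.enabled", "Value": "true"},
    {"Key": "waf.fail_open.enabled", "Value": "false"},  # constructed value; the page cuts off before the default
]

if __name__ == "__main__":
    for finding in audit_attributes(SAMPLE_DEFAULTS):
        print(finding)
```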