All Products
Search

This Product

    Container Service for Kubernetes:Advanced usage of ALB Ingress

    Document Center

    Container Service for Kubernetes:Advanced usage of ALB Ingress

    Last Updated:Mar 26, 2026

    ALB Ingress provides Layer 7 load balancing for services in ACK clusters. This page covers advanced routing, traffic management, and protocol configurations — with annotation references and working YAML examples for each feature.

    Annotation quick reference

    All annotations apply to the metadata.annotations field of an Ingress resource unless noted otherwise in the Location column.

    Annotation Type Default Location Feature
    alb.ingress.kubernetes.io/healthcheck-enabled boolean "false" Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-path string / Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-protocol enum HTTP Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-httpversion enum HTTP1.1 Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-method enum HEAD Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-code string http_2xx (HTTP/HTTPS); 0 (gRPC) Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-httpcode string http_2xx Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds integer 5 Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-interval-seconds integer 2 Ingress Health checks
    alb.ingress.kubernetes.io/healthy-threshold-count integer 3 Ingress Health checks
    alb.ingress.kubernetes.io/unhealthy-threshold-count integer 3 Ingress Health checks
    alb.ingress.kubernetes.io/healthcheck-connect-port integer 0 Ingress Health checks
    alb.ingress.kubernetes.io/ssl-redirect boolean Ingress HTTP to HTTPS redirect
    alb.ingress.kubernetes.io/backend-protocol enum Ingress Backend protocol
    alb.ingress.kubernetes.io/use-regex boolean Ingress Regex path matching
    alb.ingress.kubernetes.io/rewrite-target string Ingress Path rewrite
    alb.ingress.kubernetes.io/listen-ports JSON Ingress Custom listening ports
    alb.ingress.kubernetes.io/order integer 10 Ingress Forwarding rule priority
    alb.ingress.kubernetes.io/canary boolean Ingress Canary release
    alb.ingress.kubernetes.io/canary-by-header string Ingress Canary release
    alb.ingress.kubernetes.io/canary-by-header-value string Ingress Canary release
    alb.ingress.kubernetes.io/canary-by-cookie string Ingress Canary release
    alb.ingress.kubernetes.io/canary-weight integer Ingress Canary release
    alb.ingress.kubernetes.io/sticky-session boolean "false" Ingress Session persistence
    alb.ingress.kubernetes.io/sticky-session-type enum Insert Ingress Session persistence
    alb.ingress.kubernetes.io/cookie-timeout integer 1000 Ingress Session persistence
    alb.ingress.kubernetes.io/cookie string "" Ingress Session persistence
    alb.ingress.kubernetes.io/backend-scheduler enum wrr Ingress Load balancing algorithm
    alb.ingress.kubernetes.io/backend-scheduler-uch-value string Ingress Load balancing algorithm
    alb.ingress.kubernetes.io/enable-cors boolean "false" Ingress CORS
    alb.ingress.kubernetes.io/cors-allow-origin string * Ingress CORS
    alb.ingress.kubernetes.io/cors-allow-methods string GET, PUT, POST, DELETE, PATCH, OPTIONS Ingress CORS
    alb.ingress.kubernetes.io/cors-allow-headers string DNT,X-CustomHeader,... Ingress CORS
    alb.ingress.kubernetes.io/cors-expose-headers string "" Ingress CORS
    alb.ingress.kubernetes.io/cors-allow-credentials boolean "true" Ingress CORS
    alb.ingress.kubernetes.io/cors-max-age integer 172800 Ingress CORS
    alb.ingress.kubernetes.io/backend-keepalive boolean Ingress Backend persistent connections
    alb.ingress.kubernetes.io/enable-ipv6 boolean Ingress IPv6 attachment
    alb.ingress.kubernetes.io/traffic-limit-qps integer Ingress QPS rate limiting
    alb.ingress.kubernetes.io/slow-start-enabled boolean "false" Ingress Backend slow start
    alb.ingress.kubernetes.io/slow-start-duration integer 30 Ingress Backend slow start
    alb.ingress.kubernetes.io/connection-drain-enabled boolean "false" Ingress Connection draining
    alb.ingress.kubernetes.io/connection-drain-timeout integer 300 Ingress Connection draining
    alb.ingress.kubernetes.io/cross-zone-enabled boolean "true" Ingress Cross-zone load balancing

    Route requests by domain name

    The following example routes requests to demo.domain.ingress.top/hello to demo-service.

    Deploy the Service, Deployment, and Ingress:

    Kubernetes 1.19 and later

    apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: demo.domain.ingress.top
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: demo.domain.ingress.top
      http:
        paths:
          - backend:
              serviceName: demo-service
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

    Run kubectl get ing to get the ALB instance address, then verify:

    curl -H "host: demo.domain.ingress.top" <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    Route requests with an empty domain name

    When no domain name is specified, ALB routes requests using only the path. The following example routes all requests to <ADDRESS>/hello to demo-service.

    Kubernetes 1.19 and later

    apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: ""
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    Kubernetes earlier than 1.19

    apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: ""
      http:
        paths:
          - backend:
              serviceName: demo-service
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

    Verify the routing rule:

    curl <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    Route requests by URL path

    Use the pathType field to control how ALB matches request paths. Three matching methods are supported:

    pathType value Behavior
    Exact Matches the exact path only.
    ImplementationSpecific Uses the ALB Ingress controller's logic, which treats this as an exact match. If no path is set, defaults to /.
    Prefix Matches any path that starts with the specified prefix, separated by /. Matching is case-sensitive and hierarchical.
    Important

    If pathType is Exact or Prefix, the path field must be a non-empty absolute path. Otherwise, the Ingress fails validation and cannot be created. When multiple rules match the same request, ALB applies forwarding rule priorities to determine which rule wins. See Configure forwarding rule priorities.

    Path matching reference

    Simple paths

    Matching method Rule path Request path Match?
    Prefix / Any path Yes
    Prefix /foo /foo, /foo/ Yes
    Prefix /foo/ /foo, /foo/ Yes
    Prefix /aaa /ccc No — prefix not matched
    Exact or ImplementationSpecific /foo /foo Yes
    Exact or ImplementationSpecific /foo /bar, /foo/ No
    Exact or ImplementationSpecific /foo/ /foo No

    Hierarchical paths

    Matching method Rule path Request path Match?
    Prefix /aaa/bb /aaa/bbb No
    Prefix /aaa/bbb /aaa/bbb Yes
    Prefix /aaa/bbb/ /aaa/bbb Yes — trailing slash in rule path is ignored
    Prefix /aaa/bbb /aaa/bbb/ Yes — matches trailing slash in request path
    Prefix /aaa/bbb /aaa/bbb/ccc Yes — matches subpath

    Multiple rule paths

    Matching method Rule paths Request path Match?
    Prefix /, /aaa /aaa/ccc Yes — matches / prefix in the rule path
    Prefix /aaa, / /aaa/ccc Yes — matches /aaa prefix in the rule path
    Prefix /aaa, / /ccc Yes — matches / prefix in the rule path
    Prefix /aaa, /bbb /ccc No — prefix not matched

    Prefix match

    The following example routes all paths starting with / (including /hello) to demo-service.

    Kubernetes 1.19 and later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-path-prefix
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            backend:
              service:
                name: demo-service
                port:
                  number: 80
            pathType: Prefix

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-path-prefix
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            backend:
              serviceName: demo-service
              servicePort: 80
            pathType: Prefix

    Test:

    curl <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    Exact match

    The following example routes only /hello to demo-service. Any other path returns no match.

    Kubernetes 1.19 and later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /hello
            backend:
              service:
                name: demo-service
                port:
                  number: 80
            pathType: Exact

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /hello
            backend:
              serviceName: demo-service
              servicePort: 80
            pathType: Exact

    Configure health checks

    ALB Ingress supports health checks via annotations on the Ingress resource.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-httpversion: "HTTP1.1"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-code: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

    Health check annotation reference

    Annotation Description Default
    alb.ingress.kubernetes.io/healthcheck-enabled Enables ("true") or disables ("false") health checks for backend server groups. "false"
    alb.ingress.kubernetes.io/healthcheck-path Health check path. /
    alb.ingress.kubernetes.io/healthcheck-protocol Protocol for health checks: HTTP, HTTPS, TCP, or GRPC. HTTP
    alb.ingress.kubernetes.io/healthcheck-httpversion HTTP version. Applies only when healthcheck-protocol is HTTP or HTTPS. Valid values: HTTP1.0, HTTP1.1. HTTP1.1
    alb.ingress.kubernetes.io/healthcheck-method Health check method: HEAD, POST, or GET. When healthcheck-protocol is GRPC, use POST or GET. HEAD
    alb.ingress.kubernetes.io/healthcheck-code Health check status codes. A backend server is marked healthy only if the probe returns one of these codes. If both healthcheck-httpcode and healthcheck-code are set, healthcheck-code takes precedence. For HTTP or HTTPS: http_2xx, http_3xx, http_4xx, http_5xx (comma-separated). For GRPC: integers in range [0, 99], comma-separated, up to 20 ranges. http_2xx (HTTP/HTTPS); 0 (gRPC)
    alb.ingress.kubernetes.io/healthcheck-httpcode Health check status code. Valid values: http_2xx, http_3xx, http_4xx, http_5xx. When healthcheck-code is also set, this annotation is ignored. http_2xx
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds Health check timeout, in seconds. Valid values: [1, 300]. 5
    alb.ingress.kubernetes.io/healthcheck-interval-seconds Health check interval, in seconds. Valid values: [1, 50]. 2
    alb.ingress.kubernetes.io/healthy-threshold-count Number of consecutive successful checks before a backend server is marked healthy. Valid values: [2, 10]. 3
    alb.ingress.kubernetes.io/unhealthy-threshold-count Number of consecutive failed checks before a backend server is marked unhealthy. Valid values: [2, 10]. 3
    alb.ingress.kubernetes.io/healthcheck-connect-port Port used for health checks. 0 means use the backend server port. 0

    Redirect HTTP to HTTPS

    Add the ssl-redirect annotation to redirect HTTP traffic on port 80 to HTTPS port 443.

    Important

    This annotation applies only to HTTP forwarding rules on listening port 80. It works only alongside custom forwarding actions (such as RemoveHeader and InsertHeader) and the CORS annotation. An HTTPS listener on port 443 must already be configured in the AlbConfig before using this annotation. See Configure ALB listeners using an AlbConfig.

    Kubernetes 1.19 and later

    apiVersion: v1
kind: Service
metadata:
  name: demo-service-ssl
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo-ssl
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ssl
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ssl
  template:
    metadata:
      labels:
        app: demo-ssl
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo-ssl
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/ssl-redirect: "true"
  name: demo-ssl
  namespace: default
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - ssl.alb.ingress.top
  rules:
    - host: ssl.alb.ingress.top
      http:
        paths:
          - backend:
              service:
                name: demo-service-ssl
                port:
                  number: 80
            path: /
            pathType: Prefix
    Annotation Description
    alb.ingress.kubernetes.io/ssl-redirect: "true" Redirects HTTP requests to HTTPS port 443.

    Configure backend protocol (HTTPS and gRPC)

    ALB supports HTTPS and gRPC as backend protocols. Set the backend-protocol annotation on the Ingress.

    Important

    After an Ingress is created, you cannot modify the backend protocol. To change it, delete and recreate the Ingress.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "grpc"
  name: demo-alb-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grpc-demo-svc
            port:
              number: 9080
    Annotation Value Description
    alb.ingress.kubernetes.io/backend-protocol "https" The backend service uses HTTPS.
    "grpc" The backend service uses gRPC. To forward gRPC traffic, configure an SSL certificate for the domain name and use TLS for communication.

    Configure regular expressions

    Add the use-regex annotation to enable regular expression (regex) matching in path rules.

    Important

    • This annotation applies only to path rules where pathType is Prefix.

    • If this annotation is present — regardless of whether its value is true or false — regex matching is enabled. To disable regex matching, remove the annotation entirely.

    • Without this annotation, paths containing special characters such as %#;!()[]^,"\" cannot be created.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/use-regex: "true"
    alb.ingress.kubernetes.io/conditions.<YOUR-SVC-NAME>: |
      [{
        "type": "Path",
        "pathConfig": {
            "values": [
               "~*/pathvalue1",
               "/pathvalue2"
            ]
        }
       }]
  name: ingress-example
spec:
  ingressClassName: alb
  rules:
   - http:
      paths:
      - path: /test-path-for-alb
        pathType: Prefix
        backend:
          service:
            name: <YOUR-SVC-NAME>
            port:
              number: 88

    Replace <YOUR-SVC-NAME> with the actual Service name. The name must match backend.service.name.

    Regex flags

    Prefix Behavior Example
    ~ Case-insensitive matching ~/api matches /API
    ~* Case-sensitive matching ~*/api does not match /Api
    (none) Exact matching /pathvalue2

    Matching behavior

    Object Prefix Rule Request Match?
    Domain name ~ ~test.example.com test.EXAMPLE.com Yes
    Path ~ ~/api /API Yes
    Path ~* ~*/api /Api No

    Regex prefix matching

    By default, regex matching uses "contains" semantics — a rule matches if the request contains content that matches the expression. To restrict matching to paths that start with specific content, prefix the regex with ^.

    For example, ~*^/api matches only paths that start with /api.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-example
  annotations:
    alb.ingress.kubernetes.io/use-regex: "true"
    alb.ingress.kubernetes.io/conditions.<YOUR-SVC-NAME>: |
      [
        {
          "type": "Path",
          "pathConfig": {
            "values": [
              "~*^/pathvalue1",
              "/pathvalue2"
            ]
          }
        }
      ]
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /test-path-for-alb
            pathType: Prefix
            backend:
              service:
                name: <YOUR-SVC-NAME>
                port:
                  number: 88

    Configure rewrite

    ALB Ingress rewrites the request path before forwarding it to the backend Service. Two annotations work together:

    • alb.ingress.kubernetes.io/rewrite-target: /<path>/${number} — Specifies the rewritten path. Use ${1}, ${2}, or ${3} to reference capturing groups from the original path (up to three groups).

    • alb.ingress.kubernetes.io/use-regex: "true" — Enables regex matching in the path. This is enabled automatically when rewrite-target is set.

    Important

    • pathType must be Prefix.

    • The rewrite-target annotation changes only the path. To rewrite the domain name or query parameters, use custom forwarding rules.

    Example 1: Strip a path prefix

    The path /something(/|$)(.*) captures two groups:

    • Group 1 ((/|$)): matches /something followed by / or end-of-path.

    • Group 2 (.*): matches everything after /something/.

    The rewrite target /${2} prepends / to the second capturing group.

    Original path Matches? Rewritten path
    /something Yes — group 2 is empty /
    /something/ Yes — group 2 is empty /
    /something/new Yes — group 2 is new /new
    /something-new/item No — no rule matched; ALB returns 503 
    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    alb.ingress.kubernetes.io/use-regex: "true"
    alb.ingress.kubernetes.io/rewrite-target: /${2}
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /something(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080

    Example 2: Capture and rearrange multiple path segments

    The path /items/(.*)/(.*)/(.*) captures three groups. The rewrite target /${2}?code=${3} combines groups 2 and 3 into a new path with a query parameter.

    This example requires exactly four path segments. Use it only when clients use a fixed path format.
    Original path Matches? Rewritten path
    /items/electronics/computers/554 Yes /computers?code=554
    /items/produce/fruits/12 Yes /fruits?code=12
    /items/headphones/5 No — ALB returns 503
    /drinks/41 No — ALB returns 503 
    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    alb.ingress.kubernetes.io/use-regex: "true"
    alb.ingress.kubernetes.io/rewrite-target: /${2}?code=${3}
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /items/(.*)/(.*)/(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080

    Example 3: Rewrite multiple paths to a single path

    The following example matches two paths (/app-a(/|$)(.*) and /app-b(/|$)(.*)) and rewrites both to /app-c/<group-2>.

    Original path Matches? Rewritten path
    /app-a/item1 Yes — group 2 is item1 /app-c/item1
    /app-a/item2 Yes — group 2 is item2 /app-c/item2
    /app-a or /app-a/ Yes — group 2 is empty /app-c/
    /drinks/41 No — ALB returns 503 
    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    alb.ingress.kubernetes.io/use-regex: "true"
    alb.ingress.kubernetes.io/rewrite-target: /app-c/${2}
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /app-a(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080
      - path: /app-b(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080

    Verify rewrite rules locally

    Use sed to test whether a path matches your regex and preview the rewritten result before deploying. The following example tests Example 2's capture path /items/(.*)/(.*)/(.*) against the rewrite rule /${2}?code=${3}.

    1. Save the test paths to a file:

      cat > path2.txt << 'EOF'
/items/electronics/computers/554
/items/produce/fruits/12
/items/headphones/5
/drinks/41
EOF

    2. Run sed to check for matches and preview rewritten paths. The command escapes / with \ and changes ${2} to \2 for sed syntax:

      sed -E 's#\/items\/(.*)\/(.*)\/(.*)#Matched: [&]  --->  Rewritten: [/\2?code=\3]#' path2.txt

      Expected output — the first two paths match and are rewritten; the last two do not:

      Matched: [/items/electronics/computers/554]  --->  Rewritten: [/computers?code=554]
Matched: [/items/produce/fruits/12]  --->  Rewritten: [/fruits?code=12]
/items/headphones/5
/drinks/41

    Configure custom listening ports

    Use the listen-ports annotation to expose a service on both port 80 (HTTP) and port 443 (HTTPS) simultaneously.

    Important

    ALB does not support creating listeners directly through an Ingress. First create the required listeners in the AlbConfig, then reference them in the Ingress. See Configure ALB listeners using an AlbConfig.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Description
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]' Configures the service to listen on port 80 (HTTP) and port 443 (HTTPS).

    Configure forwarding rule priorities

    ALB assigns forwarding rule priorities in the following order by default:

    • Across Ingress resources: sorted lexicographically by namespace/name. A lexicographically smaller value gets a higher priority. Namespaces are compared first; if equal, names are compared character by character.

    • Within the same Ingress: rules are prioritized by their order in the rules field. Rules listed earlier have higher priority.

    To set a custom priority without changing namespace/name, use the order annotation:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/order: "2"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Description Valid values Default
    alb.ingress.kubernetes.io/order Priority for ALB forwarding rules. A lower value means higher priority. Priorities must be unique within the same listener. [1, 1000] 10

    Implement canary release

    ALB supports canary releases based on request headers, cookies, and traffic weight. Canary rules are evaluated in the following order of precedence:

    Header > Cookie > Weight (highest to lowest)

    Create a canary Ingress with alb.ingress.kubernetes.io/canary: "true", then add one or more of the canary routing annotations below.

    Important

    Keep the original Ingress rules in place during a canary release. Deleting them may cause service disruptions. After validating the canary release, update the backend Service in the original Ingress to point to the new version, then delete the canary Ingress.

    Route by header

    When a request header matches both the configured header name and value, the request is routed to the canary Service. All other requests fall through to the next canary rule based on precedence.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
  name: demo-canary
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    In this example, requests with the header location: hz are routed to the canary Service.

    Annotation Description
    alb.ingress.kubernetes.io/canary-by-header Header name to match. Must be configured together with canary-by-header-value.
    alb.ingress.kubernetes.io/canary-by-header-value Expected header value.

    Route by cookie

    When a request cookie matches the configured name with the value always, the request is routed to the canary Service. When the value is never, the request is not routed to the canary Service.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "2"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-cookie: "demo"
  name: demo-canary-cookie
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    In this example:

    • Cookie: demo=always — routed to the canary Service

    • Cookie: demo=never — not routed to the canary Service

    Annotation Value Description
    alb.ingress.kubernetes.io/canary-by-cookie Cookie name Cookie-based canary routing supports only always and never as cookie values.

    Route by weight

    Set the percentage of requests to route to the canary Service. The remaining traffic goes to the original Service.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "3"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-weight: "50"
  name: demo-canary-weight
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific
    Annotation Description Valid values
    alb.ingress.kubernetes.io/canary-weight Percentage of requests routed to the canary Service. Integers from 0 to 100

    For canary release best practices, see Implement canary release using an ALB Ingress.

    Configure session persistence

    ALB Ingress supports session persistence via cookie-based annotations. When enabled, the load balancer routes repeated requests from the same client to the same backend server.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress-v3
  annotations:
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Insert"
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
    alb.ingress.kubernetes.io/cookie: "test"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: tea-svc
            port:
              number: 80
        path: /tea2
        pathType: ImplementationSpecific
      - backend:
          service:
            name: coffee-svc
            port:
              number: 80
        path: /coffee2
        pathType: ImplementationSpecific
    Annotation Description Default
    alb.ingress.kubernetes.io/sticky-session Enables ("true") or disables ("false") session persistence. "false"
    alb.ingress.kubernetes.io/sticky-session-type Cookie handling method: Insert (load balancer inserts a SERVERID cookie) or Server (load balancer rewrites a user-defined cookie). Takes effect only when sticky-session is "true". Insert
    alb.ingress.kubernetes.io/cookie-timeout Cookie timeout, in seconds. Valid values: 1–86400. Applies only when sticky-session-type is Insert. 1000
    alb.ingress.kubernetes.io/cookie Custom cookie name. Required (and cannot be blank) when sticky-session-type is Server. ""

    Configure the load balancing algorithm

    Use the backend-scheduler annotation to set the load balancing algorithm for backend server groups.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-scheduler: "uch"
    alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Value Description
    alb.ingress.kubernetes.io/backend-scheduler wrr Weighted round robin (default). Servers with higher weights receive proportionally more requests.
    wlc Weighted least connections. Distributes requests based on weight and current connection count. When weights are equal, servers with fewer connections are preferred.
    sch Source IP consistent hash. Requests from the same client IP are consistently routed to the same backend server.
    uch URL parameter consistent hash. Requires the backend-scheduler-uch-value annotation to specify the URL parameter used for hashing.
    alb.ingress.kubernetes.io/backend-scheduler-uch-value URL parameter name Required only when backend-scheduler is uch.

    Configure CORS

    Use cross-origin resource sharing (CORS) annotations to control which origins, methods, and headers are allowed for cross-origin requests.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/enable-cors: "true"
    alb.ingress.kubernetes.io/cors-allow-origin: "https://example.com:4443, http://aliyundoc.com"
    alb.ingress.kubernetes.io/cors-allow-methods: "GET,POST"
    alb.ingress.kubernetes.io/cors-allow-credentials: "true"
    alb.ingress.kubernetes.io/cors-max-age: "600"
    alb.ingress.kubernetes.io/cors-expose-headers: ""
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80
    Annotation Description Default
    alb.ingress.kubernetes.io/enable-cors Enables CORS. "false"
    alb.ingress.kubernetes.io/cors-allow-origin Allowed origins. Separate multiple values with commas. Each value must start with http:// or https:// followed by a valid domain name or top-level wildcard domain name. IP addresses are not supported. *
    alb.ingress.kubernetes.io/cors-allow-methods Allowed HTTP methods, comma-separated, case-insensitive. GET, PUT, POST, DELETE, PATCH, OPTIONS
    alb.ingress.kubernetes.io/cors-allow-headers Request headers allowed in cross-origin requests. Set to * or a comma-separated list. Each value: letters and digits only, cannot start or end with _ or -, max 32 characters. DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    alb.ingress.kubernetes.io/cors-expose-headers Response headers exposed to the browser. Set to * or a comma-separated list. Same character constraints as cors-allow-headers. ""
    alb.ingress.kubernetes.io/cors-allow-credentials Whether to allow credentials (cookies, authorization headers) in cross-origin requests. "true"
    alb.ingress.kubernetes.io/cors-max-age Maximum cache duration (in seconds) for OPTIONS preflight responses in browsers. Valid values: [0, 172800]. 172800

    Enable backend persistent connections

    Enabling backend persistent connections (keepalive) reuses existing TCP connections instead of opening a new one per request. This reduces TCP handshake overhead and improves throughput for high-traffic services.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-keepalive: "true"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80
    Annotation Description
    alb.ingress.kubernetes.io/backend-keepalive: "true" Enables persistent backend connections.

    Enable IPv6 attachment for server groups

    After enabling IPv6 attachment, ALB can route traffic to both IPv4 and IPv6 pods. The cluster must have the dual-stack feature enabled. See Create an ACK managed cluster.

    Important

    • IPv6 must be enabled for the VPC where the server group resides.

    • IPv6 attachment is not supported for IP-based or Function Compute-based server groups configured via custom forwarding actions.

    • An Ingress associated with an IPv4-only ALB instance does not support IPv6 attachment.

    Configure both the Service and the Ingress for dual-stack:

    apiVersion: v1
kind: Service
metadata:
  name: tea-svc
spec:
  ipFamilyPolicy: RequireDualStack
  ipFamilies:
  - IPv4
  - IPv6
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    app: tea
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/enable-ipv6: "true"
spec:
  ingressClassName: alb
  rules:
   - host: demo.alb.ingress.top
     http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Object Field / Annotation Value Description
    Service ipFamilies IPv4, IPv6 IP address families available for the Service.
    Service ipFamilyPolicy RequireDualStack, PreferDualStack Sets the IP policy for dual-stack support.
    ALB Ingress alb.ingress.kubernetes.io/enable-ipv6 "true" Enables IPv6 attachment for the server group.

    Configure QPS rate limiting

    Set a queries-per-second (QPS) rate limit for forwarding rules using the traffic-limit-qps annotation.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/traffic-limit-qps: "50"
spec:
  ingressClassName: alb
  rules:
   - host: demo.alb.ingress.top
     http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
    Annotation Description Valid values
    alb.ingress.kubernetes.io/traffic-limit-qps QPS rate limit for forwarding rules. [1, 1,000,000]

    Configure backend slow start

    When new pods are added to a backend server group, ALB immediately routes traffic to them. This can cause CPU or memory spikes, leading to errors. Slow start lets ALB gradually increase traffic to new pods over a configurable duration.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/slow-start-enabled: "true"
    alb.ingress.kubernetes.io/slow-start-duration: "100"
  name: alb-ingress
spec:
  ingressClassName: alb
  rules:
  - host: alb.ingress.alibaba.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Description Valid values Default
    alb.ingress.kubernetes.io/slow-start-enabled Enables ("true") or disables ("false") slow start. "true", "false" Disabled
    alb.ingress.kubernetes.io/slow-start-duration Duration of the slow start ramp-up period, in seconds. A longer duration means a more gradual traffic increase. [30, 900] 30

    Configure connection draining

    When a pod enters the Terminating state, ALB removes it from the backend server group but does not immediately close existing connections. Clients may continue sending requests to the terminating pod, causing errors or prolonged unavailability.

    Connection draining tells ALB to maintain active connections for a specified duration after a pod is removed or fails a health check, then actively close them — ensuring a clean shutdown.

    Important

    ALB cannot guarantee the pod stays running until the draining period ends. Use spec.terminationGracePeriodSeconds or a preStop hook to control pod availability during termination.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/connection-drain-enabled: "true"
    alb.ingress.kubernetes.io/connection-drain-timeout: "199"
  name: alb-ingress
spec:
  ingressClassName: alb
  rules:
  - host: alb.ingress.alibaba.com
    http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Description Valid values Default
    alb.ingress.kubernetes.io/connection-drain-enabled Enables ("true") or disables ("false") connection draining. "true", "false" Disabled
    alb.ingress.kubernetes.io/connection-drain-timeout Duration ALB maintains active connections after a pod is removed, in seconds. [0, 900] 300

    For more information, see Smooth service shutdown through ALB connection draining.

    Disable cross-zone load balancing

    By default, ALB distributes traffic across backend servers in different availability zones (AZs) within the same region. Disabling cross-zone load balancing restricts traffic distribution to backend servers in the same AZ.

    Important

    If you disable cross-zone load balancing, make sure each AZ has sufficient backend servers with available resources. Proceed with caution to avoid service interruptions.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  namespace: default
  annotations:
    alb.ingress.kubernetes.io/cross-zone-enabled: "false"
spec:
  ingressClassName: alb
  rules:
  - host: alb.ingress.alibaba.com
    http:
      paths:
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    Annotation Description Default
    alb.ingress.kubernetes.io/cross-zone-enabled Enables ("true") or disables ("false") cross-zone load balancing. Enabled ("true")

    What's next