Container Service for Kubernetes: Configure Network Load Balancer (NLB) Using Annotations

Last Updated: Mar 26, 2026

Configure NLB instances by using annotations

Add annotations to a Service YAML file to configure Network Load Balancer (NLB) instances in ACK. This reference covers all supported annotations for NLB instances, listeners, and server groups, grouped by resource type.

Prerequisites

Before you begin, ensure that you have:

Usage notes

  • `spec.loadBalancerClass` is immutable. Set it before creating the Service. CLB and NLB cannot be converted to each other after creation.

  • NLB management is not available in the ACK console. Use kubectl for all NLB operations.

  • All annotation values are strings. Encode other types as follows:

    • Boolean: "true" or "false"

    • Integer: "42"

    • Comma-separated list: "sg-aaaaa,sg-bbbbb"

Annotation index

The following tables list all supported annotations. Click an annotation name to jump to the detailed description and example.

NLB instance annotations

| Annotation | Default | Min CCM version | Notes |
| --- | --- | --- | --- |
| alibaba-cloud-loadbalancer-zone-maps | | v2.5.0 | Required for new NLB instances. EIP support added in v2.12.1 |
| alibaba-cloud-loadbalancer-address-type | internet | v2.5.0 | internet or intranet |
| alibaba-cloud-loadbalancer-ip-version | ipv4 | v2.5.0 | ipv4 or DualStack. Requires IPVS kube-proxy mode |
| alibaba-cloud-loadbalancer-ipv6-address-type | intranet | v2.9.1 | intranet or internet. Requires an IPv6 gateway in the VPC |
| alibaba-cloud-loadbalancer-name | | v2.5.0 | 2–128 characters |
| alibaba-cloud-loadbalancer-resource-group-id | | v2.5.0 | Immutable after creation |
| alibaba-cloud-loadbalancer-additional-resource-tags | | v2.5.0 | Key=value pairs, comma-separated. Tag edits in the console may be overwritten |
| alibaba-cloud-loadbalancer-id | | v2.5.0 | Reuse an existing NLB instance |
| alibaba-cloud-loadbalancer-force-override-listeners | false | v2.5.0 | Only meaningful when reusing an existing NLB |
| alibaba-cloud-loadbalancer-bandwidth-package-id | | v2.9.1 | Internet Shared Bandwidth package ID |
| alibaba-cloud-loadbalancer-cross-zone-enabled | on | v2.13.0 | on or off |
| alibaba-cloud-loadbalancer-preserve-lb-on-delete | | v2.10.0 | Non-empty string enables retention |

Listener annotations

| Annotation | Default | Min CCM version | Notes |
| --- | --- | --- | --- |
| alibaba-cloud-loadbalancer-security-group-ids | | v2.6.0 | Comma-separated security group IDs |
| alibaba-cloud-loadbalancer-protocol-port | | v2.5.0 | e.g. TCP:80,TCPSSL:443 |
| alibaba-cloud-loadbalancer-listener-port-range | | v2.11.4 | Terway only. Format: startPort-endPort:servicePort |
| alibaba-cloud-loadbalancer-cps | | v2.5.0 | New connections per second. 0 = unlimited |
| alibaba-cloud-loadbalancer-idle-timeout | 900 | v2.5.0 | Seconds. Range: 10–900 |
| alibaba-cloud-loadbalancer-proxy-protocol | off | v2.5.0 | on or off. Requires Proxy Protocol v2 on the backend |
| alibaba-cloud-loadbalancer-ppv2-pvl-vpc-id-enabled | off | v2.9.1 | Pass VPC ID via Proxy Protocol |
| alibaba-cloud-loadbalancer-ppv2-pvl-ep-id-enabled | off | v2.9.1 | Pass PrivateLink endpoint ID via Proxy Protocol |
| alibaba-cloud-loadbalancer-ppv2-pvl-eps-id-enabled | off | v2.9.1 | Pass PrivateLink endpoint service ID via Proxy Protocol |
| alibaba-cloud-loadbalancer-cert-id | | v2.5.0 | SSL certificate ID from Certificate Management Service |
| alibaba-cloud-loadbalancer-additional-cert-ids | | | Comma-separated extended certificate IDs |
| alibaba-cloud-loadbalancer-cacert-id | | | CA certificate ID for mutual authentication |
| alibaba-cloud-loadbalancer-cacert | off | | on or off |
| alibaba-cloud-loadbalancer-tls-cipher-policy | tls_cipher_policy_1_0 | v2.5.0 | TLS security policy ID |
| alibaba-cloud-loadbalancer-alpn | off | v2.10.0 | on or off |
| alibaba-cloud-loadbalancer-alpn-policy | | v2.12.1 | e.g. HTTP1Only, HTTP2Only, HTTP2Preferred |

Server group annotations

| Annotation | Default | Min CCM version | Notes |
| --- | --- | --- | --- |
| alibaba-cloud-loadbalancer-scheduler | wrr | v2.5.0 | wrr, rr, sch, tch, or wlc |
| alibaba-cloud-loadbalancer-connection-drain | off | v2.5.0 | on or off |
| alibaba-cloud-loadbalancer-connection-drain-timeout | | v2.5.0 | Seconds. Range: 0–900. 0 = close immediately |
| alibaba-cloud-loadbalancer-preserve-client-ip | on | v2.5.0 | on or off |
| alibaba-cloud-loadbalancer-health-check-flag | on | v2.5.0 | on or off. Enabled by default for TCP ports |
| alibaba-cloud-loadbalancer-health-check-type | tcp | v2.5.0 | tcp or http |
| alibaba-cloud-loadbalancer-health-check-connect-port | 0 | | 0 = use the server's port |
| alibaba-cloud-loadbalancer-health-check-connect-timeout | 5 | | Seconds. Range: 1–300 |
| alibaba-cloud-loadbalancer-healthy-threshold | 2 | | Range: 2–10 |
| alibaba-cloud-loadbalancer-unhealthy-threshold | 2 | | Range: 2–10 |
| alibaba-cloud-loadbalancer-health-check-interval | 10 | | Seconds. Range: 1–50 |
| alibaba-cloud-loadbalancer-health-check-uri | | v2.5.0 | HTTP only. Must start with / |
| alibaba-cloud-loadbalancer-health-check-domain | | v2.5.0 | HTTP only. $SERVER_IP or domain name |
| alibaba-cloud-loadbalancer-health-check-method | | | HTTP only. GET or HEAD |
| alibaba-cloud-loadbalancer-server-group-type | Instance | v2.8.0 | Instance (ECS/ENI) or Ip (IP address) |
| alibaba-cloud-loadbalancer-vgroup-port | | v2.5.0 | Only applies when reusing an existing NLB |
| alibaba-cloud-loadbalancer-weight | | v2.5.0 | Only applies when reusing an existing server group |
| alibaba-cloud-loadbalancer-ignore-weight-update | off | v2.11.1 | on or off |

All annotations use the prefix service.beta.kubernetes.io/. For example, the full annotation key for alibaba-cloud-loadbalancer-zone-maps is service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps.

NLB instance configuration

Create a public NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps

Specify zone-to-vSwitch mappings for the NLB instance. The format is {zone}:{vSwitchID}:{private IP address}:{EIP instance ID}. Separate multiple entries with commas.

  • Zone and vSwitchID: Required. Specify at least two zones, for example cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321. Check the NLB console for supported regions and zones.

  • Private IP address: Optional (v2.12.1 and later).

  • EIP instance ID: Optional (v2.12.1 and later).

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Create a private NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type

Set to intranet to create a private NLB. Change this value at any time to switch the NLB between public and private networks.

| Value | Description |
| --- | --- |
| internet | Public NLB (default) |
| intranet | Private NLB |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Specify a private IP address for the NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps

Include a private IP address in the zone-maps format: {zone}:{vSwitchID}:{private IP address}.

apiVersion: v1
kind: Service
metadata:
  annotations:
    # For example, cn-hangzhou-k:vsw-i123456:10.1.0.1,cn-hangzhou-j:vsw-j654321:10.2.0.1
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A}:${private-ipv4-A},${zone-B}:${vsw-B}:${private-ipv4-B}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Specify an EIP for the NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps

Include an Elastic IP Address (EIP) instance ID in the zone-maps format: {zone}:{vSwitchID}:{private IP address}:{EIP instance ID}. Leave the private IP address field blank if not needed.

apiVersion: v1
kind: Service
metadata:
  annotations:
    # Leave the private IP address field blank if not needed.
    # For example, cn-hangzhou-k:vsw-i123456::eip-12345,cn-hangzhou-j:vsw-j654321::eip-54321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A}::${eip-A},${zone-B}:${vsw-B}::${eip-B}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
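
The zone-maps format used in the sections above can be checked before a manifest is applied. The following is an added example, not code from ACK or CCM: it parses the four-field format and rejects values that break the rules stated on this page. The names `ZoneMapping`, `parse_zone_maps` and `zone_maps_error` are hypothetical, and treating the private address as IPv4 and requiring the two zones to be distinct are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneMapping:
    zone: str
    vswitch_id: str
    private_ip: Optional[str] = None
    eip_id: Optional[str] = None


def parse_zone_maps(value: str) -> List[ZoneMapping]:
    """Parse comma-separated {zone}:{vSwitchID}:{private IP}:{EIP instance ID} entries."""
    if "${" in value:
        # The page's manifests use ${...} templates; one reaching the cluster
        # means the substitution step was skipped.
        raise ValueError("template placeholder was not substituted")
    mappings = []
    for raw in value.split(","):
        fields = raw.strip().split(":")
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"{raw!r}: expected 2 to 4 colon-separated fields")
        zone, vswitch, private_ip, eip = fields + [""] * (4 - len(fields))
        if not zone or not vswitch:
            raise ValueError(f"{raw!r}: zone and vSwitch ID are required")
        if private_ip:
            # Assumption: IPv4 only, as in the page's examples. An IPv6 literal
            # would also collide with the ':' field separator.
            ipaddress.IPv4Address(private_ip)  # raises ValueError if malformed
        mappings.append(ZoneMapping(zone, vswitch, private_ip or None, eip or None))
    # Assumption: "at least two zones" means two distinct zones.
    if len({m.zone for m in mappings}) < 2:
        raise ValueError("at least two distinct zones are required")
    return mappings


def zone_maps_error(value: str) -> Optional[str]:
    """Return None when the value is acceptable, else the reason it is not."""
    try:
        parse_zone_maps(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed samples: the page's example values plus two invalid ones.
    samples = (
        "cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321",
        "cn-hangzhou-k:vsw-i123456:10.1.0.1,cn-hangzhou-j:vsw-j654321:10.2.0.1",
        "cn-hangzhou-k:vsw-i123456::eip-12345,cn-hangzhou-j:vsw-j654321::eip-54321",
        "cn-hangzhou-k:vsw-i123456",
        "${zone-A}:${vsw-A},${zone-B}:${vsw-B}",
    )
    for sample in samples:
        print(sample, "->", zone_maps_error(sample) or "ok")
```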

Specify the NLB name

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-name

The name must be 2–128 characters, start with a letter or Chinese character, and may contain digits, periods (.), underscores (_), and hyphens (-).

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-name: "${your-nlb-name}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Specify the NLB resource group

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id

Important

The resource group cannot be changed after it is set.

Find the resource group ID in the Resource Management console.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id: "${your-resource-group-id}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Create a dual-stack NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version

Important

The IP version cannot be changed after creation.

Set to DualStack to support both IPv4 and IPv6. Requirements:

  • Both vSwitches in alibaba-cloud-loadbalancer-zone-maps must have IPv6 enabled.

  • The cluster's kube-proxy mode must be IPVS.

  • The generated IPv6 address is only accessible from IPv6-enabled environments.

| Value | Description |
| --- | --- |
| ipv4 | IPv4 only (default) |
| DualStack | IPv4 and IPv6 |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "DualStack"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Specify IPv6 network type

Annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ipv6-address-type

When creating a dual-stack NLB, use alibaba-cloud-loadbalancer-ipv6-address-type to set the IPv6 network type.

| Annotation | Value | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-ipv6-address-type | intranet | Private IPv6 (default) |
| alibaba-cloud-loadbalancer-ipv6-address-type | internet | Public IPv6. The VPC must have an IPv6 gateway. See Create and manage IPv6 gateways |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "DualStack"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ipv6-address-type: "internet"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Add tags to the NLB

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags

Important

If this annotation is set, manual tag edits on the corresponding NLB instance in the console may be overwritten during the next Service synchronization.

Specify key-value tags separated by commas, for example k1=v1,k2=v2. Modifying tags on existing and reused instances requires v2.10.0 or later.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags: "Key1=Value1,Key2=Value2"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Reuse an existing load balancer

Annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners

Important

Do not add or modify reuse annotations on an existing LoadBalancer Service. Doing so may cause the reuse to fail or prevent the original NLB instance from being released properly.

| Annotation | Value | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-id | NLB instance ID | The ID of the existing NLB instance to reuse |
| alibaba-cloud-loadbalancer-force-override-listeners | true | CCM creates, updates, and deletes NLB listeners based on the Service configuration |
| alibaba-cloud-loadbalancer-force-override-listeners | false | CCM does not process NLB listeners (default) |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${your-nlb-id}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Bind an Internet Shared Bandwidth package

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth-package-id

Find the bandwidth package ID in the VPC console.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth-package-id: "cbwp-xxxxxxxxxx"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure cross-AZ forwarding

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cross-zone-enabled

Enable or disable forwarding across availability zones. Default: on.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cross-zone-enabled: "off"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Retain the NLB instance when deleting a Service

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-lb-on-delete

When a LoadBalancer Service is deleted, retain the NLB instance instead of deleting it. CCM removes the kubernetes.do.not.delete and ack.aliyun.com tags from the NLB instance and server group, and retains existing servers.

  • Non-empty value: Enable retention.

  • Empty or unset: Disable retention (default).

After setting this annotation, verify that the feature is active by checking for a Warning event of type PreservedOnDelete during Service synchronization.

Important

Delete the Service directly instead of changing the Service type. Modifying the type may cause the Service to incorrectly re-associate with the previously retained NLB instance.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-lb-on-delete: "true"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Listener configuration

Configure listener security groups

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-security-group-ids

Specify one or more security group IDs separated by commas, for example sg-aaaaa,sg-bbbbb.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-security-group-ids: "sg-aaaaa,sg-bbbbb"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Create a TCP listener

Define TCP ports in spec.ports with protocol: TCP. CCM creates one TCP listener per port.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Create a UDP listener

If you create a UDP listener without explicitly configuring health checks, TCP health checks are enabled for the server group by default. Use the health check annotations to configure UDP health checks, or disable health checks explicitly.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: udp
    port: 80
    protocol: UDP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure both TCP and UDP listeners on the same port

Requires Kubernetes cluster version v1.24 or later. To upgrade, see Upgrade the Kubernetes version of an ACK cluster.

Define both TCP and UDP entries for the same port number in spec.ports. CCM creates separate listeners for each protocol.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: udp
    port: 80
    protocol: UDP
    targetPort: 81
  selector:
    app: nginx
  sessionAffinity: None
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Create a TCP/SSL listener

Annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id

Important

TCP/SSL listeners do not support server groups with client IP preservation enabled. You cannot use alibaba-cloud-loadbalancer-protocol-port: "tcpssl:${port}" together with alibaba-cloud-loadbalancer-preserve-client-ip: "on". To get client IPs through NLB, see Obtain client originating IP addresses through NLB.

| Annotation | Value | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-protocol-port | tcpssl:443 | Configure the listener as TCP/SSL on the specified port. Separate multiple values with commas, e.g. TCP:80,TCPSSL:443 |
| alibaba-cloud-loadbalancer-cert-id | Certificate ID | SSL certificate ID. Find it in the Certificate Management Service console under SSL Certificate Management |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${CertIdentifier}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure a listener port range

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-listener-port-range

Only supported with the Terway network plug-in.

Configure full-port forwarding to listen on a port range and forward traffic to the corresponding ports on backend servers.

The format is startPort-endPort:servicePort. Separate multiple ranges with commas. For example: 80-100:80,400-500:443. Port ranges under the same protocol cannot overlap. Valid range: 1–65535.

targetPort specifies the health check port on backend servers and must be an integer.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    # Configure listeners for port ranges 80-100 and 400-500.
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-listener-port-range: "80-100:80,400-500:443"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    # targetPort is the health check port of the backend server and must be an integer.
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
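
A port-range annotation can open far more listener ports than spec.ports suggests, so it is worth checking mechanically. The following is an added example, not code from ACK or CCM: it parses the startPort-endPort:servicePort format, enforces the 1–65535 bound, reports overlaps within one protocol, and counts the ports the listeners expose. All function names are hypothetical, and mapping each range to the protocol of the spec.ports entry that matches its servicePort is an assumption of this sketch.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

ENTRY = re.compile(r"(\d+)-(\d+):(\d+)", re.ASCII)


class PortRange(NamedTuple):
    start: int
    end: int
    service_port: int


def parse_port_ranges(value: str) -> List[PortRange]:
    """Parse 'startPort-endPort:servicePort' entries separated by commas."""
    ranges = []
    for item in value.split(","):
        match = ENTRY.fullmatch(item.strip())
        if not match:
            raise ValueError(f"{item!r} is not startPort-endPort:servicePort")
        rng = PortRange(*map(int, match.groups()))
        if not 1 <= rng.start <= rng.end <= 65535:
            raise ValueError(f"{item!r}: need 1 <= startPort <= endPort <= 65535")
        if not 1 <= rng.service_port <= 65535:
            raise ValueError(f"{item!r}: servicePort is outside 1-65535")
        ranges.append(rng)
    return ranges


def overlapping_ranges(
    ranges: List[PortRange], protocol_of: Dict[int, str]
) -> List[Tuple[str, PortRange, PortRange]]:
    """Return (protocol, earlier, later) for each range that collides with an
    earlier range under the same protocol."""
    grouped: Dict[str, List[PortRange]] = {}
    for rng in ranges:
        # Assumption: a range takes the protocol of the spec.ports entry
        # whose port equals its servicePort.
        if rng.service_port not in protocol_of:
            raise ValueError(f"servicePort {rng.service_port} is not in spec.ports")
        grouped.setdefault(protocol_of[rng.service_port], []).append(rng)
    clashes = []
    for proto, items in sorted(grouped.items()):
        items.sort()
        widest = items[0]  # range reaching furthest right so far
        for cur in items[1:]:
            if cur.start <= widest.end:
                clashes.append((proto, widest, cur))
            if cur.end > widest.end:
                widest = cur
    return clashes


def exposed_port_count(ranges: List[PortRange]) -> int:
    """Number of listener ports the ranges open on the NLB."""
    return sum(r.end - r.start + 1 for r in ranges)


if __name__ == "__main__":
    # Constructed input: the annotation value and spec.ports from the manifest above.
    parsed = parse_port_ranges("80-100:80,400-500:443")
    print("exposed ports:", exposed_port_count(parsed))
    print("overlaps:", overlapping_ranges(parsed, {80: "TCP", 443: "TCP"}))
```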

Configure the connection rate limit

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cps

Set the maximum new connections per second (CPS) for the NLB instance. Range: 0–1,000,000. Set to 0 to disable rate limiting.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cps: "100"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure the connection idle timeout

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-idle-timeout

Set the connection idle timeout in seconds. Range: 10–900. Default: 900.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-idle-timeout: "60"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure Proxy Protocol

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol

Important

Before enabling Proxy Protocol, confirm that the backend service has Proxy Protocol v2 enabled. Enabling it on NLB when the backend does not support it will cause access failures.

Enable to pass client source IP addresses to backend servers via Proxy Protocol. Default: off.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol: "on"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Pass additional information via Proxy Protocol

When Proxy Protocol is enabled, use the following annotations to pass additional metadata to backend servers.

| Annotation | Default | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-ppv2-pvl-vpc-id-enabled | off | Pass the VPC ID |
| alibaba-cloud-loadbalancer-ppv2-pvl-ep-id-enabled | off | Pass the PrivateLink endpoint ID |
| alibaba-cloud-loadbalancer-ppv2-pvl-eps-id-enabled | off | Pass the PrivateLink endpoint service ID |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ppv2-pvl-ep-id-enabled: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ppv2-pvl-eps-id-enabled: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ppv2-pvl-vpc-id-enabled: "on"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Enable mutual authentication

Annotations: alibaba-cloud-loadbalancer-protocol-port, alibaba-cloud-loadbalancer-cert-id, alibaba-cloud-loadbalancer-cacert-id, and alibaba-cloud-loadbalancer-cacert

| Annotation | Description |
| --- | --- |
| alibaba-cloud-loadbalancer-protocol-port | Set to tcpssl:443 (or the target port) to use TCP/SSL |
| alibaba-cloud-loadbalancer-cert-id | SSL certificate ID from the SSL Certificate Management page of the Certificate Management Service console |
| alibaba-cloud-loadbalancer-cacert-id | CA certificate ID from the PCA Certificate Management page of the Certificate Management Service console |
| alibaba-cloud-loadbalancer-cacert | Set to on to enable mutual authentication. Default: off |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${CertIdentifier}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cacert-id: "${your-cacert-id}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cacert: "on"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure a TLS security policy

Annotations: alibaba-cloud-loadbalancer-protocol-port, alibaba-cloud-loadbalancer-cert-id, and alibaba-cloud-loadbalancer-tls-cipher-policy

| Value | Description |
| --- | --- |
| tls_cipher_policy_1_0 | TLS 1.0 and later (default) |
| tls_cipher_policy_1_1 | TLS 1.1 and later |
| tls_cipher_policy_1_2 | TLS 1.2 and later |
| tls_cipher_policy_1_2_strict | TLS 1.2 strict mode |
| tls_cipher_policy_1_2_strict_with_1_3 | TLS 1.2 and 1.3 strict mode |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${CertIdentifier}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-tls-cipher-policy: "tls_cipher_policy_1_0"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
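
The TCP/SSL, mutual authentication and TLS security policy sections above each carry a constraint that is easy to miss in review: the default policy admits TLS 1.0, mutual authentication is off unless alibaba-cloud-loadbalancer-cacert is "on", and client IP preservation cannot be combined with TCP/SSL. The following is an added example, not code from ACK or CCM, that audits a Service's annotations against those rules and against the "all values are strings" usage note. The function names, the finding texts and the TLS 1.2 minimum are assumptions of this sketch.

```python
from typing import Dict, List, Tuple

PREFIX = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-"

# Lowest TLS version each policy ID admits, taken from the table above.
POLICY_FLOOR: Dict[str, Tuple[int, int]] = {
    "tls_cipher_policy_1_0": (1, 0),
    "tls_cipher_policy_1_1": (1, 1),
    "tls_cipher_policy_1_2": (1, 2),
    "tls_cipher_policy_1_2_strict": (1, 2),
    "tls_cipher_policy_1_2_strict_with_1_3": (1, 2),
}
DEFAULT_POLICY = "tls_cipher_policy_1_0"  # the documented default


def tcpssl_ports(protocol_port: str) -> List[int]:
    """Ports declared as TCP/SSL in a value such as 'TCP:80,TCPSSL:443'."""
    ports = []
    for item in filter(None, (p.strip() for p in protocol_port.split(","))):
        proto, _, port = item.partition(":")
        # The page writes both 'tcpssl' and 'TCPSSL', so compare case-insensitively.
        if proto.lower() == "tcpssl" and port.isdecimal():
            ports.append(int(port))
    return ports


def audit_tls_annotations(annotations: dict, min_tls: Tuple[int, int] = (1, 2)) -> List[str]:
    """Return findings for the NLB TLS annotations of one Service."""
    findings: List[str] = []
    vals: Dict[str, str] = {}
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if isinstance(value, str):
            vals[name] = value
        else:
            # For example an unquoted `on`, which a YAML 1.1 parser loads as True.
            findings.append(f"{name}: {value!r} is not a string; quote it in the manifest")

    if not tcpssl_ports(vals.get("protocol-port", "")):
        return findings  # no TCP/SSL listener, nothing further to check

    if not vals.get("cert-id"):
        findings.append("cert-id: missing for a TCP/SSL listener")
    if vals.get("preserve-client-ip", "").lower() == "on":
        findings.append("preserve-client-ip: 'on' cannot be combined with a TCP/SSL listener")

    policy = vals.get("tls-cipher-policy", DEFAULT_POLICY)
    floor = POLICY_FLOOR.get(policy)
    if floor is None:
        findings.append(f"tls-cipher-policy: {policy!r} is not listed on this page; review manually")
    elif floor < min_tls:
        findings.append(f"tls-cipher-policy: {policy} admits TLS {floor[0]}.{floor[1]}")

    mutual = vals.get("cacert", "off").lower() == "on"
    if mutual and not vals.get("cacert-id"):
        findings.append("cacert: 'on' but cacert-id is missing")
    if vals.get("cacert-id") and not mutual:
        findings.append("cacert-id: set but cacert is not 'on', so mutual authentication stays off")
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the manifest above; the certificate ID is a placeholder.
    sample = {
        PREFIX + "protocol-port": "tcpssl:443",
        PREFIX + "cert-id": "cert-EXAMPLE",
        PREFIX + "tls-cipher-policy": "tls_cipher_policy_1_0",
    }
    for finding in audit_tls_annotations(sample):
        print(finding)
```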

Configure an ALPN policy

Annotations: alibaba-cloud-loadbalancer-protocol-port, alibaba-cloud-loadbalancer-cert-id, alibaba-cloud-loadbalancer-alpn, and alibaba-cloud-loadbalancer-alpn-policy

| Annotation | Value | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-alpn | on / off | Enable or disable Application-Layer Protocol Negotiation (ALPN). Default: off |
| alibaba-cloud-loadbalancer-alpn-policy | HTTP1Only | Negotiate only HTTP/1.x. Priority: HTTP/1.1 > HTTP/1.0 |
| alibaba-cloud-loadbalancer-alpn-policy | HTTP2Only | Negotiate only HTTP/2.0 |
| alibaba-cloud-loadbalancer-alpn-policy | HTTP2Optional | Prefer HTTP/1.x, accept HTTP/2.0. Priority: HTTP/1.1 > HTTP/1.0 > HTTP/2.0 |
| alibaba-cloud-loadbalancer-alpn-policy | HTTP2Preferred | Prefer HTTP/2.0, accept HTTP/1.x. Priority: HTTP/2.0 > HTTP/1.1 > HTTP/1.0 |

For additional values, see the AlpnPolicy field in the CreateListener API.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${CertIdentifier}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-alpn: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-alpn-policy: "HTTP1Only"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure extended certificates

Annotations: alibaba-cloud-loadbalancer-protocol-port, alibaba-cloud-loadbalancer-cert-id, and alibaba-cloud-loadbalancer-additional-cert-ids

| Annotation | Description |
| --- | --- |
| alibaba-cloud-loadbalancer-cert-id | Primary SSL certificate ID |
| alibaba-cloud-loadbalancer-additional-cert-ids | Comma-separated list of extended certificate IDs. Find them in the Certificate Management Service console under SSL Certificate Management |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "tcpssl:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${CertIdentifier}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-cert-ids: "${CertIdentifier-1},${CertIdentifier-2}"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Server group configuration

Configure the scheduling algorithm

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler

| Value | Algorithm | Description |
| --- | --- | --- |
| wrr | Weighted round-robin | Servers with higher weights receive proportionally more requests (default) |
| rr | Round-robin | Requests are distributed to servers in sequence |
| sch | Source IP hash | Requests from the same source IP are always sent to the same server |
| tch | Four-tuple hash | Consistent hashing based on source IP, destination IP, source port, and destination port |
| wlc | Weighted least connections | Balances by weight and current connection count; servers with fewer connections are preferred when weights are equal |

For additional values, see the Scheduler field in the CreateServerGroup API.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler: "sch"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure connection draining

Annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout

When connection draining is enabled and a backend server is removed or fails a health check, existing connections continue to be served for the draining timeout period. After the timeout, connections are actively closed.

| Annotation | Value | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-connection-drain | on | Enable connection draining |
| alibaba-cloud-loadbalancer-connection-drain | off | Disable. Connections close only when the client disconnects or the session expires (default) |
| alibaba-cloud-loadbalancer-connection-drain-timeout | Integer (seconds) | Draining timeout. Range: 0–900. 0 = close immediately |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: "30"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure client IP preservation

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-client-ip

Enable to pass the original client IP address to backend servers. Default: on.

TCP/SSL listeners do not support server groups with client IP preservation enabled. If you use a TCP/SSL listener, set this annotation to off or omit the alibaba-cloud-loadbalancer-preserve-client-ip annotation. See Obtain client originating IP addresses through NLB for alternatives.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-client-ip: "on"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
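
The TLS security policy table and the TCP/SSL note above can be checked before a manifest is applied. The following is an added example, not part of the original documentation or of CCM: a hypothetical `audit_tls` helper that takes a Service's annotations as a dict and reports legacy TLS policies (including the documented default when the annotation is omitted) and `preserve-client-ip: "on"` combined with a `tcpssl` listener. It assumes multiple `protocol-port` entries are comma-separated; the sample values are constructed.

```python
PREFIX = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-"
# Policy values from the table on this page that still admit TLS 1.0 or 1.1.
LEGACY_POLICIES = {"tls_cipher_policy_1_0", "tls_cipher_policy_1_1"}
DEFAULT_POLICY = "tls_cipher_policy_1_0"  # documented default when omitted


def tcpssl_ports(annotations):
    """Return the ports of TCPSSL listeners declared in protocol-port."""
    raw = annotations.get(PREFIX + "protocol-port", "")
    ports = []
    for item in raw.split(","):  # assumption: entries are comma-separated
        proto, _, port = item.strip().partition(":")
        if proto.lower() == "tcpssl" and port.isdigit():
            ports.append(int(port))
    return ports


def audit_tls(annotations):
    """Return a list of findings for one Service's annotations."""
    ports = tcpssl_ports(annotations)
    if not ports:
        return []  # no TLS listener, nothing to audit
    findings = []
    if not annotations.get(PREFIX + "cert-id"):
        findings.append("tcpssl listener has no cert-id")
    policy = annotations.get(PREFIX + "tls-cipher-policy", DEFAULT_POLICY)
    if policy in LEGACY_POLICIES:
        findings.append(f"{policy} admits TLS below 1.2 on ports {ports}")
    if annotations.get(PREFIX + "preserve-client-ip", "").lower() == "on":
        findings.append("preserve-client-ip=on is not supported with tcpssl")
    return findings


# Constructed sample: the TLS policy example above plus preserve-client-ip.
SAMPLE = {
    PREFIX + "protocol-port": "tcpssl:443",
    PREFIX + "cert-id": "example-cert-id",  # placeholder, not a real ID
    PREFIX + "tls-cipher-policy": "tls_cipher_policy_1_0",
    PREFIX + "preserve-client-ip": "on",
}
HARDENED = {
    **SAMPLE,
    PREFIX + "tls-cipher-policy": "tls_cipher_policy_1_2_strict_with_1_3",
    PREFIX + "preserve-client-ip": "off",
}

if __name__ == "__main__":
    print(audit_tls(SAMPLE))    # two findings
    print(audit_tls(HARDENED))  # no findings
```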

Configure TCP health checks

Health checks are enabled by default for TCP ports. The following annotations configure TCP health check behavior.

| Annotation | Default | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-health-check-flag | on | on or off |
| alibaba-cloud-loadbalancer-health-check-type | tcp | tcp or http |
| alibaba-cloud-loadbalancer-health-check-connect-port | 0 | Server port for health checks. 0 = use the server's own port. Range: 0–65535 |
| alibaba-cloud-loadbalancer-health-check-connect-timeout | 5 | Response timeout in seconds. Range: 1–300 |
| alibaba-cloud-loadbalancer-healthy-threshold | 2 | Consecutive successes required to mark a server healthy. Range: 2–10 |
| alibaba-cloud-loadbalancer-unhealthy-threshold | 2 | Consecutive failures required to mark a server unhealthy. Range: 2–10 |
| alibaba-cloud-loadbalancer-health-check-interval | 10 | Health check interval in seconds. Range: 1–50 |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "tcp"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout: "8"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "5"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Configure HTTP health checks

To use HTTP health checks, set alibaba-cloud-loadbalancer-health-check-type to http and configure the following annotations.

| Annotation | Default | Description |
| --- | --- | --- |
| alibaba-cloud-loadbalancer-health-check-flag | on | on or off |
| alibaba-cloud-loadbalancer-health-check-type | tcp | Set to http to use HTTP health checks |
| alibaba-cloud-loadbalancer-health-check-uri | | Health check path. Must start with /. Length: 1–80 characters. See CreateServerGroup for allowed characters |
| alibaba-cloud-loadbalancer-health-check-domain | | Domain for health checks. Use $SERVER_IP to use the backend server's private IP address, or specify a domain name (1–80 characters, lowercase letters, digits, hyphens, and periods allowed) |
| alibaba-cloud-loadbalancer-health-check-connect-port | 0 | Server port for health checks. 0 = use the server's own port. Range: 0–65535 |
| alibaba-cloud-loadbalancer-health-check-connect-timeout | 5 | Response timeout in seconds. Range: 1–300 |
| alibaba-cloud-loadbalancer-healthy-threshold | 2 | Consecutive successes required to mark a server healthy. Range: 2–10 |
| alibaba-cloud-loadbalancer-unhealthy-threshold | 2 | Consecutive failures required to mark a server unhealthy. Range: 2–10 |
| alibaba-cloud-loadbalancer-health-check-interval | 10 | Health check interval in seconds. Range: 1–50 |
| alibaba-cloud-loadbalancer-health-check-method | | HTTP method. GET or HEAD |

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "http"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-uri: "/test/index.html"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-domain: "www.test.com"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout: "10"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "5"
    # Optional: configure the health check method
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-method: "head"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer
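
The health check and connection draining tables above give numeric ranges and allowed values that are easy to get wrong in a manifest. The following is an added example, not part of the original documentation or of CCM: a hypothetical `validate` helper that checks a Service's annotations (passed as a dict, as a YAML loader would produce) against those documented limits and against the rule that every annotation value is a string. The sample input is constructed.

```python
PREFIX = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-"
# Inclusive (low, high) bounds copied from the tables on this page.
INT_RANGES = {
    "health-check-connect-port": (0, 65535),
    "health-check-connect-timeout": (1, 300),
    "healthy-threshold": (2, 10),
    "unhealthy-threshold": (2, 10),
    "health-check-interval": (1, 50),
    "connection-drain-timeout": (0, 900),
}
ENUMS = {
    "health-check-flag": {"on", "off"},
    "health-check-type": {"tcp", "http"},
    "connection-drain": {"on", "off"},
}


def validate(annotations):
    """Map each offending annotation (short name) to a problem description."""
    problems = {}
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if not isinstance(value, str):
            # An unquoted 30 in YAML loads as an int; values must be strings.
            problems[name] = f"{value!r} must be a quoted string"
        elif name in INT_RANGES:
            low, high = INT_RANGES[name]
            ok = value.isascii() and value.isdigit() and low <= int(value) <= high
            if not ok:
                problems[name] = f"{value!r} is not an integer in {low}-{high}"
        elif name in ENUMS and value not in ENUMS[name]:
            problems[name] = f"{value!r} is not one of {sorted(ENUMS[name])}"
        elif name == "health-check-uri" and not (
                value.startswith("/") and len(value) <= 80):
            problems[name] = "must start with / and be 1-80 characters long"
    return problems


# Constructed sample: four values break the documented limits.
SAMPLE = {
    PREFIX + "health-check-type": "http",
    PREFIX + "health-check-uri": "test/index.html",   # missing leading /
    PREFIX + "health-check-connect-timeout": "0",     # below 1
    PREFIX + "healthy-threshold": "1",                # below 2
    PREFIX + "connection-drain-timeout": 30,          # int, not "30"
}
```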

Configure the server group type

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-server-group-type

| Value | Description |
| --- | --- |
| Instance | Add ECS instances or ENIs as backend servers (default) |
| Ip | Add backend servers directly by IP address |

For details on server group types, see NLB server groups.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-server-group-type: "Ip"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

Reuse an existing server group

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vgroup-port

Reuse an existing server group. This only takes effect when reusing an existing NLB. For a full example, see Deploy services across clusters by reusing an existing load balancer.

Configure service traffic weight

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-weight

When multiple Services share the same NLB, use this annotation to set the traffic weight for the current Service. This only takes effect when reusing an existing server group. For a full example, see Deploy services across clusters by reusing an existing load balancer.

Ignore backend server weight updates

Annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ignore-weight-update

When set to on, CCM skips updating backend server weights in the server group during Service synchronization. Use this when managing backend server weights through a mechanism other than CCM. Default: off.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-zone-maps: "${zone-A}:${vsw-A},${zone-B}:${vsw-B}" # For example, cn-hangzhou-k:vsw-i123456,cn-hangzhou-j:vsw-j654321
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ignore-weight-update: "on"
  name: nginx
  namespace: default
spec:
  externalTrafficPolicy: Local
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: nginx
  loadBalancerClass: "alibabacloud.com/nlb"
  type: LoadBalancer

What's next