All Products
Search

This Product

    Container Service for Kubernetes:Advanced ALB Ingress configurations for registered clusters

    Document Center

    Container Service for Kubernetes:Advanced ALB Ingress configurations for registered clusters

    Last Updated:Mar 26, 2026

    Application Load Balancer (ALB) Ingresses in registered clusters are API objects that manage external access to Services and provide Layer 7 load balancing. This topic covers advanced ALB Ingress configurations, including domain name and URL routing, health checks, HTTPS redirection, gRPC, URL rewriting, custom listeners, forwarding rule priorities, canary releases, session persistence, load balancing algorithms, CORS, persistent TCP connections, and QPS throttling.

    Prerequisites

    Before you begin, ensure that you have:

    Annotation quick reference

    The following table lists all annotations covered in this topic.

    Annotation Description Default
    alb.ingress.kubernetes.io/healthcheck-enabled Enables health checks. true
    alb.ingress.kubernetes.io/healthcheck-path URL path for health checks. Must start with / and be 1–80 characters. /
    alb.ingress.kubernetes.io/healthcheck-protocol Protocol for health checks: HTTP or TCP. HTTP
    alb.ingress.kubernetes.io/healthcheck-method HTTP method for health checks: HEAD or GET. HEAD
    alb.ingress.kubernetes.io/healthcheck-httpcode HTTP status codes that indicate a healthy backend. Valid values: http_2xx, http_3xx, http_4xx, http_5xx. http_2xx
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds Timeout for a health check response. Valid values: 1–300. Unit: seconds. 5
    alb.ingress.kubernetes.io/healthcheck-interval-seconds Interval between consecutive health checks. Valid values: 1–50. Unit: seconds. 2
    alb.ingress.kubernetes.io/healthy-threshold-count Consecutive successes required to mark a backend healthy. Valid values: 2–10. 3
    alb.ingress.kubernetes.io/unhealthy-threshold-count Consecutive failures required to mark a backend unhealthy. Valid values: 2–10. 3
    alb.ingress.kubernetes.io/ssl-redirect Redirects HTTP requests to HTTPS port 443. false
    alb.ingress.kubernetes.io/backend-protocol Backend protocol: https or grpc. Cannot be changed after the Ingress is created.
    alb.ingress.kubernetes.io/rewrite-target Rewrites request paths before forwarding. Supports up to three capturing groups (${1}, ${2}, ${3}).
    alb.ingress.kubernetes.io/listen-ports Custom listening ports. Example: '[{"HTTP": 80},{"HTTPS": 443}]'.
    alb.ingress.kubernetes.io/order Explicit forwarding rule priority. Valid values: 1–1000. Lower value = higher priority. 10
    alb.ingress.kubernetes.io/canary Enables canary releases.
    alb.ingress.kubernetes.io/canary-by-header Routes requests matching a specific header to the canary version. Use with canary-by-header-value.
    alb.ingress.kubernetes.io/canary-by-header-value Header value to match for canary routing.
    alb.ingress.kubernetes.io/canary-by-cookie Routes requests by cookie value. Set to always or never.
    alb.ingress.kubernetes.io/canary-weight Percentage of traffic routed to the canary version. Valid values: 0–100.
    alb.ingress.kubernetes.io/sticky-session Enables session persistence. false
    alb.ingress.kubernetes.io/sticky-session-type Cookie handling method: Insert or Server. Insert
    alb.ingress.kubernetes.io/cookie-timeout Cookie timeout period. Valid values: 1–86400. Unit: seconds. 1800
    alb.ingress.kubernetes.io/backend-scheduler Load balancing algorithm: wrr, wlc, sch, or uch. wrr
    alb.ingress.kubernetes.io/backend-scheduler-uch-value URL parameter name for consistent hashing. Required only when backend-scheduler is uch.
    alb.ingress.kubernetes.io/enable-cors Enables Cross-Origin Resource Sharing (CORS).
    alb.ingress.kubernetes.io/cors-allow-origin Allowed origins. Each URL must start with http:// or https://. *
    alb.ingress.kubernetes.io/cors-allow-methods Allowed HTTP methods. Values are not case-sensitive. GET, PUT, POST, DELETE, PATCH, OPTIONS
    alb.ingress.kubernetes.io/cors-allow-headers Allowed request headers. DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    alb.ingress.kubernetes.io/cors-expose-headers Headers exposed to client scripts. Empty
    alb.ingress.kubernetes.io/cors-allow-credentials Whether to include credentials in CORS requests. true
    alb.ingress.kubernetes.io/cors-max-age How long (in seconds) the browser can cache preflight results. Valid values: -1 to 172800. 172800
    alb.ingress.kubernetes.io/backend-keepalive Enables persistent TCP connections (HTTP keep-alive). true
    alb.ingress.kubernetes.io/traffic-limit-qps QPS limit at the forwarding rule level. Valid values: 1–100000.

    Route requests by domain name

    Create an Ingress with a domain name

    1. Apply the following manifest to create a Deployment, a Service, and an Ingress. Requests to the specified domain name are forwarded to the Service. Kubernetes earlier than 1.19

      apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: demo.domain.ingress.top
      http:
        paths:
          - backend:
              serviceName: demo-service
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

      Kubernetes 1.19 or later

      apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: demo.domain.ingress.top
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    2. Send a request using the domain name. Replace ADDRESS with the ALB instance IP address, which you can get by running kubectl get ing.

      curl -H "host: demo.domain.ingress.top" <ADDRESS>/hello

      Expected output:

      {"hello":"coffee"}

    Create an Ingress without a domain name

    1. Apply the following Ingress manifest. Leave the host field blank to match requests regardless of the Host header. Kubernetes earlier than 1.19

      apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: ""
      http:
        paths:
          - backend:
              serviceName: demo-service
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

      Kubernetes 1.19 or later

      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: ""
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 80
            path: /hello

    2. Send a request without a domain name. Replace ADDRESS with the ALB instance IP address.

      curl <ADDRESS>/hello

      Expected output:

      {"hello":"coffee"}

    Route requests by URL path

    Set pathType in the Ingress spec to control how URL paths are matched. The supported values are Exact, ImplementationSpecific, and Prefix.

    When multiple URL match rules conflict, ALB evaluates them in descending order of priority. For more information, see Configure forwarding rule priorities.

    The following table shows how each match mode handles different URL paths:

    Match mode Rule URL path Match
    Prefix / All paths Yes
    Prefix /foo /foo, /foo/ Yes
    Prefix /foo/ /foo, /foo/ Yes
    Prefix /aaa/bb /aaa/bbb No
    Prefix /aaa/bbb /aaa/bbb Yes
    Prefix /aaa/bbb/ /aaa/bbb Yes. The rule ignores the trailing slash.
    Prefix /aaa/bbb /aaa/bbb/ Yes. The rule matches the trailing slash.
    Prefix /aaa/bbb /aaa/bbb/ccc Yes. The rule matches subpaths.
    Prefix / and /aaa /aaa/ccc Yes. The URL path matches the / rule.
    Prefix /aaa and / /aaa/ccc Yes. The URL path matches the /aaa rule.
    Prefix /aaa and / /ccc Yes. Matches /.
    Prefix /aaa /ccc No
    Exact or ImplementationSpecific /foo /foo Yes
    Exact or ImplementationSpecific /foo /bar No
    Exact or ImplementationSpecific /foo /foo/ No
    Exact or ImplementationSpecific /foo/ /foo No

    Exact

    Matches the URL path exactly. The path /hello matches only /hello, not /hello/ or /hello/world.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /hello
          backend:
            serviceName: demo-service
            servicePort: 80
          pathType: Exact

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /hello
          backend:
            service:
              name: demo-service
              port:
                number: 80
          pathType: Exact

    Verify the configuration. Replace ADDRESS with the ALB instance IP address.

    curl <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    ImplementationSpecific

    Behaves the same as Exact for ALB Ingresses.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /hello
          backend:
            serviceName: demo-service
            servicePort: 80
          pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-path
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /hello
          backend:
            service:
              name: demo-service
              port:
                number: 80
          pathType: ImplementationSpecific

    Verify the configuration. Replace ADDRESS with the ALB instance IP address.

    curl <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    Prefix

    Matches the URL path by prefix. Path elements are separated by /, and matching is case-sensitive. The rule / matches all paths.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-path-prefix
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /
          backend:
            serviceName: demo-service
            servicePort: 80
          pathType: Prefix

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-path-prefix
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
        - path: /
          backend:
            service:
              name: demo-service
              port:
                number: 80
          pathType: Prefix

    Verify the configuration. Replace ADDRESS with the ALB instance IP address.

    curl <ADDRESS>/hello

    Expected output:

    {"hello":"coffee"}

    Configure health checks

    Add health check annotations to your Ingress to monitor backend server availability. The following example enables health checks on the /tea and /coffee paths.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

    The following table describes the health check annotations:

    Annotation Description Default
    alb.ingress.kubernetes.io/healthcheck-enabled Enables health checks. true
    alb.ingress.kubernetes.io/healthcheck-path The URL path for health checks. Must start with / and be 1–80 characters. /
    alb.ingress.kubernetes.io/healthcheck-protocol The protocol for health checks. HTTP: ALB sends HEAD or GET requests to simulate browser access. TCP: ALB sends TCP SYN packets to check port availability. HTTP
    alb.ingress.kubernetes.io/healthcheck-method The HTTP request method. HEAD: ALB sends HEAD requests. Use GET if your backend doesn't support HEAD requests. GET: Responses larger than 8 KB are fragmented but do not affect the health check result. HEAD
    alb.ingress.kubernetes.io/healthcheck-httpcode The HTTP status codes that indicate a healthy backend. Valid values: http_2xx, http_3xx, http_4xx, http_5xx. http_2xx
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds The timeout period for a health check response. If the backend doesn't respond within this period, it fails the health check. Valid values: 1–300. Unit: seconds. 5
    alb.ingress.kubernetes.io/healthcheck-interval-seconds The interval between consecutive health checks. Valid values: 1–50. Unit: seconds. 2
    alb.ingress.kubernetes.io/healthy-threshold-count The number of consecutive successful health checks required before marking an unhealthy backend as healthy. Valid values: 2–10. 3
    alb.ingress.kubernetes.io/unhealthy-threshold-count The number of consecutive failed health checks required before marking a healthy backend as unhealthy. Valid values: 2–10. 3

    Redirect HTTP to HTTPS

    Add the alb.ingress.kubernetes.io/ssl-redirect: "true" annotation to redirect HTTP requests to HTTPS port 443.

    Important

    When configuring SSL redirection, specify both the pre-redirect and post-redirect listening ports and protocols in the Ingress.

    Kubernetes earlier than 1.19

    apiVersion: v1
kind: Service
metadata:
  name: demo-service-ssl
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo-ssl
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ssl
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ssl
  template:
    metadata:
      labels:
        app: demo-ssl
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo-ssl
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/ssl-redirect: "true"
  name: demo-ssl
  namespace: default
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - ssl.alb.ingress.top
  rules:
    - host: ssl.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: demo-service-ssl
              servicePort: 80
            path: /
            pathType: Prefix

    Kubernetes 1.19 or later

    apiVersion: v1
kind: Service
metadata:
  name: demo-service-ssl
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo-ssl
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ssl
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ssl
  template:
    metadata:
      labels:
        app: demo-ssl
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo-ssl
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/ssl-redirect: "true"
  name: demo-ssl
  namespace: default
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - ssl.alb.ingress.top
  rules:
    - host: ssl.alb.ingress.top
      http:
        paths:
          - backend:
              service:
                name: demo-service-ssl
                port:
                  number: 80
            path: /
            pathType: Prefix

    Configure HTTPS or gRPC backends

    Use the alb.ingress.kubernetes.io/backend-protocol annotation to set the backend protocol to https or grpc. For gRPC, the backend Service must have an SSL certificate and use TLS.

    The backend protocol cannot be changed after the Ingress is created. To change the protocol, delete and recreate the Ingress.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "grpc"
  name: lxd-grpc-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: grpc-demo-svc
              servicePort: 9080
            path: /
            pathType: Prefix

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "grpc"
  name: lxd-grpc-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grpc-demo-svc
            port:
              number: 9080

    Configure rewrite rules

    Use the alb.ingress.kubernetes.io/rewrite-target annotation to rewrite request paths before forwarding them to backends. The following rules apply:

    • Set pathType to Prefix when using capturing groups (${number}) in the rewrite target.

    • By default, path does not support regex characters such as * and ?. Add the rewrite-target annotation to enable regex in the path field.

    • The path value must start with /.

    You can use up to three capturing groups (${1}, ${2}, ${3}) enclosed in parentheses () in the path field. The rewrite-target value concatenates the matched groups to form the rewritten path.

    The following example uses path: /something(/|$)(.*) and rewrite-target: /path/${2}. Requests are rewritten as follows:

    Request path Rewritten to
    /something /path/
    /something/ /path/
    /something/new /path/new

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/rewrite-target: /path/${2}
  name: rewrite-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: rewrite-svc
              servicePort: 9080
            path: /something(/|$)(.*)
            pathType: Prefix

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/rewrite-target: /path/${2}
  name: rewrite-ingress
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /something(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080

    Configure custom listening ports

    Expose a Service on multiple ports simultaneously. The following example exposes the Service on both HTTP port 80 and HTTPS port 443.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
  name: cafe-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
   alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80

    Configure forwarding rule priorities

    By default, ALB evaluates forwarding rules in the following order:

    • Across Ingresses: rules are ranked by the lexicographic order of namespace/name. The Ingress whose namespace/name comes first lexicographically has the highest priority.

    • Within an Ingress: rules are listed in the rule field in descending order of priority.

    To set explicit priorities, use the alb.ingress.kubernetes.io/order annotation. Each rule's priority within a listener must be unique.

    Valid values for alb.ingress.kubernetes.io/order are 1–1000. A smaller value indicates a higher priority. The default value is 10.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "2"
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
   alb.ingress.kubernetes.io/order: "2"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80

    Configure canary releases

    ALB supports canary releases based on request headers, cookies, and traffic weights. Add alb.ingress.kubernetes.io/canary: "true" to an Ingress to enable the canary feature, then use the routing annotations below.

    Do not modify the original Ingress rules during a canary release. Otherwise, access to the application may be interrupted. After the new version passes validation, update the original Ingress to point to the new backend Service and remove the canary Ingress.

    Route by request header

    Use alb.ingress.kubernetes.io/canary-by-header and alb.ingress.kubernetes.io/canary-by-header-value together to route requests that match a specific header and value to the new version. Requests that don't match fall through to cookie-based or weight-based rules.

    The following example routes requests with location: hz to the new version:

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
  name: demo-canary
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              serviceName: demo-service-hello
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
  name: demo-canary
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    Route by cookie

    Use alb.ingress.kubernetes.io/canary-by-cookie to route requests based on a cookie value:

    • Set the cookie to always to route matching requests to the new version.

    • Set the cookie to never to route matching requests to the old version.

    Cookie-based canary rules only support always or never as cookie values.

    The following example routes requests containing the demo=always cookie to the new version:

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "2"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-cookie: "demo"
  name: demo-canary-cookie
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              serviceName: demo-service-hello
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "2"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-cookie: "demo"
  name: demo-canary-cookie
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    Route by weight

    Use alb.ingress.kubernetes.io/canary-weight to send a percentage of traffic to the new version. Valid values: 0–100.

    The following example routes 50% of traffic to the new version:

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "3"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-weight: "50"
  name: demo-canary-weight
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              serviceName: demo-service-hello
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "3"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-weight: "50"
  name: demo-canary-weight
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - backend:
              service:
                name: demo-service-hello
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    When multiple canary rules apply, they are evaluated in this order: canary-by-header > canary-by-cookie > canary-weight.

    Configure session persistence

    Keep client sessions on the same backend server using the following annotations:

    Annotation Description Default
    alb.ingress.kubernetes.io/sticky-session Enables session persistence. Valid values: true, false. false
    alb.ingress.kubernetes.io/sticky-session-type The cookie handling method. Insert: ALB inserts a SERVERID cookie into the first HTTP or HTTPS response and routes subsequent requests from the same client to the recorded backend server. Server: ALB overwrites an existing user-defined cookie and routes subsequent requests to the recorded backend server. This parameter takes effect only when StickySessionEnabled is set to true for the server group. Insert
    alb.ingress.kubernetes.io/cookie-timeout The cookie timeout period. Valid values: 1–86400. Unit: seconds. 1800

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-v3
  annotations:
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Insert"
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea2
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee2
        backend:
          serviceName: coffee-svc
          servicePort: 80

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress-v3
  annotations:
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Insert"
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea2
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee2
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

    Specify a load balancing algorithm

    Set alb.ingress.kubernetes.io/backend-scheduler to control how ALB distributes requests across backend servers.

    Value Algorithm Description
    wrr Weighted round robin Servers with higher weights receive more requests. This is the default.
    wlc Weighted least connections Requests are distributed based on weight and current connection count. When weights are equal, requests go to the server with the fewest connections.
    sch Source IP consistent hashing Requests from the same source IP always go to the same backend server.
    uch URL parameter consistent hashing Requests with the same URL parameter value always go to the same backend server. Requires alb.ingress.kubernetes.io/backend-scheduler-uch-value to specify the parameter name.

    Kubernetes earlier than 1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-scheduler: "uch"
    alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test"
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific

    Kubernetes 1.19 or later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-scheduler: "uch"
    alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
    alb.ingress.kubernetes.io/backend-scheduler-uch-value is required only when using the uch algorithm. Omit it for wrr, sch, and wlc.

    Configure CORS

    Add the following annotations to enable Cross-Origin Resource Sharing (CORS) on an ALB Ingress:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/enable-cors: "true"
    alb.ingress.kubernetes.io/cors-expose-headers: ""
    alb.ingress.kubernetes.io/cors-allow-methods: "GET,POST"
    alb.ingress.kubernetes.io/cors-allow-credentials: "true"
    alb.ingress.kubernetes.io/cors-max-age: "600"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80
    Annotation Description Default
    alb.ingress.kubernetes.io/cors-allow-origin Origins allowed to access resources. Each URL must start with http:// or https:// and contain a valid domain or top-level wildcard domain. Separate multiple URLs with commas. Example: "https://example.com:4443, http://aliyundoc.com". *
    alb.ingress.kubernetes.io/cors-allow-methods Allowed HTTP methods. Values are not case-sensitive. Separate multiple methods with commas. Example: "PUT, GET, POST, OPTIONS". GET, PUT, POST, DELETE, PATCH, OPTIONS
    alb.ingress.kubernetes.io/cors-allow-headers Allowed request headers. Headers can contain letters, digits, underscores (_), and hyphens (-). Separate multiple headers with commas. Example: "X-Forwarded-For, X-app123-XPTO". DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
    alb.ingress.kubernetes.io/cors-expose-headers Headers that the browser can expose to client scripts. Headers can contain letters, digits, underscores (_), hyphens (-), and asterisks (*). Separate multiple headers with commas. Example: "*, X-CustomResponseHeader". Empty
    alb.ingress.kubernetes.io/cors-allow-credentials Whether to include credentials in CORS requests. true
    alb.ingress.kubernetes.io/cors-max-age How long (in seconds) the browser can cache preflight request results. Applies to complex requests that use the OPTIONS method. Valid values: -1 to 172800. 172800

    Enable persistent TCP connections

    By default, ALB uses short-lived connections, creating and closing a connection for each request. Persistent TCP connections (HTTP keep-alive) reduce connection overhead and improve throughput. Add alb.ingress.kubernetes.io/backend-keepalive: "true" to enable this feature.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-keepalive: "true"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80

    Configure QPS throttling

    Limit incoming requests per second at the forwarding rule level. Valid values: 1–100000 QPS. Add alb.ingress.kubernetes.io/traffic-limit-qps to set the limit.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/traffic-limit-qps: "50"
spec:
  ingressClassName: alb
  rules:
   - host: demo.alb.ingress.top
     http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80