All Products
Search

This Product

    Container Service for Kubernetes:Configure ALB instances with AlbConfig

    Document Center

    Container Service for Kubernetes:Configure ALB instances with AlbConfig

    Last Updated:Mar 10, 2026

    An AlbConfig is a Custom Resource Definition (CRD) that the ALB Ingress Controller uses to manage Application Load Balancer (ALB) instances and listeners. Each AlbConfig maps to exactly one ALB instance. To run multiple ALB instances, create multiple AlbConfigs.

    This topic covers how to create, update, and delete AlbConfigs, configure listeners, associate ALB instances with Ingress resources, and enable access logging.

    Prerequisites

    Before you begin, make sure that:

    To use an ALB Ingress with Services in an ACK dedicated cluster, first grant the cluster the permissions required by the ALB Ingress Controller. For more information, see Grant an ACK dedicated cluster access to the ALB Ingress controller.

    Usage notes

    • Use kubectl edit to modify AlbConfig resources directly. If you must use kubectl apply, run kubectl diff first to preview changes before applying them.

    • If your cluster uses the Flannel network plug-in, ALB Ingress backend Services support only the NodePort and LoadBalancer types.

    Create an AlbConfig

    Important

    When you install the ALB Ingress Controller and select Create New or Use Existing for ALB Cloud-native Gateway Instance Source, the Controller automatically creates an AlbConfig named alb and an IngressClass named alb.

    1. Create a file named alb.yaml with the following content:

         apiVersion: alibabacloud.com/v1
   kind: AlbConfig
   metadata:
     name: alb
   spec:
     config:
       name: alb
       addressType: Internet
       zoneMappings:
       - vSwitchId: vsw-uf6ccg2a9g71hx8go****  # vSwitch in zone A
         allocationId: eip-asdfas****             # (Optional) EIP ID
       - vSwitchId: vsw-uf6nun9tql5t8nh15****  # vSwitch in zone B
         allocationId: eip-dpfmss****             # (Optional) EIP ID
     listeners:
       - port: 80
         protocol: HTTP

    2. Run the following command to create the AlbConfig: Expected output:

         kubectl apply -f alb.yaml
         albconfig.alibabacloud.com/alb created

    3. Verify that the AlbConfig is created: Expected output:

         kubectl get AlbConfig
         NAME   ALBID        DNSNAME                                  PORT&PROTOCOL   CERTID   AGE
   alb    alb-******   alb-******.<regionID>.alb.aliyuncsslb.com                            28m
    The PORT&PROTOCOL and CERTID columns remain empty until you create an HTTPS listener and configure a certificate.

    AlbConfig parameters

    Parameter

    Description

    Immutable

    spec.config.name

    The name of the ALB instance.

    No

    spec.config.addressType

    The network type. Internet (default): public IP, accessible over the Internet. Intranet: private IP, accessible only within the VPC.

    Yes

    spec.config.zoneMappings

    The vSwitch-to-zone mappings. Specify at least two vSwitches in different zones within the same VPC as the cluster. For single-zone regions, one vSwitch is sufficient.

    Yes

    spec.config.zoneMappings[].vSwitchId

    The vSwitch ID. The vSwitch must be in a zone supported by ALB.

    Yes

    spec.config.zoneMappings[].allocationId

    The ID of an elastic IP address (EIP) to associate with the ALB instance. If omitted, a pay-as-you-go BGP (multi-line) EIP with basic security protection is automatically created. For more information, see Billing overview of ALB. Only pay-by-traffic EIPs that are not added to an Internet Shared Bandwidth instance are supported. EIPs across zones for the same ALB instance must be of the same type.

    Yes

    spec.config.addressAllocatedMode

    The IP allocation mode. Dynamic (default): dynamic IP. Fixed: fixed IP.

    Yes

    spec.config.addressIpVersion

    The IP version. Set to DualStack to enable IPv4 and IPv6 dual-stack support.

    Yes

    spec.config.edition

    The ALB edition. Default: Standard.

    No

    spec.config.billingConfig.payType

    The billing method. Default: PostPay (pay-as-you-go).

    Yes

    spec.config.deletionProtectionEnabled

    Whether deletion protection is enabled. Default: true.

    Yes

    Important

    Parameters marked as Immutable are applied only when the ALB instance is first created. Subsequent changes to these parameters are ignored.

    Default AlbConfig configuration

    When you install the ALB Ingress Controller with a default AlbConfig, the following settings are applied (except for vSwitchId, which you must specify):

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    accessLogConfig:
      logProject: ""
      logStore: ""
    addressAllocatedMode: Dynamic
    addressType: Internet
    billingConfig:
      internetBandwidth: 0
      internetChargeType: ""
      payType: PostPay
    deletionProtectionEnabled: true
    edition: Standard
    forceOverride: false
    zoneMappings:
    - vSwitchId: #...
    - vSwitchId: #...
status:
  loadBalancer:
    dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncsslb.com
    id: alb-s2em8fr9debkg5****

    Reuse an existing ALB instance

    To reuse an ALB instance that was created in the ALB console, specify its ID in the AlbConfig. Only Standard or WAF-enabled instances can be reused. Basic instances are not supported. An ALB instance can be reused by only one cluster.

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: ****  # ALB instance ID (Standard or WAF-enabled)
    forceOverride: false
    listenerForceOverride: false

    Override behavior

    Parameter

    Description

    id

    The ALB instance ID. If empty or missing, the instance is not reused and the forceOverride and listenerForceOverride fields are ignored.

    forceOverride

    true: overwrites both the ALB instance properties and listener configurations with the AlbConfig settings. false: preserves the ALB instance properties. Listener behavior is determined by listenerForceOverride.

    listenerForceOverride

    true: the ALB Ingress Controller manages all listeners. Their configurations are determined by the AlbConfig. false: the ALB Ingress Controller manages only auto-created listeners (named ingress-auto-listener-{port}). Other listeners remain self-managed through the ALB console.

    Important

    Do not manually rename listeners on a reused ALB instance. Listeners created or updated by the AlbConfig follow the ingress-auto-listener-{port} naming convention. Renaming them can cause listeners to become unmanaged.

    Associate an AlbConfig with Ingress resources

    The ALB Ingress uses a Kubernetes IngressClass to link an AlbConfig to Ingress resources.

    Step 1: Create an IngressClass

    Create a file named ingress_class.yaml with the following content:

    Clusters v1.19 and later

    apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb  # Name of the AlbConfig to associate

    Clusters earlier than v1.19

    apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb

    Run the following command to create the IngressClass:

    kubectl apply -f ingress_class.yaml

    Expected output:

    ingressclass.networking.k8s.io/alb created

    Step 2: Create an Ingress that references the IngressClass

    Create a file named ingress.yaml with the following content. The ingressClassName field links this Ingress to the AlbConfig through the IngressClass.

    Clusters v1.19 and later

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

    Clusters earlier than v1.19

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

    Run the following command to create the Ingress:

    kubectl apply -f ingress.yaml

    Expected output:

    ingress.networking.k8s.io/cafe-ingress created

    Use multiple ALB instances

    To route traffic through multiple ALB instances, create separate AlbConfig, IngressClass, and Ingress resources for each ALB instance. Use distinct ingressClassName values to associate each Ingress with its corresponding ALB instance.

    1. Create a second AlbConfig:

         apiVersion: alibabacloud.com/v1
   kind: AlbConfig
   metadata:
     name: alb-2
   spec:
     config:
       name: alb-2
       addressType: Internet
       zoneMappings:
       - vSwitchId: vsw-uf6ccg2a9g71hx8go****
       - vSwitchId: vsw-uf6nun9tql5t8nh15****
         kubectl apply -f alb-2.yaml

    2. Create a second IngressClass that references the new AlbConfig:

      Clusters v1.19 and later

         apiVersion: networking.k8s.io/v1
   kind: IngressClass
   metadata:
     name: alb-2
   spec:
     controller: ingress.k8s.alibabacloud/alb
     parameters:
       apiGroup: alibabacloud.com
       kind: AlbConfig
       name: alb-2

      Clusters earlier than v1.19

         apiVersion: networking.k8s.io/v1beta1
   kind: IngressClass
   metadata:
     name: alb-2
   spec:
     controller: ingress.k8s.alibabacloud/alb
     parameters:
       apiGroup: alibabacloud.com
       kind: AlbConfig
       name: alb-2
         kubectl apply -f ingress_class2.yaml

    3. Create an Ingress that uses the second IngressClass:

      Clusters v1.19 and later

         apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: cafe-ingress2
   spec:
     ingressClassName: alb-2
     rules:
     - http:
         paths:
         - path: /tea
           pathType: ImplementationSpecific
           backend:
             service:
               name: tea-svc
               port:
                 number: 80
         - path: /coffee
           pathType: ImplementationSpecific
           backend:
             service:
               name: coffee-svc
               port:
                 number: 80

      Clusters earlier than v1.19

         apiVersion: networking.k8s.io/v1beta1
   kind: Ingress
   metadata:
     name: cafe-ingress2
   spec:
     ingressClassName: alb-2
     rules:
     - http:
         paths:
         - path: /tea
           backend:
             serviceName: tea-svc
             servicePort: 80
         - path: /coffee
           backend:
             serviceName: coffee-svc
             servicePort: 80
         kubectl apply -f ingress2.yaml

    Configure network settings

    Enable IPv6 dual-stack

    Set addressIpVersion to DualStack to enable both IPv4 and IPv6:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    addressIpVersion: DualStack
    ...
    Important

    The addressIpVersion parameter is applied only when the AlbConfig is first created. Changes after creation are ignored.

    Associate an Internet Shared Bandwidth instance

    To share bandwidth across ALB instances, specify the bandWidthPackageId in the billingConfig section. This setting applies only to Internet-facing ALB instances (addressType: Internet).

    For more information about Internet Shared Bandwidth, see Create and manage an Internet Shared Bandwidth instance.
    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb
    addressType: Internet
    edition: Standard
    zoneMappings:
    - vSwitchId: vsw-2vcqeyvwsnd***
    - vSwitchId: vsw-2vcbhjlqu7y***
    billingConfig:
      bandWidthPackageId: cbwp-2vcjucp49otd8qolhm***

    Configure listeners

    Listeners define the ports and protocols that an ALB instance uses to accept client traffic. An ALB instance can serve traffic only after at least one listener is configured. Modifying a listener's port, protocol, or other properties deletes the original listener and creates a replacement.

    ALB supports three application-layer protocols: HTTP, HTTPS, and QUIC.

    Important

    To use multiple listeners with different protocols simultaneously, add an annotation to the Ingress resource. For more information, see Configure custom listening ports.

    HTTP listener

    listeners:
  - port: 80
    protocol: HTTP
    HTTP listeners are automatically compatible with WebSocket. No additional configuration is required.

    HTTPS listener

    listeners:
  - port: 443
    protocol: HTTPS
    Important

    HTTPS listeners require a certificate. For more information, see Configure an HTTPS certificate for encrypted communication.

    QUIC listener

    listeners:
  - port: 443
    protocol: QUIC
    Important

    QUIC listeners enable clients to access services over HTTP/3. For more information, see Use a QUIC listener to support the HTTP/3 protocol.

    Specify a certificate

    Set the certificates field in the listener configuration to bind a certificate to an HTTPS listener. The first certificate is the default certificate.

    If no certificate is specified, the listener is not created at ALB creation time. Instead, the listener is created only after an Ingress is associated and a certificate is auto-discovered based on the domain name.

    For more information, see Configure an HTTPS certificate for encrypted communication.

    Important

    ALB treats the first certificate as the default. Other certificates are used only if the default certificate expires or is no longer in use.

    listeners:
- caEnabled: false
  certificates:
  - CertificateId: 756****-cn-hangzhou
    IsDefault: true
  port: 443
  protocol: HTTPS

    Specify a TLS security policy

    For HTTPS listeners, specify a TLS security policy using the securityPolicyId field. Both custom and system default policies are supported. For more information, see TLS security policies.

    listeners:
- port: 443
  protocol: HTTPS
  securityPolicyId: tls_cipher_policy_1_1

    Set the request timeout

    The requestTimeout field specifies how long (in seconds) the ALB instance waits for a backend response. Valid values: 1 to 600. Default: 60 seconds. If the backend does not respond within the timeout, ALB returns an HTTP 504 error to the client.

    listeners:
- port: 80
  protocol: HTTP
  requestTimeout: 40

    Enable data compression

    Set gzipEnabled to true to compress responses. When the client supports both Brotli and Gzip, ALB prioritizes Brotli for better compression.

    Compression is applied when both of the following conditions are met:

    • The Content-Length response header exceeds 1024 bytes.

    • The Accept-Encoding request header includes a supported algorithm.

    Brotli compresses all file types. Gzip compresses the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

    listeners:
- port: 80
  protocol: HTTP
  gzipEnabled: true

    Configure X-Forwarded-For headers

    Add client and ALB metadata to HTTP request headers forwarded to backend services.

    Field

    Description

    XForwardedForEnabled

    Adds the client's originating IP address to the X-Forwarded-For header. Cannot be disabled once enabled. HTTP/HTTPS only.

    XForwardedForClientSrcPortEnabled

    Adds the client port. HTTP/HTTPS only.

    XForwardedForProtoEnabled

    Adds the listener protocol.

    XForwardedForSLBIdEnabled

    Adds the ALB instance ID.

    XForwardedForSLBPortEnabled

    Adds the listener port.

    listeners:
- port: 80
  protocol: HTTP
  xForwardedForConfig:
    XForwardedForEnabled: true
    XForwardedForClientSrcPortEnabled: true
    XForwardedForProtoEnabled: true
    XForwardedForSLBIdEnabled: true
    XForwardedForSLBPortEnabled: true

    Specify trusted proxy IP addresses

    Use XForwardedForClientSourceIpsEnabled and XForwardedForClientSourceIpsTrusted to extract the client's actual IP from the X-Forwarded-For header when requests pass through known proxies. ALB traverses the IP list in X-Forwarded-For in reverse order and selects the first IP that is not in the trusted list.

    For example, if X-Forwarded-For is <client IP, proxy-1, proxy-2>, set XForwardedForClientSourceIpsTrusted to proxy-1;proxy-2 to extract the client IP.

    Important

    This setting applies only to HTTP and HTTPS listeners.

    listeners:
- port: 80
  protocol: HTTP
  xForwardedForConfig:
    XForwardedForClientSourceIpsEnabled: true
    XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16  # Separate IPs/CIDRs with semicolons. No spaces.

    Configure ACL-based access control

    Control which clients can access your ALB listener by configuring an access control list (ACL). For more information, see Configure an ACL to implement access control.

    Field

    Description

    aclType

    White: allow only the specified CIDR blocks (whitelist). Black: deny the specified CIDR blocks (blacklist).

    aclEntries

    CIDR blocks for the access control entries, such as 127.0.0.1/32.

    listeners:
- port: 80
  protocol: HTTP
  aclConfig:
    aclEntries:
    - 127.0.0.1/32
    aclType: White

    Enable access logs with Simple Log Service

    Specify logProject and logStore in the AlbConfig to collect ALB access logs.

    The cluster must have an associated Simple Log Service project. To find the project name, go to the ACK console, navigate to Clusters > your cluster name > Cluster Information > Basic Information, and check the Log Service Project field.
    The logStore name must start with alb_. If the specified logStore does not exist, it is created automatically.
    To enable access logs on a reused ALB instance, set forceOverride to true. See Reuse an existing ALB instance.
    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    accessLogConfig:
      logProject: "k8s-log-xz92lvykqj1siwvif****"
      logStore: "alb_****"
    #...

    To view the collected access logs, go to the Basic Information tab and click the link next to Log Service Project.

    Update an AlbConfig

    Use kubectl edit to modify the configuration of an existing AlbConfig.

    1. Find the AlbConfig name: Expected output:

         kubectl get AlbConfig
         NAME       ALBID        DNSNAME                                  PORT&PROTOCOL   CERTID   AGE
   alb        alb-******   alb-******.<regionID>.alb.aliyuncsslb.com                            28m

    2. Edit the AlbConfig: Replace <ALBCONFIG_NAME> with the name of your AlbConfig. For example, change the ALB instance name:

         kubectl edit albconfig <ALBCONFIG_NAME>
         ...
    spec:
      config:
        name: new_alb  # Updated name
   ...

    How the listeners field is updated

    The listeners field is an array that is updated by replacement. When you apply a new configuration, the system compares three states to determine the result:

    #

    In new config

    In existing config

    In last-applied-configuration

    Result

    1

    Yes

    Yes

    -

    Updated with the new config values.

    2

    Yes

    No

    -

    Created as a new listener.

    3

    No

    -

    Yes

    Deleted from the existing config. May reset to default.

    4

    No

    Yes

    No

    Removed from the existing config.

    Example:

    Given the following three states:

    # New config (object configuration file)
listeners:
- port: 8001
  protocol: HTTP
- port: 8003
  protocol: HTTP
- port: 8005    # New
  protocol: HTTP

# Existing config
listeners:
- port: 8001
  protocol: HTTP
- port: 8002    # To be deleted
  protocol: HTTP
- port: 8003
  protocol: HTTP
- port: 8004    # To be deleted
  protocol: HTTP

# last-applied-configuration
listeners:
- port: 8001
  protocol: HTTP
- port: 8002    # To be deleted
  protocol: HTTP
- port: 8003
  protocol: HTTP

    The resulting listeners configuration:

    listeners:
- port: 8001    # Retained (rule 1)
  protocol: HTTP
- port: 8003    # Retained (rule 1)
  protocol: HTTP
- port: 8005    # Added (rule 2)
  protocol: HTTP

    • Ports 8001 and 8003: retained (rule 1).

    • Port 8005: added (rule 2).

    • Port 8002: deleted (rule 3 -- present in last-applied-configuration).

    • Port 8004: deleted (rule 4 -- not in last-applied-configuration, but absent from new config).

    Delete an AlbConfig

    Important

    Before deleting an AlbConfig, delete all Ingress resources associated with it.

    Delete an AlbConfig that created the ALB instance

    Deleting the AlbConfig also deletes the associated ALB instance.

    kubectl delete AlbConfig <AlbConfig_NAME>

    Replace <AlbConfig_NAME> with the name of the AlbConfig.

    Delete an AlbConfig for a reused ALB instance

    Deleting the AlbConfig does not delete the ALB instance itself, because the instance was not created by the AlbConfig.

    1. (ALB Ingress Controller v2.10.0-aliyun.1 or earlier only) Edit the AlbConfig and remove all entries under spec.listeners: Skip this step if your ALB Ingress Controller version is later than v2.10.0-aliyun.1.

         kubectl edit albconfig <AlbConfig_NAME>

    2. Delete the AlbConfig:

      Important

      Delete all associated Ingress resources before running this command.

         kubectl delete AlbConfig <AlbConfig_NAME>

    Delete a listener

    Remove the listener entry from spec.listeners using kubectl edit. An ALB instance can have multiple listeners; remove only the ones you no longer need.

    Important

    Remove all Ingresses associated with the listener before deleting it. Otherwise, the deletion fails.

    # Before: two listeners
listeners:
- port: 8001
  protocol: HTTP
- port: 8002    # Remove this listener
  protocol: HTTP

# After: one listener
listeners:
- port: 8001
  protocol: HTTP

    FAQ

    Error: alb: listener port number must between [1:65535], or you should set listen port explicitly in listener config

    This typically happens when an extra - (dash) is placed before certificates in the YAML file, which creates a separate listener entry without a port.

    Incorrect:

    listeners:
- port: 80
  protocol: HTTP
- port: 443
  protocol: HTTPS
- certificates:           # Extra "-" creates a new listener without a port
  - CertificateId: 756****-cn-hangzhou
    IsDefault: true

    Correct:

    listeners:
- port: 80
  protocol: HTTP
- port: 443
  protocol: HTTPS
  certificates:           # No "-" -- certificates belongs to the port 443 listener
  - CertificateId: 756****-cn-hangzhou
    IsDefault: true

    Remove the - before certificates so that the certificate configuration is part of the HTTPS listener on port 443.