All Products
Search

This Product

    Container Compute Service:Use annotations to configure CLB instances

    Document Center

    Container Compute Service:Use annotations to configure CLB instances

    Last Updated:Jan 30, 2026

    Configure Classic Load Balancer (CLB) instances, listeners, and backend server groups by adding annotations to the YAML file of a Kubernetes Service.

    Overview

    This topic describes how to use Service annotations to configure CLB instances in Container Compute Service (ACS). Annotations let you customize load balancing behavior without modifying the CLB console directly.

    Before you begin:

    • Annotation values are case-sensitive.

    • Check the Cloud Controller Manager (CCM) version requirements for each annotation. For CCM updates, see Manage components. For CCM release notes, see Cloud Controller Manager.

    • Since September 11, 2019, the annotation prefix changed from alicloud to alibaba-cloud. Both prefixes are supported for backward compatibility.

    Contents

    CLB instance management

    Create an Internet-facing CLB instance

    By default, a LoadBalancer Service creates an Internet-facing CLB instance:

    apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Create an internal-facing CLB instance

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type

    internet: Internet-facing CLB
    intranet: Internal-facing CLB

    internet

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Create a CLB instance with specific specifications

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type

    paybytraffic: Pay by traffic
    paybybandwidth: Pay by bandwidth

    paybytraffic

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec

    CLB specification. See CreateLoadBalancer.

    slb.s1.small

    1.9.3+

    If you modify specifications in the CLB console, the CCM may restore them. Use annotations for specification changes.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-instance-charge-type: "PayBySpec"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Use an existing CLB instance

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id

    ID of an existing CLB instance

    None

    1.9.3.81+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners

    true: Overwrite existing listeners
    false: Preserve existing listeners

    false

    1.9.3.81+

    By default, existing listeners are preserved to prevent service interruptions. Use the force-override-listeners annotation only when the listener ports are no longer in use.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LOADBALANCER_ID}"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    To forcefully overwrite listeners:

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LOADBALANCER_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Specify primary and secondary zones

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid

    Primary zone ID

    None

    1.9.3.10+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-slave-zoneid

    Secondary zone ID

    None

    1.9.3.10+

    Zones cannot be changed after the CLB instance is created. Not all regions support primary/secondary zones.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid: "cn-hangzhou-k"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-slave-zoneid: "cn-hangzhou-j"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Create a pay-by-bandwidth CLB instance

    Both annotations are required:

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type

    Set to paybybandwidth

    paybytraffic

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth

    Maximum bandwidth (Mbps). Internet-facing only.

    50

    1.9.3.10+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type: "paybybandwidth"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth: "2"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Specify a vSwitch for internal CLB

    Both annotations are required:

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type

    Must be intranet

    internet

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id

    vSwitch ID (must be in same VPC as cluster)

    None

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: "${YOUR_VSWITCH_ID}"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Specify an IP address for internal CLB

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip

    IP address within vSwitch CIDR. IPv4 only. Cannot be changed after creation.

    None

    2.7.0+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: "${YOUR_VSWITCH_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip: "192.168.x.x"
  name: nginx
  namespace: default
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 80
    name: http
  selector:
    app: nginx

    Add tags to a CLB instance

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags

    Tags in key1=value1,key2=value2 format

    None

    1.9.3+

    Cannot be used with existing CLB instances.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags: "Key1=Value1,Key2=Value2"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Create an IPv6 CLB instance

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version

    ipv4 or ipv6. Requires IPVS kube-proxy mode. Cannot be changed after creation.

    ipv4

    1.9.3.220+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Enable deletion protection

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-delete-protection

    on or off

    on

    1.9.3.313+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-delete-protection: "on"
  name: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Enable configuration read-only mode

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-modification-protection

    ConsoleProtection or NonProtection

    ConsoleProtection

    1.9.3.313+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-modification-protection: "ConsoleProtection"
  name: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Specify the CLB instance name

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-name

    2-128 characters: letters, digits, periods, underscores, hyphens. Must start with a letter.

    None

    1.9.3.313+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-name: "your-svc-name"
  name: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Specify the resource group

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id

    Resource group ID. Cannot be changed after creation.

    None

    1.9.3.313+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id: "rg-xxxx"
  name: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Specify a hostname for a Service

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-hostname

    Domain name for the Service

    None

    2.3.0+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port

    Protocol and port mapping (e.g., http:80)

    None

    1.9.3+

    This annotation changes the external IP to your service name. For TCP/UDP listeners, a loop occurs when requests from within the cluster are forwarded to the CLB IP address. You must separately purchase and configure the domain name.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-hostname: "${your_service_hostname}"
  name: nginx-svc
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer

    Create a pay-by-LCU CLB instance

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-instance-charge-type

    PayBySpec: Pay by specification
    PayByCLCU: Pay by Loadbalancer Capacity Units

    PayBySpec

    2.4.0+

    You cannot specify both PayByCLCU and a CLB specification annotation.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-instance-charge-type: "PayByCLCU"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Retain CLB instance when deleting a Service

    Annotation

    Description

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-lb-on-delete

    Any non-empty value enables retention. The CLB instance and backend servers are preserved when the Service is deleted.

    2.10.0+

    Delete the Service rather than changing its type. Otherwise, the Service will be re-associated with the original CLB instance.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-preserve-lb-on-delete: "true"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Listener configuration

    TCP session persistence

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-timeout

    Session persistence timeout (0-3600 seconds). TCP listeners only. 0 disables persistence.

    0

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-timeout: "1800"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    HTTP/HTTPS session persistence with cookies

    For HTTP and HTTPS listeners only:

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session

    on or off

    off

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type

    insert: Insert cookie
    server: Rewrite cookie

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie-timeout

    Cookie timeout (1-86400 seconds). Required when type is insert.

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie

    Cookie name (1-200 ASCII characters). Required when type is server.

    None

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type: "insert"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie-timeout: "1800"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Configure an ACL

    Before using these annotations, create an ACL in the CLB console.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status

    on or off

    off

    1.9.3.164+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-id

    ACL ID

    None

    1.9.3.164+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-type

    white: Whitelist (allow only listed IPs)
    black: Blacklist (deny listed IPs)

    None

    1.9.3.164+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-id: "${YOUR_ACL_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-type: "white"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Configure HTTP to HTTPS port forwarding

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port

    Protocol-port mappings (e.g., https:443,http:80)

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id

    Certificate ID from CLB console

    None

    1.9.3.164+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-forward-port

    Forward HTTP to HTTPS (e.g., 80:443)

    None

    1.9.3.164+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443,http:80"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-forward-port: "80:443"
  name: nginx
  namespace: default
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 80
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Specify the scheduling algorithm

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler

    wrr: Weighted Round Robin
    rr: Round Robin

    rr

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler: "wrr"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Create listener types

    UDP listener

    apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: UDP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    HTTP listener

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    HTTPS listener

    HTTPS listeners decrypt requests and forward them as HTTP to backend pods.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    TCP and UDP on the same port

    Requires Kubernetes 1.24 or later.

    apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: default
spec:
  ports:
  - name: tcp
    port: 80
    protocol: TCP
    targetPort: 80
  - name: udp
    port: 80
    protocol: UDP
    targetPort: 81
  selector:
    app: nginx
  sessionAffinity: None
  type: LoadBalancer

    Health check settings

    TCP health checks

    Health checks are enabled by default for TCP ports.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-switch

    on or off

    on

    2.6.0+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type

    tcp or http

    tcp

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout

    Timeout (1-300 seconds)

    5

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold

    Consecutive successes to mark healthy (2-10)

    3

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold

    Consecutive failures to mark unhealthy (2-10)

    3

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval

    Check interval (1-50 seconds)

    2

    1.9.3+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-switch: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "tcp"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout: "8"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "3"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    HTTP health checks

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag

    on or off (for HTTP listeners)

    off

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-uri

    Health check URI

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-httpcode

    Success codes: http_2xx, http_3xx, http_4xx, http_5xx

    http_2xx

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-domain

    Domain for health checks ($_ip for backend IP)

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout

    Timeout (1-300 seconds)

    None

    1.9.3+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-method

    head or get

    None

    2.3.0+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "http"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-uri: "/test/index.html"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout: "10"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "3"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Disable health checks

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-switch: "off"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Advanced listener options

    Connection draining

    TCP and UDP listeners only.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain

    on or off

    None

    2.0.1+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout

    Timeout (10-900 seconds)

    None

    2.0.1+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: "30"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Additional request headers

    HTTP and HTTPS listeners only.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-proto

    Add X-Forwarded-Proto header

    off

    2.1.0+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-slbport

    Add XForwardedFor_SLBPORT header

    off

    2.9.1+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-clientsrcport

    Add XForwardedFor_ClientSrcPort header

    off

    2.9.1+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-proto: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-slbport: "on"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-xforwardedfor-clientsrcport: "on"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Timeout settings

    Annotation

    Description

    Listeners

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-idle-timeout

    Idle connection timeout (1-60 seconds)

    HTTP, HTTPS

    15

    2.1.0+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-request-timeout

    Request timeout (1-180 seconds)

    HTTP, HTTPS

    60

    2.3.0+

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-established-timeout

    Connection timeout (10-900 seconds)

    TCP

    None

    2.3.0+

    Disable HTTP/2

    HTTPS listeners only.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-http2-enabled

    on or off

    on

    2.1.0+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-http2-enabled: "off"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    TLS security policies

    HTTPS listeners only.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-tls-cipher-policy

    TLS policy: tls_cipher_policy_1_0, tls_cipher_policy_1_1, tls_cipher_policy_1_2, tls_cipher_policy_1_2_strict, tls_cipher_policy_1_2_strict_with_1_3

    tls_cipher_policy_1_0

    2.4.0+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443,http:80"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-tls-cipher-policy: "tls_cipher_policy_1_2"
  name: nginx
  namespace: default
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
  type: LoadBalancer

    Proxy protocol

    TCP and UDP listeners only.

    Annotation

    Description

    Default

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol

    on or off. Enables passing client IP to backend servers.

    off

    2.6.0+

    Enabling proxy protocol may cause service interruptions. Stop and update your applications before enabling.

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-proxy-protocol: "on"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    Skip backend server weight updates

    Annotation

    Description

    CCM Version

    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ignore-weight-update

    on or off. Skip weight updates to allow manual weight management.

    2.11.1+

    apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ignore-weight-update: "on"
  name: nginx
  namespace: default
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    run: nginx
  type: LoadBalancer

    References

    • For more information about the considerations for configuring a LoadBalancer Service and the policies that are used by the CCM to update CLB resources, see Considerations for configuring a LoadBalancer Service.

    • For more information about how to troubleshoot ACS Services issues, such as the annotations of a Service do not take effect, see Service FAQ.