An Application Load Balancer (ALB) Ingress is a Kubernetes API object that provides Layer 7 load balancing for external access to Services in an ACS cluster. This topic covers advanced ALB Ingress configurations, including domain-based and path-based request forwarding, health checks, HTTPS redirects, canary releases, and more.
Prerequisites
Before you begin, ensure that you have:
An ACS cluster. For more information, see Create an ACS cluster.
An AlbConfig object. For more information, see Getting started with ALB Ingress.
Annotation quick reference
All ALB Ingress configurations use Kubernetes annotations. The following table lists the annotations covered in this topic.
| Annotation | Type | Default | Cluster version | Section |
|---|---|---|---|---|
alb.ingress.kubernetes.io/healthcheck-enabled | "true" | "false" | "false" | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-path | string | "/" | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-protocol | "HTTP" | "TCP" | "HTTP" | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-method | "HEAD" | "GET" | "HEAD" | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-httpcode | "http_2xx" | "http_3xx" | "http_4xx" | "http_5xx" | "http_2xx" | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-timeout-seconds | integer, 1–300 | 5 | — | Configure health checks |
alb.ingress.kubernetes.io/healthcheck-interval-seconds | integer, 1–50 | 2 | — | Configure health checks |
alb.ingress.kubernetes.io/healthy-threshold-count | integer, 2–10 | 3 | — | Configure health checks |
alb.ingress.kubernetes.io/unhealthy-threshold-count | integer, 2–10 | 3 | — | Configure health checks |
alb.ingress.kubernetes.io/ssl-redirect | "true" | "false" | — | — | Redirect HTTP to HTTPS |
alb.ingress.kubernetes.io/backend-protocol | "https" | "grpc" | — | — | Set the backend protocol |
alb.ingress.kubernetes.io/use-regex | "true" | "false" | — | — | Use regular expressions |
alb.ingress.kubernetes.io/conditions.<service-name> | JSON | — | — | Use regular expressions |
alb.ingress.kubernetes.io/rewrite-target | string | — | — | Configure rewrite rules |
alb.ingress.kubernetes.io/listen-ports | JSON | — | — | Configure custom listening ports |
alb.ingress.kubernetes.io/order | integer, 1–1,000 | 10 | — | Set forwarding rule priorities |
alb.ingress.kubernetes.io/canary | "true" | "false" | — | — | Canary releases |
alb.ingress.kubernetes.io/canary-by-header | string | — | — | Canary releases |
alb.ingress.kubernetes.io/canary-by-header-value | string | — | — | Canary releases |
alb.ingress.kubernetes.io/canary-by-cookie | string | — | — | Canary releases |
alb.ingress.kubernetes.io/canary-weight | integer, 0–100 | — | — | Canary releases |
alb.ingress.kubernetes.io/sticky-session | "true" | "false" | "false" | — | Configure session persistence |
alb.ingress.kubernetes.io/sticky-session-type | "Insert" | "Server" | "Insert" | — | Configure session persistence |
alb.ingress.kubernetes.io/cookie-timeout | integer, 1–86,400 | 1000 | — | Configure session persistence |
alb.ingress.kubernetes.io/backend-scheduler | "wrr" | "wlc" | "sch" | "uch" | "wrr" | 1.19+ | Set the load balancing algorithm |
alb.ingress.kubernetes.io/backend-scheduler-uch-value | string | — | 1.19+ | Set the load balancing algorithm |
alb.ingress.kubernetes.io/enable-cors | "true" | "false" | — | — | Configure CORS |
alb.ingress.kubernetes.io/cors-allow-origin | string | "*" | — | Configure CORS |
alb.ingress.kubernetes.io/cors-allow-methods | string | "GET, PUT, POST, DELETE, PATCH, OPTIONS" | — | Configure CORS |
alb.ingress.kubernetes.io/cors-allow-headers | string | "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization" | — | Configure CORS |
alb.ingress.kubernetes.io/cors-expose-headers | string | empty | — | Configure CORS |
alb.ingress.kubernetes.io/cors-allow-credentials | "true" | "false" | "true" | — | Configure CORS |
alb.ingress.kubernetes.io/cors-max-age | integer, -1–172,800 | 172800 | — | Configure CORS |
alb.ingress.kubernetes.io/backend-keepalive | "true" | "false" | — | — | Enable backend persistent connections |
alb.ingress.kubernetes.io/traffic-limit-qps | integer, 1–100,000 | — | — | Configure QPS throttling |
Forward requests based on domain names
ALB Ingress routes incoming requests to Services based on the host field in Ingress rules. This section shows how to forward requests using a named domain and without a domain.
Forward requests to a named domain
Apply the following manifest to create a Deployment, a Service, and an Ingress. Requests to
demo.domain.ingress.topare forwarded todemo-service.apiVersion: v1 kind: Service metadata: name: demo-service namespace: default spec: ports: - name: port1 port: 80 protocol: TCP targetPort: 8080 selector: app: demo sessionAffinity: None type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: name: demo namespace: default spec: replicas: 1 selector: matchLabels: app: demo template: metadata: labels: app: demo spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1 imagePullPolicy: IfNotPresent name: demo ports: - containerPort: 8080 protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: demo.domain.ingress.top http: paths: - backend: service: name: demo-service port: number: 80 path: /hello pathType: ImplementationSpecificGet the ALB instance address by running
kubectl get ing, then send a test request. Replace<ADDRESS>with the ALB instance domain name.curl -H "host: demo.domain.ingress.top" <ADDRESS>/helloExpected output:
{"hello":"coffee"}
Forward requests without a domain
Set host to an empty string to match requests regardless of the Host header.
Apply the following Ingress manifest:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: "" http: paths: - backend: service: name: demo-service port: number: 80 path: /helloGet the ALB instance address by running
kubectl get ing, then send a test request. Replace<ADDRESS>with the ALB instance domain name.curl <ADDRESS>/helloExpected output:
{"hello":"coffee"}
Forward requests based on URL paths
Set the pathType field to control how ALB Ingress matches URL paths. Three match types are supported: Exact, ImplementationSpecific (default), and Prefix.
URL match policies can conflict with each other. When conflicts exist, requests are matched in descending order of policy priority. For details, see Set forwarding rule priorities.
Path match behavior
| Match mode | Rule | URL path | Match? |
|---|---|---|---|
| Prefix | / | (all paths) | Yes |
| Prefix | /foo | /foo | Yes |
| Prefix | /foo | /foo/ | Yes |
| Prefix | /aaa/bb | /aaa/bbb | No |
| Prefix | /aaa/bbb | /aaa/bbb | Yes |
| Prefix | /aaa/bbb/ | /aaa/bbb | Yes — trailing / in the rule is ignored |
| Prefix | /aaa/bbb | /aaa/bbb/ | Yes — trailing / in the URL path is matched |
| Prefix | /aaa/bbb | /aaa/bbb/ccc | Yes — subpath is matched |
| Prefix | / and /aaa | /aaa/ccc | Yes — matches the /aaa prefix |
| Prefix | /aaa and / | /aaa/ccc | Yes — matches the /aaa prefix |
| Prefix | /aaa and / | /ccc | Yes — matches the / prefix |
| Prefix | /aaa | /ccc | No |
| Exact or ImplementationSpecific | /foo | /foo | Yes |
| Exact or ImplementationSpecific | /foo | /bar | No |
| Exact or ImplementationSpecific | /foo | /foo/ | No |
| Exact or ImplementationSpecific | /foo/ | /foo | No |
Exact
Requests must match the path exactly.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-path
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /hello
backend:
service:
name: demo-service
port:
number: 80
pathType: ExactImplementationSpecific
In ALB Ingress, ImplementationSpecific behaves identically to Exact.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-path
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /hello
backend:
service:
name: demo-service
port:
number: 80
pathType: ImplementationSpecificPrefix
Prefix performs a case-sensitive match on path elements delimited by /. Setting path: / matches all incoming requests.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-path-prefix
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /
backend:
service:
name: demo-service
port:
number: 80
pathType: PrefixTo verify any of the above, run kubectl get ing to get <ADDRESS>, then:
curl <ADDRESS>/helloExpected output:
{"hello":"coffee"}Configure health checks
Add health check annotations to an Ingress to let ALB probe backend servers and remove unhealthy ones from the rotation automatically.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/healthcheck-enabled: "true"
alb.ingress.kubernetes.io/healthcheck-path: "/"
alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
alb.ingress.kubernetes.io/healthy-threshold-count: "3"
alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /tea
backend:
service:
name: tea-svc
port:
number: 80
- path: /coffee
backend:
service:
name: coffee-svc
port:
number: 80| Annotation | Description |
|---|---|
alb.ingress.kubernetes.io/healthcheck-enabled | (Optional) Enable health checks. Default: false. |
alb.ingress.kubernetes.io/healthcheck-path | (Optional) URL path for health checks. Must start with / and be 1–80 characters. The URL can contain letters, digits, hyphens (-), forward slashes (/), periods (.), percent signs (%), question marks (?), number signs (#), and ampersands (&). The URL can also contain the following extended characters: _ ; ~ ! ( ) * [ ] @ $ ^ : ' , +. Default: /. By default, the ALB instance sends HTTP HEAD requests to the default application homepage configured on a backend Elastic Compute Service (ECS) instance to perform health checks. The ALB instance sends the requests to the private IP address of the ECS instance. If you do not want to use the default application homepage for health checks, you must specify a URL path. |
alb.ingress.kubernetes.io/healthcheck-protocol | (Optional) Protocol for health checks. |
alb.ingress.kubernetes.io/healthcheck-method | (Optional) HTTP method for health checks. |
alb.ingress.kubernetes.io/healthcheck-httpcode | Status codes that indicate a healthy backend. Valid values: http_2xx (default), http_3xx, http_4xx, http_5xx. |
alb.ingress.kubernetes.io/healthcheck-timeout-seconds | Timeout for a single health check. If a backend does not respond within this period, the check fails. Valid values: 1–300. Default: 5. Unit: seconds. |
alb.ingress.kubernetes.io/healthcheck-interval-seconds | Interval between consecutive health checks. Valid values: 1–50. Default: 2. Unit: seconds. |
alb.ingress.kubernetes.io/healthy-threshold-count | Number of consecutive successful checks before an unhealthy backend is considered healthy. Valid values: 2–10. Default: 3. |
alb.ingress.kubernetes.io/unhealthy-threshold-count | Number of consecutive failed checks before a healthy backend is considered unhealthy. Valid values: 2–10. Default: 3. |
Redirect HTTP to HTTPS
Set alb.ingress.kubernetes.io/ssl-redirect: "true" to redirect all HTTP requests to HTTPS port 443.
ALB Ingress cannot create listeners directly. Specify listener ports and protocols in an AlbConfig object, then associate the listeners with Services in the Ingress. For details, see Use AlbConfigs to configure ALB listeners.
apiVersion: v1
kind: Service
metadata:
name: demo-service-ssl
namespace: default
spec:
ports:
- name: port1
port: 80
protocol: TCP
targetPort: 8080
selector:
app: demo-ssl
sessionAffinity: None
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo-ssl
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: demo-ssl
template:
metadata:
labels:
app: demo-ssl
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
imagePullPolicy: IfNotPresent
name: demo-ssl
ports:
- containerPort: 8080
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/ssl-redirect: "true"
name: demo-ssl
namespace: default
spec:
ingressClassName: alb
tls:
- hosts:
- ssl.alb.ingress.top
rules:
- host: ssl.alb.ingress.top
http:
paths:
- backend:
service:
name: demo-service-ssl
port:
number: 80
path: /
pathType: PrefixSet the backend protocol
ALB supports HTTPS and gRPC as backend protocols. Set the alb.ingress.kubernetes.io/backend-protocol annotation to "https" or "grpc".
The backend protocol cannot be changed after the Ingress is created. To change the protocol, delete the Ingress and recreate it.
For gRPC, the domain must have an SSL certificate and use TLS. The following example configures a gRPC backend:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/backend-protocol: "grpc"
name: lxd-grpc-ingress
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: grpc-demo-svc
port:
number: 9080Use regular expressions
Set alb.ingress.kubernetes.io/use-regex: "true" to enable regular expression matching in the path field. Use the alb.ingress.kubernetes.io/conditions.<service-name> annotation to define custom path conditions.
The Service named in the annotation must exist in the cluster and match the Service name in the backend field of the rule.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/use-regex: "true"
alb.ingress.kubernetes.io/conditions.service-a: |
[{
"type": "Path",
"pathConfig": {
"values": [
"~*^/pathvalue1",
"/pathvalue2"
]
}
}]
name: ingress-example
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /test
pathType: Prefix
backend:
service:
name: service-a
port:
number: 88Regular expression patterns must use the~*flag prefix (for example,~*^/pathvalue1). Exact match paths do not require the~*prefix.
Configure rewrite rules
Use alb.ingress.kubernetes.io/rewrite-target together with alb.ingress.kubernetes.io/use-regex: "true" to rewrite request paths before they reach the backend.
Rules:
Variables in
${number}format must be used on apathwhosepathTypeisPrefix.Up to three capture group variables are supported:
${1},${2}, and${3}.The
pathmust start with/.By default,
*and?are not allowed in thepathfield. Enableuse-regexto use them.
The following example rewrites paths matching /something(/|$)(.*):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/use-regex: "true"
alb.ingress.kubernetes.io/rewrite-target: /path/${2}
name: rewrite-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /something(/|$)(.*)
pathType: Prefix
backend:
service:
name: rewrite-svc
port:
number: 9080The ${2} variable captures the path segment after /something/. The backend receives the following paths:
| Client request | Backend receives |
|---|---|
/something | /path/ |
/something/ | /path/ |
/something/new | /path/new |
For multi-group rewrites, consider this example: path set to /sys/(.*)/(.*)/aaa and rewrite-target set to /${1}/${2}. A request to /sys/ccc/bbb/aaa matches the pattern — ${1} is replaced with ccc and ${2} with bbb — so the backend receives /ccc/bbb.
Configure custom listening ports
Set alb.ingress.kubernetes.io/listen-ports to expose a Service on multiple ports simultaneously — for example, HTTP on port 80 and HTTPS on port 443.
ALB Ingress cannot create listeners directly. Specify listener ports and protocols in an AlbConfig object, then associate the listeners with Services in the Ingress. For details, see Use AlbConfigs to configure ALB listeners.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80Set forwarding rule priorities
By default, ALB Ingress prioritizes forwarding rules as follows:
Ingresses are ranked by the lexicographical order of
namespace/name. A lower value means higher priority.Within the same Ingress, rules are matched top-to-bottom in the order they appear in the
rulesfield.
To override the default ranking without renaming an Ingress, use the alb.ingress.kubernetes.io/order annotation.
Priorities must be unique within the same listener. The value must be an integer from 1 to 1,000. A lower value means higher priority. The default is 10.apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/order: "2"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80Canary releases
ALB Ingress supports canary releases that route a subset of traffic to a new version of your Service. Three traffic-splitting methods are available: header-based, cookie-based, and weight-based.
Enable canary releases on an Ingress by setting alb.ingress.kubernetes.io/canary: "true", then add the appropriate routing annotations.
Canary rule priority: header-based > cookie-based > weight-based.
During canary testing, do not modify the original Ingress rules — doing so may interrupt traffic. After the new version passes testing, update the backend Service in the original Ingress and delete the canary Ingress.
Header-based canary
canary-by-header specifies the request header name to match. canary-by-header-value specifies the required header value and must be used together with canary-by-header. Requests where the header matches are routed to the canary Service; all other requests fall through to the next canary rule by priority.
In the following example, requests with the header location: hz go to the canary Service:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/order: "1"
alb.ingress.kubernetes.io/canary: "true"
alb.ingress.kubernetes.io/canary-by-header: "location"
alb.ingress.kubernetes.io/canary-by-header-value: "hz"
name: demo-canary
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- backend:
service:
name: demo-service-hello
port:
number: 80
path: /hello
pathType: ImplementationSpecificCookie-based canary
canary-by-cookie splits traffic based on a cookie name. Set the cookie to always to route requests to the canary Service, or never to exclude them.
Onlyalwaysandneverare supported. Custom cookie values are not supported.
In the following example, requests with the cookie demo=always go to the canary Service:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/order: "2"
alb.ingress.kubernetes.io/canary: "true"
alb.ingress.kubernetes.io/canary-by-cookie: "demo"
name: demo-canary-cookie
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- backend:
service:
name: demo-service-hello
port:
number: 80
path: /hello
pathType: ImplementationSpecificWeight-based canary
canary-weight sets the percentage of requests routed to the canary Service. The value must be an integer from 0 to 100.
In the following example, 50% of requests go to the canary Service:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/order: "3"
alb.ingress.kubernetes.io/canary: "true"
alb.ingress.kubernetes.io/canary-weight: "50"
name: demo-canary-weight
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- backend:
service:
name: demo-service-hello
port:
number: 80
path: /hello
pathType: ImplementationSpecificConfigure session persistence
ALB Ingress routes requests from the same client to the same backend server across multiple connections. Configure session persistence using the following annotations:
| Annotation | Description |
|---|---|
alb.ingress.kubernetes.io/sticky-session | Enable session persistence. Valid values: true, false. Default: false. |
alb.ingress.kubernetes.io/sticky-session-type | Cookie handling method. Insert (default): Server Load Balancer inserts a SERVERID cookie into the response and uses it to pin subsequent requests to the same backend. Server: Server Load Balancer rewrites a user-defined cookie for the same purpose. Takes effect only when StickySessionEnabled is true for the server group. |
alb.ingress.kubernetes.io/cookie-timeout | Cookie timeout in seconds. Valid values: 1–86,400. Default: 1000. |
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress-v3
annotations:
alb.ingress.kubernetes.io/sticky-session: "true"
alb.ingress.kubernetes.io/sticky-session-type: "Insert"
alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /tea2
backend:
service:
name: tea-svc
port:
number: 80
- path: /coffee2
backend:
service:
name: coffee-svc
port:
number: 80Set the load balancing algorithm
Use alb.ingress.kubernetes.io/backend-scheduler to set the load balancing algorithm for a backend server group. The cluster version must be 1.19 or later.
Four algorithms are supported:
| Value | Algorithm | How it works |
|---|---|---|
wrr (default) | Weighted round robin | Distributes requests proportionally to each server's weight. |
wlc | Weighted least connections | Distributes requests to backend servers based on their weights and the number of existing connections. If backend servers have the same weight, the server with the fewest connections is selected. |
sch | Source IP hashing | Routes requests from the same source IP to the same backend server. |
uch | URL-based consistent hashing | Routes requests with the same URL parameter to the same backend server. Requires alb.ingress.kubernetes.io/backend-scheduler-uch-value to specify the parameter name. |
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/backend-scheduler: "uch"
alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80Configure CORS
Set alb.ingress.kubernetes.io/enable-cors: "true" to enable Cross-Origin Resource Sharing (CORS) on an ALB Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: alb-ingress
annotations:
alb.ingress.kubernetes.io/enable-cors: "true"
alb.ingress.kubernetes.io/cors-expose-headers: ""
alb.ingress.kubernetes.io/cors-allow-methods: "GET,POST"
alb.ingress.kubernetes.io/cors-allow-credentials: "true"
alb.ingress.kubernetes.io/cors-max-age: "600"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cloud-nodeport
port:
number: 80| Annotation | Description | Default |
|---|---|---|
alb.ingress.kubernetes.io/cors-allow-origin | URLs allowed to access resources via a browser. Each URL must start with http:// or https:// and use a valid domain or top-level wildcard. Separate multiple URLs with commas. Example: "https://example.com:4443, http://aliyundoc.com". | * |
alb.ingress.kubernetes.io/cors-allow-methods | HTTP methods allowed for CORS requests. Values are not case-sensitive. Separate multiple methods with commas. Example: "PUT, GET, POST, OPTIONS". | GET, PUT, POST, DELETE, PATCH, OPTIONS |
alb.ingress.kubernetes.io/cors-allow-headers | Request headers allowed in CORS requests. Headers can contain letters, digits, underscores, and hyphens. Separate multiple headers with commas. Example: "X-Forwarded-For, X-app123-XPTO". | DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization |
alb.ingress.kubernetes.io/cors-expose-headers | Headers that clients can access in the response. Headers can contain letters, digits, underscores, hyphens, and asterisks. Separate multiple headers with commas. Example: "*, X-CustomResponseHeader". | empty |
alb.ingress.kubernetes.io/cors-allow-credentials | Whether to include credentials in CORS requests. | true |
alb.ingress.kubernetes.io/cors-max-age | Maximum cache duration for preflight OPTIONS request results. Valid values: -1 to 172,800. Unit: seconds. | 172800 |
Enable backend persistent connections
By default, ALB uses short-lived connections to backend server groups — each request opens and then closes a TCP connection. Persistent connections reuse existing TCP connections across multiple requests, reducing connection overhead and improving throughput under high load.
Set alb.ingress.kubernetes.io/backend-keepalive: "true" to enable this feature:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: alb-ingress
annotations:
alb.ingress.kubernetes.io/backend-keepalive: "true"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cloud-nodeport
port:
number: 80Configure QPS throttling
Set alb.ingress.kubernetes.io/traffic-limit-qps to limit the number of queries per second (QPS) for a forwarding rule. The value must be an integer from 1 to 100,000.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/traffic-limit-qps: "50"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80
- path: /coffee
pathType: ImplementationSpecific
backend:
service:
name: coffee-svc
port:
number: 80