All Products
Search

This Product

    Container Compute Service:Configure an ALB instance using an AlbConfig

    Document Center

    Container Compute Service:Configure an ALB instance using an AlbConfig

    Last Updated:Mar 26, 2026

    An AlbConfig is a Custom Resource Definition (CRD) that the ALB Ingress Controller uses to configure Application Load Balancer (ALB) instances and listeners. This document covers how to create and update an AlbConfig, associate it with an Ingress, configure listeners, and enable access logs.

    Prerequisites

    Before you begin, ensure that you have:

    Usage notes

    • Use kubectl edit to update resource configurations directly. If you must use kubectl apply, run kubectl diff first to preview the changes and confirm they are as expected before applying them.

    • If both Nginx Ingress and ALB Ingress exist in a cluster, earlier versions of the Nginx Ingress Controller cannot recognize the spec.ingressClassName field, which may cause conflicts with or overwrite your ALB Ingress configuration. To avoid this, upgrade the Nginx Ingress Controller to the latest version, or use an annotation to specify the ingressClass for ALB Ingress. See Advanced features of ALB Ingress.

    Key concepts

    An AlbConfig corresponds to a single ALB instance but can be associated with multiple Ingresses (one-to-many). To use multiple ALB instances, create multiple AlbConfigs, each with its own IngressClass.

    The relationship is:

    AlbConfig → ALB instance
IngressClass → references AlbConfig
Ingress → references IngressClass (via spec.ingressClassName)

    Create an AlbConfig

    1. Create a file named alb-test.yaml with the following content:

      Important

      addressType and zoneMappings take effect only at creation time and cannot be updated afterward.

      ParameterRequiredDefaultDescription
      spec.config.nameNoDisplay name of the ALB instance
      spec.config.addressTypeYesInternetInternet: public IP address, accessible over the internet. Intranet: private IP address, accessible only within the VPC.
      spec.config.zoneMappingsYesvSwitch IDs for the ALB instance. In multi-zone regions, specify at least two vSwitches in different zones. In single-zone regions, one vSwitch is sufficient. The vSwitches must be in the same VPC as the cluster and in zones that support ALB. See Regions and zones that support ALB.
      spec.config.addressAllocatedModeNoDynamicIP allocation mode: Dynamic (dynamic IP) or Fixed (static IP).
      apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    name: alb-test
    addressAllocatedMode: Dynamic          # Dynamic (default) or Fixed IP mode
    addressType: Internet                  # Internet (public) or Intranet (private)
    zoneMappings:                          # Specify at least two vSwitches in different zones for high availability
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****  # vSwitch ID in Zone 1
    - vSwitchId: vsw-uf6nun9tql5t8nh15****  # vSwitch ID in Zone 2 (must differ from Zone 1)
  listeners:
    - port: 80
      protocol: HTTP

      The following table describes the key parameters.

    2. Create the AlbConfig:

      kubectl apply -f alb-test.yaml

      Expected output:

      albconfig.alibabacloud.com/alb-demo created

    3. Verify the AlbConfig was created:

      kubectl -n kube-system get AlbConfig

      Expected output:

      NAME       ALBID        DNSNAME                                  PORT&PROTOCOL   CERTID                 AGE
alb-demo   alb-******   alb-******.<regionID>.alb.aliyuncs.com   443/HTTPS       11055487-cn-<regionID>  2d

      The ALBID and DNSNAME fields confirm that the ALB instance was provisioned successfully.

    Default AlbConfig: When you install the ALB Ingress Controller, an AlbConfig is created automatically with the following default configuration (except for vSwitchId, which you must set):

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    accessLogConfig:
      logProject: ""
      logStore: ""
    addressAllocatedMode: Dynamic
    addressType: Internet
    billingConfig:
      internetBandwidth: 0
      internetChargeType: ""
      payType: PostPay
    deletionProtectionEnabled: true
    edition: Standard
    forceOverride: false
    zoneMappings:
    - vSwitchId: vsw-wz92lvykqj1siwvif****   # Replace with actual vSwitch ID (Zone 1)
    - vSwitchId: vsw-wz9mnucx78c7i6iog****   # Replace with actual vSwitch ID (Zone 2)
status:
  loadBalancer:
    dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncs.com
    id: alb-s2em8fr9debkg5****

    Associate an AlbConfig with an Ingress

    Use a Kubernetes IngressClass to link an AlbConfig to an Ingress.

    1. Create a file named alb.yaml with the following IngressClass definition:

      apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb-demo

    2. Apply the IngressClass:

      kubectl apply -f alb.yaml

      Expected output:

      ingressclass.networking.k8s.io/alb created

    3. Create a file named ingress.yaml. The ingressClassName field links the Ingress to the IngressClass (and therefore to the AlbConfig).

      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

    4. Create the Ingress:

      kubectl apply -f ingress.yaml

      Expected output:

      ingress.networking.k8s.io/cafe-ingress created

    Update an AlbConfig

    kubectl apply performs an overwrite update; kubectl edit performs an incremental update. Use kubectl edit to avoid unintentional changes.

    1. Open the AlbConfig for editing:

      kubectl -n kube-system edit AlbConfig alb-demo

    2. Update the fields as needed. For example, to rename the ALB instance:

      ...
spec:
  config:
    name: test   # Updated name
...

      Save and exit. Changes take effect immediately.

    Important

    • If you must use kubectl apply to update an AlbConfig, run kubectl diff first to preview changes and confirm they are as expected.

    • When applying an AlbConfig without a listeners section, existing listeners are unaffected. If the listeners section is present, all listeners are reconciled against the new configuration — make sure to include all required listeners (such as ports 80 and 443).

    Use multiple ALB instances

    To route traffic to different ALB instances, create a separate AlbConfig and IngressClass for each instance, then reference the appropriate IngressClass in each Ingress.

    1. Create a file named alb-demo2.yaml:

      apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: demo
spec:
  config:
    name: alb-demo2
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****
    - vSwitchId: vsw-uf6nun9tql5t8nh15****

    2. Apply the AlbConfig:

      kubectl apply -f alb-demo2.yaml

      Expected output:

      AlbConfig.alibabacloud.com/demo created

    3. Create a file named alb.yaml with a new IngressClass that references the second AlbConfig:

      apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb-demo2
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: demo

    4. Apply the IngressClass:

      kubectl apply -f alb.yaml

      Expected output:

      ingressclass.networking.k8s.io/alb-demo2 created

    5. Create a file named ingress.yaml. Use ingressClassName: alb-demo2 to send traffic to the second ALB instance:

      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb-demo2
  rules:
    - host: ""
      http:
        paths:
          - backend:
              service:
                name: demo-service
                port:
                  number: 80
            path: /hello
            pathType: ImplementationSpecific

    Reuse an existing ALB instance

    To reuse an existing ALB instance, specify its ID in the AlbConfig. Only Standard Edition or WAF-enabled Edition instances created in the Application Load Balancer console can be reused. Basic Edition instances cannot be reused. An ALB instance can be used by only one cluster.

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: ****   # ID of the Standard Edition or WAF-enabled Edition ALB instance
    forceOverride: false
    listenerForceOverride: false
    ParameterDescription
    idIf not specified or empty, the AlbConfig creates a new ALB instance. In this case, the forceOverride and listenerForceOverride fields do not take effect. If set to a valid instance ID, that instance is reused.
    forceOverridetrue: The AlbConfig completely replaces the existing ALB instance configuration and all listener configurations. false: The ALB instance properties are not overwritten; listener behavior is controlled by listenerForceOverride.
    listenerForceOverridetrue: The ALB Ingress Controller manages all listeners on the instance. Listener existence and configuration are fully governed by the AlbConfig. false: The ALB Ingress Controller manages only the listeners it created (named ingress-auto-listener-{port}). Other listeners remain unaffected.
    Important

    In reuse mode, do not manually rename listeners. Listeners created or updated by an AlbConfig are managed by ACS, and their names follow the format ingress-auto-listener-{port}. Listeners with other names are managed through the ALB console.

    Configure listeners

    In a reuse scenario, you can add a listener or edit the settings of an existing listener. Listeners are identified by their port and protocol combination. To add or modify a listener, run:

    kubectl edit albconfig <AlbConfig_name>

    Then update the listeners section:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP   # Valid values: HTTP, HTTPS, QUIC
    Note

    If you change a listener's port or protocol, the original listener is deleted and a new one is created. HTTP automatically supports WebSocket — no additional configuration is required.

    Listener configuration options

    Enable IPv6

    To enable dual-stack IPv4/IPv6 support, set addressIpVersion to DualStack when creating the AlbConfig:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    addressIpVersion: DualStack
    ...
    Important

    addressIpVersion can only be set at creation time and cannot be changed afterward.

    Set a TLS security policy

    For HTTPS listeners, set securityPolicyId to apply a TLS security policy. Both custom and system default policies are supported. See TLS security policies.

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    ...
  listeners:
  - port: 443
    protocol: HTTPS
    securityPolicyId: tls_cipher_policy_1_1

    Set the request timeout

    Set the connection request timeout (in seconds) for a listener. If a backend server does not respond within the timeout, ALB returns HTTP 504 to the client.

    SettingValue
    Valid range1–180 seconds
    Default60 seconds
    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    requestTimeout: 60

    Enable data compression

    Set gzipEnabled to control response compression on a per-listener basis.

    • true: Compress supported file types.

    • false: Disable compression.

    null

    Gzip supports text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json. Brotli compresses all file types.

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    gzipEnabled: false

    Configure X-Forwarded headers

    All xForwardedForConfig parameters apply to HTTP and HTTPS listeners only. Set the relevant field to true to enable or false to disable.

    ParameterHeader fieldWhat it retrieves
    XForwardedForEnabledX-Forwarded-ForOriginating IP address of the client
    XForwardedForProtoEnabledListener protocol of the instance
    XForwardedForSLBIdEnabledSLB-IDID of the load balancer instance
    XForwardedForSLBPortEnabledX-Forwarded-PortListener port of the instance
    XForwardedForClientSrcPortEnabledX-Forwarded-Client-srcportClient port of the load balancer instance

    Example — enable client IP forwarding:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForEnabled: true

    Configure ACL-based access control

    Use aclConfig to allow or deny inbound traffic by IP address or CIDR block. See Access control.

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTPS
    aclConfig:
      aclEntries:
      - 127.0.0.1/32
      aclType: White
    ParameterDescription
    aclTypeWhite: allow only the listed IPs (whitelist). Black: block the listed IPs (blacklist).
    aclEntriesIP addresses or CIDR blocks to include in the ACL, for example 127.0.0.1/32.

    Enable access logs

    To collect ALB Ingress access logs in Simple Log Service, specify logProject and logStore in the AlbConfig:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    accessLogConfig:
      logProject: "k8s-log-xz92lvykqj1siwvif****"
      logStore: "alb_****"
    ...
    null

    • You must create the log project manually before referencing it here. See Manage a project.

    • The log store name must start with alb_. If the specified log store does not exist, it is created automatically.

    After saving, go to the Simple Log Service console and open the log store to view access logs.

    Delete an ALB instance

    An ALB instance is tied to its AlbConfig. To delete the instance, delete the AlbConfig — but first delete all associated Ingresses.

    kubectl delete -n kube-system AlbConfig alb-demo

    Replace alb-demo with the name of the AlbConfig you want to delete.

    Delete the AlbConfig of a reused ALB instance

    1. Delete all Ingresses associated with the AlbConfig:

      kubectl delete -n <NAMESPACE> ingress <INGRESS_NAME>

    2. If the ALB Ingress Controller version installed in your cluster is v2.10.0-aliyun.1 or earlier, use kubectl edit to remove all entries under spec.listeners before proceeding. Skip this step for later versions.

    3. Delete the AlbConfig:

      kubectl -n kube-system delete AlbConfig alb-demo

      Replace alb-demo with the name of the AlbConfig you want to delete.