
Server Load Balancer: Manage forwarding rules for a listener

Last Updated: Jan 24, 2024

This topic describes how to manage forwarding rules for listeners of an Application Load Balancer (ALB) instance. You can customize forwarding rules for ALB listeners to forward client requests to backend servers in one or more server groups and forward responses to clients.

Overview

You can create multiple forwarding rules for each listener of an ALB instance. Forwarding rules are divided into inbound and outbound forwarding rules. Basic ALB instances support only inbound forwarding rules. Standard and WAF-enabled ALB instances support inbound and outbound forwarding rules. Each forwarding rule consists of conditions and actions. When a request matches the conditions specified in a forwarding rule, the actions specified in the forwarding rule are performed. You can specify one or more conditions and one or more actions in a forwarding rule.

  • After a standard ALB instance or a WAF-enabled ALB instance receives a request, the ALB instance distributes the request to a backend server based on an inbound forwarding rule. Then, the response from the backend server is processed based on an outbound forwarding rule of the ALB instance and returned to the client.

    • When you create an inbound forwarding rule, you can specify only inbound conditions and actions.

    • When you create an outbound forwarding rule, you can specify both inbound and outbound conditions. However, you can specify only outbound actions in an outbound forwarding rule.

  • Each forwarding rule must contain one Forward, Redirect, or Return Fixed Responses action. This ensures that the ALB instance can forward client requests without interruptions.

    Note

    Basic ALB instances support only inbound forwarding rules. Standard and WAF-enabled ALB instances support inbound and outbound forwarding rules.

    Table 1. Forwarding rules supported by basic ALB instances

    | Direction | Condition | Action |
    | --- | --- | --- |
    | Inbound forwarding rule | Domain Name, Path, and HTTP Header | Forward and Redirect |

    Table 2. Forwarding rules supported by standard and WAF-enabled instances

    | Direction | Condition | Action |
    | --- | --- | --- |
    | Inbound forwarding rule | Domain Name, Path, HTTP Header, Query String, HTTP Request Method, Cookie, and Source IP | Forward, Redirect, Return Fixed Responses, Rewrite, Add Header, Remove Header, Throttle Traffic, Mirror Traffic, and CORS |
    | Outbound forwarding rule | Inbound conditions (optional): Domain Name, Path, HTTP Header, Query String, HTTP Request Method, Cookie, and Source IP. Outbound conditions: Response Status Code and Response Header | Return Fixed Responses, Add Header, and Remove Header |

Matching policy

Matching policy: Each client request is matched against forwarding rules in descending order of priority. A smaller rule number indicates a higher priority. Once a forwarding rule is matched, the traffic is immediately forwarded based on the rule and the matching process ends.

  • Requests that do not match custom inbound forwarding rules are forwarded based on the default forwarding rule.

  • Responses that do not match custom outbound forwarding rules are directly returned to clients by ALB.

Note

If the path is set to /*, requests to all paths are considered matches. To handle unexpected requests, set the path in the forwarding condition to /*, set the forwarding action to Return Fixed Responses, and set the status code to 404 or 403. After you configure the forwarding rule, drag and drop the rule to the second-to-last position in the rule list, directly above the default forwarding rule.

Forwarding rule priority: Requests are matched against forwarding rules in descending order of priority. A smaller number indicates a higher priority.

Default forwarding rule: After you create a listener, the system automatically creates a default inbound forwarding rule. The forwarding condition is set to -, which indicates that all client requests are considered matches. The forwarding action is set to Forward. In this case, traffic is forwarded to the server group that is associated with the listener.

Note

You cannot delete the default forwarding rule. However, you can change the destination server group by configuring the forwarding action. The priority of the default forwarding rule is the lowest and cannot be adjusted.
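
The matching policy above can be modelled in a few lines to check a rule order before applying it. This is an added example, not Alibaba Cloud code: the `Rule` class, the action strings, the server group names, and the choice to match paths without the query string are assumptions of the model.

```python
import re
from dataclasses import dataclass, field

def wildcard_to_regex(pattern):
    # '*' matches any string and '?' exactly one character; all else is literal.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

@dataclass
class Rule:
    priority: int                 # smaller number = higher priority
    name: str
    action: str                   # hypothetical encoding, e.g. "fixed:403"
    domains: list = field(default_factory=list)
    paths: list = field(default_factory=list)

    def matches(self, host, path):
        # Every configured condition must match (AND); within one condition
        # any listed value may match (an assumption of this model).
        for values, subject in ((self.domains, host.lower()), (self.paths, path)):
            if values and not any(wildcard_to_regex(v).fullmatch(subject) for v in values):
                return False
        return True

# Default rule: condition "-", matches everything, lowest priority, not deletable.
DEFAULT = ("default", "forward:sg-default")

def route(rules, host, target):
    path = target.split("?", 1)[0]          # assumption: match on the path only
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(host, path):
            return rule.name, rule.action   # first match wins, evaluation stops
    return DEFAULT

# Constructed rule set: one application rule, then the catch-all in the
# second-to-last position (just above the default rule).
RULES = [
    Rule(1, "test-app", "forward:sg-test", domains=["*.example.com"], paths=["/test/*"]),
    Rule(2, "deny-unmatched", "fixed:403", paths=["/*"]),
]
# The same catch-all moved to the top shadows every rule below it.
MISORDERED = [Rule(0, "deny-unmatched", "fixed:403", paths=["/*"]), RULES[0]]

if __name__ == "__main__":
    for rules in (RULES, MISORDERED):
        for target in ("/test/test1?x=1&y=2", "/unknown"):
            print(route(rules, "www.example.com", target))
```

With the catch-all in place, the default rule is reached only when no custom rule exists, which is why its position relative to the application rules decides what is served and what is rejected.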

Limits

  • When you create a forwarding rule for a basic ALB instance, you can set the condition to Domain Name, Path, or HTTP Header and set the action to Forward or Redirect. If you want to specify other conditions and actions, upgrade the ALB instance to a standard or WAF-enabled ALB instance. For more information, see Modify the configurations of ALB instances.

  • For more information about the features and quotas of basic ALB instances, standard ALB instances, and WAF-enabled ALB instances, see Functions and features and ALB quotas.

  • For more information about the maximum number of actions, match conditions, and wildcard character matching rules that can be specified in a forwarding rule, see Resource quotas per forwarding rule.

Prerequisites

  • A server group is created and backend servers are added to the server group. For more information, see Create and manage a server group.

  • A standard or WAF-enabled ALB instance is created and a listener is configured for the instance. For more information, see Create an ALB instance.

Create a forwarding rule

You can configure the default forwarding rule when you create a listener. You can also add forwarding rules after you create a listener.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the instance that you want to manage.

  4. Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.

  5. On the Forwarding Rules tab, select Inbound Forwarding Rules or Outbound Forwarding Rules, and then click Add New Rule.

  6. In the Add Forwarding Rule section, set the following parameters and click OK.

    Note
    • The logical operator among the actions for each condition is OR. If you specify multiple actions for a condition, requests that match one of the actions are forwarded.

    • The logical operator among different conditions is AND. If you specify multiple conditions in a forwarding rule, a request is forwarded when all conditions are met.

    • Create inbound forwarding rules

      Parameter

      Description

      Rule Name

      Specify a name for the custom rule. If you do not enter a name, the system automatically generates one.

      You can specify only one name for a forwarding rule.

      Condition

      Specify one of the following conditions. You can also click + Add Condition to add more conditions:

      • Domain Name: Specify one or more domain names. The domain name matching rule must be 3 to 128 characters in length. You can use asterisks (*) and question marks (?) as wildcard characters. An asterisk (*) matches any string, and a question mark (?) matches only a single character. You can specify a specific domain name, a wildcard domain name, or a regular expression as the forwarding condition in a domain name-based forwarding rule. For more information, see Domain name-based forwarding rules.

        In this example, *.example.com is entered.

      • Path: Specify one or more URLs. You can specify a URL or a regular expression. For more information, see URL-based forwarding rules.

        For example, if the URL is www.example.com/test/test1?x=1&y=2, you can set the parameter to /test/*.

      • HTTP Header: Specify the name of an HTTP header in the Key field and the value of the HTTP header in the Value field. The key of the HTTP header must be 1 to 40 characters in length, and can contain only letters, digits, hyphens (-), and underscores (_). The value of the HTTP header must be 1 to 128 characters in length, and can contain printable characters. It must not start or end with a space.

        In this example, the key user-agent and the value *Mozilla/4.0* are specified.

      • Query String: Add key-value pairs of one or more query strings. The key must be 1 to 100 characters in length. The value must be 1 to 128 characters in length. The key and the value can contain lowercase letters and other printable characters. You can use asterisks (*) and question marks (?) as wildcards. The key and the value cannot contain space characters or the following special characters: # [ ] { } \ | < > &.

        For example, if the URL is www.example.com/test/test1?x=1&y=2, you can set the parameter to x:1 or y:2.

      • HTTP Request Method: Add one or more HTTP request methods. Valid values: HEAD, GET, POST, OPTIONS, PUT, PATCH, and DELETE.

      • Cookie: Add one or more cookies. The key must be 1 to 100 characters in length. The value must be 1 to 128 characters in length. The key and the value can contain lowercase letters and other printable characters. You can use asterisks (*) and question marks (?) as wildcards. The key and the value cannot contain space characters or the following special characters: # [ ] { } \ | < > &.

        In this example, the key key and the value value are specified.

      • Source IP: Add one or more IP addresses or CIDR blocks. Zero addresses (0.0.0.0/x) are not supported.

        Example: 192.168.1.1/32

      Action

      Specify one of the following actions. You can also click + Add Action to add more actions:

      • Forward: Select a server group from the drop-down list. The supported server group types include the Server, IP, and Function Compute types. You can add multiple server groups and enable the session persistence feature for all the added server groups.

      • Redirect: Select a protocol from the Protocol drop-down list, and then select a status code from the Status Code drop-down list. Specify the Domain Name, Port, and Path to which requests are redirected and enter a query string in the Search field. You cannot leave Protocol, Domain Name, Port, Path, and Search empty at the same time or use the default values for the parameters at the same time.

      • Return Fixed Responses: Specify an HTTP status code in the Response Status Code field, select a Response Content Type, and then enter the Response Content. The response status code must be one of the following numeric strings: 2xx, 4xx, and 5xx. The letter x indicates a number from 0 to 9.

      • Rewrite: Specify Domain Name, Path, and Search. For more information about how to configure Path for the Rewrite action, see Advanced URL-based forwarding rule settings for rewrites and redirects.

      • Add Header: Specify the key and the value of the header that you want to add to requests that match the condition. Newly added headers overwrite the existing headers. The key of the header must be 1 to 40 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The value of the header must be 1 to 128 characters in length and can contain letters and other printable characters. The value cannot start or end with a space.

      • Remove Header: Specify the key of the header that you want to remove. Then, the key and value of the specified header are both removed.

        Note

        You cannot set Add Header or Remove Header to the following header keys in inbound forwarding rules: slb-id, slb-ip, x-forwarded-for, x-forwarded-proto, x-forwarded-eip, x-forwarded-port, x-forwarded-client-srcport, connection, upgrade, content-length, transfer-encoding, keep-alive, te, host, cookie, remoteip, authority. Header keys are not case-sensitive.

      • Throttle Traffic: Configure the following parameters based on your business requirements:

        • QPS (Total): Specify a maximum number of queries per second (QPS). Valid values: 1 to 1000000. If the number of requests reaches the specified limit, new requests are dropped and the 503 status code is returned to the client.

        • QPS (Per Client IP): Specify a maximum number of QPS for source client IP addresses. Valid values: 1 to 1000000. If you set both QPS (Total) and QPS (Per Client IP), the value of QPS (Per Client IP) must be smaller than that of QPS (Total). If the number of requests reaches the specified limit, new requests are dropped and the 503 status code is returned to the client.

          Note
          • If the action is set to Throttle Traffic, you must also specify a Forward action for the destination server group. Otherwise, the configurations cannot take effect.

          • If the X-Forwarded-For request header contains multiple IP addresses, such as X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …, the leftmost IP address is the client IP address. If you want to set the match conditions in the forwarding rule to Source IP and QPS (Per Client IP), you must turn on Retrieve Client IP for the listener to allow ALB to retrieve client IP addresses from the X-Forwarded-For header. For more information, see Add an HTTP listener and Add an HTTPS listener.

      • Mirror Traffic: Select a server group from the drop-down list. You can select a server group of the Server Type or IP type.

        If you choose an IP type server group, take note of the following items:

        • You can add only internal-facing servers and cannot add Internet-facing servers.

        • You cannot add a backend server of the IP type to an ALB instance, a Network Load Balancer (NLB) instance, or a Classic Load Balancer (CLB) instance in the same VPC.

        • Make sure that no loops exist. ALB adds the ALICLOUD-ALB-TRACE HTTP header to each request to detect loops. When a loop is detected, ALB stops forwarding requests to backend servers and returns the 463 status code to prevent a network storm from exhausting all resources.

        • You can use Enterprise Edition transit routers and Express Connect circuits for cross-region forwarding. Basic Edition transit routers are not supported.

        • For the same CEN instance, each region can have only one VPC in which one or more ALB instances use backend servers deployed in different regions.

          • ALB instances in different VPCs within the same region cannot use the same transit router to access backend servers.

          • ALB instances in different VPCs within the same region cannot use different transit routers to access the same backend server.

        • Network traffic between an ALB instance and its backend servers can be routed only based on the system route table. VPC custom route tables are not supported.

      • CORS: If the response is returned from a URL, and the protocol, domain name, or port is different from the one requested by the client, cross-origin resource sharing (CORS) is enabled. Cross-origin requests are divided into simple requests and preflight requests.

        • Trusted Origins: Specify the URLs that are allowed to access cross-origin resources through a browser.

        • Trusted Method: Specify the HTTP methods that the specified URLs can use to access cross-origin resources. Valid values: GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH.

        • Trusted Request Headers: Specify the headers that can be carried in CORS requests aside from the built-in headers of browsers.

        • Trusted Response Headers: Specify the response headers that can be parsed by a browser or JavaScript.

        • Trusted Credentials: Specify whether to allow credentials in CORS requests. Valid values: Allow and Deny. Default value: Allow.

        • Browser Cache Time: Specify the maximum period of time for which a preflight request that uses the OPTIONS method can be cached. Unit: seconds. Valid values: -1 to 172800.

    • Create outbound forwarding rules

      Parameter

      Description

      Rule Name

      Specify a name for the custom rule. If you do not enter a name, the system automatically generates a name.

      You can specify only one name for a forwarding rule.

      Inbound Conditions (Optional)

      Select an inbound condition. You can click + Add Inbound Condition to add more inbound conditions. For more information about how to configure conditions in inbound forwarding rules, see the "Create inbound forwarding rules" section of Create a forwarding rule.

      Outbound Conditions

      Select an outbound condition. You can click + Add Outbound Condition to add more outbound conditions.

      • Response Status Code: Specify the response status code to return to the client. Valid values: 100 to 599.

        You can specify ranges or specific status codes. Separate multiple values with commas (,). Example: 200-233,301.

      • Response Header: Specify the HTTP headers carried in the response. Enter the name of the HTTP header in the Key field and the value of the HTTP header in the Value field. You can specify multiple HTTP headers.

      Action

      Select an outbound action. You can click + Add Action to add more outbound actions.

      • Return Fixed Responses: Specify an HTTP status code in the Response Status Code field, select a Response Content Type, and then enter the Response Content. The response status code must be one of the following numeric strings: 2xx, 4xx, and 5xx. The letter x indicates a number from 0 to 9.

      • Add Header: Specify the name and the value of the header that you want to add to the response. Newly added headers overwrite the existing headers.

      • Remove Header: Specify the key of the header that you want to remove. Then, the key and value of the specified header are both removed.

        Note

        You cannot set Add Header or Remove Header to the following header keys in outbound forwarding rules: connection, upgrade, content-length, and transfer-encoding. Header keys are not case-sensitive.

    • Create scripts by using AScript

      You can click + Add Script After Forwarding Rule Is Applied to add a script. For more information, see Configure scripts for forwarding rules.

      Note

      To use the AScript feature, make sure that the following requirements are met:

      1. A standard or WAF-enabled ALB instance is created.

      2. By default, the AScript feature is unavailable. To use this feature, log on to the Quota Center console. On the Privileges page, enter the quota ID slb_user_visible_gray_label/ascript and click Apply in the Actions column. For more information, see Manage ALB quotas.
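
The Add Header, Remove Header, and Throttle Traffic constraints described in this section can be checked before a rule is submitted in the console. The linter below is an added example, not Alibaba Cloud code: the dict shape of `actions` and the server group name are hypothetical, and applying the inbound Add Header length and character limits to outbound rules is an assumption.

```python
import re

# Reserved keys copied from the page's two notes; comparison is case-insensitive.
RESERVED = {
    "inbound": {"slb-id", "slb-ip", "x-forwarded-for", "x-forwarded-proto",
                "x-forwarded-eip", "x-forwarded-port", "x-forwarded-client-srcport",
                "connection", "upgrade", "content-length", "transfer-encoding",
                "keep-alive", "te", "host", "cookie", "remoteip", "authority"},
    "outbound": {"connection", "upgrade", "content-length", "transfer-encoding"},
}
KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,40}")   # Add Header key: 1 to 40 characters
QPS_RANGE = range(1, 1_000_001)               # valid QPS values: 1 to 1000000

def lint_rule(direction, actions):
    """Return the problems found in one rule's action list.
    `actions` uses a hypothetical dict shape, not an ALB API format."""
    problems = []
    types = {a["type"] for a in actions}
    for a in actions:
        kind = a["type"]
        if kind in ("Add Header", "Remove Header"):
            key = a["key"]
            if key.lower() in RESERVED[direction]:
                problems.append(f"{kind}: reserved key {key!r}")
            if kind == "Add Header":
                value = a["value"]
                if not KEY_RE.fullmatch(key):
                    problems.append(f"Add Header: invalid key {key!r}")
                # Value: 1 to 128 printable characters, no leading/trailing space.
                if not (1 <= len(value) <= 128 and value.isprintable()
                        and value == value.strip(" ")):
                    problems.append(f"Add Header: invalid value for {key!r}")
        elif kind == "Throttle Traffic":
            total, per_ip = a.get("qps_total"), a.get("qps_per_ip")
            for label, qps in (("QPS (Total)", total), ("QPS (Per Client IP)", per_ip)):
                if qps is not None and qps not in QPS_RANGE:
                    problems.append(f"{label} out of range: {qps}")
            if None not in (total, per_ip) and per_ip >= total:
                problems.append("QPS (Per Client IP) must be smaller than QPS (Total)")
            if "Forward" not in types:
                problems.append("Throttle Traffic requires a Forward action")
    return problems

# Constructed sample rules: (direction, actions).
SAMPLES = [
    ("outbound", [{"type": "Add Header", "key": "Strict-Transport-Security",
                   "value": "max-age=31536000"}]),
    ("inbound", [{"type": "Forward", "server_group": "sg-web"},
                 {"type": "Remove Header", "key": "X-Forwarded-For"}]),
    ("inbound", [{"type": "Throttle Traffic", "qps_total": 100, "qps_per_ip": 100}]),
]

if __name__ == "__main__":
    for direction, actions in SAMPLES:
        print(direction, lint_rule(direction, actions))
```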

Modify a forwarding rule

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the instance that you want to manage.

  4. Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.

  5. On the Forwarding Rules tab, select Inbound Forwarding Rule or Outbound Forwarding Rule, select the rule that you want to edit, and then click the Edit icon in the upper-right corner.

  6. After you modify the rule, click Save.

Modify the priority of a forwarding rule

Forwarding rules are evaluated in descending order of priority. A lower value specifies a higher priority. You can modify the priority of a custom forwarding rule anytime. You cannot modify the priority of the default forwarding rule.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the instance that you want to manage.

  4. Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.

  5. On the Forwarding Rules tab, select Inbound Forwarding Rules or Outbound Forwarding Rules, move the forwarding rule that you want to manage to the desired position, and then click Save Priority Changes.

Delete a forwarding rule

You can delete the custom forwarding rules of a listener anytime. The default forwarding rule cannot be deleted. If you delete a listener, all forwarding rules of the listener are deleted.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the instance that you want to manage.

  4. Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.

  5. On the Forwarding Rules tab, select Inbound Forwarding Rule or Outbound Forwarding Rule, select the rule that you want to delete, and then click the Delete icon.

  6. In the message that appears, click OK.
