Application Load Balancer (ALB) operates at the application layer (Layer 7) and routes requests based on domain names, URLs, HTTP headers, and other application-layer attributes. Create an ALB instance to distribute client requests across your backend servers, then manage its lifecycle — including deletion protection and release.
Prerequisites
Before you create an ALB instance, complete the following preparations:
VPC and vSwitches: Create a Virtual Private Cloud (VPC) in your target region. To ensure high availability, create vSwitches in at least two zones.
IP address planning: ALB allocates three IP addresses from each vSwitch — one virtual IP address (VIP) for public-facing services and two private IPs for backend communication. Reserve at least eight IP addresses per vSwitch to support all auto scaling features. The first one and last three IP addresses within an IPv4 vSwitch are reserved for system use. Specify a network prefix that is no longer than
/28.Security group configuration: If security groups or third-party security policies exist in the access path, allow traffic from the ALB vSwitch CIDR blocks to your backend servers.
Service-linked role: When you create an ALB instance for the first time, the system prompts you to create the
AliyunServiceRoleForAlbservice-linked role. This role authorizes ALB to access Elastic network interfaces (ENIs), security groups, Elastic IP Addresses (EIPs), and Internet Shared Bandwidth instances.
Create an ALB instance
Console
Go to the ALB Instances page and click Create ALB.
Configure the following settings and click Buy Now.
Setting
Description
Region
Select the region closest to your clients to reduce latency. For supported regions, see Regions and zones in which ALB is available.
Network Type
Internet: Assigns both a public IP address (an EIP) and a private IP address. Incurs EIP configuration and data transfer fees. By default, an Internet-facing dual-stack instance uses an IPv4 address for public network services and does not support public network access over IPv6. To enable IPv6 public network access, change the network type of the ALB instance. This incurs additional IPv6 Internet data transfer fees.
Intranet: Assigns only a private IP address for internal network access.
VPC
Select the VPC for the ALB instance. The instance and its server groups must be in the same VPC.
Zone
Select at least two zones and their corresponding vSwitches. For Internet-facing instances, you can associate an existing EIP or select Automatically assign EIP to create a pay-as-you-go (pay-by-data-transfer) EIP.
IP Version
IPv4: Supports IPv4 access only.
Dual-stack: Supports both IPv4 and IPv6 access. Enable IPv6 for the vSwitch before you select this option.
Basic: Supports routing based on domain names, URLs, and HTTP headers.
Standard: Includes all Basic features plus custom TLS security policies, Tracing Analysis, redirection, rewrite, and more.
WAF Enabled: Includes all Standard features plus integrated Web Application Firewall (WAF) 3.0 protection.
Associate with EIP Bandwidth Plan
(Internet-facing instances only) The default bandwidth for a dual-zone ALB instance is 400 Mbps. Associate the instance with an Internet Shared Bandwidth instance for higher bandwidth.
Billing Method
(Internet-facing instances only, without association with any Internet Shared Bandwidth instance) The default is Pay-by-data-transfer and cannot be changed. This bandwidth limit is a best-effort upper limit, not a guaranteed capacity.
Instance Name and Resource Group
Specify a descriptive name and resource group. You can modify these and also add tags later on the Instances page.
You cannot upgrade an existing IPv4 instance to dual-stack. To support IPv6, create a new dual-stack instance.
WAF Enabled edition details:
If no WAF instance exists, a pay-as-you-go WAF 3.0 instance is automatically activated.
If a subscription WAF 3.0 instance exists, no extra WAF fees are incurred.
If a WAF 2.0 instance exists, you must first release it or migrate to WAF 3.0. After you release the WAF 2.0 instance, enable the
X-Forwarded-Protoheader in the ALB listener to prevent issues such as infinite redirection.
EIP restrictions for Internet-facing instances:
You can associate only pay-as-you-go (pay-by-data-transfer) EIPs that are not associated with an Internet Shared Bandwidth instance.
The EIP types associated with different zones of the same ALB instance must be consistent.
API
Call the CreateLoadBalancer operation to create an ALB instance.
Next steps
After you create an ALB instance, complete the following steps to start receiving traffic:
Create a server group: Group the backend servers that receive forwarded requests.
Add a listener: Configure an HTTP, HTTPS, or QUIC listener to define how the ALB instance receives and processes requests.
Add a CNAME record: Map your custom domain name to the DNS name of the ALB instance. ALB instances created after the domain name upgrade do not support direct access by their DNS names — you must use a custom domain name with a CNAME record that resolves your custom domain name to the ALB instance DNS name.
Enable deletion protection and modification protection
Deletion protection and configuration read-only mode prevent ALB instances from being accidentally deleted or modified.
Configuration read-only mode is effective only in the console.
Console
Go to the ALB Instances page and click the target instance ID.
On the Instance Details tab, in the Instance Information section, enable or disable Deletion Protection and Configuration Read-only Mode.
API
Call EnableDeletionProtection or DisableDeletionProtection to manage deletion protection.
Call UpdateLoadBalancerAttribute and set the
ModificationProtectionConfig.Statusfield to enable or disable configuration read-only mode.
Release an ALB instance
You are charged instance fees from the time an ALB instance is created until it is released, regardless of whether the instance is in use. Release instances that you no longer need to avoid unnecessary costs.
Releasing an instance permanently deletes all its configurations. This action is irreversible.
Before you release an instance:
Make sure that your business domain name no longer resolves to this instance to avoid service interruptions.
Disable Deletion Protection for the instance.
If the instance is managed by another Alibaba Cloud service (such as Container Service for Kubernetes), releasing it causes the associated service to become unavailable and unrecoverable.
What happens when you release an Internet-facing instance:
Any associated EIPs or Anycast EIPs are automatically disassociated and released. This includes EIPs associated during instance creation, cloning, zone enablement, or network type changes.
Console
Go to the ALB Instances page. In the Actions column of the target instance, choose 
> Release and confirm.
API
Call DisableDeletionProtection to disable deletion protection.
Call DeleteLoadBalancer to release the instance.
Billing
ALB supports pay-as-you-go billing and resource plans. For details about billable items and pricing, see ALB billing overview.
Quotas
For ALB resource quotas, see ALB quotas.