Manage forwarding rules for a listener - Server Load Balancer

This topic describes how to manage forwarding rules for listeners of an Application Load Balancer (ALB) instance. You can customize forwarding rules for listeners of ALB listeners to forward client requests to backend servers in one or more server groups and forward responses to clients.

Overview

You can create multiple forwarding rules for each listener of an ALB instance. Forwarding rules are divided into inbound and outbound forwarding rules. Basic ALB instances support only inbound forwarding rules. Standard and WAF-enabled ALB instances support inbound and outbound forwarding rules. Each forwarding rule consists of conditions and actions. When a request matches the conditions specified in a forwarding rule, the actions specified in the forwarding rule are performed. You can specify one or more conditions and one or more actions in a forwarding rule.

After a standard ALB instance or a WAF-enabled ALB instance receives a request, the ALB instance distributes the request to a backend server based on an inbound forwarding rule. Then, the response from the backend server is processed based on an outbound forwarding rule of the ALB instance and returned to the client.
- When you create an inbound forwarding rule, you can specify only inbound conditions and actions.
- When you create an outbound forwarding rule, you can specify both inbound and outbound conditions. However, you can specify only outbound actions in an outbound forwarding rule.

Each forwarding rule must contain one Forward, Redirect, or Return Fixed Responses action. This ensures that the ALB instance can forward client requests without interruptions.

Note

Basic ALB instances support only inbound forwarding rules. Standard and WAF-enabled ALB instances support inbound and outbound forwarding rules.

Table 1. Forwarding rules supported by basic ALB instances

Direction	Condition	Action
Inbound forwarding rule	Domain Name, Path, and HTTP Header	Forward and Redirect

Table 2. Forwarding rules supported by standard and WAF-enabled instances

Direction	Condition	Action
Inbound forwarding rule	Domain Name, Path, HTTP Header, Query String, HTTP Request Method, Cookie, and Source IP	Forward, Redirect, Return Fixed Responses, Rewrite, Add Header, Remove Header, Throttle Traffic, Mirror Traffic, and CORS
Outbound forwarding rule	Inbound conditions (optional): Domain Name, Path, HTTP Header, Query String, HTTP Request Method, Cookie, and Source IP Outbound conditions: Response Status Code and Response Header	Return Fixed Responses, Add Header, and Remove Header

Matching policy

Matching policy: Each client request is matched against forwarding rules in descending order of priority. A smaller rule number indicates a higher priority. Once a forwarding rule is matched, the traffic is immediately forwarded based on the rule and the matching process ends.

Requests that do not match custom inbound forwarding rules are forwarded based on the default forwarding rule.
Responses that fail to match custom outbound forwarding rules are directly returned to clients by ALB.

Note

If the path is set to /*, requests to all paths are considered matches. If you want to forward unexpected requests, you can set the path in the forwarding condition to /*, set the forwarding action to Return Fixed Responses, and set the status code to 404 or 403. After you configure the forwarding rule, drag and drop the rule to the second-to-last position in the rule list.

Forwarding rule priority: Requests are matched against forwarding rules in descending order of priority. A smaller number indicates a higher priority.

Default forwarding rule: After you create a listener, the system automatically creates a default inbound forwarding rule. The forwarding condition is set to -, which indicates that all client requests are considered matches. The forwarding action is set to Forward. In this case, traffic is forwarded to the server group that is associated with the listener.

Note

You cannot delete the default forwarding rule. However, you can change the destination server group by configuring the forwarding action. The priority of the default forwarding rule is the lowest and cannot be adjusted.

Limitations

When you create a forwarding rule for a basic ALB instance, you can set the condition to Domain Name, Path, or HTTP Header and set the action to Forward or Redirect. If you want to specify other conditions and actions, upgrade the ALB instance to a standard or WAF-enabled ALB instance. For more information, see Modify the configurations of ALB instances.
Basic, standard, and WAF-enabled ALB instances have different features and service quotas.
Forwarding rules are subject to the following service quotas: the maximum number of actions, match conditions, and wildcard character matching rules that can be specified in a forwarding rule.

Prerequisites

A server group is created and backend servers are added to the server group. For more information, see Create and manage server groups.
A standard or WAF-enabled ALB instance is created and a listener is configured for the instance.

Create a forwarding rule

You can configure the default forwarding rule when you create a listener. You can also add forwarding rules after you create a listener.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the instance that you want to manage.
Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.
On the Forwarding Rules tab, select Inbound Forwarding Rules or Outbound Forwarding Rules, and then click Add New Rule.

In the Add Forwarding Rule section, set the following parameters and click OK.

Note

The logical operator among the actions for each condition is OR. If you specify multiple actions for a condition, requests that match one of the actions are forwarded.
The logical operator among different conditions is AND. If you specify multiple conditions in a forwarding rule, a request is forwarded when all conditions are met.

Create inbound forwarding rules

Parameter	Description
Name	Specify a name for the custom rule. If you do not enter a name, the system automatically generates one. You can specify only one name for a forwarding rule.
Condition	Specify one of the following conditions. You can also click + Add Condition to add more conditions: Domain Name: Specify one or more domain names. The domain name matching rule must be 3 to 128 characters in length. You can use asterisks () and question marks (?) as wildcard characters. The asterisks () can be a string, and the question marks (?) can be only a single string. You can specify a specific domain name, a wildcard domain name, or a regular expression as the forwarding condition in a domain name-based forwarding rule. For more information, see Domain name-based forwarding rules. In this example, `.example.com` is entered. Path: Specify one or more URLs. You can specify a URL or a regular expression. For more information, see URL-based forwarding rules. For example, if the URL is `www.example.com/test/test1?x=1&y=2`, you can set the parameter to `/test/`. HTTP Header: Specify the name of an HTTP header in the Key field and the value of the HTTP header in the Value field. The key of the HTTP header must be 1 tp 40 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The value of the HTTP header must be 1 to 128 characters in length, and can contain printable characters. It must not start or end with a space. For example, you can set the key to `user-agent` and the value to `Mozilla/4.0`. Query String: Add key-value pairs of one or more query strings. The key must be 1 to 100 characters in length and the value must be 1 to 128 characters in length. The query string can contain lowercase letters, asterisks (), and question marks (?). It cannot contain space characters or the following special characters: `# [ ] { } \ \| < > &`. For example, if the URL is `www.example.com/test/test1?x=1&y=2`, you can set the query string to `x:1` or `y:2`. HTTP Request Method: Add one or more HTTP request methods. Valid values: HEAD, GET, POST, OPTIONS, PUT, PATCH, and DELETE. Cookie: Add one or more cookies. The key must be 1 to 100 characters in length and the value must be 1 to 128 characters. The cookie can contain lowercase letters, asterisks (), and question marks (?). It cannot contain space characters or the following special characters: [ ] { } < > \ # \| &. For example, you can set the key to `key` and the value to `value`. Source IP: Add one or more IP addresses or CIDR blocks. Zero addresses (0.0.0.0/x) are not supported. Example: `192.168.1.1/32`
Action	Specify one of the following actions. You can also click + Add Action to add more actions: Forward: Select a server group from the drop-down list. The supported server group types include the Server, IP, and Function Compute types. You can add multiple server groups and enable the session persistence feature for all the added server groups. Note You can simultaneously add server groups that support HTTP and server groups that support HTTPS. Redirect: Select a protocol from the Protocol drop-down list, and then select a status code from the Status Code drop-down list. Specify the Domain Name, Port, and Path to which requests are redirected and enter a query string in the Search field. You cannot leave Protocol, Domain Name, Port, Path, and Search empty at the same time or use the default values for the parameters at the same time. Note For more information about how to configure Path for the Redirect action, see Advanced URL-based forwarding rule settings for rewrites and redirects. If you specify ${x}, the value returned in the response is used. Otherwise, the default value specified in each request is used. For more information about HTTP status codes, see HTTP status codes. Return Fixed Responses: Specify an HTTP status code in the Response Status Code field, select a Response Content Type, and then enter the Response Content. The response status code must be one of the following numeric strings: 2xx, 4xx, and 5xx. The letter x indicates a number from 0 to 9. Rewrite: Specify Domain Name, Path, and Search. For more information about how to configure Path for the Rewrite action, see Advanced URL-based forwarding rule settings for rewrites and redirects. Add Header: Specify the key and the value of the header that you want to add to requests that match the condition. Newly added headers overwrite the existing headers. The key must to 1 to 40 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The value must be to 1 to 128 characters in length, and can contain printable characters and letters. It cannot start or end with a space character. Remove Header: Specify the key of the header that you want to remove. Then, the key and value of the specified header are both removed. Note If you set Action to Add Header or Remove Header for an inbound forwarding rule, the following headers are not supported: `slb-id`, `slb-ip`, `x-forwarded-for`, `x-forwarded-proto`, `x-forwarded-eip`, `x-forwarded-port`, `x-forwarded-client-srcport`, `x-forwarded-host`, `connection`, `upgrade`, `content-length`, `transfer-encoding`, `keep-alive`, `te`, `host`, `cookie`, `remoteip`, and `authority`. Headers are not case-sensitive. Throttle Traffic: Configure the following parameters based on your business requirements: QPS (Total): Specify a maximum number of queries per second (QPS). Valid values: 1 to 1000000. QPS (Per Client IP): Specify a maximum number of QPS for source client IP addresses. Valid values: 1 to 1000000. If you set both QPS (Total) and QPS (Per Client IP), the value of QPS (Per Client IP) must be smaller than that of QPS (Total). Note If the action is set to Throttle Traffic, you must also specify a Forward action for the destination server group. Otherwise, the configurations cannot take effect. If you set both Throttle Traffic and Forward, requests are forwarded to the specified server group before the number of queries per second (QPS) reaches the threshold. Otherwise, the HTTP 503 status code is returned to the clients. If you set Throttle Traffic, Redirect, and Forward, requests are forwarded to the specified server group before the QPS reaches the threshold. If the QPS reaches the threshold, requests are redirected to another address. If you set Throttle Traffic, Return Fixed Responses, and Forward, requests are forwarded to the specified server group before the QPS reaches the threshold. If the QPS reaches the threshold, the response configured by you is returned to the clients. If the X-Forwarded-For request header contains multiple IP addresses, such as `X-Forwarded-For: <client-ip-address>, <proxy1>, <proxy2>, …`, the leftmost IP address is the client IP address. If you want to set the match conditions in the forwarding rule to Source IP and QPS (Per Client IP), you must turn on Retrieve Client IP for the listener to allow ALB to retrieve client IP addresses from the X-Forwarded-For header. For more information, see Add an HTTP listener and Add an HTTPS listener. Mirror Traffic: Select a server group from the drop-down list. You can select a server group of the Server Type or IP type. CORS: If the response is returned from a URL, and the protocol, domain name, or port is different from the one requested by the client, cross-origin resource sharing (CORS) is enabled. Cross-origin requests are divided into simple requests and preflight requests. Trusted Origins: Specify the URLs that are allowed to access cross-region resources through a browser. Allowed Method:: Specify the HTTP methods that the specified URLs can use to access cross-origin resources. Valid values: GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH. Trusted Request Headers: Specify the headers that can be carried in CORS requests aside from the built-in headers of browsers. Trusted Response Headers: Specify the response headers that can be parsed by a browser or JavaScript. Trusted Credentials: Specify whether to allow credentials in CORS requests. Valid values: Allow and Deny. Default value: Allow. Browser Cache Time: Specify the maximum period of time for which a preflight request that uses the OPTIONS method can be cached. Unit: seconds. Valid values: -1 to 172800.

Create outbound forwarding rules

Parameter	Description
Name	Specify a name for the custom rule. If you do not enter a name, the system automatically generates a name. You can specify only one name for a forwarding rule.
Inbound Conditions (Optional)	Select an inbound condition. You can click + Add Inbound Condition to add more inbound conditions. For more information about how to configure conditions in inbound forwarding rules, see Create a forwarding rule.
Outbound Conditions	Select an outbound condition. You can click + Add Outbound Condition to add more outbound conditions. Response Status Code: Specify the response status code to return to the client. Valid values: 100 to 599. You can specify code ranges and separate multiple codes and code ranges with commas (,), such as 200-233,301. Response Header: Specify the HTTP headers carried in the response. Enter the name of the HTTP header in the Key field and the value of the HTTP header in the Value field. You can specify multiple HTTP headers.
Action	Select an outbound action. You can click + Add Action to add more outbound actions. Return Fixed Responses: Specify an HTTP status code in the Response Status Code field, select a Response Content Type, and then enter the Response Content. The response status code must be one of the following numeric strings: 2xx, 4xx, and 5xx. The letter x indicates a number from 0 to 9. Add Header: Specify the name and the value of the header that you want to add to the response. Newly added headers overwrite the existing headers. Remove Header: Specify the key of the header that you want to remove. Then, the key and value of the specified header are both removed. Note You cannot set Add Header or Remove Header to the following header keys in outbound forwarding rules: `connection`, `upgrade`, `content-length`, and `transfer-encoding`. Header keys are not case-sensitive.

Create scripts by using AScript
You can click + Add Script After Forwarding Rule Is Applied to add a script. For more information, see Step 2: Create scripts to customize forwarding rules.
Note
Only standard and WAF-enabled ALB instances support AScript. Basic ALB instances do not support AScript.

Modify a forwarding rule

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the instance that you want to manage.
Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.
On the Forwarding Rules tab, click Inbound Forwarding Rules or Outbound Forwarding Rules, select the rule that you want to edit, and then click Edit in the upper-right corner.
After you modify the rule, click Save.

Modify the priority of a forwarding rule

Forwarding rules are evaluated in descending order of priority. A lower value specifies a higher priority. You can modify the priority of a custom forwarding rule anytime. You cannot modify the priority of the default forwarding rule.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the instance that you want to manage.
Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.
On the Forwarding Rules tab, click Inbound Forwarding Rules or Outbound Forwarding Rules, move the forwarding rule that you want to manage to the desired position, and then click Save Priority Changes.

Delete a forwarding rule

You can delete the custom forwarding rules of a listener anytime. The default forwarding rule cannot be deleted. If you delete a listener, all forwarding rules of the listener are deleted.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the instance that you want to manage.
Click the Listener tab, find the listener that you want to manage, and then click View/Modify Forwarding Rule in the Actions column.
On the Forwarding Rules tab, click Inbound Forwarding Rules or Outbound Forwarding Rules, select the rule that you want to delete, and then click Delete in the upper-right corner.
In the message that appears, click OK.

References

User guides

For more information about how to configure domain names and paths in forwarding conditions and advanced URL-based forwarding rules for rewrites and redirects, see Configure domain name- and URL path-based forwarding rules.
Typical use cases of ALB forwarding rules:

API references

CreateRule: creates a forwarding rule.
CreateRules: batch creates forwarding rules.
DeleteRule: deletes a forwarding rule.
DeleteRules: batch deletes forwarding rules.
ListRules: queries forwarding rules.
UpdateRuleAttribute: updates a forwarding rule.
UpdateRulesAttribute: batch updates forwarding rules.