An Application Load Balancer (ALB) instance distributes requests from clients to backend server groups based on listeners and forwarding rules. To use ALB to balance loads, create an ALB instance and create listeners and backend server groups for the ALB instance. This topic describes the key terms and usage notes of ALB instances.
ALB instances distribute requests across zones by default. After an ALB instance in a region receives requests, the ALB instance distributes the requests to the backend servers in all the available zones of the region, including zones that are not assigned virtual IP addresses (VIPs). Cross-zone load balancing cannot be disabled for ALB instances.
ALB provides services through domain names. ALB is interfaced with Alibaba Cloud DNS, which allows you to customize domain name resolution. We recommend that you use CNAME records to map custom domain names to the domain name of your ALB instance and use the ALB instance to manage resource access. For more information, see Add a CNAME record to an ALB instance.
The following table describes the different states of an ALB instance and whether the operations are supported.
Why the ALB instance is locked
Whether the ALB instance can be deleted
Whether configurations can be changed
The ALB instance is running as expected.
Based on whether delete protection is enabled.
Based on whether the configuration read-only mode is enabled.
The ALB instance is being created.
The configuration of the ALB instance is being updated.
The ALB instance failed to be created.
The ALB instance stops running.
Locked (Overdue Payment): The ALB instance is locked due to overdue payments. Renew your ALB instance at the earliest opportunity. The ALB instance resumes after it is unlocked.
Locked (Associated Resources in Abnormal State): The elastic IP addresses (EIPs) or Internet Shared Bandwidth instances that are associated with the ALB instance are locked due to overdue payments. Renew the EIPs or Internet Shared Bandwidth instances at the earliest opportunity. The ALB instance resumes after the associated resources are unlocked.
Locked (Associated Resources Overdue and Released): The EIPs or Internet Shared Bandwidth instances that are associated with the ALB instance are released due to overdue payments and the ALB instance is unavailable. We recommend that you release the ALB instance.
Locked (Security Risks): The ALB instance is locked due to security risks. You can go to the Penalties List page in the Security Control console to apply for unlocking.
Alibaba Cloud provides Internet-facing and internal-facing ALB instances.
You can switch the network type of an ALB instance between Internet-facing and internal-facing. For more information, see Change the network type of an ALB instance.
Internet-facing ALB instances
When you create an Internet-facing ALB instance, it is assigned a public IP address and a private IP address.
Internet-facing ALB instances distribute requests that are sent over the Internet. By default, Internet-facing ALB instances use elastic IP addresses (EIPs) to support Internet access and distribute requests from the Internet to backend servers based on forwarding rules. You can also associate an Anycast EIP with your ALB instance to route requests to the nearest access point. For more information, see Associate Anycast EIPs with an ALB instance to enable access through the nearest access point.
An Internet-facing ALB is also assigned a private IP address, which can be used to access Elastic Compute Service (ECS) instances in virtual private clouds (VPCs).
Internal-facing ALB instances
An internal-facing ALB instance is assigned a private IP address.
An internal-facing ALB instance can forward requests that are only from the same VPC as the ALB instance to backend servers based on listeners and forwarding rules.
Internal-facing ALB instances do not support Internet access.
IPv4 and dual-stack
ALB supports IPv4 and dual-stack networking.
Clients can use only IPv4 addresses, such as 192.0.2.1, to access IPv4 ALB instances.
IPv4 ALB instances forward requests from IPv4 clients only to IPv4 backend servers. You can specify ECS instances, elastic network interfaces (ENIs), elastic container instances, IP addresses, and Function Compute functions as backend servers.
Clients can use IPv4 addresses, such as 192.168.0.1, and IPv6 addresses, such as 2001:db8:1:1:1:1:1:1, to access dual-stack ALB instances.
Dual-stack ALB instances can forward requests from IPv4 clients and IPv6 clients to backend IPv4 services and IPv6 services.
The network type of a dual-stack ALB instance is determined by the IPv4 address. If the IPv4 address is a private IP address, the ALB instance is internal-facing. If the IPv4 IP address is a public IP address, the ALB instance is Internet-facing.
Usage notes on dual-stack ALB instances
IPv4 ALB instances cannot be upgraded to dual-stack instances. You can create dual-stack ALB instances as needed.
Access control lists (ACLs) support only IPv4 addresses.
Regions that support dual-stack ALB instances
China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Hong Kong), China (Guangzhou), and China (Heyuan)
Europe & Americas
Germany (Frankfurt) and US (Virginia)
Integration with Web Application Firewall (WAF)
ALB is interfaced with WAF 3.0. If you want your ALB instances to be protected by WAF, purchase a WAF-enabled ALB instance. When you purchase WAF-enabled ALB instances, take note of the following information:
If your Alibaba Cloud account does not have a WAF 2.0 instance or has not activated WAF: You can enable WAF 3.0 for Internet-facing and internal-facing ALB instances by purchasing WAF-enabled ALB instances. This way, ALB is interfaced with WAF on the service level. For more information, see Activate and manage WAF-enabled ALB instances.
Regions that support WAF-enabled ALB instances (Regions in which ALB is interfaced with WAF 3.0)
China (Chengdu), China (Qingdao), China (Beijing), China (Guangzhou), China (Hangzhou), China (Ulanqab), China (Shanghai), China (Shenzhen), China (Zhangjiakou), and China (Hong Kong)
Philippines (Manila), Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), Australia (Sydney), Singapore, and India (Mumbai)
Europe & Americas
Germany (Frankfurt), US (Silicon Valley), and US (Virginia)
SAU (Riyadh - Partner Region)
If your Alibaba Cloud account already has a WAF 2.0 instance: You can enable WAF 2.0 for Basic Edition Internet-facing ALB instance and Standard Edition Internet-facing ALB instances in transparent proxy mode. Internal-facing ALB instances do not support WAF 2.0.
Only ALB instances in the following regions can be interfaced with WAF 2.0 in transparent proxy mode: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Beijing), and China (Zhangjiakou).Note
If you want to enable WAF 3.0 for your ALB instance, release the WAF 2.0 instance first or migrate to WAF 3.0.
After you release the WAF 2.0 instance, service errors may arise because the X-Forwarded-Proto header is disabled for ALB by default. You must enable the X-Forwarded-Proto header for the listeners of the ALB instance to prevent errors. For more information, see Manage listeners.
For more information about how to release a WAF 2.0 instance, see Terminate the WAF service.
For more information about how to migrate to WAF 3.0, see Migrate a WAF 2.0 instance to WAF 3.0.
For more information about how to modify the specifications of an ALB instance, see Modify the configurations of ALB instances.