Skip to content

Overview

Application Load Balancer (ALB) is a network service that distributes incoming public web traffic between virtual servers to provide fault tolerance for websites and applications.

How it works:
The Load Balancer (ALB) allows to easily configure web or TLS traffic to virtual machines, belonging to the same Compute service based on a domain name in the HTTP protocol or the Server Name Indication (SNI) extension of TLS.
When the volume of incoming traffic changes dramatically, the balancer evenly distributes the entire volume of requests between resources according to the Round-robin algorithm. ALB provides automatic renewal of LetsEncrypt certificates and the ability to upload your own certificates. Forwarding through ALB does not require opening virtual machine destination ports in the Network Security Group in the Firewall tab. ALB provides access on the main public address of the account only on ports 80 and 443. These ports can be reassigned in the Port-Forwarding application.

The Health Check feature allows to exclude unhealthy servers from the load balancing rotation. ALB monitors the status of the virtual machines responsible for handling the web traffic route, and will consider VMs healthy as long as they return status codes between 2XX and 3XX to the health check requests (carried out every interval). If a VM is found to be unavailable (powered off or broken), the HealthCheck ensures that web traffic is not directed to that particular VM.

Note

ALB management is only available to users with the Account Admin role.

The Web Routes tab contains a list of ALB web traffic routes. The user can create, edit, view and delete routes.

Creating and Configuring a Route

Preparation

Before creating a new route, the user has to configure a DNS CNAME record pointing to the ALB's public host name to allow Internet traffic to access the ALB instance, and then prepare the virtual machine.

Note

By default we mean a prepared virtual machine with a web server on port 80.

Route creation

  1. On the Web Routes tab, click Create Route.
  2. In the popped-up modal window, enter:

    • Name - the name for the route within the project;
    • Hostname - public host name for the route;
    • The Path that the router watches to route traffic to the service (optional);
    • Target port for traffic (optional).

  3. In the Target Services, select the Service(s) for load balancing (each service has a weight that determines the amount of traffic received).

  4. Select IP interface type: IPv4/IPv6.
  5. Select Security settings for the routes by enabling the Secure Route checkbox, or you can leave it disabled.
    If Secure Route is enabled, specify the TLS termination type:

    • edge
      With edge termination, the encrypted TLS traffic is terminated on the ALB, then the already decrypted traffic is proxied to the internal IP addresses of the virtual machines on the HTTP port (80/TCP). To terminate TLS traffic, the downloaded certificate is used if it matches the Hostname field of the Web route, otherwise, an attempt is made to issue a LetsEncrypt certificate. If the issue of the LetsEncrypt certificate fails for any reason (for example, the DNS record is not set to the ALB public hostname, the request limit has expired), then the default self-signed certificate will be used.
    • passthrough
      With passthrough termination, encrypted traffic is sent directly to the destination without decrypting the traffic. In this case, the balancer only allocates traffic between services according to weights. This is currently the only method that supports client certificate authentication (also known as two-way authentication).
    • re-encrypt
      This is a case of edge termination where the TLS protocol is terminated at the ALB with a certificate and then re-encrypts its connection to an endpoint on the HTTPS port (443/TCP), which may have a different certificate. Therefore, the full connection path is encrypted even on the internal network. ALB uses performance checks to determine host availability.

    Note

    Re-encrypt ALB does not currently validate the destination host certificate, so self-signed certificates can be used.

  6. Select a policy for traffic on insecure schemes:

    • allow - allows HTTP traffic to pass through;
    • redirect - automatically redirects the client from HTTP to HTTPS (using HTTP code 301).
  7. Select one of the TLS Certificates associated with this route.

  8. Click Create.

The new route will appear in the general list, where you can edit its settings or delete it using the side menu or by clicking the corresponding buttons in the Details. To view the details of the created route, simply click on it.

Certificates

Users can add TLS certificates for edge and re-encrypted termination on the Certificates tab. Certificates must be in PEM format. Users can add, edit, view, and delete certificates.

Adding Certificates

Users can upload certificates by dragging, selecting, or pasting them from the clipboard.

  1. Click Add certificate on the Certificates tab;
  2. Enter a Name for the certificates;
  3. Click Browse and add the needed certificates (or drag and drop, paste from clipboard);
  4. Click Add to complete.

The certificate will appear on the list. Click its name to view the details.
There are two ways to edit and delete certificates. Users can do this by using the side menu (icon with three dots) or by pressing the corresponding button in the Details.

Note

When using your own certificates, only one certificate related to the domain name must be loaded into the system for correct operation. For example, if the downloaded certificate has expired, you need to delete it and download the current one.

Roles and permissions

Action Member Admin Billing Operator Owner
Web Routes
View Web Route only own
Create Web Route
Edit Web Route only own
Delete Web Route only own
Certificates
View Certificates only own
Create Certificates
Edit Certificates only own
Delete Certificates only own