1. Important Points#

Application Load Balancer is an L7 HTTP/HTTPS load balancer, suited to Web/API traffic ingress, path/host routing, TLS termination, OIDC/Cognito authentication, WAF protection and target group health-based routing.

ALB is used for:
    HTTP / HTTPS ingress
    TLS termination
    host-based routing
    path-based routing
    header / method / query based routing
    weighted target group routing
    ECS / EC2 / IP target traffic distribution
    Cognito / OIDC authentication at edge of app
    AWS WAF association

ALB is not suited for:
    non-HTTP TCP/UDP workload
    static IP requirement without Global Accelerator
    ultra-low-latency L4 forwarding
    client IP preservation without X-Forwarded-* handling

Core principles:

public app:
    Route 53 / CloudFront / Global Accelerator
        -> internet-facing ALB
        -> private target group
        -> ECS / EC2 / IP targets

internal app:
    internal ALB
        -> private target group
        -> service targets

security:
    TLS on listener
    WAF on ALB
    SG only allows required inbound
    target SG only allows ALB SG
    access logs enabled
    alarms for 5xx, latency, unhealthy targets

2. Core Concepts#

| Concept | Meaning | Production Note |
|---|---|---|
| Load balancer | ALB resource itself | internet-facing or internal |
| Listener | protocol/port entry point | usually 80 redirects to 443, 443 forwards |
| Listener rule | conditions + actions | host/path routing, auth, redirect, fixed response |
| Target group | backend targets and health check | one service usually has one target group |
| Target | EC2 instance, IP, Lambda | ECS Fargate usually uses IP targets |
| Health check | target readiness detection | health check endpoint must represent readiness |
| Access log | request-level log to S3 | required for incident and traffic audit |
| ALB metric | CloudWatch metric | required for alarms and dashboard |

Routing mental model:

client request
    -> listener
        -> listener rule priority match
            -> optional authenticate action
            -> forward / redirect / fixed-response action
                -> target group
                    -> healthy target

3. Architecture Patterns#

public web api#

Route 53
    -> public ALB
        listener 80:
            redirect to 443
        listener 443:
            ACM certificate
            WAF attached
            access logs enabled
            forward to target group
        target group:
            ECS Fargate / EC2 / IP targets in private subnets

internal service#

internal ALB
    listener 443:
        private ACM certificate or public ACM cert for internal domain
        forward to internal target groups
    security group:
        inbound only from trusted VPC CIDR / service SG
        outbound only to target SG

multi-service routing#

| Rule | Condition | Action |
|---|---|---|
| api.example.com | host-header | forward api-tg |
| admin.example.com | host-header | authenticate + forward admin-tg |
| /static/* | path-pattern | forward static-tg |
| /old/* | path-pattern | redirect |
| default | no match | fixed 404 |
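An added Python model of how the listener evaluates the rules above (this is illustrative code, not AWS's implementation): rules are tried in ascending priority, the first full match wins, and unmatched requests fall to the fixed 404 default. Hostnames, target group names, the IdP label and the redirect target are constructed sample values; the last function shows why rule order itself is a security control.

```python
"""Added model of ALB listener rule evaluation (not AWS code). Rules are checked in
ascending priority and the first rule whose conditions all match wins; otherwise
the listener default action applies. Hostnames, target group names, the IdP
label and the redirect target are constructed sample values."""
import fnmatch  # '*' and '?' behave as in ALB host-header / path-pattern conditions

# Priorities, conditions and actions mirror the multi-service routing table.
RULES = [
    (10, {"host-header": ["api.example.com"]}, [("forward", "api-tg")]),
    (20, {"host-header": ["admin.example.com"]},
     [("authenticate-oidc", "corp-idp"), ("forward", "admin-tg")]),
    (30, {"path-pattern": ["/static/*"]}, [("forward", "static-tg")]),
    (40, {"path-pattern": ["/old/*"]}, [("redirect", "HTTP_301 /new/#{path}")]),
]
DEFAULT_ACTIONS = [("fixed-response", "404")]  # unmatched traffic never reaches a backend


def _matches(kind, patterns, host, path):
    if kind == "host-header":  # ALB compares hosts case-insensitively, without the port
        host = host.lower().rsplit(":", 1)[0]
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)
    if kind == "path-pattern":  # path-pattern matching is case-sensitive
        return any(fnmatch.fnmatchcase(path, p) for p in patterns)
    raise ValueError(f"unsupported condition: {kind}")


def evaluate(rules, default_actions, host, path):
    """Return (matched priority or None, actions) for one request."""
    for priority, conditions, actions in sorted(rules, key=lambda r: r[0]):
        if all(_matches(k, v, host, path) for k, v in conditions.items()):
            return priority, actions
    return None, default_actions


def auth_bypassed_by_reordering():
    """Rule order is a security control: if the /static/* rule outranks the
    admin host rule, admin static paths are forwarded without authentication."""
    reordered = [(5 if p == 30 else p, c, a) for p, c, a in RULES]
    _, actions = evaluate(reordered, DEFAULT_ACTIONS, "admin.example.com", "/static/app.js")
    return not any(kind.startswith("authenticate") for kind, _ in actions)


if __name__ == "__main__":
    for host, path in [("api.example.com", "/v1/orders"), ("admin.example.com", "/static/app.js"),
                       ("www.example.com", "/old/page"), ("internal.example.com", "/")]:
        print(f"{host}{path:<16} -> {evaluate(RULES, DEFAULT_ACTIONS, host, path)}")
    print("auth bypass when /static/* outranks admin rule:", auth_bypassed_by_reordering())
```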

4. Service Configuration#

Create ALB:

aws elbv2 create-load-balancer \
  --name prod-public-alb \
  --type application \
  --scheme internet-facing \
  --subnets subnet-public-a subnet-public-b \
  --security-groups sg-alb \
  --region ap-east-1

Create target group for ECS Fargate / IP targets:

aws elbv2 create-target-group \
  --name prod-order-api \
  --protocol HTTP \
  --port 8080 \
  --vpc-id vpc-xxxxxxxx \
  --target-type ip \
  --health-check-protocol HTTP \
  --health-check-path /health/ready \
  --health-check-interval-seconds 15 \
  --healthy-threshold-count 2 \
  --unhealthy-threshold-count 3 \
  --matcher HttpCode=200 \
  --region ap-east-1

Create HTTPS listener:

aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-east-1:111122223333:loadbalancer/app/prod-public-alb/abc123 \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:ap-east-1:111122223333:certificate/example \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:ap-east-1:111122223333:targetgroup/prod-order-api/def456 \
  --region ap-east-1

HTTP to HTTPS redirect:

aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-east-1:111122223333:loadbalancer/app/prod-public-alb/abc123 \
  --protocol HTTP \
  --port 80 \
  --default-actions '[
    {
      "Type": "redirect",
      "RedirectConfig": {
        "Protocol": "HTTPS",
        "Port": "443",
        "StatusCode": "HTTP_301"
      }
    }
  ]' \
  --region ap-east-1

Enable access logs:

aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-east-1:111122223333:loadbalancer/app/prod-public-alb/abc123 \
  --attributes \
      Key=access_logs.s3.enabled,Value=true \
      Key=access_logs.s3.bucket,Value=company-prod-alb-logs \
      Key=access_logs.s3.prefix,Value=prod-public-alb \
  --region ap-east-1
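Once access logging is on, the first incident question is usually whether 5xx responses came from the ALB itself (no target answered) or from a target. The Python below is an added example, not AWS tooling: it parses entries in the ALB access log field order and splits the two cases, which correspond to the ALB 5xx and target 5xx alarms later in this page. The log entries are constructed samples (the ARNs reuse this page's example values).

```python
"""Added example (not AWS code): triage ALB access log entries, splitting ALB-side
5xx (target_status_code "-", HTTPCode_ELB_5XX) from target 5xx (HTTPCode_Target_5XX)."""
import shlex
from collections import Counter
from urllib.parse import urlsplit

FIELDS = ("type time elb client target request_processing_time target_processing_time "
          "response_processing_time elb_status_code target_status_code received_bytes "
          "sent_bytes request user_agent ssl_cipher ssl_protocol target_group_arn "
          "trace_id domain_name chosen_cert_arn matched_rule_priority "
          "request_creation_time actions_executed redirect_url error_reason "
          "target_port_list target_status_code_list classification classification_reason").split()
TG = "arn:aws:elasticloadbalancing:ap-east-1:111122223333:targetgroup/prod-order-api/def456"
CERT = "arn:aws:acm:ap-east-1:111122223333:certificate/example"
SAMPLE_LOG = [  # constructed: ok, target reset (502), target 500, no healthy target (503), redirect
    f'https 2024-05-01T10:00:00.100000Z app/prod-public-alb/abc123 203.0.113.10:50123 10.0.1.10:8080 0.001 0.045 0.000 200 200 210 1543 "GET https://api.example.com:443/v1/orders HTTP/1.1" "curl/8.4.0" TLS_AES_128_GCM_SHA256 TLSv1.3 {TG} "Root=1-aaaa-01" "api.example.com" "{CERT}" 10 2024-05-01T10:00:00.090000Z "forward" "-" "-" "10.0.1.10:8080" "200" "-" "-"',
    f'https 2024-05-01T10:00:01.200000Z app/prod-public-alb/abc123 203.0.113.11:50124 10.0.1.11:8080 0.001 -1 -1 502 - 190 272 "POST https://api.example.com:443/v1/checkout HTTP/1.1" "Mozilla/5.0" TLS_AES_128_GCM_SHA256 TLSv1.3 {TG} "Root=1-aaaa-02" "api.example.com" "{CERT}" 10 2024-05-01T10:00:01.150000Z "forward" "-" "-" "10.0.1.11:8080" "-" "-" "-"',
    f'https 2024-05-01T10:00:02.300000Z app/prod-public-alb/abc123 203.0.113.12:50125 10.0.1.11:8080 0.001 1.350 0.000 500 500 190 512 "POST https://api.example.com:443/v1/checkout HTTP/1.1" "Mozilla/5.0" TLS_AES_128_GCM_SHA256 TLSv1.3 {TG} "Root=1-aaaa-03" "api.example.com" "{CERT}" 10 2024-05-01T10:00:02.250000Z "forward" "-" "-" "10.0.1.11:8080" "500" "-" "-"',
    f'https 2024-05-01T10:00:03.400000Z app/prod-public-alb/abc123 203.0.113.13:50126 - 0.000 -1 -1 503 - 190 0 "GET https://api.example.com:443/v1/orders HTTP/1.1" "curl/8.4.0" TLS_AES_128_GCM_SHA256 TLSv1.3 {TG} "Root=1-aaaa-04" "api.example.com" "{CERT}" 10 2024-05-01T10:00:03.390000Z "forward" "-" "-" "-" "-" "-" "-"',
    f'http 2024-05-01T10:00:04.500000Z app/prod-public-alb/abc123 203.0.113.14:50127 - 0.000 -1 -1 301 - 120 0 "GET http://api.example.com:80/ HTTP/1.1" "curl/8.4.0" - - - "Root=1-aaaa-05" "-" "-" 0 2024-05-01T10:00:04.490000Z "redirect" "https://api.example.com:443/" "-" "-" "-" "-" "-"',
]

def parse_entry(line):
    """Split one entry into named fields; quoted fields may contain spaces."""
    values = shlex.split(line)
    if len(values) < len(FIELDS):
        raise ValueError(f"truncated entry: {line[:60]}")
    return dict(zip(FIELDS, values))  # newer trailing fields are ignored

def summarize(lines, slow_seconds=1.0):
    """Count ALB-side vs target-side 5xx, slow targets and the paths that failed."""
    s = {"requests": 0, "elb_5xx": Counter(), "target_5xx": Counter(),
         "no_target": 0, "slow": 0, "paths_5xx": Counter()}
    for e in map(parse_entry, lines):
        s["requests"] += 1
        code = int(e["elb_status_code"])
        if float(e["target_processing_time"]) >= slow_seconds:  # -1 when no target answered
            s["slow"] += 1
        if code < 500: continue
        s["paths_5xx"][urlsplit(e["request"].split(" ")[1]).path] += 1
        if e["target_status_code"] == "-":  # target never answered: ALB generated the 5xx
            s["elb_5xx"][code] += 1
            s["no_target"] += int(e["target"] == "-")  # no healthy target could be chosen
        else:  # target answered with its own 5xx
            s["target_5xx"][e["target"]] += 1
    s["rate_5xx"] = round((sum(s["elb_5xx"].values()) + sum(s["target_5xx"].values())) / s["requests"], 2)
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```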

5. Health Check Design#

good readiness endpoint:
    returns 200 only when app can serve real traffic
    checks critical dependencies lightly
    fast response, usually < 100ms
    no authentication
    no external expensive query

bad readiness endpoint:
    always returns 200
    uses full business transaction
    depends on third-party API
    checks a slow report query

Recommended target group settings:

| Setting | Typical Value | Note |
|---|---|---|
| interval | 10-30s | faster detection vs more health traffic |
| timeout | 5s | must be lower than interval |
| healthy threshold | 2 | faster recovery |
| unhealthy threshold | 2-3 | avoid one-off failure |
| success code | 200 | use 200-399 only when app intentionally redirects |
| deregistration delay | 30-60s | match graceful shutdown |

6. Page Map#

| Page | Goal |
|---|---|
| Monitoring.md | ALB CloudWatch alarms, SNS/EventBridge wiring, logs, dashboard |
| Auth.md | ALB Cognito / OIDC authentication, listener rules, headers |
| Security.md | WAF, GuardDuty response pattern, Shield, TLS, security groups |

7. Production Checklist#

listener:
    HTTP listener redirects to HTTPS
    HTTPS listener uses modern TLS policy
    ACM certificate managed
    default action does not expose unintended backend

target group:
    health check path is readiness endpoint
    deregistration delay matches graceful shutdown
    slow start enabled when app needs warmup
    target type matches platform, ECS Fargate usually ip

security:
    WAF web ACL associated
    ALB access logs enabled
    target security group allows inbound only from ALB security group
    app validates X-Forwarded-Proto / Host only when needed
    auth rules protect admin/internal paths if ALB auth is used

monitoring:
    no healthy target alarm
    target 5xx rate alarm
    ALB 5xx alarm
    p95 latency alarm
    target response time dashboard
    access log query ready for incident

operations:
    listener/rule/target group config is IaC or CLI reproducible
    rollback path documented
    DNS cutover procedure documented
    quota and LCU usage reviewed