Configuring an Application Load Balancer
When you launch a load-balanced environment, you can choose to use an application load balancer instead of a classic load balancer. An application load balancer inspects traffic to identify the request's path so that it can direct requests for different paths to different destinations.
By default, an application load balancer performs the same function as a classic load balancer. The default listener accepts HTTP requests on port 80 and distributes them to the instances in your environment. You can add a secure listener on port 443 with a certificate to decrypt HTTPS traffic, configure health check behavior, and push access logs from the load balancer to an Amazon Simple Storage Service (Amazon S3) bucket.
Unlike a classic load balancer, an application load balancer cannot have non-HTTP TCP or SSL/TLS listeners, and cannot use backend authentication to authenticate HTTPS connections between the load balancer and backend instances.
In an AWS Elastic Beanstalk environment, you can use an application load balancer to direct traffic for certain paths to a different port on your web server instances. With a classic load balancer, all traffic to a listener is routed to a single port on the backend instances. With an application load balancer, you can configure multiple rules on the listener to route requests to certain paths to different backend ports.
For example, you could run a login process separate from your main application. While your main application accepts the majority of requests and listens on port 80, your login process listens on port 5000 and accepts requests to the /login path. With an application load balancer, you can configure a single listener with two rules to route traffic to either port 80 or port 5000, depending on the path in the request. One rule routes traffic to /login to port 5000, while the default rule routes all other traffic to port 80.
An application load balancer rule maps a request to a target group. In Elastic Beanstalk, a target group is represented by a process, which you can configure with a protocol, port, and health check settings. The process represents the process running on the instances in your environment. The default process is a listener on port 80 of the reverse proxy (nginx or Apache) that runs in front of your application.
Outside of Elastic Beanstalk, a target group maps to a group of instances, and a listener can use rules and target groups to route traffic to different instances based on the path. Within Elastic Beanstalk, all of your instances in your environment are identical, so the distinction is made between processes listening on different ports.
Instead of a single health check path for the entire environment, each process has a separate health check path that is monitored by the load balancer and Elastic Beanstalk enhanced health monitoring.
To use an application load balancer, your environment must be in a default or custom VPC, and must have a service role with the standard set of permissions. If you have an older service role, you may need to update the permissions on it to include elasticloadbalancing:DescribeLoadBalancers. For more information about application load balancers, see What Is an Application Load Balancer? in the Application Load Balancer
You can set the load balancer type only during environment creation using the EB CLI or the Elastic Beanstalk APIs; the console does not support this functionality.
The EB CLI prompts you to choose a load balancer type when you run eb create.
Enter Environment Name
(default is my-app): test-env
Enter DNS CNAME prefix
(default is my-app): test-env-DLW24ED23SF
Select a load balancer type
1) classic
2) application
(default is 1):
You can also specify a load balancer type with the --elb-type option:
eb create test-env --elb-type application
Application Load Balancer Namespaces
Settings related to application load balancers are spread across the following namespaces:
aws:elasticbeanstalk:environment – Choose between an application load balancer and classic load balancer.
aws:elbv2:loadbalancer – Configure access logs and other settings that apply to the application load balancer as a whole.
aws:elbv2:listener – Configure listeners on the application load balancer. These settings map to the settings in aws:elb:listener for classic load balancers.
aws:elbv2:listenerrule – Configure rules that route traffic to different processes, depending on the request path. Rules are unique to application load balancers.
aws:elasticbeanstalk:environment:process – Configure health checks and specify the port and protocol for the processes that run on your environment's instances. The port and protocol settings map to the instance port and instance protocol settings in aws:elb:listener for a listener on a classic load balancer. Health check settings map to the settings in
To get started with an application load balancer, use a configuration file to set the load balancer type to application:
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
You can only set the load balancer type during environment creation.
The following configuration file enables access log uploads for an environment with an application load balancer:
option_settings:
  aws:elbv2:loadbalancer:
    AccessLogsS3Bucket: my-bucket
    AccessLogsS3Enabled: 'true'
    AccessLogsS3Prefix: beanstalk-alb
The following configuration file modifies health check and stickiness settings on the default process:
option_settings:
  aws:elasticbeanstalk:environment:process:default:
    DeregistrationDelay: '20'
    HealthCheckInterval: '15'
    HealthCheckPath: /
    HealthCheckTimeout: '5'
    HealthyThresholdCount: '3'
    UnhealthyThresholdCount: '5'
    MatcherHTTPCode: null
    Port: '80'
    Protocol: HTTP
    StickinessEnabled: 'true'
    StickinessLBCookieDuration: '43200'
The following configuration file adds a secure listener and matching process on port 443:
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:us-east-1:0123456789012:certificate/21324896-0fa4-412b-bf6f-f362d6eb6dd7
  aws:elasticbeanstalk:environment:process:https:
    Port: '443'
    Protocol: HTTPS
The following configuration file adds a secure listener with a rule that routes traffic with a request path of /admin to a process named admin that listens on port 4443:
option_settings:
  aws:elbv2:listener:443:
    DefaultProcess: https
    ListenerEnabled: 'true'
    Protocol: HTTPS
    Rules: admin
    SSLCertificateArns: arn:aws:acm:us-east-1:0123456789012:certificate/21324896-0fa4-412b-bf6f-f362d6eb6dd7
  aws:elasticbeanstalk:environment:process:admin:
    HealthCheckPath: /admin
    Port: '4443'
    Protocol: HTTPS
  aws:elbv2:listenerrule:admin:
    PathPatterns: /admin/*
    Priority: 1
    Process: admin
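Listeners, rules, and processes refer to each other by name across these namespaces, so a misspelled or missing name, or an environment without access logs, is easy to overlook in review. The following Python check is an added example, not part of the original page or of any AWS tool; it assumes the option_settings from all configuration files have already been merged into one dict, and the function names, finding messages, and certificate ARN placeholder are hypothetical.

```python
# Added example (not AWS code): cross-check names in merged option_settings.
PROC = "aws:elasticbeanstalk:environment:process:"
LISTENER = "aws:elbv2:listener:"
RULE = "aws:elbv2:listenerrule:"

def names(settings, prefix):
    """Map the suffix of each namespace under `prefix` to its options."""
    return {ns[len(prefix):]: o for ns, o in settings.items() if ns.startswith(prefix)}

def lint(settings):
    """Return findings for one merged option_settings mapping."""
    procs = {"default": {}, **names(settings, PROC)}  # default process: port 80
    rules = names(settings, RULE)
    findings, attached = [], set()
    for port, opts in sorted(names(settings, LISTENER).items()):
        if opts.get("Protocol") == "HTTPS" and not opts.get("SSLCertificateArns"):
            findings.append(f"listener {port}: HTTPS without SSLCertificateArns")
        target = opts.get("DefaultProcess", "default")
        if target not in procs:
            findings.append(f"listener {port}: DefaultProcess '{target}' is not defined")
        for rule in filter(None, map(str.strip, opts.get("Rules", "").split(","))):
            attached.add(rule)
            if rule not in rules:
                findings.append(f"listener {port}: rule '{rule}' is not defined")
    for name, opts in sorted(rules.items()):
        if name not in attached:
            findings.append(f"rule {name}: not listed in any listener's Rules")
        if opts.get("Process") not in procs:
            findings.append(f"rule {name}: Process '{opts.get('Process')}' is not defined")
    lb = settings.get("aws:elbv2:loadbalancer", {})
    if str(lb.get("AccessLogsS3Enabled", "false")).lower() != "true":
        findings.append("load balancer: access logs are not enabled")
    return findings

# Constructed input: the /admin configuration from this page, written as a dict.
ADMIN_ONLY = {
    "aws:elbv2:listener:443": {
        "DefaultProcess": "https", "ListenerEnabled": "true", "Protocol": "HTTPS",
        "Rules": "admin", "SSLCertificateArns": "arn:aws:acm:REGION:ACCOUNT:certificate/ID"},
    "aws:elasticbeanstalk:environment:process:admin": {
        "HealthCheckPath": "/admin", "Port": "4443", "Protocol": "HTTPS"},
    "aws:elbv2:listenerrule:admin": {
        "PathPatterns": "/admin/*", "Priority": 1, "Process": "admin"}}
# Constructed input: the same settings merged with the https process and access logs.
MERGED = {**ADMIN_ONLY,
    "aws:elasticbeanstalk:environment:process:https": {"Port": "443", "Protocol": "HTTPS"},
    "aws:elbv2:loadbalancer": {"AccessLogsS3Bucket": "my-bucket", "AccessLogsS3Enabled": "true"}}
if __name__ == "__main__":
    print("\n".join(lint(ADMIN_ONLY)) or "no findings")
```

Checked on its own, the /admin file reports that the https process and access logging are defined elsewhere or not at all; merged with the earlier files on this page, it reports nothing.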