Create an Application Load Balancer

A load balancer takes requests from clients and distributes them across targets in a target group.

Before you begin, ensure that you have a virtual private cloud (VPC) with at least one public subnet in each of the zones used by your targets. For more information, see Subnets for your load balancer.

To create a load balancer using the AWS CLI, see Tutorial: Create an Application Load Balancer using the AWS CLI.

To create a load balancer using the AWS Management Console, complete the following tasks.

Step 1: Configure a target group

Configuring a target group allows you to register targets such as EC2 instances. The target group that you configure in this step is used as the target group in the listener rule when you configure your load balancer. For more information, see Target groups for your Application Load Balancers.

To configure your target group

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, choose Target Groups.

3. Choose Create target group.

4. In the Basic configuration section, set the following parameters:

   1. For Choose a target type, select Instances to specify targets by instance ID or IP addresses to specify targets by only IP address. If the target type is a Lambda function, you can enable health checks by selecting Enable in the Health checks section.

   2. For Target group name, enter a name for the target group.

   3. Modify the Port and Protocol as needed.

   4. If the target type is Instances or IP addresses, choose IPv4 or IPv6 as the IP address type, otherwise skip to the next step.

      Note that only targets that have the selected IP address type can be included in this target group. The IP address type cannot be changed after the target group is created.

   5. For VPC, select a virtual private cloud (VPC) with the targets that you want to include in your target group.

   6. For Protocol version, select HTTP1 when the request protocol is HTTP/1.1 or HTTP/2; select HTTP2, when the request protocol is HTTP/2 or gRPC; and select gRPC, when the request protocol is gRPC.

5. In the Health checks section, modify the default settings as needed. For Advanced health check settings, choose the health check port, count, timeout, interval, and specify success codes. If health checks consecutively exceed the Unhealthy threshold count, the load balancer takes the target out of service. If health checks consecutively exceed the Healthy threshold count, the load balancer puts the target back in service. For more information, see Health checks for your target groups.

6. (Optional) Add one or more tags as follows:

   1. Expand the Tags section.

   2. Choose Add tag.

   3. Enter the tag Key and tag Value. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.

7. Choose Next.

Step 2: Register targets

You can register EC2 instances, IP addresses, or Lambda functions as targets in a target group. This is an optional step to create a load balancer. However, you must register your targets to ensure that your load balancer routes traffic to them.

1. In the Register targets page, add one or more targets as follows:

   • If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.

   • If the target type is IP addresses, do the following:

     1. Select a network VPC from the list, or choose Other private IP addresses.

     2. Enter the IP address manually, or find the IP address using instance details. You can enter up to five IP addresses at a time.

     3. Enter the ports for routing traffic to the specified IP addresses.

     4. Choose Include as pending below.

   • If the target type is Lambda, select a Lambda function, or enter a Lambda function ARN, and then choose Include as pending below.

2. Choose Create target group.

Step 3: Configure a load balancer and a listener

To create an Application Load Balancer, you must first provide basic configuration information for your load balancer, such as a name, scheme, and IP address type. Then, you provide information about your network, and one or more listeners. A listener is a process that checks for connection requests. It is configured with a protocol and a port for connections from clients to the load balancer. For more information about supported protocols and ports, see Listener configuration.

To configure your load balancer and listener

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. In the navigation pane, choose Load Balancers.

3. Choose Create Load Balancer.

4. Under Application Load Balancer, choose Create.

5. Basic configuration

   1. For Load balancer name, enter a name for your load balancer. For example, my-alb. The name of your Application Load Balancer must be unique within your set of Application Load Balancers and Network Load Balancers for the Region. Names can have a maximum of 32 characters, and can contain only alphanumeric characters and hyphens. They can not begin or end with a hyphen, or with internal-. The name of your Application Load Balancer cannot be changed after it's created.

   2. For Scheme, choose Internet-facing or Internal. An internet-facing load balancer routes requests from clients to targets over the internet. An internal load balancer routes requests to targets using private IP addresses.

   3. For IP address type, choose IPv4 or Dualstack. Use IPv4 if your clients use IPv4 addresses to communicate with the load balancer. Choose Dualstack if your clients use both IPv4 and IPv6 addresses to communicate with the load balancer.

6. Network mapping

   1. For VPC, select the VPC that you used for your EC2 instances. If you selected Internet-facing for Scheme, only VPCs with an internet gateway are available for selection.

   2. For Mappings, enable zones for your load balancer by selecting subnets as follows:

      • Subnets from two or more Availability Zones

      • Subnets from one or more Local Zones

      • One Outpost subnet

      For more information, see Subnets for your load balancer.

      For internal load balancers, the IPv4 and IPv6 addresses are assigned from the subnet CIDR.

      If you enabled Dualstack mode for the load balancer, select subnets with both IPv4 and IPv6 CIDR blocks.

7. For Security groups, select an existing security group, or create a new one.

   The security group for your load balancer must allow it to communicate with registered targets on both the listener port and the health check port. The console can create a security group for your load balancer on your behalf with rules that allow this communication. You can also create a security group and select it instead. For more information, see Recommended rules.

   (Optional) To create a new security group for your load balancer, choose Create a new security group.

8. For Listeners and routing, the default listener accepts HTTP traffic on port 80. You can keep the default protocol and port, or choose different ones. For Default action, choose the target group that you created. You can optionally choose Add listener to add another listener (for example, an HTTPS listener).

9. (Optional) If using an HTTPS listener

   For Security policy, we recommend that you always use the latest predefined security policy.

   1. For Default SSL/TLS certificate, the following options are available:

      • If you created or imported a certificate using AWS Certificate Manager, select From ACM, then select the certificate from Select a certificate.

      • If you imported a certificate using IAM, select From IAM, and then select your certificate from Select a certificate.

      • If you have a certificate to import but ACM is not available in your Region, select Import, then select To IAM. Type the name of the certificate in the Certificate name field. In Certificate private key, copy and paste the contents of the private key file (PEM-encoded). In Certificate body, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

   2. (Optional) To enable mutual authentication, under Client certificate handling enable Mutual authentication (mTLS).

      When enabled, the default mutual TLS mode is passthrough.

      If you select Verify with Trust Store:

      • By default, connections with expired client certificates are rejected. To change this behavior expand Advanced mTLS settings, then under Client certificate expiration select Allow expired client certificates.

      • Under Trust Store choose an existing trust store, or choose New trust store.

        • If you chose New trust store, provide a Trust store name, the S3 URI Certificate Authority location, and optionally an S3 URI Certificate revocation list location.

10. (Optional) You can integrate other services with your load balancer during creation, under Optimize with service integrations.

    • You can choose to include AWS WAF security protections for your load balancer, with an existing or automatically created web ACL. After creation, web ACLs can be managed in the AWS WAF console. For more information, see Associating or disassociating a web ACL with an AWS resource in the AWS WAF Developer Guide.

    • You can choose to have AWS Global Accelerator create an accelerator for you and associate your load balancer with the accelerator. The accelerator name can have the following characters (up to 64 characters): a-z, A-Z, 0-9, . (period), and - (hyphen). After the accelerator is created, you can manage it in the AWS Global Accelerator console. For more information, see Add an accelerator when you create a load balancer in the AWS Global Accelerator Developer Guide.

11. Tag and create

    1. (Optional) Add a tag to categorize your load balancer. Tag keys must be unique for each load balancer. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.

    2. Review your configuration, and choose Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer. For more information, see Load balancer attributes.

Step 4: Test the load balancer

After creating your load balancer, you can verify that your EC2 instances pass the initial health check. You can then check that the load balancer is sending traffic to your EC2 instance. To delete the load balancer, see Delete an Application Load Balancer.

To test the load balancer

1. After the load balancer is created, choose Close.

2. In the navigation pane, choose Target Groups.

3. Select the newly created target group.

4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it's typically because the instance is still in the process of being registered. This status can also indicate that the instance has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer. For more information, see Target health status.

5. In the navigation pane, choose Load Balancers.

6. Select the newly created load balancer.

7. Choose Description and copy the DNS name of the internet facing or internal load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com).

   • For internet facing load balancers, paste the DNS name into the address field of an internet connected web browser.

   • For internal load balancers, paste the DNS name into the address field of a web browser which has private connectivity to the VPC.

   If everything is configured correctly, the browser displays the default page of your server.

8. If the web page does not display, refer to the following documents for additional configuration help and troubleshooting steps.

   • For DNS related issues, see Routing traffic to an ELB load balancer in the Amazon Route 53 Developer Guide.

   • For Load Balancer related issues, see Troubleshoot your Application Load Balancers.