Package software.amazon.awscdk.services.elasticloadbalancingv2


package software.amazon.awscdk.services.elasticloadbalancingv2

Amazon Elastic Load Balancing V2 Construct Library

The aws-cdk-lib/aws-elasticloadbalancingv2 package provides constructs for configuring application and network load balancers.

For more information, see the AWS documentation for Application Load Balancers and Network Load Balancers.

Defining an Application Load Balancer

You define an application load balancer by creating an instance of ApplicationLoadBalancer, adding a Listener to the load balancer and adding Targets to the Listener:

 import software.amazon.awscdk.services.autoscaling.AutoScalingGroup;
 AutoScalingGroup asg;
 Vpc vpc;
 
 
 // Create the load balancer in a VPC. 'internetFacing' is 'false'
 // by default, which creates an internal load balancer.
 ApplicationLoadBalancer lb = ApplicationLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .internetFacing(true)
         .build();
 
 // Add a listener and open up the load balancer's security group
 // to the world.
 ApplicationListener listener = lb.addListener("Listener", BaseApplicationListenerProps.builder()
         .port(80)
 
         // 'open: true' is the default, you can leave it out if you want. Set it
         // to 'false' and use `listener.connections` if you want to be selective
         // about who can access the load balancer.
         .open(true)
         .build());
 
 // Create an AutoScaling group and add it as a load balancing
 // target to the listener.
 listener.addTargets("ApplicationFleet", AddApplicationTargetsProps.builder()
         .port(8080)
         .targets(List.of(asg))
         .build());
 

The security groups of the load balancer and the target are automatically updated to allow the network traffic.

One (or more) security groups can be associated with the load balancer; if a security group isn't provided, one will be automatically created.

 Vpc vpc;
 
 
 SecurityGroup securityGroup1 = SecurityGroup.Builder.create(this, "SecurityGroup1").vpc(vpc).build();
 ApplicationLoadBalancer lb = ApplicationLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .internetFacing(true)
         .securityGroup(securityGroup1)
         .build();
 
 SecurityGroup securityGroup2 = SecurityGroup.Builder.create(this, "SecurityGroup2").vpc(vpc).build();
 lb.addSecurityGroup(securityGroup2);
 

Conditions

It's possible to route traffic to targets based on conditions in the incoming HTTP request. For example, the following will route requests to the indicated AutoScalingGroup only if the requested host in the request is either for example.com/ok or example.com/path:

 ApplicationListener listener;
 AutoScalingGroup asg;
 
 
 listener.addTargets("Example.Com Fleet", AddApplicationTargetsProps.builder()
         .priority(10)
         .conditions(List.of(ListenerCondition.hostHeaders(List.of("example.com")), ListenerCondition.pathPatterns(List.of("/ok", "/path"))))
         .port(8080)
         .targets(List.of(asg))
         .build());
 

A target with a condition contains either pathPatterns or hostHeader, or both. If both are specified, both conditions must be met for the requests to be routed to the given target. priority is a required field when you add targets with conditions. The lowest number wins.

Every listener must have at least one target without conditions, which is where all requests that didn't match any of the conditions will be sent.

Convenience methods and more complex Actions

Routing traffic from a Load Balancer to a Target involves the following steps:

  • Create a Target Group, register the Target into the Target Group
  • Add an Action to the Listener which forwards traffic to the Target Group.

A new listener can be added to the Load Balancer by calling addListener(). Listeners that have been added to the load balancer can be listed using the listeners property. Note that the listeners property will throw an Error for imported or looked up Load Balancers.

Various methods on the Listener take care of this work for you to a greater or lesser extent:

  • addTargets() performs both steps: automatically creates a Target Group and the required Action.
  • addTargetGroups() gives you more control: you create the Target Group (or Target Groups) yourself and the method creates Action that routes traffic to the Target Groups.
  • addAction() gives you full control: you supply the Action and wire it up to the Target Groups yourself (or access one of the other ELB routing features).

Using addAction() gives you access to some of the features of an Elastic Load Balancer that the other two convenience methods don't:

  • Routing stickiness: use ListenerAction.forward() and supply a stickinessDuration to make sure requests are routed to the same target group for a given duration.
  • Weighted Target Groups: use ListenerAction.weightedForward() to give different weights to different target groups.
  • Fixed Responses: use ListenerAction.fixedResponse() to serve a static response (ALB only).
  • Redirects: use ListenerAction.redirect() to serve an HTTP redirect response (ALB only).
  • Authentication: use ListenerAction.authenticateOidc() to perform OpenID authentication before serving a request (see the aws-cdk-lib/aws-elasticloadbalancingv2-actions package for direct authentication integration with Cognito) (ALB only).

Here's an example of serving a fixed response at the /ok URL:

 ApplicationListener listener;
 
 
 listener.addAction("Fixed", AddApplicationActionProps.builder()
         .priority(10)
         .conditions(List.of(ListenerCondition.pathPatterns(List.of("/ok"))))
         .action(ListenerAction.fixedResponse(200, FixedResponseOptions.builder()
                 .contentType("text/plain")
                 .messageBody("OK")
                 .build()))
         .build());
 

Here's an example of using OIDC authentication before forwarding to a TargetGroup:

 ApplicationListener listener;
 ApplicationTargetGroup myTargetGroup;
 
 
 listener.addAction("DefaultAction", AddApplicationActionProps.builder()
         .action(ListenerAction.authenticateOidc(AuthenticateOidcOptions.builder()
                 .authorizationEndpoint("https://example.com/openid")
                 // Other OIDC properties here
                 .clientId("...")
                 .clientSecret(SecretValue.secretsManager("..."))
                 .issuer("...")
                 .tokenEndpoint("...")
                 .userInfoEndpoint("...")
 
                 // Next
                 .next(ListenerAction.forward(List.of(myTargetGroup)))
                 .build()))
         .build());
 

If you just want to redirect all incoming traffic on one port to another port, you can use the following code:

 ApplicationLoadBalancer lb;
 
 
 lb.addRedirect(ApplicationLoadBalancerRedirectConfig.builder()
         .sourceProtocol(ApplicationProtocol.HTTPS)
         .sourcePort(8443)
         .targetProtocol(ApplicationProtocol.HTTP)
         .targetPort(8080)
         .build());
 

If you do not provide any options for this method, it redirects HTTP port 80 to HTTPS port 443.

By default all ingress traffic will be allowed on the source port. If you want to be more selective with your ingress rules then set open: false and use the listener's connections object to selectively grant access to the listener.

Application Load Balancer attributes

You can modify attributes of Application Load Balancers:

 Vpc vpc;
 
 
 ApplicationLoadBalancer lb = ApplicationLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .internetFacing(true)
 
         // Whether HTTP/2 is enabled
         .http2Enabled(false)
 
         // The idle timeout value, in seconds
         .idleTimeout(Duration.seconds(1000))
 
         // Whether HTTP headers with header fields thatare not valid
         // are removed by the load balancer (true), or routed to targets
         .dropInvalidHeaderFields(true)
 
         // How the load balancer handles requests that might
         // pose a security risk to your application
         .desyncMitigationMode(DesyncMitigationMode.DEFENSIVE)
 
         // The type of IP addresses to use.
         .ipAddressType(IpAddressType.IPV4)
 
         // The duration of client keep-alive connections
         .clientKeepAlive(Duration.seconds(500))
 
         // Whether cross-zone load balancing is enabled.
         .crossZoneEnabled(true)
 
         // Whether the load balancer blocks traffic through the Internet Gateway (IGW).
         .denyAllIgwTraffic(false)
 
         // Whether to preserve host header in the request to the target
         .preserveHostHeader(true)
 
         // Whether to add the TLS information header to the request
         .xAmznTlsVersionAndCipherSuiteHeaders(true)
 
         // Whether the X-Forwarded-For header should preserve the source port
         .preserveXffClientPort(true)
 
         // The processing mode for X-Forwarded-For headers
         .xffHeaderProcessingMode(XffHeaderProcessingMode.APPEND)
 
         // Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
         .wafFailOpen(true)
         .build();
 

For more information, see Load balancer attributes

Setting up Access Log Bucket on Application Load Balancer

The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html

 Vpc vpc;
 
 
 Bucket bucket = Bucket.Builder.create(this, "ALBAccessLogsBucket")
         .encryption(BucketEncryption.S3_MANAGED)
         .build();
 
 ApplicationLoadBalancer lb = ApplicationLoadBalancer.Builder.create(this, "LB").vpc(vpc).build();
 lb.logAccessLogs(bucket);
 

Defining a Network Load Balancer

Network Load Balancers are defined in a similar way to Application Load Balancers:

 Vpc vpc;
 AutoScalingGroup asg;
 ISecurityGroup sg1;
 ISecurityGroup sg2;
 
 
 // Create the load balancer in a VPC. 'internetFacing' is 'false'
 // by default, which creates an internal load balancer.
 NetworkLoadBalancer lb = NetworkLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .internetFacing(true)
         .securityGroups(List.of(sg1))
         .build();
 lb.addSecurityGroup(sg2);
 
 // Add a listener on a particular port.
 NetworkListener listener = lb.addListener("Listener", BaseNetworkListenerProps.builder()
         .port(443)
         .build());
 
 // Add targets on a particular port.
 listener.addTargets("AppFleet", AddNetworkTargetsProps.builder()
         .port(443)
         .targets(List.of(asg))
         .build());
 

You can indicate whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. The evaluation is enabled by default.

 Vpc vpc;
 
 
 NetworkLoadBalancer nlb = NetworkLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .enforceSecurityGroupInboundRulesOnPrivateLinkTraffic(true)
         .build();
 

One thing to keep in mind is that network load balancers do not have security groups, and no automatic security group configuration is done for you. You will have to configure the security groups of the target yourself to allow traffic by clients and/or load balancer instances, depending on your target types. See Target Groups for your Network Load Balancers and Register targets with your Target Group for more information.

Dualstack Network Load Balancer

You can create a dualstack Network Load Balancer using the ipAddressType property:

 Vpc vpc;
 
 
 NetworkLoadBalancer lb = NetworkLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         .ipAddressType(IpAddressType.DUAL_STACK)
         .build();
 

You cannot add UDP or TCP_UDP listeners to a dualstack Network Load Balancer.

Network Load Balancer attributes

You can modify attributes of Network Load Balancers:

 Vpc vpc;
 
 
 NetworkLoadBalancer lb = NetworkLoadBalancer.Builder.create(this, "LB")
         .vpc(vpc)
         // Whether deletion protection is enabled.
         .deletionProtection(true)
 
         // Whether cross-zone load balancing is enabled.
         .crossZoneEnabled(true)
 
         // Whether the load balancer blocks traffic through the Internet Gateway (IGW).
         .denyAllIgwTraffic(false)
 
         // Indicates how traffic is distributed among the load balancer Availability Zones.
         .clientRoutingPolicy(ClientRoutingPolicy.AVAILABILITY_ZONE_AFFINITY)
         .build();
 

Targets and Target Groups

Application and Network Load Balancers organize load balancing targets in Target Groups. If you add your balancing targets (such as AutoScalingGroups, ECS services or individual instances) to your listener directly, the appropriate TargetGroup will be automatically created for you.

If you need more control over the Target Groups created, create an instance of ApplicationTargetGroup or NetworkTargetGroup, add the members you desire, and add it to the listener by calling addTargetGroups instead of addTargets.

addTargets() will always return the Target Group it just created for you:

 NetworkListener listener;
 AutoScalingGroup asg1;
 AutoScalingGroup asg2;
 
 
 NetworkTargetGroup group = listener.addTargets("AppFleet", AddNetworkTargetsProps.builder()
         .port(443)
         .targets(List.of(asg1))
         .build());
 
 group.addTarget(asg2);
 

Sticky sessions for your Application Load Balancer

By default, an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm. However, you can use the sticky session feature (also known as session affinity) to enable the load balancer to bind a user's session to a specific target. This ensures that all requests from the user during the session are sent to the same target. This feature is useful for servers that maintain state information in order to provide a continuous experience to clients. To use sticky sessions, the client must support cookies.

Application Load Balancers support both duration-based cookies (lb_cookie) and application-based cookies (app_cookie). The key to managing sticky sessions is determining how long your load balancer should consistently route the user's request to the same target. Sticky sessions are enabled at the target group level. You can use a combination of duration-based stickiness, application-based stickiness, and no stickiness across all of your target groups.

 Vpc vpc;
 
 
 // Target group with duration-based stickiness with load-balancer generated cookie
 ApplicationTargetGroup tg1 = ApplicationTargetGroup.Builder.create(this, "TG1")
         .targetType(TargetType.INSTANCE)
         .port(80)
         .stickinessCookieDuration(Duration.minutes(5))
         .vpc(vpc)
         .build();
 
 // Target group with application-based stickiness
 ApplicationTargetGroup tg2 = ApplicationTargetGroup.Builder.create(this, "TG2")
         .targetType(TargetType.INSTANCE)
         .port(80)
         .stickinessCookieDuration(Duration.minutes(5))
         .stickinessCookieName("MyDeliciousCookie")
         .vpc(vpc)
         .build();
 

Slow start mode for your Application Load Balancer

By default, a target starts to receive its full share of requests as soon as it is registered with a target group and passes an initial health check. Using slow start mode gives targets time to warm up before the load balancer sends them a full share of requests.

After you enable slow start for a target group, its targets enter slow start mode when they are considered healthy by the target group. A target in slow start mode exits slow start mode when the configured slow start duration period elapses or the target becomes unhealthy. The load balancer linearly increases the number of requests that it can send to a target in slow start mode. After a healthy target exits slow start mode, the load balancer can send it a full share of requests.

The allowed range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).

 Vpc vpc;
 
 
 // Target group with slow start mode enabled
 ApplicationTargetGroup tg = ApplicationTargetGroup.Builder.create(this, "TG")
         .targetType(TargetType.INSTANCE)
         .slowStart(Duration.seconds(60))
         .port(80)
         .vpc(vpc)
         .build();
 

For more information see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness

Setting the target group protocol version

By default, Application Load Balancers send requests to targets using HTTP/1.1. You can use the protocol version to send requests to targets using HTTP/2 or gRPC.

 Vpc vpc;
 
 
 ApplicationTargetGroup tg = ApplicationTargetGroup.Builder.create(this, "TG")
         .targetType(TargetType.IP)
         .port(50051)
         .protocol(ApplicationProtocol.HTTP)
         .protocolVersion(ApplicationProtocolVersion.GRPC)
         .healthCheck(HealthCheck.builder()
                 .enabled(true)
                 .healthyGrpcCodes("0-99")
                 .build())
         .vpc(vpc)
         .build();
 

Using Lambda Targets

To use a Lambda Function as a target, use the integration class in the aws-cdk-lib/aws-elasticloadbalancingv2-targets package:

 import software.amazon.awscdk.services.lambda.*;
 import software.amazon.awscdk.services.elasticloadbalancingv2.targets.*;
 
 Function lambdaFunction;
 ApplicationLoadBalancer lb;
 
 
 ApplicationListener listener = lb.addListener("Listener", BaseApplicationListenerProps.builder().port(80).build());
 listener.addTargets("Targets", AddApplicationTargetsProps.builder()
         .targets(List.of(new LambdaTarget(lambdaFunction)))
 
         // For Lambda Targets, you need to explicitly enable health checks if you
         // want them.
         .healthCheck(HealthCheck.builder()
                 .enabled(true)
                 .build())
         .build());
 

Only a single Lambda function can be added to a single listener rule.

Using Application Load Balancer Targets

To use a single application load balancer as a target for the network load balancer, use the integration class in the aws-cdk-lib/aws-elasticloadbalancingv2-targets package:

 import software.amazon.awscdk.services.elasticloadbalancingv2.targets.*;
 import software.amazon.awscdk.services.ecs.*;
 import software.amazon.awscdk.services.ecs.patterns.*;
 
 Vpc vpc;
 
 
 FargateTaskDefinition task = FargateTaskDefinition.Builder.create(this, "Task").cpu(256).memoryLimitMiB(512).build();
 task.addContainer("nginx", ContainerDefinitionOptions.builder()
         .image(ContainerImage.fromRegistry("public.ecr.aws/nginx/nginx:latest"))
         .portMappings(List.of(PortMapping.builder().containerPort(80).build()))
         .build());
 
 ApplicationLoadBalancedFargateService svc = ApplicationLoadBalancedFargateService.Builder.create(this, "Service")
         .vpc(vpc)
         .taskDefinition(task)
         .publicLoadBalancer(false)
         .build();
 
 NetworkLoadBalancer nlb = NetworkLoadBalancer.Builder.create(this, "Nlb")
         .vpc(vpc)
         .crossZoneEnabled(true)
         .internetFacing(true)
         .build();
 
 NetworkListener listener = nlb.addListener("listener", BaseNetworkListenerProps.builder().port(80).build());
 
 listener.addTargets("Targets", AddNetworkTargetsProps.builder()
         .targets(List.of(new AlbTarget(svc.getLoadBalancer(), 80)))
         .port(80)
         .build());
 
 CfnOutput.Builder.create(this, "NlbEndpoint").value(String.format("http://%s", nlb.getLoadBalancerDnsName())).build();
 

Only the network load balancer is allowed to add the application load balancer as the target.

Configuring Health Checks

Health checks are configured upon creation of a target group:

 ApplicationListener listener;
 AutoScalingGroup asg;
 
 
 listener.addTargets("AppFleet", AddApplicationTargetsProps.builder()
         .port(8080)
         .targets(List.of(asg))
         .healthCheck(HealthCheck.builder()
                 .path("/ping")
                 .interval(Duration.minutes(1))
                 .build())
         .build());
 

The health check can also be configured after creation by calling configureHealthCheck() on the created object.

No attempts are made to configure security groups for the port you're configuring a health check for, but if the health check is on the same port you're routing traffic to, the security group already allows the traffic. If not, you will have to configure the security groups appropriately:

 ApplicationLoadBalancer lb;
 ApplicationListener listener;
 AutoScalingGroup asg;
 
 
 listener.addTargets("AppFleet", AddApplicationTargetsProps.builder()
         .port(8080)
         .targets(List.of(asg))
         .healthCheck(HealthCheck.builder()
                 .port("8088")
                 .build())
         .build());
 
 asg.connections.allowFrom(lb, Port.tcp(8088));
 

Using a Load Balancer from a different Stack

If you want to put your Load Balancer and the Targets it is load balancing to in different stacks, you may not be able to use the convenience methods loadBalancer.addListener() and listener.addTargets().

The reason is that these methods will create resources in the same Stack as the object they're called on, which may lead to cyclic references between stacks. Instead, you will have to create an ApplicationListener in the target stack, or an empty TargetGroup in the load balancer stack that you attach your service to.

For an example of the alternatives while load balancing to an ECS service, see the ecs/cross-stack-load-balancer example.

Protocol for Load Balancer Targets

Constructs that want to be a load balancer target should implement IApplicationLoadBalancerTarget and/or INetworkLoadBalancerTarget, and provide an implementation for the function attachToXxxTargetGroup(), which can call functions on the load balancer and should return metadata about the load balancing target:

 public class MyTarget implements IApplicationLoadBalancerTarget {
     public LoadBalancerTargetProps attachToApplicationTargetGroup(ApplicationTargetGroup targetGroup) {
         // If we need to add security group rules
         // targetGroup.registerConnectable(...);
         return LoadBalancerTargetProps.builder()
                 .targetType(TargetType.IP)
                 .targetJson(Map.of("id", "1.2.3.4", "port", 8080))
                 .build();
     }
 }
 

targetType should be one of Instance or Ip. If the target can be directly added to the target group, targetJson should contain the id of the target (either instance ID or IP address depending on the type) and optionally a port or availabilityZone override.

Application load balancer targets can call registerConnectable() on the target group to register themselves for addition to the load balancer's security group rules.

If your load balancer target requires that the TargetGroup has been associated with a LoadBalancer before registration can happen (such as is the case for ECS Services for example), take a resource dependency on targetGroup.loadBalancerAttached as follows:

 Resource resource;
 ApplicationTargetGroup targetGroup;
 
 
 // Make sure that the listener has been created, and so the TargetGroup
 // has been associated with the LoadBalancer, before 'resource' is created.
 
 Node.of(resource).addDependency(targetGroup.getLoadBalancerAttached());
 

Looking up Load Balancers and Listeners

You may look up load balancers and load balancer listeners by using one of the following lookup methods:

  • ApplicationLoadBalancer.fromlookup(options) - Look up an application load balancer.
  • ApplicationListener.fromLookup(options) - Look up an application load balancer listener.
  • NetworkLoadBalancer.fromLookup(options) - Look up a network load balancer.
  • NetworkListener.fromLookup(options) - Look up a network load balancer listener.

Load Balancer lookup options

You may look up a load balancer by ARN or by associated tags. When you look a load balancer up by ARN, that load balancer will be returned unless CDK detects that the load balancer is of the wrong type. When you look up a load balancer by tags, CDK will return the load balancer matching all specified tags. If more than one load balancer matches, CDK will throw an error requesting that you provide more specific criteria.

Look up a Application Load Balancer by ARN

 IApplicationLoadBalancer loadBalancer = ApplicationLoadBalancer.fromLookup(this, "ALB", ApplicationLoadBalancerLookupOptions.builder()
         .loadBalancerArn("arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456")
         .build());
 

Look up an Application Load Balancer by tags

 IApplicationLoadBalancer loadBalancer = ApplicationLoadBalancer.fromLookup(this, "ALB", ApplicationLoadBalancerLookupOptions.builder()
         .loadBalancerTags(Map.of(
                 // Finds a load balancer matching all tags.
                 "some", "tag",
                 "someother", "tag"))
         .build());
 

Load Balancer Listener lookup options

You may look up a load balancer listener by the following criteria:

  • Associated load balancer ARN
  • Associated load balancer tags
  • Listener ARN
  • Listener port
  • Listener protocol

The lookup method will return the matching listener. If more than one listener matches, CDK will throw an error requesting that you specify additional criteria.

Look up a Listener by associated Load Balancer, Port, and Protocol

 IApplicationListener listener = ApplicationListener.fromLookup(this, "ALBListener", ApplicationListenerLookupOptions.builder()
         .loadBalancerArn("arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456")
         .listenerProtocol(ApplicationProtocol.HTTPS)
         .listenerPort(443)
         .build());
 

Look up a Listener by associated Load Balancer Tag, Port, and Protocol

 IApplicationListener listener = ApplicationListener.fromLookup(this, "ALBListener", ApplicationListenerLookupOptions.builder()
         .loadBalancerTags(Map.of(
                 "Cluster", "MyClusterName"))
         .listenerProtocol(ApplicationProtocol.HTTPS)
         .listenerPort(443)
         .build());
 

Look up a Network Listener by associated Load Balancer Tag, Port, and Protocol

 INetworkListener listener = NetworkListener.fromLookup(this, "ALBListener", NetworkListenerLookupOptions.builder()
         .loadBalancerTags(Map.of(
                 "Cluster", "MyClusterName"))
         .listenerProtocol(Protocol.TCP)
         .listenerPort(12345)
         .build());
 

Metrics

You may create metrics for Load Balancers and Target Groups through the metrics attribute:

Load Balancer:

 IApplicationLoadBalancer alb;
 
 
 IApplicationLoadBalancerMetrics albMetrics = alb.getMetrics();
 Metric metricConnectionCount = albMetrics.activeConnectionCount();
 

Target Group:

 IApplicationTargetGroup targetGroup;
 
 
 IApplicationTargetGroupMetrics targetGroupMetrics = targetGroup.getMetrics();
 Metric metricHealthyHostCount = targetGroupMetrics.healthyHostCount();
 

Metrics are also available to imported resources:

 Stack stack;
 
 
 IApplicationTargetGroup targetGroup = ApplicationTargetGroup.fromTargetGroupAttributes(this, "MyTargetGroup", TargetGroupAttributes.builder()
         .targetGroupArn(Fn.importValue("TargetGroupArn"))
         .loadBalancerArns(Fn.importValue("LoadBalancerArn"))
         .build());
 
 IApplicationTargetGroupMetrics targetGroupMetrics = targetGroup.getMetrics();
 

Notice that TargetGroups must be imported by supplying the Load Balancer too, otherwise accessing the metrics will throw an error:

 Stack stack;
 
 IApplicationTargetGroup targetGroup = ApplicationTargetGroup.fromTargetGroupAttributes(this, "MyTargetGroup", TargetGroupAttributes.builder()
         .targetGroupArn(Fn.importValue("TargetGroupArn"))
         .build());
 
 IApplicationTargetGroupMetrics targetGroupMetrics = targetGroup.getMetrics();