AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)

Configuring an Application Load Balancer

When you launch a load-balanced environment, you can choose to use an application load balancer instead of a classic load balancer. An application load balancer inspects traffic to identify the request's path so that it can direct requests for different paths to different destinations.

By default, an application load balancer performs the same function as a classic load balancer. The default listener accepts HTTP requests on port 80 and distributes them to the instances in your environment. You can add a secure listener on port 443 with a certificate to decrypt HTTPS traffic, configure health check behavior, and push access logs from the load balancer to an Amazon Simple Storage Service (Amazon S3) bucket.


Unlike a classic load balancer, an application load balancer cannot have non-HTTP TCP or SSL/TLS listeners, and cannot use backend authentication to authenticate HTTPS connections between the load balancer and backend instances.

In an AWS Elastic Beanstalk environment, you can use an application load balancer to direct traffic for certain paths to a different port on your web server instances. With a classic load balancer, all traffic to a listener is routed to a single port on the backend instances. With an application load balancer, you can configure multiple rules on the listener to route requests to certain paths to different backend ports.

For example, you could run a login process separate from your main application. While your main application accepts the majority of requests and listens on port 80, your login process listens on port 5000 and accepts requests to the /login path. With an application load balancer, you can configure a single listener with two rules to route traffic to either port 80 or port 5000, depending on the path in the request. One rule routes traffic to /login to port 5000, while the default rule routes all other traffic to port 80.

An application load balancer rule maps a request to a target group. In Elastic Beanstalk, a target group is represented by a process, which you can configure with a protocol, port, and health check settings. The process represents the process running on the instances in your environment. The default process is a listener on port 80 of the reverse proxy (nginx or Apache) that runs in front of your application.


Outside of Elastic Beanstalk, a target group maps to a group of instances, and a listener can use rules and target groups to route traffic to different instances based on the path. Within Elastic Beanstalk, all of your instances in your environment are identical, so the distinction is made between processes listening on different ports.

Instead of a single health check path for the entire environment, each process has a separate health check path that is monitored by the load balancer and Elastic Beanstalk enhanced health monitoring.

To use an application load balancer, your environment must be in a default or custom VPC, and must have a service role with the standard set of permissions. If you have an older service role, you may need to update the permissions on it to include elasticloadbalancing:DescribeTargetHealth and elasticloadbalancing:DescribeLoadBalancers. For more information about application load balancers, see What Is an Application Load Balancer? in the Application Load Balancer Guide.

Getting Started


You can set the load balancer type only during environment creation using the EB CLI or the Elastic Beanstalk APIs; the console does not support this functionality.

The EB CLI prompts you to choose a load balancer type when you run eb create:

$ eb create Enter Environment Name (default is my-app): test-env Enter DNS CNAME prefix (default is my-app): test-env-DLW24ED23SF Select a load balancer type 1) classic 2) application (default is 1): 2

You can also specify a load balancer type with the --elb-type option:

$ eb create test-env --elb-type application

Application Load Balancer Namespaces

Settings related to application load balancers are spread across the following namespaces:

  • aws:elasticbeanstalk:environment – Choose between an application load balancer and classic load balancer.

  • aws:elbv2:loadbalancer – Configure access logs and other settings that apply to the application load balancer as a whole.

  • aws:elbv2:listener – Configure listeners on the application load balancer. These settings map to the settings in aws:elb:listener for classic load balancers.

  • aws:elbv2:listenerrule – Configure rules that route traffic to different processes, depending on the request path. Rules are unique to application load balancers.

  • aws:elasticbeanstalk:environment:process – Configure health checks and specify the port and protocol for the processes that run on your environment's instances. The port and protocol settings map to the instance port and instance protocol settings in aws:elb:listener for a listener on a classic load balancer. Health check settings map to the settings in aws:elb:healthcheck and aws:elasticbeanstalk:application namespaces.

Example .ebextensions/application-load-balancer.config

To get started with an application load balancer, use a configuration file to set the load balancer type to application:

option_settings: aws:elasticbeanstalk:environment: LoadBalancerType: application


You can only set the load balancer type during environment creation.

Example .ebextensions/alb-access-logs.config

The following configuration file enables access log uploads for an environment with an application load balancer:

option_settings: aws:elbv2:loadbalancer: AccessLogsS3Bucket: my-bucket AccessLogsS3Enabled: 'true' AccessLogsS3Prefix: beanstalk-alb

Example .ebextensions/alb-default-process.config

The following configuration file modifies health check and stickiness settings on the default process:

option_settings: aws:elasticbeanstalk:environment:process:default: DeregistrationDelay: '20' HealthCheckInterval: '15' HealthCheckPath: / HealthCheckTimeout: '5' HealthyThresholdCount: '3' UnhealthyThresholdCount: '5' MatcherHTTPCode: null Port: '80' Protocol: HTTP StickinessEnabled: 'true' StickinessLBCookieDuration: '43200'

Example .ebextensions/alb-secure-listener.config

The following configuration file adds a secure listener and matching process on port 443:

option_settings: aws:elbv2:listener:443: DefaultProcess: https ListenerEnabled: 'true' Protocol: HTTPS SSLCertificateArns: arn:aws:acm:us-east-1:0123456789012:certificate/21324896-0fa4-412b-bf6f-f362d6eb6dd7 aws:elasticbeanstalk:environment:process:https: Port: '443' Protocol: HTTPS

Example .ebextensions/alb-admin-rule.config

The following configuration file adds a secure listener with a rule that routes traffic with a request path of /admin to a process named admin that listens on port 4443:

option_settings: aws:elbv2:listener:443: DefaultProcess: https ListenerEnabled: 'true' Protocol: HTTPS Rules: admin SSLCertificateArns: arn:aws:acm:us-east-1:0123456789012:certificate/21324896-0fa4-412b-bf6f-f362d6eb6dd7 aws:elasticbeanstalk:environment:process:admin: HealthCheckPath: /admin Port: '4443' Protocol: HTTPS aws:elbv2:listenerrule:admin: PathPatterns: /admin/* Priority: 1 Process: admin