Q: Which operating systems does an Application Load Balancer support? An Application Load Balancer supports targets with any operating system currently supported by the Amazon EC2 service. Q: Which protocols does an Application Load Balancer support? An Application Load Balancer supports load balancing of applications using HTTP and HTTPS (Secure HTTP) protocols. Q: Is HTTP/2 Supported on an Application Load Balancer? Yes. HTTP/2 support is enabled natively on an Application Load Balancer. Clients that support HTTP/2 can connect to an Application Load Balancer over TLS. Q: What TCP ports can I use to load balance? You can perform load balancing for the following TCP ports: 1-65535 Q: Is WebSockets supported on an Application Load Balancer? Yes. WebSockets and Secure WebSockets support is available natively and ready for use on an Application Load Balancer. Q: Is Request tracing supported on an Application Load Balancer? Yes. Request tracing is enabled by default on your Application Load Balancer. Q: Will my existing load balancers (Classic Load Balancers) have the same features and benefits of an Application Load Balancer? While there is some overlap, we do not plan to maintain feature parity between the two types of load balancers. Application Load Balancers are the foundation of our application layer load-balancing platform for the future. Q: Can I configure my Amazon EC2 instances to accept traffic only from my Application Load Balancers? Yes. Q: Can I configure a security group for the front-end of an Application Load Balancer? Yes. Q: Can I use the existing APIs that I use with my Classic Load Balancer with an Application Load Balancer? No. Application Load Balancers require a new set of APIs. Q: How do I manage both Application and Classic Load Balancers simultaneously? The ELB Console will allow you to manage Application and Classic Load Balancers from the same interface. If you are using the CLI or an SDK, you will use a different ‘service’ for Application Load Balancers. For example, in the CLI you will describe your Classic Load Balancers using `aws elb describe-load-balancers` and your Application Load Balancers using `aws elbv2 describe-load-balancers`. Q: Can I convert my Classic Load Balancer to an Application Load Balancer (and vice versa)? No, you cannot convert one load balancer type into another. Q: Can I migrate to Application Load Balancer from Classic Load Balancer? Yes. You can migrate to Application Load Balancer from Classic Load Balancer using one of the options listed in this document. Q: Can I use an Application Load Balancer as a Layer-4 load balancer? No. If you need Layer-4 features, you should use Network Load Balancer. Q: Can I use a single Application Load Balancer for handling HTTP and HTTPS requests? Yes, you can add listeners for HTTP port 80 and HTTPS port 443 to a single Application Load Balancer. Q: Can I get a history of Application Load Balancing API calls made on my account for security analysis and operational troubleshooting purposes? Yes. To receive a history of Application Load Balancing API calls made on your account, use AWS CloudTrail. Q: Does an Application Load Balancer support HTTPS termination? Yes, you can terminate HTTPS connection on the Application Load Balancer. You must install an SSL certificate on your load balancer. The load balancer uses this certificate to terminate the connection and then decrypt requests from clients before sending them to targets. Q: What are the steps to get a SSL certificate? You can either use AWS Certificate Manager to provision an SSL/TLS certificate or you can obtain the certificate from other sources by creating the certificate request, getting the certificate request signed by a CA, and then uploading the certificate either using AWS Certification Manager or the AWS Identity and Access Management (IAM) service. Q: How does an Application Load Balancer integrate with AWS Certificate Manager (ACM)? An Application Load Balancer is integrated with AWS Certificate Management (ACM). Integration with ACM makes it very simple to bind a certificate to the load balancer thereby making the entire SSL offload process very easy. Purchasing, uploading, and renewing SSL/TLS certificates is a time-consuming manual and complex process. With ACM integration with Application Load Balancer, this whole process has been shortened to simply requesting a trusted SSL/TLS certificate and selecting the ACM certificate to provision it with the load balancer. Q: Is back-end server authentication supported with an Application Load Balancer? No, only encryption is supported to the back-ends with an Application Load Balancer. Q: How can I enable Server Name Indication (SNI) for my Application Load Balancer? SNI is automatically enabled when you associate more than one TLS certificate with the same secure listener on a load balancer. Similarly, SNI mode for a secure listener is automatically disabled when you have only one certificate associated to a secure listener. Q: Can I associate multiple certificates for the same domain to a secure listener? Yes, you can associate multiple certificates for the same domain to a secure listener. For example, you can asoociate
(a) ECDSA and RSA certificates
(b) Certificates with different key sizes (e.g. 2K and 4K) for SSL/TLS certificates
(c) Single-Domain, Multi-Domain (SAN) and Wildcard certificates Q: Is IPv6 supported with an Application Load Balancer? Yes, IPv6 is supported with an Application Load Balancer. Q: How do you set up rules on an Application Load Balancer? You can configure rules for each of your listeners you configure for the load balancer. The rules include a condition and a corresponding action if the condition is satisfied. The condition will be a path URL path of a service (e.g. /img) and action is forward. Once you have set this up, the load balancer will use the rules to determine the service to which the request must be routed. Q: Are there limits on the resources for an Application Load Balancer? Your AWS account has these limits for an Application Load Balancer. Q. How can I protect my web applications behind a load balancer from web attacks? You can integrate your Application Load Balancer with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing you to configure rules based on IP addresses, HTTP headers, and custom URI strings. Using these rules, AWS WAF can block, allow, or monitor (count) web requests for your web application. Please see AWS WAF Developer Guide for more information. Q: Can I load balance to any arbitrary IP address? You can use any IP address from the load balancer’s VPC CIDR for targets within load balancer’s VPC and any IP address from RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) or RFC 6598 range (100.64.0.0/10) for targets located outside the load balancer’s VPC (for example, targets in Peered VPC, EC2-Classic and on-premises locations reachable over AWS Direct Connect or VPN connection). Q: How can I load balance applications distributed across a VPC and on-premises location? There are various ways to achieve hybrid load balancing. If an application runs on targets distributed between a VPC and an on-premises location, you can add them to the same target group using their IP addresses. To migrate to AWS without impacting your application, gradually add VPC targets to the target group and remove on-premises targets from the target group. If you have two different applications such that the targets for one application are in a VPC and the targets for other applications are in on-premises location, you can put the VPC targets in one target group and the on-premises targets in another target group and use content based routing to route traffic to each target group. You can also use separate load balancers for VPC and on-premises targets and use DNS weighting to achieve weighted load balancing between VPC and on-premises targets. Q: How can I load balance to EC2-Classic instances? You cannot load balance to EC2-Classic Instances when registering their Instance IDs as targets. However if you link these EC2-Classic instances to the load balancer's VPC using ClassicLink and use the private IPs of these EC2-Classic instances as targets, then you can load balance to the EC2-Classic instances. If you are using EC2 Classic instances today with a Classic Load Balancer, you can easily migrate to an Application Load Balancer. Q: How do I enable cross-zone load balancing in Application Load Balancer? Cross-zone load balancing is already enabled by default in Application Load Balancer. Q: When should I authenticate users using the Application Load Balancer’s integration with Amazon Cognito vs. the Application Load Balancers’ native support for OpenID Connect (IODC) identity providers (IdPs)? You should use authentication through Amazon Cognito if: a. You want to provide flexibility to your users to authenticate via social network identities (Google, Facebook, and Amazon) or enterprise identities (SAML) or via your own user directories provided by Amazon Cognito’s User Pool. b. You are managing multiple identity providers including OpenID Connect and want to create a single authentication rule in ALB, that can use Amazon Cognito to federate your multiple identity providers. c. You have a need to actively manage user profiles with one or more social or OpenID Connect identity providers from one central place. For example, you can put users in groups and add custom attributes to represent user status and control access for paid users. Alternatively, if you have invested in developing custom IdP solutions and simply want to authenticate with a single identity provider that is OpenID Connect-compatible, you may prefer using Application Load Balancer’s native OIDC solution. Q: What type of redirects does ALB support ? The following three types of redirects are supported.