Application Load Balancers

An Application Load Balancer (ALB) serves as a single point of contact for clients and distributes incoming application traffic across multiple targets, such as containers and Lambda functions. It operates at the application layer (layer 7) and is ideal for load balancing HTTP and HTTPS traffic.

ALBs can be integrated with various compute resources, offload SSL/TLS termination, and be configured with custom domain names or fronted by a CDN.

Under the hood, Stacktape uses AWS Application Load Balancer.

When to use them

ALBs are a good fit for most modern cloud applications. They offer high throughput and low latency, making them suitable for demanding workloads.

Advantages

Predictable pricing: ALBs have a predictable pricing model, which can be more cost-effective than HTTP API Gateways for high-traffic applications.
Scalability: ALBs can handle millions of requests per second and scale automatically as traffic grows.
Health checks: When used with container workloads, an ALB periodically checks the health of each container and only routes traffic to healthy ones.
Content-based routing: ALBs can route requests to different services based on the content of the request, such as the URL path, HTTP header, or query string.
Security: You can offload SSL/TLS termination to the load balancer, encrypting traffic between the client and the ALB.

Disadvantages

Fixed cost: ALBs have a fixed monthly cost (around $20/month), even if they are idle. For low-traffic applications, an HTTP API Gateway might be a more cost-effective choice.

Basic usage

ApplicationLoadBalancer API reference

type

Required

properties.interface

Default: internet

properties.customDomains

properties.listeners

properties.cdn

properties.alarms

properties.disabledGlobalAlarms

properties.useFirewall

overrides


resources:
  myLoadBalancer:
    type: 'application-load-balancer'

  basicLambda:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: 'lambdas/js-lambda.js'
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            priority: 5
            paths:
              - '*'

An Application Load Balancer with a Lambda function integration.

Integrating with compute resources

You can forward requests from an ALB to your compute resources by creating an event integration on a multi-container workload, function, or batch job.

Each integration must specify:

loadBalancerName: The name of the ALB that will forward requests.
priority: A number that determines the order in which the integration rules are evaluated (from lowest to highest).
condition: A set of rules that determine which requests are forwarded to the resource. Conditions can be based on the URL path, query string, headers, and other request properties.

The following example shows two integrations:

The first integration forwards all requests (*) to a multi-container workload.
The second integration, which has a lower priority and is evaluated first, forwards any requests with a URL path prefixed with /lambda-service/ to a Lambda function.


resources:
  myLoadBalancer:
    type: 'application-load-balancer'

  mySingleContainer:
    type: 'multi-container-workload'
    properties:
      containers:
        - name: myCont
          packaging:
            type: stacktape-image-buildpack
            properties:
              entryfilePath: containers/ts-container.ts
          environment:
            - name: PORT
              value: '80'
          events:
            - type: application-load-balancer
              properties:
                loadBalancerName: myLoadBalancer
                containerPort: 80
                priority: 3
                paths:
                  - '*'
      resources:
        cpu: 0.25
        memory: 512

  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            priority: 2
            paths:
              - '/lambda-service/*'

An ALB with integrations for both a function and a multi-container workload.

For more information, see the documentation on integrating ALBs with functions, multi-container workloads, and batch jobs.

Custom domain names

You can use a custom domain for your ALB. If you don't have one, you can register one through Stacktape.

If you already have a domain, you can either let Stacktape manage it (if you use AWS Route 53 for DNS) or use a third-party DNS provider.

For more details, see the Domains and Certificates page.

Using Stacktape to manage domains and certs

Stacktape allows you to connect your custom domain names to some of your resources (Web Service, HTTP API Gateways, Application Load Balancers and Buckets with CDNs).

Connecting a custom domain to the resource does 2 things:

Creates DNS records:
- If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
Adds TLS certificates
- If you do not specify custom listeners or your listeners use HTTPS, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
- If you want to use your own certificates, you can configure customCertificateArns on the listener.

To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.


resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com

Using a 3rd-party DNS

To use a domain from a provider like GoDaddy or Cloudflare:

Create or import a TLS certificate for your domain in the AWS Certificate Manager console and copy its ARN.
Configure a listener on your load balancer to use the custom certificate.
After deploying, find the ALB's domain name in the Stacktape Console.
In your DNS provider's dashboard, create a CNAME or ALIAS record pointing to the ALB's domain name.


resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 443
          protocol: HTTPS
          customCertificateArns:
            - arn:aws:acm:eu-west-1:999999999999:certificate/8ab817b5-c4fa-4b1d-8b72-d6082cb40351
        - port: 80
          protocol: HTTP
          defaultAction:
            type: redirect
            properties:
              statusCode: HTTP_301
              protocol: HTTPS

A custom HTTPS listener with a custom certificate and an automatic redirect from HTTP to HTTPS.

Custom listeners

Listeners check for connection requests from clients, using the protocol and port that you configure. You can define rules for a listener that determine how the load balancer routes requests to its registered targets.

Listeners are used to expose specific ports of the Load balancer.
If you do not specify any listeners, by default, two listeners are created:
- HTTPS listener (port 443) - all traffic is routed to this listener
- HTTP listener (port 80) - automatically redirects to HTTPS listener

ApplicationLoadBalancerListener API reference

Parent:ApplicationLoadBalancer

protocol

Required

port

Required

customCertificateArns

whitelistIps

defaultAction


resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 80
          protocol: HTTP

  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            # you need to specify listener port when referencing load balancer with custom listeners
            listenerPort: 80
            priority: 5
            paths:
              - '*'

An ALB with a single listener and a function integration.

Default listener action

The default action for a listener determines what to do with a request that doesn't match any of the listener's rules.

Redirect

You can configure a listener to redirect incoming requests to a different URL. For example, you can redirect all HTTP requests on port 80 to an HTTPS listener on port 443.

LbRedirect API reference

Parent:ApplicationLoadBalancerListener

type

Required

properties.statusCode

Required

properties.path

properties.query

properties.port

properties.host

properties.protocol


resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      listeners:
        - port: 443
          protocol: HTTPS
        - port: 80
          protocol: HTTP
          defaultAction:
            type: redirect
            properties:
              statusCode: HTTP_301
              protocol: HTTPS
              port: 443

CDN

You can place an AWS CloudFront CDN in front of your ALB to cache content and reduce latency.

CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
AWS Cloudfront has 205 edge locations on 6 continents.
The CDN is used to:
- reduce latency & improve load times
- reduce bandwidth costs
- reduce the amount of traffic coming to the origin
- improve security
The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
The CDN has its own URL endpoint.

For more information, see the CDN documentation.

Using a firewall

You can protect your ALB with a web application firewall (WAF).

You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Web app firewall protects your application by filtering dangerous requests coming to your app. You can read more about the firewall in our docs.

To learn more, see the Web Application Firewall documentation.


resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      useFirewall: myFirewall

Referenceable parameters

The following parameters can be easily referenced using $ResourceParam directive directive.

To learn more about referencing parameters, refer to referencing parameters.

domain

default domain name of load balancer
Usage: $ResourceParam('<<resource-name>>', 'domain')

customDomains

Comma-separated list of custom domain names assigned to the Load balancer (only available if you use custom domain names)
Usage: $ResourceParam('<<resource-name>>', 'customDomains')

cdnDomain

Default domain of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).
Usage: $ResourceParam('<<resource-name>>', 'cdnDomain')

cdnUrl

Default url of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).
Usage: $ResourceParam('<<resource-name>>', 'cdnUrl')

cdnCustomDomains

Comma-separated list of custom domain names assigned to the CDN (only available if you configure custom domain names for the CDN).
Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomains')

cdnCustomDomainUrls

Comma-separated list of custom domain name URLs of the CDN (only available if you configure custom domain names for the CDN).
Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomainUrls')