Stacktape docs


Application Load Balancers

Work in progress

Overview and basic concepts

  • An application load balancer is the entry point to your application. It routes traffic to your application and integrates easily with the workloads of your stack: functions, batch-jobs or container-workloads.
  • Application load balancers communicate with your workloads using the HTTP protocol.
  • You can offload SSL/TLS (HTTPS) termination to the load balancer instead of handling it as a part of your application.
  • You can easily configure custom domain names or put a CDN in front of your application-load-balancer.

When to use

An application load balancer is a good fit for many cloud applications. Whether your backend runs on container-workloads or functions, its high throughput and low latency make an application load balancer ideal for high-load, fast-performing applications.

Advantages

  • Predictable pricing - Application load balancers have a predictable pricing model which can be found here. Even though application-load-balancers have a fixed base price per month (as opposed to http-api-gateways, where you only pay for requests), an application-load-balancer can be cheaper when traffic is high.
  • Scaling - Application load balancer is designed to handle traffic as it grows and can load balance millions of requests/sec.
  • Health checks - When an application load balancer is used with container-workloads, the load balancer periodically checks the health of target containers. It only sends requests to healthy ones and automatically notifies container-workload to replace unhealthy containers.
  • Content based routing - If your application is composed of several individual services, application-load-balancer can route a request to a service based on the content of the request such as Host field, Path URL, HTTP header, HTTP method, Query string or Source IP address (see section Integrating with workloads).
  • Ease of use - Integrate with the workloads of your stack with a few lines of config.
  • Security - You can offload SSL/TLS (HTTPS) termination to the load-balancer instead of handling it as a part of your application. This means that any communication between load-balancer and client can be encrypted.

Disadvantages

  • Fixed price base - You pay ~20$/month for an application-load-balancer even if it is sitting idle. If you have a low-traffic application or do NOT need the advantages that an application-load-balancer offers, you might try using an http-api-gateway.

Simple usage

ApplicationLoadBalancer  API reference
type
Required

No description

Type: string "application-load-balancer"

properties.interface
Default: internet

Configures accessibility of the Load balancer

Type: string ENUM

Possible values: internal, internet

  • internet: Load balancer is accessible from the internet
  • internal: Load balancer is accessible only from within the same VPC network. To learn more about VPCs, refer to Stacktape docs.
properties.customDomains

Configures custom domains for this Load balancer

Type: Array of string

Stacktape allows you to connect your custom domain names to some of your resources (HTTP API Gateways, Application Load Balancers and Buckets with CDNs).

Connecting a custom domain to the resource does 2 things:

  • Creates DNS records:
    • If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
  • Adds TLS certificates
    • If the origin resource (HTTP API Gateway, Application Load Balancer or CDN) uses HTTPS protocol, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
    • If you want to use your own certificates, you can configure the customCertificateArns property on the load balancer's listener.

To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.

properties.listeners

Configures custom listeners (combinations of port and protocol) for this load balancer

Type: Array of ApplicationLoadBalancerListener

  • Listeners are used to expose specific ports of the Load balancer.
  • If you do not specify any listeners:
    • If property useHttps is set to true, then two listeners are created:
      • HTTPS listener (port 443) - all traffic is routed to this listener
      • HTTP listener (port 80) - automatically redirects to HTTPS listener
    • If property useHttps is not set or is set to false, one listener is created:
      • HTTP listener (port 80) - all traffic is routed to this listener
properties.cdn

Configures AWS Cloudfront CDN (Content Delivery Network) to be in front of your Application Load Balancer

Type: ApplicationLoadBalancerCdnConfiguration

  • CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
  • AWS Cloudfront has 205 edge locations on 6 continents.
  • The CDN is used to:
    • reduce latency & improve load times
    • reduce bandwidth costs
    • reduce the amount of traffic coming to the origin
    • improve security
  • The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
  • If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
  • If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
  • The CDN has its own URL endpoint.
properties.useHttps

Enables HTTPS on the load balancer (default load balancer listener)

Type: boolean

  • If set to true:
    • load balancer uses HTTPS protocol for the incoming connection
    • all incoming HTTP protocol connections are redirected to the HTTPS
  • To use this property, you also need to specify custom domain in customDomains property
overrides

Overrides one or more properties of the specified child resource.

Type: Object

  • Child resources are specified using their cloudformation logical id (e.g. MyBucketBucket).
  • To see all configurable child resources for given Stacktape resource, use stacktape stack-info --detailed command.
  • To see the list of properties that can be overridden, refer to AWS Cloudformation docs.

serviceName: posts-api-pg
resources:
  myLoadBalancer:
    type: 'application-load-balancer'
  basicLambda:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: 'lambdas/js-lambda.js'
      events:
        - type: application-load-balancer
          properties:
            # must match the name of the load balancer resource defined above
            loadBalancerName: myLoadBalancer
            priority: 5
            paths:
              - '*'

Application load balancer with function integration

Using HTTPS(TLS)

  • To use HTTPS (TLS) with your load balancer, you can use the useHttps property.
  • To use this property, your load balancer must have a custom domain name specified. Stacktape will attach the correct TLS certificate to the load balancer during deployment. See section Custom domain names to see how to use custom domain names with a load balancer.
  • If you are using custom listeners, you cannot use the useHttps property (see section Configure custom listeners).

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      useHttps: true

Integrating with workloads

By creating an event integration on a workload (container-workload, function, batch-job), you tell the application load balancer to forward requests to the workload.

Each integration must specify:

  • loadBalancerName (and listenerPort if your load balancer uses custom listeners) that will forward requests to the integration
  • priority
    • priority determines order in which the integrations are evaluated by load balancer.
    • load balancer evaluates integrations from lowest value to highest value.
    • load balancer forwards the request to the first integration whose condition matches the request.
  • condition
    • condition determines which requests can be forwarded to the integration.
    • condition can be composed of path, queryString, headers and other parts of request.

The following example shows two integrations:

  • An integration attached to mySingleContainer, which forwards all requests (wildcard path *) to the container-workload.
  • An integration attached to myFunction, which forwards requests with a URL prefixed with /lambda-service/ to the function.

Since the integration on myFunction has a lower priority value, it is evaluated before the integration on mySingleContainer.

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
  mySingleContainer:
    type: 'container-workload'
    properties:
      containers:
        - name: myCont
          packaging:
            type: stacktape-image-buildpack
            properties:
              entryfilePath: containers/ts-container.ts
          environment:
            - name: PORT
              value: '80'
          events:
            - type: application-load-balancer
              properties:
                loadBalancerName: myLoadBalancer
                containerPort: 80
                priority: 3
                paths:
                  - '*'
      resources:
        cpu: 0.25
        memory: 512
  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            priority: 2
            paths:
              - '/lambda-service/*'

Application load balancer with function and container-workload integrations.
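The evaluation order described above (lowest priority value first, first match wins) can be modelled to find integrations that can never receive traffic because an earlier, broader rule catches their requests. This is an added example, not Stacktape code: the function names and the dict layout are assumptions, only path conditions are modelled, and fnmatch stands in for the load balancer's wildcard matching.

```python
from fnmatch import fnmatchcase

# Constructed model of the two integrations in the example above
# (path conditions only; headers, query strings etc. are not modelled).
INTEGRATIONS = [
    {"workload": "mySingleContainer", "priority": 3, "paths": ["*"]},
    {"workload": "myFunction", "priority": 2, "paths": ["/lambda-service/*"]},
]


def route(integrations, path):
    """Return the workload that receives `path`, or None (default action)."""
    # Lowest priority value is evaluated first; the first match wins.
    for rule in sorted(integrations, key=lambda r: r["priority"]):
        if any(fnmatchcase(path, pattern) for pattern in rule["paths"]):
            return rule["workload"]
    return None


def covers(broad, narrow):
    """Conservative check that every path matching `narrow` also matches `broad`."""
    if broad == narrow or broad == "*":
        return True
    prefix = broad[:-1]
    literal_prefix = not any(ch in prefix for ch in "*?[")
    return broad.endswith("*") and literal_prefix and narrow.startswith(prefix)


def shadowed(integrations):
    """List (shadowed, shadowing) workload pairs: rules that can never match."""
    ordered = sorted(integrations, key=lambda r: r["priority"])
    findings = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if all(any(covers(b, n) for b in earlier["paths"]) for n in later["paths"]):
                findings.append((later["workload"], earlier["workload"]))
                break
    return findings
```

If the wildcard integration were given the lower priority value, `shadowed` would report myFunction, because every /lambda-service/ request would already be forwarded to the container.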

More information on integrating workloads with application load balancer can be found:

Custom domain names

Stacktape allows you to connect your custom domain names to some of your resources (HTTP API Gateways, Application Load Balancers and Buckets with CDNs).

Connecting a custom domain to the resource does 2 things:

  • Creates DNS records:
    • If you use your custom domain with a resource, Stacktape automatically creates a DNS record (during deploy) pointing the specified domain name to the resource.
  • Adds TLS certificates
    • If the origin resource (HTTP API Gateway, Application Load Balancer or CDN) uses HTTPS protocol, Stacktape takes care of issuing and attaching correct (free, AWS-managed) certificate to the resource. This means, you do not have to deal with TLS termination as it is handled by the connected resource.
    • If you want to use your own certificates, you can configure the customCertificateArns property on the load balancer's listener.

To manage a custom domain, it first needs to be added to your AWS account. This means that a hosted zone (collection of records managed together for a given domain) for your domain exists in your AWS account and your domain registrar's name servers are pointing to it. To learn more, refer to Adding a domain guide.

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      useHttps: true

Configure custom listeners

  • Listeners provide a way to expose ports of the application-load-balancer. They make the application-load-balancer accessible from the outside.

  • Listeners listen on the specified ports and forward traffic to workloads through event integrations (functions, container-workloads or batch-jobs).

  • Listeners are used to expose specific ports of the Load balancer.
  • If you do not specify any listeners:
    • If property useHttps is set to true, then two listeners are created:
      • HTTPS listener (port 443) - all traffic is routed to this listener
      • HTTP listener (port 80) - automatically redirects to HTTPS listener
    • If property useHttps is not set or is set to false, one listener is created:
      • HTTP listener (port 80) - all traffic is routed to this listener
ApplicationLoadBalancerListener  API reference
Parent API reference: ApplicationLoadBalancer
protocol
Required

Protocol used for the listener

Type: string ENUM

Possible values: HTTP, HTTPS

  • If the HTTPS protocol is used, the listener needs to have SSL/TLS certificates configured. This can be achieved in 2 ways:
    • Configure customDomains to make Stacktape automatically generate and use SSL/TLS certificates.
    • Configure customCertificateArns to use custom certificates (referenced by their ARN - Amazon Resource Name).
port
Required

Port number on which the listener is accessible

Type: number

  • By default, HTTPS connections use port 443 and HTTP connections use port 80.
customCertificateArns

Used to configure custom SSL/TLS certificates

Type: Array of string

  • Configuring certificates is not necessary if you specify customDomains or you don't use the HTTPS protocol for this listener.
whitelistIps

Limits accessibility of the listener to only specific IP addresses

Type: Array of string

  • By default all IP addresses are whitelisted.
defaultAction

Configures the behavior of the listener for requests that cannot be matched to any integration.

Type: LbRedirect

  • At the moment, the only supported default action is redirect.

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 80
          protocol: HTTP
  myFunction:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: my-lambda.js
      events:
        - type: application-load-balancer
          properties:
            loadBalancerName: myLoadBalancer
            # you need to specify listener port when referencing load balancer with custom listeners
            listenerPort: 80
            priority: 5
            paths:
              - '*'

Application load balancer with single listener and function integration.

Using HTTPS with custom listeners

If you are using custom listeners, you can configure a listener to use HTTPS. To do that, you can either:

  1. Specify a custom domain name. Stacktape will attach the correct TLS certificates (for the domain) to the listener during deployment. See section Custom domain names to see how to use custom domain names with a load balancer.

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      listeners:
        - protocol: HTTPS
          port: 443

  2. Set the customCertificateArns property to make the listener use a custom certificate of your choice (you can create a certificate in the AWS console). In this case you also need to handle DNS records for your domain, i.e. point the correct domain name to the load balancer (if you use custom domains, Stacktape can handle DNS records for you).

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      listeners:
        - port: 443
          protocol: HTTPS
          customCertificateArns:
            - arn:aws:acm:eu-west-1:999999999999:certificate/8ab817b5-c4fa-4b1d-8b72-d6082cb40351

Default listener action

Default listener action determines what to do with a request that does not match any event integration associated with this listener (see integrating with workloads).

Redirect

LbRedirect  API reference
Parent API reference: ApplicationLoadBalancerListener
type
Required

Type of the default action

Type: string "redirect"

properties.statusCode
Required

HTTP redirect code

Type: string ENUM

Possible values: HTTP_301, HTTP_302

  • Use HTTP_301 for permanent redirect
  • Use HTTP_302 for temporary redirect
properties.path

Absolute path to redirect to.

Type: string

  • Starting with the leading "/".
  • Not percent-encoded.
properties.query

Query parameters for the redirect.

Type: string

  • URL-encoded when necessary, but not percent-encoded.
  • Do not include the leading "?", as it is automatically added.
  • Use
properties.port

Port for the redirect.

Type: number

  • You can specify a value from 1 to 65535 or #{port}.
properties.host

Hostname for the redirect.

Type: string

  • Not percent-encoded.
properties.protocol

Protocol for the redirect.

Type: string ENUM

Possible values: HTTP, HTTPS

  • Must be HTTP, HTTPS, or #{protocol}.
  • You cannot redirect HTTPS to HTTP.

The following example shows application-load-balancer with two listeners:

  • HTTPS listener at port 443
  • HTTP listener at port 80. HTTP listener has default redirect action configured. This means that any HTTP request is automatically redirected to its HTTPS version.

resources:
  myLoadBalancer:
    type: 'application-load-balancer'
    properties:
      customDomains:
        - my-app.mydomain.com
      listeners:
        - port: 443
          protocol: HTTPS
        - port: 80
          protocol: HTTP
          defaultAction:
            type: redirect
            properties:
              statusCode: HTTP_301
              protocol: HTTPS
              port: 443
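
The constraints this page states for useHttps, HTTPS listeners and redirect actions can be checked before deploying. The following is an added example, not Stacktape code: the function name, the dict-shaped input (the properties of one load balancer as parsed from YAML) and the finding strings are assumptions, and the plain-HTTP warnings are an added policy check rather than a Stacktape rule.

```python
# Constructed inputs: the `properties` of one load balancer, as parsed from YAML.
GOOD = {  # mirrors the two-listener redirect example above
    "customDomains": ["my-app.mydomain.com"],
    "listeners": [
        {"port": 443, "protocol": "HTTPS"},
        {"port": 80, "protocol": "HTTP", "defaultAction": {
            "type": "redirect",
            "properties": {"statusCode": "HTTP_301", "protocol": "HTTPS", "port": 443}}},
    ],
}
BAD = {  # useHttps without a domain, mixed with listeners, plain HTTP left open
    "useHttps": True,
    "listeners": [{"port": 443, "protocol": "HTTPS"}, {"port": 80, "protocol": "HTTP"}],
}


def validate_load_balancer(props):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    domains = props.get("customDomains") or []
    listeners = props.get("listeners") or []

    if props.get("useHttps"):
        if not domains:
            findings.append("error: useHttps requires customDomains")
        if listeners:
            findings.append("error: useHttps cannot be used with custom listeners")
    elif not listeners:
        findings.append("warn: default listener is plain HTTP on port 80")

    for lst in listeners:
        where = f"listener {lst.get('port')}"
        proto = lst.get("protocol")
        action = lst.get("defaultAction") or {}
        redirect = (action.get("properties") or {}) if action.get("type") == "redirect" else None

        if proto == "HTTPS" and not (domains or lst.get("customCertificateArns")):
            findings.append(f"error: {where} is HTTPS without a certificate source")
        if redirect is not None:
            if redirect.get("statusCode") not in ("HTTP_301", "HTTP_302"):
                findings.append(f"error: {where} redirect needs HTTP_301 or HTTP_302")
            if proto == "HTTPS" and redirect.get("protocol") == "HTTP":
                findings.append(f"error: {where} redirects HTTPS to HTTP")
        # Added policy check: integrations attached to this port are not inspected.
        if proto == "HTTP" and not (redirect and redirect.get("protocol") == "HTTPS"):
            findings.append(f"warn: {where} is plain HTTP with no redirect to HTTPS")
    return findings
```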

CDN

You can configure AWS Cloudfront CDN (Content Delivery Network) to be in front of your application-load-balancer.

  • CDN is a globally distributed network that can cache responses from your Application Load Balancer at the edge - close to your users.
  • AWS Cloudfront has 205 edge locations on 6 continents.
  • The CDN is used to:
    • reduce latency & improve load times
    • reduce bandwidth costs
    • reduce the amount of traffic coming to the origin
    • improve security
  • The "origin" is the resource (Application Load Balancer) to which CDN is attached. CDN caches responses from the origin at the edge for specified amount of time.
  • If the content requested by the client is in the CDN cache, the CDN immediately returns it to the client without making a request to the origin.
  • If the content is NOT in the cache, the CDN makes a request to the Origin. The response from the origin is then forwarded to the client, and cached at the edge.
  • The CDN has its own URL endpoint.

For information about using CDN refer to our CDN docs.

Referenceable parameters

The following parameters can be easily referenced using the $ResourceParam directive.

To learn more about referencing parameters, refer to referencing parameters.

domain
  • default domain name of load balancer

  • Usage: $ResourceParam('<<resource-name>>', 'domain')
customDomains
  • Comma-separated list of custom domain names assigned to the Load balancer (only available if you use custom domain names)

  • Usage: $ResourceParam('<<resource-name>>', 'customDomains')
cdnDomain
  • Default domain of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnDomain')
cdnUrl
  • Default url of the CDN distribution (only available if you DO NOT configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnUrl')
cdnCustomDomains
  • Comma-separated list of custom domain names assigned to the CDN (only available if you configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomains')
cdnCustomDomainUrls
  • Comma-separated list of custom domain name URLs of the CDN (only available if you configure custom domain names for the CDN).

  • Usage: $ResourceParam('<<resource-name>>', 'cdnCustomDomainUrls')