HTTP routers

An HTTP router defines the routing rules for HTTP requests to backend groups.

You can only set HTTP routers for listeners of the HTTP type. If a listener accepts pure TCP traffic (Stream type), a backend group is explicitly specified for it.

You cannot delete an HTTP router used in a load balancer. First, you need to remove it from all load balancers.

Using HTTP router settings, you can modify request and response headers and generate small static responses directly in the load balancer. You can create an empty HTTP router and then add routes to it.

Routes inside an HTTP router are combined in virtual hosts. Routing is a two-step process.

1. The most suitable virtual host is selected based on the Host header (:authority if using HTTP/2).

2. The first route whose predicate matches the request is selected. The order of virtual hosts inside the router does not matter. However, the order of routes inside the virtual host matters: the most specific routes must be at the top of the list.

Virtual hostsVirtual hosts

Virtual hosts consolidate routes belonging to the same set of domains, i.e., the Host (:authority) header values of an HTTP request. Both exact matches and wildcards are supported. When an incoming request is received, the balancer checks route predicates one-by-one and selects the first predicate matching the request.

The load balancer routes traffic to the backend that refers to various resources. These resources may be vulnerable to external threats. You can protect your resources using Yandex Smart Web Security by connecting a security profile to the virtual host. You can also limit the number of requests to the virtual host using the Global RateLimit module.

When an Application Load Balancer Ingress controller manages the load balancer, connect the security profile using an Ingress resource annotation.

The modifications of the HTTP headers of requests and responses are also configured at the virtual host level.

RoutesRoutes

Routes are sets of conditions (predicates) that are used by the load balancer to select a route for the request and actions on the request. Possible conditions and actions depend on the route type.

Route typesRoute types

HTTP routers support two types of routes, HTTP and gRPC:

1. HTTP routes process HTTP requests over HTTP/1.1 and HTTP/2.

   You can specify a full request path or its beginning, an RE2 regular expression, or a request method (GET, POST, etc.) as a route condition.

   You can perform one of the actions with the request that satisfies the conditions:

   • Send the request to a HTTP backend group for processing. In this case, you can change the Host header to the specified value or configure its automatic replacement with the target VM address.

     In addition to the Host header, you can configure request processing timeouts, add WebSocket support, specify protocols for a group of backends to switch to within a TCP connection at the client's request, and change the URI before forwarding the request to the backends.

   • Redirect the request to another address with the selected response code and request URI modifications. In this case, you can modify the path (completely or partially), delete query parameters, and change the host, port, and schema.

     If the full request path is specified as a route condition, you will not be able to replace only the beginning of the path. The entire path will be replaced, even if the settings indicate to modify only the beginning.

     If the original URI uses the http (https) schema and specifies port 80 (443), changing the schema will delete the port.

   • Immediately return a load balancer's static response to the request received via this route.

2. gRPC routes are designed for processing gRPC requests (remote procedure calls) over HTTP/2.

   You can specify the beginning of a method, or the full method name (FQMN, fully qualified method name), or a RE2 regular expression as a condition for a gRPC route. The value must start with a slash (/).

   You can perform one of the actions with the request that satisfies the conditions:

   • Send the request to a gRPC backend group for processing. In this case, you can configure the request processing timeouts and change the Host header to the specified value or configure its automatic replacement with the target VM address.

   • Immediately return a static response.

TimeoutsTimeouts

A request satisfying the route conditions can be forwarded to a backend group for processing. In this case, you can configure the timeouts:

• Timeout, s: Maximum lifetime of an HTTP connection between a load balancer node and the backend. This option is only available for HTTP backend groups. The default value is 60.

• Maximum timeout, sec.: Maximum period for which a connection between a load balancer node and a backend can be established. This option is only available for gRPC backend groups. The client can specify a grpc-timeout HTTP header with a shorter timeout in the request. The default value is 60.

• Idle timeout, seconds: Maximum connection lifetime with no data being transferred. There is no default value. If the timeout is not specified, it is ignored. You can use the idle timeout in streaming scenarios (e.g., for long polls or server-sent events). In some cases, when no primary timeout is specified, the idle timeout may be set automatically.

If a connection for HTTP backend groups times out, the load balancer will return the 504 Gateway Timeout code.

Use casesUse cases

• Setting up virtual hosting
• Terminating TLS connections using the management console
• Creating an L7 load balancer with DDoS protection using the management console or CLI
• Migrating services from an NLB load balancer to an L7 ALB load balancer for DDoS protection using Yandex Smart Web Security
• Integrating an L7 load balancer with Cloud CDN and Object Storage
• Enabling blue-green and canary deployment of web service versions
• Writing load balancer logs to PostgreSQL
• Creating an L7 load balancer in Application Load Balancer with a Yandex Smart Web Security profile