© 2025 Direct Cursus Technology L.L.C.
Yandex Application Load Balancer

Creating an L7 load balancer

Written by
Yandex Cloud
Improved by
Danila N.
Updated at November 11, 2025

To create an L7 load balancer:

Management console
  1. In the management console, select the folder where you want to create a load balancer.

  2. From the list of services, select Application Load Balancer.

  3. Click Create L7 load balancer and select Manual.

  4. Specify the load balancer name.

  5. Under Network settings, select:

    1. Network whose subnets will host load balancer nodes.

    2. Relevant security groups:

      • No groups: Allows any incoming and outgoing traffic for the load balancer. This is the least secure option.
      • Auto: The load balancer creation process automatically provisions a security group allowing any incoming traffic on port 80 and TCP health check traffic on port 30080. This security group also allows any outgoing traffic from the load balancer.
      • From list: For more traffic management flexibility, create your own security groups. You can assign up to five security groups to your load balancer.

      Note

      Security group rules must specify IP ranges in CIDR format. You cannot assign a group that uses a different security group.

  6. Under Allocation, select the load balancer node subnets in different availability zones and enable their traffic.

    If you do not want to create a load balancer node in a specific availability zone, click next to it.

  7. Optionally, under Allocation, enable or disable incoming traffic for each availability zone using Receive traffic.

  8. Optionally, under Autoscaling settings, set the resource unit limit.

    Resource units will scale automatically depending on load balancer traffic and specified limits. The number of resource units used affects the load balancer pricing.

  9. Optionally, under Log settings:

    1. Enable Write logs.

    2. Select the Yandex Cloud Logging log group where you want to store load balancer logs.

    3. Click Add discard rule and configure its settings:

      • HTTP codes: Add HTTP status codes.
      • HTTP code classes: Add HTTP status code classes.
      • gRPC codes: Add gRPC codes.
      • Share of discarded logs: Set the log discard rate.

      You can add multiple rules.

  10. Under Listeners, click Add listener. Specify listener settings:

    1. Specify the listener name.

    2. Optionally, enable Public IP address. Set Port to 80 and select Type:

      • Automatically.
      • List: Select an address from the drop-down list that appears on the right.
    3. Optionally, enable Internal IP address. Specify Port and select Subnet from the drop-down list.

    4. Under Receiving and processing traffic, select the listener type: HTTP or Stream.

      For HTTP, select:

      • Protocol: HTTP, HTTPS, or Redirect to HTTPS.
      • HTTP router: Select it from the drop-down list.

      For Stream, select a protocol:

      • Plain-text: Select Backend groups from the drop-down list.
      • Encrypted: Under Main listener, select Certificates and Backend groups from the drop-down lists.
  11. Add more listeners if needed.

  12. Click Create.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for creating an L7 load balancer:

    yc alb load-balancer create --help
    
  2. Run this command:

    yc alb load-balancer create <load_balancer_name> \
      --network-name <network_name> \
      --security-group-id <list_of_security_group_IDs> \
      --location subnet-name=<subnet_name>,zone=<availability_zone>
    

    Where:

    • <load_balancer_name>: New load balancer name.
    • --network-name: Name of the network containing the load balancer.
    • --security-group-id: Comma-separated list of one to five security group IDs. This is an optional setting. If you skip it, the load balancer will accept all traffic.
    • --location: Subnet and availability zone. You can add this option multiple times to specify different availability zones and subnets.

    Result:

    done (1m40s)
    id: a5d88ep483cm********
    name: test-balancer2
    folder_id: aoe197919j8e********
    status: ACTIVE
    region_id: ru-central1
    network_id: c64l1c06d151********
    allocation_policy:
      locations:
      - zone_id: ru-central1-a
        subnet_id: buc4gsmpj8hv********
    log_group_id: eolul9ap0bv0********
    security_group_ids:
      - enpulh2tbrep********
      - enpg05a3ck35********
    created_at: "2021-04-26T12:12:13.624832586Z"
    
  3. Optionally, set the resource unit limit:

    1. See the description of the CLI command for setting up limits:

      yc alb load-balancer autoscale --help
      
    2. Specify limits by running this command:

      yc alb load-balancer autoscale <load_balancer_name_or_ID> \
        --min-zone-size <resource_unit_minimum_per_zone> \
        --max-size <resource_unit_maximum_total>
      

      Where:

      • --min-zone-size: Resource unit minimum per availability zone. The default minimum is 2. You cannot set a minimum below 2.
      • --max-size: Resource unit maximum total. By default, it is unlimited. Make sure this value is no less than (number of load balancer availability zones) × (minimum number of resource units per zone).

      You can specify one or both settings at once using this command.

      For example:

      yc alb load-balancer autoscale test-balancer2 \
        --min-zone-size 3 \
        --max-size 10
      

      Result:

      id: a5d88ep483cm********
      name: test-balancer2
      folder_id: aoe197919j8e********
      status: ACTIVE
      region_id: ru-central1
      network_id: c64l1c06d151********
      allocation_policy:
        locations:
          - zone_id: ru-central1-a
            subnet_id: buc4gsmpj8hv********
      created_at: "2022-06-02T12:12:13.624832586Z"
      auto_scale_policy:
        min_zone_size: 3
        max_size: 10
      
  4. Optionally, configure Yandex Cloud Logging settings:

    1. See the description of the CLI command for enabling load balancer logging:

      yc alb load-balancer logging --help
      
    2. Specify the load balancer log group and set up a log discard rule:

      yc alb load-balancer logging <load_balancer_name> \
        --log-group-id <log_group_ID> \
        --enable \
        --discard codes=[<HTTP_code>,<HTTP_code_class>,<gRPC_code>],percent=<discarded_log_percentage>
      

      Where:

      • --log-group-id: Log group ID.
      • --discard: Log discard rule. Rule options:
        • codes: HTTP codes, HTTP code classes, or gRPC codes.
        • percent: Log discard rate.

      You can add multiple rules.

      Result:

      done (42s)
      id: ds76g83js9gf********
      name: test-load-balancer
      ...
      log_options:
        log_group_id: e23p9bfjvsgr********
        discard_rules:
          - http_codes:
              - "200"
            http_code_intervals:
              - HTTP_3XX
            grpc_codes:
              - OK
            discard_percent: "90"
      
  5. Add a listener to an L7 load balancer:

    • HTTP listener.

      1. See the description of the CLI command for adding an HTTP listener to an L7 load balancer:

        yc alb load-balancer add-listener --help
        
      2. Add a listener by running this command:

        yc alb load-balancer add-listener <load_balancer_name> \
          --listener-name <listener_name> \
          --http-router-id <HTTP_router_ID> \
          --external-ipv4-endpoint port=<listener_port>
        
    • Stream listener.

      1. See the description of the CLI command for adding a Stream listener to an L7 load balancer:

        yc alb load-balancer add-stream-listener --help
        
      2. Add a listener by running this command:

        yc alb load-balancer add-stream-listener <load_balancer_name> \
          --listener-name=<listener_name> \
          --backend-group-id=<backend_group_ID> \
          --external-ipv4-endpoint port=<listener_port>
        

    The result of adding two listeners:

    done (42s)
    id: ds76g8b2op3f********
    name: test-load-balancer
    folder_id: b1gu6g9ielh6********
    status: ACTIVE
    network_id: enp0uulja5s3********
    listeners:
    - name: tslistener
      endpoints:
      - addresses:
        - external_ipv4_address:
            address: 51.250.64.197
        ports:
        - "80"
      http:
        handler:
          http_router_id: ds7d7b14b3fs********
    - name: teststreamlistener
      endpoints:
      - addresses:
        - external_ipv4_address:
            address: 51.250.64.197
        ports:
        - "443"
      stream:
        handler:
          backend_group_id: ds77tero4f5h********
    allocation_policy:
      locations:
      - zone_id: ru-central1-a
        subnet_id: e9bs1hp7lgdl********
    log_group_id: ckgs4u5km3u8********
    security_group_ids:
    - enp49ot04g63********
    created_at: "2022-04-04T02:12:40.160629110Z"
    log_options:
      log_group_id: e23p9bfjvsgr********
      discard_rules:
        - http_codes:
            - "200"
          http_code_intervals:
            - HTTP_3XX
          grpc_codes:
            - OK
          discard_percent: "90"
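
The settings this guide marks as optional (security groups, encrypted listeners, log discard rules) can be checked on an existing load balancer. The following is an added example, not part of the original guide or of Yandex Cloud tooling: it audits a load balancer description loaded as a Python dict with the field names shown in the result above. The function names, finding labels, sample data, the `tls` listener key (taken from the Terraform configuration on this page) and the policy of flagging discarded 4xx/5xx logs are assumptions of the example.

```python
# Added example: flag risky settings in an L7 load balancer description.
# Treating discarded 4xx/5xx logs as a finding is this example's policy.
ERROR_CLASSES = {"HTTP_4XX", "HTTP_5XX"}


def discards_errors(rule):
    """True if a discard rule drops any share of 4xx/5xx log records."""
    if int(rule.get("discard_percent", 0)) == 0:
        return False
    classes = set(rule.get("http_code_intervals", []))
    codes = [str(c) for c in rule.get("http_codes", [])]
    return bool(classes & ERROR_CLASSES) or any(c[:1] in ("4", "5") for c in codes)


def audit_load_balancer(lb):
    """Return a list of (finding, detail) tuples for one load balancer."""
    findings = []
    if not lb.get("security_group_ids"):
        # Per the guide: with no security groups, all traffic is accepted.
        findings.append(("NO_SECURITY_GROUPS", lb.get("name", "?")))
    for lst in lb.get("listeners", []):
        endpoints = lst.get("endpoints", [])
        public = any("external_ipv4_address" in addr
                     for ep in endpoints for addr in ep.get("addresses", []))
        # An http listener with a router attached, or a plain stream handler,
        # serves unencrypted traffic; a tls listener matches neither test.
        plaintext = "stream" in lst or "handler" in lst.get("http", {})
        if public and plaintext:
            ports = [str(p) for ep in endpoints for p in ep.get("ports", [])]
            findings.append(("PLAINTEXT_PUBLIC_LISTENER",
                             f"{lst['name']}:{','.join(ports)}"))
    for rule in lb.get("log_options", {}).get("discard_rules", []):
        if discards_errors(rule):
            findings.append(("ERROR_LOGS_DISCARDED", f"{rule['discard_percent']}%"))
    return findings


# Constructed sample: field names as in the result above, but with no
# security groups, an added tls listener and an added 5xx discard rule.
ADDR = [{"external_ipv4_address": {"address": "203.0.113.10"}}]
SAMPLE_LB = {
    "name": "test-load-balancer",
    "listeners": [
        {"name": "tslistener", "http": {"handler": {}},
         "endpoints": [{"addresses": ADDR, "ports": ["80"]}]},
        {"name": "teststreamlistener", "stream": {"handler": {}},
         "endpoints": [{"addresses": ADDR, "ports": ["443"]}]},
        {"name": "tlslistener", "tls": {"default_handler": {}},
         "endpoints": [{"addresses": ADDR, "ports": ["8443"]}]},
    ],
    "log_options": {"discard_rules": [
        {"http_codes": ["200"], "http_code_intervals": ["HTTP_3XX"],
         "grpc_codes": ["OK"], "discard_percent": "90"},
        {"http_code_intervals": ["HTTP_5XX"], "discard_percent": "50"},
    ]},
}

if __name__ == "__main__":
    print(audit_load_balancer(SAMPLE_LB))
```

A listener that only redirects to HTTPS is expected to have no router attached and is not flagged; that behaviour is an assumption to confirm against real output.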
    

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the resources you want to create:

    resource "yandex_alb_load_balancer" "test-balancer" {
      name        = "<L7_load_balancer_name>"
      network_id  = "<network_ID>"
      security_group_ids = ["<list_of_security_group_IDs>"]
    
      allocation_policy {
        location {
          zone_id   = "<availability_zone>"
          subnet_id = "<subnet_ID>" 
        }
      }
    
      # HTTP listener
      listener {
        name = "<HTTP_listener_name>"
        endpoint {
          address {
            external_ipv4_address {
            }
          }
          ports = [<port>]
        }
        http {
          handler {
            http_router_id = "<HTTP_router_ID>"
          }
        }
      }
    
      # Stream listener
      listener {
        name = "<Stream_listener_name>"
        endpoint {
          address {
            external_ipv4_address {
            }
          }
          ports = [<port>]
        }
        stream {
          handler {
            backend_group_id = "<backend_group_ID>"
            idle_timeout     = "<timeout>"
          }
        }
      }
    
      # TLS listener
      listener {
        name = "<TLS_listener_name>"
        endpoint {
          address {
            external_ipv4_address {
            }
          }
          ports = [<port>]
        }
        tls {
          default_handler {
            certificate_ids = ["<certificate_IDs>"]
            stream_handler {
              backend_group_id = "<backend_group_ID>"
              idle_timeout     = "<timeout>"
            }
          }
          sni_handler {
            name         = "<SNI_listener_name>"
            server_names = ["<server_names>"]
            handler {
              certificate_ids = ["<certificate_IDs>"]
              stream_handler {
                backend_group_id = "<backend_group_ID>"
                idle_timeout     = "<timeout>"
              }
            }
          }
        }
      }
    
      log_options {
        log_group_id = "<log_group_ID>"
        discard_rule {
          http_codes          = ["<HTTP_code>"]
          http_code_intervals = ["<HTTP_code_class>"]
          grpc_codes          = ["<gRPC_code>"]
          discard_percent     = <discarded_log_percentage>
        }
      }
    }
    

    Where:

    • name: L7 load balancer name. Follow these naming requirements:

      • It must be from 2 to 63 characters long.
      • It can only contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    • network_id: ID of the network that will host your load balancer.

    • security_group_ids: Comma-separated list of one to five security group IDs. This is an optional setting.

      If you skip it, the load balancer will accept all traffic.

    • allocation_policy: L7 load balancer's node location. Specify the availability zones and subnet IDs.

    • listener: Description of parameters for the L7 load balancer listener. This is an optional setting. You can specify one or multiple listeners.

      • name: Listener name. Follow these naming requirements:

        • It must be from 2 to 63 characters long.
        • It can only contain lowercase Latin letters, numbers, and hyphens.
        • It must start with a letter and cannot end with a hyphen.
      • endpoint: Listener addresses and ports. Specify the external IPv4 address and port for receiving traffic. If the external_ipv4_address setting is not specified, a public IP address will be assigned automatically.

      • ports: One or multiple ports. Listener ports must not match.

      • http: Listener HTTP endpoint description.

        • http_router_id: HTTP router ID.
      • stream: Listener Stream endpoint description.

        • backend_group_id: ID of the Stream-type backend group to forward the incoming TCP connections to.
        • idle_timeout: Idle timeout to close the connection when it expires. This is an optional setting. The possible values are, e.g., "10s", "5m", or "1h". Set "0" to have no timeout. The default value is one hour.
      • tls: TLS listener description.

        • default_handler: Default TLS listener.

          • certificate_ids: List of Yandex Certificate Manager certificate IDs.

          • stream_handler: Stream listener settings.

            • backend_group_id: ID of the Stream-type backend group.
            • idle_timeout: Idle timeout to close the connection when it expires. This is an optional setting. The possible values are, e.g., "10s", "5m", or "1h". Set "0" to have no timeout. The default value is one hour.
        • sni_handler: SNI listener description.

          • name: Listener name. Follow these naming requirements:

            • It must be from 2 to 63 characters long.
            • It can only contain lowercase Latin letters, numbers, and hyphens.
            • It must start with a letter and cannot end with a hyphen.
          • server_names: Names of servers that the SNI listener is mapped to.

          • handler: SNI listener settings:

            • certificate_ids: List of Yandex Certificate Manager certificate IDs.

            • stream_handler: Stream listener settings.

              • backend_group_id: ID of the Stream-type backend group.
              • idle_timeout: Idle timeout to close the connection when it expires. This is an optional setting. The possible values are, e.g., "10s", "5m", or "1h". Set "0" to have no timeout. The default value is one hour.
    • log_options: Optional logging settings for Yandex Cloud Logging:

      • log_group_id: Log group ID.

      • discard_rule: Log discard rule.

        • http_codes: HTTP codes.
        • http_code_intervals: HTTP code classes.
        • grpc_codes: gRPC codes.
        • discard_percent: Log discard rate.

        You can add multiple rules.

    For more information about yandex_alb_load_balancer properties in Terraform, see this Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

      This will create all the resources you need in the specified folder. You can check your new resources and their settings in the management console or using this CLI command:

      yc alb load-balancer list
      

      Timeouts

      The Terraform provider limits operations with Application Load Balancer load balancers to 10 minutes.

      Operations in excess of this time will be interrupted.

      How do I modify these limits?

      Add the timeouts section to the load balancer description, e.g.:

      resource "yandex_alb_load_balancer" "<load_balancer_name>" {
        ...
        timeouts {
          create = "60m"
          update = "60m"
          delete = "60m"
        }
      }
      

API

Use the create REST API method for the LoadBalancer resource or the LoadBalancer/Create gRPC API call.
