Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a backend group

Written by
Updated at July 29, 2025

To create a backend group:

  1. In the management console, select the folder where you want to create a backend group.

  2. From the list of services, select Application Load Balancer.

  3. In the left-hand panel, select Backend groups.

  4. Click Create backend group.

  5. Specify the backend group name.

  6. Select the backend group type:

    • HTTP: For HTTP or HTTPS traffic.
    • gRPC: For HTTP or HTTPS traffic with gRPC.
    • Stream: For unencrypted TCP traffic or TCP traffic with TLS encryption support.

  7. Optinally, enable session affinity. HTTP and gRPC backend groups support the following session affinity modes:

    • By IP address.
    • By HTTP header.
    • By cookie.

    Stream backend groups support session affinity by client IP address.

    Note

    Currently, session affinity only works for a single active backend in a group, containing at least one target group and using the MAGLEV_HASH load balancing mode.

  8. Under Backends, click Add. Specify the backend settings:

    • Backend Name.

    • Weight: Backend weight in traffic distribution. If this option is disabled, the backend weight will be 0 and its endpoints will not be receiving traffic.

    • Backend Type: Target group for Application Load Balancer target groups or Bucket for Object Storage buckets. This option works for HTTP backend groups only. gRPC and Stream group backends have the Target group backend type. For more information about backend types, see Backend types.

    • The settings described below only work for Target group backends:

      • Under Load balancing settings:

        • Balancing mode: Load balancing mode.
        • Panic mode threshold: Healthy endpoint threshold triggering panic mode when the load balancer distributes requests across all endpoints, regardless of their health status.
        • Locality aware routing: Share of incoming traffic the load balancer node will route to its availability zone backends. The remaining traffic will be evenly distributed across other availability zones. To learn more, see Locality aware routing.
        • Strict locality: If this option is enabled, the load balancer will return 503 Service Unavailable if no application backends are operational in the request’s originating availability zone.

      • Under Protocol settings:

        • For a HTTP backend group:

          • HTTP/2: With this option enabled, the load balancer will use the HTTP/2 protocol when routing requests to HTTP group backends. By default, the load balancer uses the HTTP/1.1 protocol. gRPC backend groups only support the HTTP/2 protocol.

          • Protocol: Backend connection protocol, e.g., HTTP without encryption or HTTPS with TLS encryption. For HTTPS, specify:

            • SNI. SNI domain name for TLS connections.
            • Trusted root certificate. Specify the root CA for the certificate chain installed on backend endpoints. You can use X.509 certificates in PEM format.

        • For a gRPC backend group:

          • Protocol: Backend connection protocol, e.g., Plain-text or Encrypted. For the encrypted protocol, specify SNI and Trusted root certificate as shown above.

        • For a Stream backend group:

          • PROXY protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol.

          • Protocol: Backend connection protocol, e.g., Plain-text or Encrypted. For the encrypted protocol, specify SNI and Trusted root certificate as shown above.

    • The following settings only work for Bucket backends in HTTP backend groups:

      • Bucket ID format: List or ID.
      • Bucket: Select a bucket from the list or specify its ID.

    • Under HTTP health check, gRPC health check, or Stream health check specify:

      • Timeout, s: Response timeout. Maximum connection time.

      • Interval: Health check request interval.

      • Healthy threshold: Number of consecutive successful checks required before considering the endpoint healthy. The load balancer ignores this setting at start, conducting one health check to identify the endpoint as healthy.

      • Unhealthy threshold: Number of consecutive failed checks required before considering the endpoint unhealthy. The load balancer ignores this setting when receiving 503 Service Unavailable from a backend, following which it is considered unhealthy right away.

      • Port.

      • Type: Health check protocol, e.g., HTTP, gRPC, or Stream. The health check protocol does not need to match the backend group type. Depending on the selected protocol, specify:

        • For the HTTP type:

          • Path: Endpoint request URI path.
          • Authority: HTTP/1.1 Host or HTTP/2 :authority header of the backend endpoint health check requests.
          • HTTP/2: Use HTTP v2 protocol.
          • HTTP codes: HTTP status codes deemed valid during a backend health check.

        • For the gRPC type:

          • Service name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.

        • For the Stream type:

          • Send: Data sent to the endpoint for a health check.
          • Receive: Data the endpoint must return to pass the health check.

      Alert

      If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

      We recommend configuring health checks for all backends.

      To add a health check, at the bottom of the backend section, click Add health check and specify the check settings.

      To remove a health check, click next to the HTTP health check, gRPC health check, or Stream health check title, and select Delete.

  9. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Note

You can create a gRPC backend group in the management console or using Terraform.

  1. See the description of the CLI command for creating a backend group:

    yc alb backend-group create --help

  2. Create a backend group by running this command:

    yc alb backend-group create <backend_group_name>

    Result:

    id: a5dg2cv4ngne********
name: test-backend-group
folder_id: aoerb349v3h4********
created_at: "2021-02-11T20:46:21.688940670Z"

  3. Add a backend and a health check to the group.

    Alert

    If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

    We recommend configuring health checks for all backends.

    All backends within a group must be of the same type: HTTP, gRPC, or Stream.

    HTTP backend

    Run this command:

    yc alb backend-group add-http-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --http-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,expected-statuses=211,\
timeout=10s,interval=2s,host=<host_address>,path=<path>

    Where:

    • --name: The name of the backend you want to add or update.
    • --panic-threshold: Panic mode threshold.
    • --http-healthcheck: Health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • expected-statuses: HTTP status code deemed valid during a backend health check. You can add multiple values separated by a comma: expected-statuses=201,expected-statuses=205,expected-statuses=302. You can use HTTP codes in the range between 100 and 599. If this setting is not specified, the response code will be 200.
      • timeout: Maximum connection time.
      • interval: Interval.
      • host: Host address.
      • path: Path.

    Result:

    id: a5dqkr2mk3rr********
name: <backend_group_name>
folder_id: aoe197919j8e********
http:
  backends:
  - name: <backend_name>
    backend_weight: "1"
    load_balancing_config:
      panic_threshold: "90"
    port: "80"
    target_groups:
      target_group_ids:
      - a5d2iap3nue9********
    healthchecks:
    - timeout: 10s
      interval: 2s
      healthy_threshold: "10"
      unhealthy_threshold: "15"
      healthcheck_port: "80"
      http:
        host: <host_address>
        path: <path>
created_at: "2021-02-11T20:46:21.688940670Z"
    gRPC backend

    Run this command:

    yc alb backend-group add-grpc-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --grpc-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,\
timeout=10s,interval=2s,service-name=<gRPC_service_name>

    Where:

    • --panic-threshold: Panic mode threshold.
    • --grpc-healthcheck: Resource health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • timeout: Maximum connection time.
      • interval: Interval.
      • service-name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.

    Result:

    id: a5dqkr2mk3rr********
name: <backend_group_name>
folder_id: aoe197919j8e********
grpc:
  backends:
    - name: <backend_name>
      backend_weight: "12"
      load_balancing_config:
        panic_threshold: "90"
      port: "80"
      target_groups:
        target_group_ids:
          - a5d2iap3nue9********
      healthchecks:
        - timeout: 10s
          interval: 2s
          healthy_threshold: "10"
          unhealthy_threshold: "15"
          healthcheck_port: "80"
          grpc:
            service_name: <gRPC_service_name>
created_at: "2023-06-17T13:04:08.567141292Z"
    Stream backend

    Run this command:

    yc alb backend-group add-stream-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --enable-proxy-protocol \
  --keep-connections-on-host-health-failure \
  --stream-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,\
timeout=10s,interval=2s,send-text=<data_to_endpoint>,receive-text=<data_from_endpoint>

    Where:

    • --panic-threshold: Panic mode threshold.
    • --enable-proxy-protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol. If you do not set specific values for this option, the load balancer will only send its IP address to the backend.
    • --keep-connections-on-host-health-failure: Keeps the connection alive even if the health check fails.
    • --stream-healthcheck: Health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • timeout: Maximum connection time.
      • interval: Interval.
      • send-text: Data sent to the endpoint for a health check.
      • receive-text: Data the endpoint must return to pass the health check.

    Result:

    id: ds77tero4f5********
name: <backend_group_name>
folder_id: b1gu6g9ielh6********
stream:
  backends:
  - name: <backend_name>
backend_weight: "1"
    port: "80"
    target_groups:
      target_group_ids:
      - ds7eof3r2cte********
    healthchecks:
      - timeout: 10s
        interval: 2s
        healthy_threshold: "10"
        unhealthy_threshold: "15"
        healthcheck_port: "80"
        stream:
          send:
            text: <data_to_endpoint>
          receive:
            text: <data_from_endpoint>
    enable_proxy_protocol: true
created_at: "2022-04-06T09:17:57.104324513Z"

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resource you want to create:

    resource "yandex_alb_backend_group" "test-backend-group" {
  name                     = "<backend_group_name>"
  session_affinity {
    connection {
      source_ip = <IP_address_session_affinity_mode>
    }
  }
  stream_backend {
    name                   = "<backend_name>"
    weight                 = 1
    port                   = 80
    target_group_ids       = ["<target_group_ID>"]
    load_balancing_config {
      panic_threshold      = 90
    }
    enable_proxy_protocol  = true
    healthcheck {
      timeout              = "10s"
      interval             = "2s"
      healthy_threshold    = 10
      unhealthy_threshold  = 15
      keep_connections_on_host_health_failure = <true_or_false>
      stream_healthcheck {
        send               = "<data_to_endpoint>"
        receive            = "<data_from_endpoint>"
      }
      http_healthcheck {
        path              = "<path>"
        host              = "<host>"
        expected_statuses = [<HTTP codes>]
      }
    }
  }
}

    Where:

    • yandex_alb_backend_group: Backend group settings:

      • name: Backend group name.

      • session_affinity: Session affinity settings. This is an optional parameter.

        Note

        Currently, session affinity only works for a single active backend in a group, containing at least one target group and using the MAGLEV_HASH load balancing mode.

        • connection: Session affinity by the source_ip IP address. It can be either true or false. You can also use cookie or header session affinity modes, but you can only specify one mode. If the backend group is of the Stream type, i.e., it consists of the stream_backend resources, you can only use the connection mode for session affinity.

      • http_backend, grpc_backend, and stream_backend: Backend type. All backends within a group must match the same type: HTTP, gRPC, or Stream.

    Backend parameters:

    • name: Backend name.

    • port: Backend port.

    • weight: Backend weight.

    • target_group_ids: Target group ID. To get a list of available target groups, run the yc alb target-group list CLI command.

    • load_balancing_config: Balancing parameters:

      • panic_threshold: Panic mode threshold.

    • enable_proxy_protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol. If you do not set specific values for this option, the load balancer will only send its IP address to the backend. This option is only available for Stream type backends.

    • healthcheck: Health check settings:

      • timeout: Maximum connection request timeout.
      • interval: Interval.
      • healthy_threshold: Healthy threshold.
      • unhealthy_threshold: Unhealthy threshold.
      • keep_connections_on_host_health_failure: This option maintains connections open even if the target host status changes to Unhealthy.
      • http_healthcheck: HTTP health check settings:
        • path: Path, e.g., /health.
        • host: Host address, e.g., example.com.
        • expected_statuses: List of HTTP status codes corresponding to the Healthy status, e.g., [200, 201, 202].
      • grpc_healthcheck: gRPC health check settings:
        • service_name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.
      • stream_healthcheck: Stream health check settings:
        • send: Data sent to the endpoint for a health check.
        • receive: Data the endpoint must return to pass the health check.

      Alert

      If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

      We recommend configuring health checks for all backends.

    For more information about yandex_alb_backend_group properties, see the relevant Terraform article.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check new resources in the management console or using this CLI command:

    yc alb backend-group list

Use the create REST API method for the BackendGroup resource or the BackendGroupService/Create gRPC API call.

See also

Previous
Deleting a target group
Next
Getting information about a backend group