Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a backend group

Written by
Updated at May 13, 2025

To create a backend group:

  1. In the management console, select the folder where you want to create a backend group.

  2. From the list of services, select Application Load Balancer.

  3. In the left-hand panel, select Backend groups.

  4. Click Create backend group.

  5. Specify the backend group name.

  6. Select the backend group type:

    • HTTP: For HTTP or HTTPS traffic.
    • gRPC: For HTTP or HTTPS traffic with gRPC.
    • Stream: For unencrypted TCP traffic or TCP traffic with TLS encryption support.

  7. Optinally, enable session affinity. HTTP and gRPC backend groups support the following session affinity modes:

    • By IP address.
    • By HTTP header.
    • By cookie.

    Stream backend groups support session affinity by client IP address.

    Note

    Currently, session affinity only works for a single active backend in a group, containing at least one target group and using the MAGLEV_HASH load balancing mode.

  8. Under Backends, click Add. Specify the backend settings:

    • Backend Name.

    • Weight: Backend weight in traffic distribution. If this option is disabled, the backend weight will be 0 and its endpoints will not be receiving traffic.

    • Backend Type: Target group for Application Load Balancer target groups or Bucket for Object Storage buckets. This option works for HTTP backend groups only. gRPC and Stream group backends have the Target group backend type. For more information about backend types, see Backend types.

    • The settings described below only work for Target group backends:

      • Under Load balancing settings:

        • Balancing mode: Load balancing mode.
        • Panic mode threshold: Healthy endpoint threshold triggering panic mode when the load balancer distributes requests across all endpoints, regardless of their health status.
        • Locality aware routing: Share of incoming traffic the load balancer node will route to its availability zone backends. The remaining traffic will be evenly distributed across other availability zones. To learn more, see Locality aware routing.
        • Strict locality: If this option is enabled, the load balancer will return 503 Service Unavailable if no application backends are operational in the request’s originating availability zone.

      • Under Protocol settings:

        • For a HTTP backend group:

          • HTTP/2: With this option enabled, the load balancer will use the HTTP/2 protocol when routing requests to HTTP group backends. By default, the load balancer uses the HTTP/1.1 protocol. gRPC backend groups only support the HTTP/2 protocol.

          • Protocol: Backend connection protocol, e.g., HTTP without encryption or HTTPS with TLS encryption. For HTTPS, specify:

            • SNI. SNI domain name for TLS connections.
            • Trusted root certificate. Specify the root CA for the certificate chain installed on backend endpoints. You can use X.509 certificates in PEM format.

        • For a gRPC backend group:

          • Protocol: Backend connection protocol, e.g., Plain-text or Encrypted. For the encrypted protocol, specify SNI and Trusted root certificate as shown above.

        • For a Stream backend group:

          • PROXY protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol.

          • Protocol: Backend connection protocol, e.g., Plain-text or Encrypted. For the encrypted protocol, specify SNI and Trusted root certificate as shown above.

    • The following settings only work for Bucket backends in HTTP backend groups:

      • Bucket ID format: List or ID.
      • Bucket: Select a bucket from the list or specify its ID.

    • Under HTTP health check, gRPC health check, or Stream health check specify:

      • Timeout, s: Response timeout. Maximum connection time.

      • Interval: Health check request interval.

      • Healthy threshold: Number of consecutive successful checks required before considering the endpoint healthy. The load balancer ignores this setting at start, conducting one health check to identify the endpoint as healthy.

      • Unhealthy threshold: Number of consecutive failed checks required before considering the endpoint unhealthy. The load balancer ignores this setting when receiving 503 Service Unavailable from a backend, following which it is considered unhealthy right away.

      • Port.

      • Type: Health check protocol, e.g., HTTP, gRPC, or Stream. The health check protocol does not need to match the backend group type. Depending on the selected protocol, specify:

        • For the HTTP type:

          • Path: Endpoint request URI path.
          • Authority: HTTP/1.1 Host or HTTP/2 :authority header of the backend endpoint health check requests.
          • HTTP/2: Use HTTP v2 protocol.
          • HTTP codes: HTTP status codes deemed valid during a backend health check.

        • For the gRPC type:

          • Service name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.

        • For the Stream type:

          • Send: Data sent to the endpoint for a health check.
          • Receive: Data the endpoint must return to pass the health check.

      Alert

      If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

      We recommend configuring health checks for all backends.

      To add a health check, at the bottom of the backend section, click Add health check and specify the check settings.

      To remove a health check, click next to the HTTP health check, gRPC health check, or Stream health check title, and select Delete.

  9. Click Create.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

Note

You can create a gRPC backend group in the management console or using Terraform.

  1. See the description of the CLI command for creating a backend group:

    yc alb backend-group create --help

  2. Create a backend group by running this command:

    yc alb backend-group create <backend_group_name>

    Result:

    id: a5dg2cv4ngne********
name: test-backend-group
folder_id: aoerb349v3h4********
created_at: "2021-02-11T20:46:21.688940670Z"

  3. Add a backend and a health check to the group.

    Alert

    If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

    We recommend configuring health checks for all backends.

    All backends within the group must be of the same type: HTTP, gRPC, or Stream.

    HTTP backend

    Run this command:

    yc alb backend-group add-http-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --http-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,expected-statuses=211,\
timeout=10s,interval=2s,host=<host_address>,path=<path>

    Where:

    • --name: The name of the backend you want to add or update.
    • --panic-threshold: Panic mode threshold.
    • --http-healthcheck: Health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • expected-statuses: HTTP status code deemed valid during a backend health check. You can add multiple values separated by a comma: expected-statuses=201,expected-statuses=205,expected-statuses=302. You can use HTTP codes in the range between 100 and 599. If this setting is not specified, the response code will be 200.
      • timeout: Maximum connection time.
      • interval: Interval.
      • host: Host address.
      • path: Path.

    Result:

    id: a5dqkr2mk3rr********
name: <backend_group_name>
folder_id: aoe197919j8e********
http:
  backends:
  - name: <backend_name>
    backend_weight: "1"
    load_balancing_config:
      panic_threshold: "90"
    port: "80"
    target_groups:
      target_group_ids:
      - a5d2iap3nue9********
    healthchecks:
    - timeout: 10s
      interval: 2s
      healthy_threshold: "10"
      unhealthy_threshold: "15"
      healthcheck_port: "80"
      http:
        host: <host_address>
        path: <path>
created_at: "2021-02-11T20:46:21.688940670Z"
    gRPC backend

    Run this command:

    yc alb backend-group add-grpc-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --grpc-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,\
timeout=10s,interval=2s,service-name=<gRPC_service_name>

    Where:

    • --panic-threshold: Panic mode threshold.
    • --grpc-healthcheck: Resource health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • timeout: Maximum connection time.
      • interval: Interval.
      • service-name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.

    Result:

    id: a5dqkr2mk3rr********
name: <backend_group_name>
folder_id: aoe197919j8e********
grpc:
  backends:
    - name: <backend_name>
      backend_weight: "12"
      load_balancing_config:
        panic_threshold: "90"
      port: "80"
      target_groups:
        target_group_ids:
          - a5d2iap3nue9********
      healthchecks:
        - timeout: 10s
          interval: 2s
          healthy_threshold: "10"
          unhealthy_threshold: "15"
          healthcheck_port: "80"
          grpc:
            service_name: <gRPC_service_name>
created_at: "2023-06-17T13:04:08.567141292Z"
    Stream backend

    Run this command:

    yc alb backend-group add-stream-backend \
  --backend-group-name <backend_group_name> \
  --name <name_of_backend_you_are_adding> \
  --weight <backend_weight> \
  --port <backend_port> \
  --target-group-id=<target_group_ID> \
  --panic-threshold 90 \
  --enable-proxy-protocol \
  --keep-connections-on-host-health-failure \
  --stream-healthcheck port=80,healthy-threshold=10,unhealthy-threshold=15,\
timeout=10s,interval=2s,send-text=<data_to_endpoint>,receive-text=<data_from_endpoint>

    Where:

    • --panic-threshold: Panic mode threshold.
    • --enable-proxy-protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol. If you do not set specific values for this option, the load balancer will only send its IP address to the backend.
    • --keep-connections-on-host-health-failure: Keeps the connection alive even if the health check fails.
    • --stream-healthcheck: Health check settings:
      • port: Port.
      • healthy-threshold: Healthy threshold.
      • unhealthy-threshold: Unhealthy threshold.
      • timeout: Maximum connection time.
      • interval: Interval.
      • send-text: Data sent to the endpoint for a health check.
      • receive-text: Data the endpoint must return to pass the health check.

    Result:

    id: ds77tero4f5********
name: <backend_group_name>
folder_id: b1gu6g9ielh6********
stream:
  backends:
  - name: <backend_name>
backend_weight: "1"
    port: "80"
    target_groups:
      target_group_ids:
      - ds7eof3r2cte********
    healthchecks:
      - timeout: 10s
        interval: 2s
        healthy_threshold: "10"
        unhealthy_threshold: "15"
        healthcheck_port: "80"
        stream:
          send:
            text: <data_to_endpoint>
          receive:
            text: <data_from_endpoint>
    enable_proxy_protocol: true
created_at: "2022-04-06T09:17:57.104324513Z"

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resource you want to create:

    resource "yandex_alb_backend_group" "test-backend-group" {
  name                     = "<backend_group_name>"
  session_affinity {
    connection {
      source_ip = <IP_address_session_affinity_mode>
    }
  }
  stream_backend {
    name                   = "<backend_name>"
    weight                 = 1
    port                   = 80
    target_group_ids       = ["<target_group_ID>"]
    load_balancing_config {
      panic_threshold      = 90
    }
    enable_proxy_protocol  = true
    healthcheck {
      timeout              = "10s"
      interval             = "2s"
      healthy_threshold    = 10
      unhealthy_threshold  = 15
      stream_healthcheck {
        send               = "<data_to_endpoint>"
        receive            = "<data_from_endpoint>"
      }
    }
  }
}

    Where:

    • yandex_alb_backend_group: Backend group settings:

      • name: Backend group name.

      • session_affinity: Session affinity settings. This is an optional parameter.

        Note

        Currently, session affinity only works for a single active backend in a group, containing at least one target group and using the MAGLEV_HASH load balancing mode.

        • connection: Session affinity by the source_ip IP address. It can be either true or false. You can also choose cookie or header session affinity modes, but you can only specify one mode. If the backend group is of the Stream type, i.e., it consists of the stream_backend resources, you can only use the connection mode for session affinity.

      • http_backend, grpc_backend, and stream_backend: Backend type. All backends within a group must be of the same type: HTTP, gRPC, or Stream.

    Backend parameters:

    • name: Backend name.

    • port: Backend port.

    • weight: Backend weight.

    • target_group_ids: Target group ID. To get a list of available target groups, run the yc alb target-group list CLI command.

    • load_balancing_config: Balancing parameters:

      • panic_threshold: Panic mode threshold.

    • enable_proxy_protocol: With this option enabled, the load balancer will send its client connection metadata, e.g. its IP address, to the backend via HAProxy protocol. If you do not set specific values for this option, the load balancer will only send its IP address to the backend. This option is only available for Stream type backends.

    • healthcheck: Health check settings:

      • timeout: Maximum connection time.
      • interval: Interval.
      • healthy_threshold: Healthy threshold.
      • unhealthy_threshold: Unhealthy threshold.
      • http_healthcheck: HTTP health check settings:
        • path: Path.
        • host: Host address.
      • grpc_healthcheck: gRPC health check settings:
        • service_name: Name of the gRPC service you want to check. If no service is specified, the system will check the backend overall health.
      • stream_healthcheck: Stream health check settings:
        • send: Data sent to the endpoint for a health check.
        • receive: Data the endpoint must return to pass the health check.

      Alert

      If all backends with health checks enabled in an availability zone fail those checks, traffic will no longer route to that zone, even if functional backends without health checks remain.

      We recommend configuring health checks for all backends.

    For more information about yandex_alb_backend_group properties, see the relevant Terraform article.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources. You can check new resources in the management console or using this CLI command:

    yc alb backend-group list

Use the create REST API method for the BackendGroup resource or the BackendGroupService/Create gRPC API call.

See also

Previous
Deleting a target group
Next
Getting information about a backend group