© 2025 Direct Cursus Technology L.L.C.
Yandex Application Load Balancer

In this article:

  • Creating a route
  • Updating a route
  • Changing route order
  • Modifying HTTP request parameters
  • Example of modifying HTTP request parameters
  • Deleting a route

Managing routes

Written by
Yandex Cloud
Improved by
Danila N.
Updated at November 11, 2025

A route is a set of conditions (predicates) the load balancer uses to decide where to forward a request and which actions to perform on it. The available conditions and actions depend on the route type.

Creating a route

To create a route in a virtual host of an HTTP router:

Management console
CLI
Terraform
API
  1. In the management console, select the folder where you are going to create a virtual host route.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, click HTTP routers and select the HTTP router containing the virtual host for which you need to create a route.

  4. On the page that opens, under Virtual hosts, click next to the virtual host and select Edit.

    Create a new virtual host if needed.

    In the window that opens, click Add route and proceed as follows in the New route form that appears, depending on the new route type:

    HTTP route:
    1. In the Name field, specify the name of the route you are creating. Follow these naming requirements:

      • It must be from 2 to 63 characters long.
      • It can only contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    2. In the Type field, select HTTP.

    3. In the Path field, select one of the options:

      • Matches: To route requests with the same path as the one specified in the text box on the right. For example, to route all requests, specify the / path.
      • Starts with: To route requests whose path begins with the prefix specified in the text box on the right.
      • Regular expression: To route requests whose path matches the RE2 regular expression specified in the text box on the right, e.g., \/[a-z]{10}[0-9]{3}.
    4. In the HTTP methods field, select the HTTP methods for which to route the requests.

    5. In the Action field, select one of the options: Routing, Forward, or Response. Depending on the selected option:

      Routing:
      • In the Backend group field, select a backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      • Optionally, in the Rewrite path or start field, specify the path the HTTP router should redirect traffic to. If you select Matches in the Path field, the path will be completely replaced. If you select Starts with, only the prefix will be changed.

      • Optionally, in the Host header rewrite field, select one of these options:

        • none: The Host header in the request does not change.
        • rewrite: The Host header is replaced with the specified value.
        • auto: The Host header in the request is automatically replaced with the target VM address.
      • Optionally, enable Limit on all requests and/or Limit on requests from one IP and set these limits for the number of requests that will be processed for this route per unit of time.

      • Optionally, in the Timeout, s field, specify the maximum connection time.

      • Optionally, in the Idle timeout, seconds field, specify the maximum connection idle timeout (keep-alive time).

      • Optionally, in the Valid values for the Upgrade header field:

        • Optionally, list the protocols the backend group can switch to within a TCP connection at the client's request. To add more protocols, click Add upgrade type.
        • Optionally, enable WebSocket if you want to use the WebSocket protocol.
      Forward:

      • In the HTTP status code field, select the HTTP forwarding status code:

        • 301 Moved Permanently
        • 302 Found
        • 303 See Other
        • 307 Temporary Redirect
        • 308 Permanent Redirect
      • Optionally, enable Rewrite path or start and specify the modification type of the path the HTTP router should redirect traffic to:

        • Entire path: To completely replace the request path with the value set in the field on the right.
        • Start: To replace the request path prefix with the value set in the field on the right.

        Note

        If you select Matches in the Path field above, the path will be completely replaced, even with Start selected in the Rewrite path or start field.

      • Optionally, enable Delete query parameters to remove all query parameters from requests.

      • Optionally, enable Replace scheme to replace the scheme found in requests with the one specified in the field on the right.

        If the original URI uses the http (https) scheme and port 80 (443), changing the scheme will delete the port.

      • Optionally, enable Replace host and specify the new host in the field on the right.

      • Optionally, enable Replace port and specify the new port in the field on the right.

      Response:

      • In the HTTP status code field, select the static response code to return.

      • In the Response body field, set the static response body to return. To do this, click Select and in the window that opens:

        • In the Method field, select:

          • File: To select a text file containing the response body.
          • Text: To enter the response text in the relevant text box.
          • Click Add.
    gRPC route:

    1. In the Name field, specify the name of the route you are creating. Follow these naming requirements:

      • It must be from 2 to 63 characters long.
      • It can only contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    2. In the Type field, select gRPC.

    3. In the FQMN field, select one of the options:

      • Matches: To route requests whose FQMN matches the FQMN specified in the text box on the right.
      • Starts with: To route requests whose FQMN begins with the prefix specified in the text box on the right. For example, you can specify the first word of the service name: /helloworld.
      • Regular expression: To route requests whose FQMN matches the RE2 regular expression specified in the text box on the right.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

    4. In the Action field, select one of the options: Routing or Response. Depending on the selected option:

      Routing:
      • In the Backend group field, select a backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      • Optionally, in the Host header rewrite field, select one of these options:

        • none: The Host header in the request does not change.
        • rewrite: The Host header is replaced with the specified value.
        • auto: The Host header in the request is automatically replaced with the target VM address.
      • Optionally, enable Limit on all requests and/or Limit on requests from one IP and set these limits for the number of requests that will be processed for this route per unit of time.

      • Optionally, in the Maximum timeout, sec. field, specify the maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.
      • Optionally, in the Idle timeout, seconds field, specify the connection idle timeout.

      Response:

      In the gRPC status code field, select the static response code for the load balancer to return:

      • OK
      • INVALID_ARGUMENT
      • NOT_FOUND
      • PERMISSION_DENIED
      • UNAUTHENTICATED
      • UNIMPLEMENTED
      • INTERNAL
      • UNAVAILABLE
  5. If you want to change the route order, click Sort and in the window that opens:

    1. Drag and drop routes to arrange them in the desired order.
    2. Click Save.

    Note

    You will be able to reorder your virtual host routes at any later time.

  6. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

With the Yandex Cloud CLI, you can add different types of routes to the virtual host:

HTTP
gRPC

Yandex Cloud CLI allows using three different commands to add HTTP routes to a virtual host:

  • yc alb virtual-host append-http-route: Adds a route to the end of the list of virtual host routes.
  • yc alb virtual-host prepend-http-route: Adds a route to the beginning of the list of virtual host routes.
  • yc alb virtual-host insert-http-route: Adds a route to a specified place in the list of virtual host routes.

append-http-route:

  1. See the description of the CLI command for adding a route to the end of the virtual host's route list:

    yc alb virtual-host append-http-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. Add the route by specifying its name and additional parameters:

    yc alb virtual-host append-http-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --match-http-method <method_1>,<method_2>,...<method_n> \
      --exact-path-match <full_path> \
      --prefix-path-match <path_prefix> \
      --regex-path-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host where the route is created.

    • --match-http-method: List of HTTP methods for which requests need to be routed, e.g., --match-http-method GET,POST,OPTIONS. This is an optional parameter. If not specified, requests with any methods will be routed.

    • Parameters with path-based routing conditions:

      • --exact-path-match: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
      • --prefix-path-match: Route requests whose path starts with the specified prefix, e.g., /myapp/.
      • --regex-path-match: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

      Note

      The --exact-path-match, --prefix-path-match, and --regex-path-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-timeout: Maximum time, in seconds, that a connection can stay open for a request.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 60s
            auto_host_rewrite: false
      - name: my-second-route
        http:
          match:
            http_method:
              - GET
              - POST
              - OPTIONS
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 2s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "10"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host append-http-route command, see the CLI reference.

prepend-http-route:

  1. See the description of the CLI command for adding a route to the beginning of the route list:

    yc alb virtual-host prepend-http-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. Add the route by specifying its name and additional parameters:

    yc alb virtual-host prepend-http-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --match-http-method <method_1>,<method_2>,...<method_n> \
      --exact-path-match <full_path> \
      --prefix-path-match <path_prefix> \
      --regex-path-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host where the route is created.

    • --match-http-method: List of HTTP methods for which requests need to be routed, e.g., --match-http-method GET,POST,OPTIONS. This is an optional parameter. If not specified, requests with any methods will be routed.

    • Parameters with path-based routing conditions:

      • --exact-path-match: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
      • --prefix-path-match: Route requests whose path starts with the specified prefix, e.g., /myapp/.
      • --regex-path-match: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

      Note

      The --exact-path-match, --prefix-path-match, and --regex-path-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-timeout: Maximum time, in seconds, that a connection can stay open for a request.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-second-route
        http:
          match:
            http_method:
              - GET
              - POST
              - OPTIONS
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 2s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "10"
        disable_security_profile: true
      - name: my-first-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 60s
            auto_host_rewrite: false
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host prepend-http-route command, see the CLI reference.

insert-http-route:

  1. See the description of the CLI command for adding a route to a specified place in the route list:

    yc alb virtual-host insert-http-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To find out the current route order in the virtual host, run the command below specifying the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 60s
            auto_host_rewrite: false
      - name: my-second-route
        http:
          match:
            http_method:
              - GET
              - POST
              - OPTIONS
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 2s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "10"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    
  5. Add the route by specifying its name and additional parameters:

    yc alb virtual-host insert-http-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --match-http-method <method_1>,<method_2>,...<method_n> \
      --exact-path-match <full_path> \
      --prefix-path-match <path_prefix> \
      --regex-path-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile \
      --before <name_of_next_route> \
      --after <name_of_previous_route>
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host where the route is created.

    • --match-http-method: List of HTTP methods for which requests need to be routed, e.g., --match-http-method GET,POST,OPTIONS. This is an optional parameter. If not specified, requests with any methods will be routed.

    • Parameters with path-based routing conditions:

      • --exact-path-match: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
      • --prefix-path-match: Route requests whose path starts with the specified prefix, e.g., /myapp/.
      • --regex-path-match: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

      Note

      The --exact-path-match, --prefix-path-match, and --regex-path-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-timeout: Maximum time, in seconds, that a connection can stay open for a request.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    • --before: Name of the route which the new route will precede in the list of all virtual host routes.
    • --after: Name of the route which the new route will follow in the list of all virtual host routes.

    Note

    The --before and --after parameters are mutually exclusive: you can use only one of them.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 60s
            auto_host_rewrite: false
      - name: my-third-route
        http:
          match:
            http_method:
              - PATCH
              - PUT
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 2s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "10"
        disable_security_profile: true
      - name: my-second-route
        http:
          match:
            http_method:
              - GET
              - POST
              - OPTIONS
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 2s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "10"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host insert-http-route command, see the CLI reference.
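
An added example, not part of the Yandex Cloud documentation: a Python audit of a virtual host's configuration that reports routes created with --disable-security-profile and routes that can never be selected because an earlier route already matches all of their requests. It assumes that routes are evaluated in list order with the first match winning, and that the JSON input uses the same field names as the YAML results above; SAMPLE_VHOST, http_predicate, covers and audit_vhost are illustrative names.

```python
import json

# Constructed sample: the virtual host from the insert-http-route result above,
# abridged to the fields the audit reads and written as JSON. Assumption:
# `yc alb virtual-host get ... --format json` uses the same field names as the
# YAML shown on the page.
SAMPLE_VHOST = json.loads("""
{
  "name": "test-virtual-host",
  "authority": ["example.com"],
  "routes": [
    {"name": "my-first-route",
     "http": {"match": {"path": {"prefix_match": "/"}},
              "route": {"backend_group_id": "ds7dnf2s5dco********"}}},
    {"name": "my-third-route",
     "http": {"match": {"http_method": ["PATCH", "PUT"],
                        "path": {"exact_match": "/"}},
              "route": {"backend_group_id": "ds7dnf2s5dco********"}},
     "disable_security_profile": true},
    {"name": "my-second-route",
     "http": {"match": {"http_method": ["GET", "POST", "OPTIONS"],
                        "path": {"exact_match": "/"}},
              "route": {"backend_group_id": "ds7dnf2s5dco********"}},
     "disable_security_profile": true}
  ],
  "route_options": {"security_profile_id": "fevu5fnuk6vf********"}
}
""")


def http_predicate(route):
    """Return (methods, kind, value) for an HTTP route, None for other types."""
    http = route.get("http")
    if http is None:
        return None
    match = http.get("match", {})
    # An empty method set means "any method", as the page states.
    methods = frozenset(match.get("http_method", []))
    path = match.get("path", {})
    for kind in ("exact_match", "prefix_match"):
        if kind in path:
            return methods, kind, path[kind]
    # Regular-expression or absent path conditions are not analysed here.
    return methods, "other", None


def covers(earlier, later):
    """True if every request matching `later` also matches `earlier`."""
    e_methods, e_kind, e_val = earlier
    l_methods, l_kind, l_val = later
    # A method-restricted earlier route only covers a later route whose
    # methods are a non-empty subset of its own.
    if e_methods and not (l_methods and l_methods <= e_methods):
        return False
    if e_kind == "exact_match":
        return l_kind == "exact_match" and l_val == e_val
    if e_kind == "prefix_match":
        return l_kind in ("exact_match", "prefix_match") and l_val.startswith(e_val)
    return False  # conservative: never claim coverage for unanalysed predicates


def audit_vhost(vhost):
    """Return (route_name, finding, detail) tuples in route order."""
    findings = []
    profile = vhost.get("route_options", {}).get("security_profile_id")
    seen = []  # (name, predicate) of HTTP routes earlier in the list
    for route in vhost.get("routes", []):
        name = route["name"]
        # The virtual host has a security profile, but this route opts out of it.
        if profile and route.get("disable_security_profile"):
            findings.append((name, "security-profile-disabled", profile))
        pred = http_predicate(route)
        if pred is None:
            continue
        # Assumption: first matching route wins, so a covered route is dead.
        for earlier_name, earlier_pred in seen:
            if covers(earlier_pred, pred):
                findings.append((name, "shadowed", earlier_name))
                break
        seen.append((name, pred))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_vhost(SAMPLE_VHOST):
        print(f"{name}: {finding} ({detail})")
```

Under the first-match assumption, both exact-match routes in the sample sit behind the catch-all prefix route, so the audit reports them as shadowed in addition to flagging that they bypass the security profile.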

Yandex Cloud CLI allows using three different commands to add gRPC routes to a virtual host:

  • yc alb virtual-host append-grpc-route: Adds a route to the end of the list of virtual host routes.
  • yc alb virtual-host prepend-grpc-route: Adds a route to the beginning of the list of virtual host routes.
  • yc alb virtual-host insert-grpc-route: Adds a route to a specified place in the list of virtual host routes.

append-grpc-route:

  1. See the description of the CLI command for adding a route to the end of the virtual host's route list:

    yc alb virtual-host append-grpc-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. Add the route by specifying its name and additional parameters:

    yc alb virtual-host append-grpc-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --exact-fqmn-match <full_FQMN> \
      --prefix-fqmn-match <FQMN_prefix> \
      --regex-fqmn-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-max-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host you are creating the route in.

    • FQMN-based routing condition parameters:

      • --exact-fqmn-match: Route requests with the same FQMN as the specified one.
      • --prefix-fqmn-match: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
      • --regex-fqmn-match: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

      Note

      The --exact-fqmn-match, --prefix-fqmn-match, and --regex-fqmn-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-max-timeout: Maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 60s
            idle_timeout: 5s
            auto_host_rewrite: false
      - name: my-second-route
        grpc:
          match:
            fqmn:
              prefix_match: helloworld/
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "4"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host append-grpc-route command, see the CLI reference.

  1. See the description of the CLI command for adding a route to the beginning of the route list:

    yc alb virtual-host prepend-grpc-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. Add the route by specifying its name and additional parameters:

    yc alb virtual-host prepend-grpc-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --exact-fqmn-match <full_FQMN> \
      --prefix-fqmn-match <FQMN_prefix> \
      --regex-fqmn-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-max-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host you are creating the route in.

    • FQMN-based routing condition parameters:

      • --exact-fqmn-match: Route requests with the same FQMN as the specified one.
      • --prefix-fqmn-match: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
      • --regex-fqmn-match: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

      Note

      The --exact-fqmn-match, --prefix-fqmn-match, and --regex-fqmn-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-max-timeout: Maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-second-route
        grpc:
          match:
            fqmn:
              prefix_match: helloworld/
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "4"
        disable_security_profile: true
      - name: my-first-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 60s
            idle_timeout: 5s
            auto_host_rewrite: false
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host prepend-grpc-route command, see the CLI reference.

  1. See the description of the CLI command for adding a route to a specified place in the route list:

    yc alb virtual-host insert-grpc-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To find out the current route order in the virtual host, run the command below specifying the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 60s
            idle_timeout: 5s
            auto_host_rewrite: false
      - name: my-second-route
        grpc:
          match:
            fqmn:
              prefix_match: helloworld/
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "4"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    
  5. Add the route by specifying its name and additional parameters:

    yc alb virtual-host insert-grpc-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --exact-fqmn-match <full_FQMN> \
      --prefix-fqmn-match <FQMN_prefix> \
      --regex-fqmn-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-max-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile \
      --before <name_of_next_route> \
      --after <name_of_previous_route>
    

    Where:

    • --http-router-name: Name of the HTTP router you are creating the route in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host you are creating the route in.

    • FQMN-based routing condition parameters:

      • --exact-fqmn-match: Route requests with the same FQMN as the specified one.
      • --prefix-fqmn-match: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
      • --regex-fqmn-match: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

      Note

      The --exact-fqmn-match, --prefix-fqmn-match, and --regex-fqmn-match parameters are mutually exclusive: you can use only one of them.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-max-timeout: Maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.

    • --request-idle-timeout: Maximum connection idle time in seconds.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

    • --before: Name of the route which the new route will precede in the list of all virtual host routes.
    • --after: Name of the route which the new route will follow in the list of all virtual host routes.

    Note

    The --before and --after parameters are mutually exclusive: you can use only one of them.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 60s
            idle_timeout: 5s
            auto_host_rewrite: false
      - name: my-third-route
        grpc:
          match:
            fqmn:
              prefix_match: myapp/
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "4"
        disable_security_profile: true
      - name: my-second-route
        grpc:
          match:
            fqmn:
              prefix_match: helloworld/
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            rate_limit:
              requests_per_ip:
                per_second: "4"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "100"
    

    For more details about the yc alb virtual-host insert-grpc-route command, see the CLI reference.
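The append, prepend, and insert commands above differ only in where the new route lands, and the Result listings show per-route settings such as disable_security_profile and rate_limit that depend on the route actually being reached. The following is an added example, not part of the Yandex Cloud documentation: it audits a virtual host description for routes that bypass the security profile, FQMN conditions without a leading slash, and routes hidden behind an earlier, broader prefix. Assumptions: the description was captured as JSON (for example with the CLI's --format json option) using the same field names as the Result listings, exact_match exists by analogy with prefix_match, the first matching route wins, and the sample data is constructed.

```python
import json

# Constructed sample shaped like the "Result" of `yc alb virtual-host get`.
# Assumption: JSON output keeps the field names shown in the YAML listings.
# IDs are placeholders, not real resource IDs.
SAMPLE_VHOST_JSON = """
{
  "name": "test-virtual-host",
  "authority": ["example.com"],
  "routes": [
    {"name": "my-first-route",
     "grpc": {"match": {"fqmn": {"prefix_match": "/"}},
              "route": {"backend_group_id": "<backend_group_ID>",
                        "max_timeout": "60s", "idle_timeout": "5s"}}},
    {"name": "my-third-route",
     "grpc": {"match": {"fqmn": {"prefix_match": "myapp/"}},
              "route": {"backend_group_id": "<backend_group_ID>",
                        "rate_limit": {"requests_per_ip": {"per_second": "4"}}}},
     "disable_security_profile": true},
    {"name": "my-second-route",
     "grpc": {"match": {"fqmn": {"prefix_match": "/helloworld"}},
              "route": {"backend_group_id": "<backend_group_ID>",
                        "rate_limit": {"requests_per_ip": {"per_second": "4"}}}}}
  ],
  "route_options": {"security_profile_id": "<security_profile_ID>"},
  "rate_limit": {"all_requests": {"per_second": "100"}}
}
"""


def fqmn_match(route):
    """Return (kind, value) of a gRPC route's FQMN condition, or (None, None).

    Only prefix_match appears on the page; exact_match and regex_match are
    assumed field names mirroring the CLI's exact/prefix/regex options.
    """
    fqmn = route.get("grpc", {}).get("match", {}).get("fqmn", {})
    for kind in ("exact_match", "prefix_match", "regex_match"):
        if kind in fqmn:
            return kind, fqmn[kind]
    return None, None


def audit_vhost(vhost):
    """Return a list of (route_name, finding) tuples in route order."""
    findings = []
    profile = vhost.get("route_options", {}).get("security_profile_id")
    earlier_prefixes = []  # (route name, prefix) of prefix routes already seen

    for route in vhost.get("routes", []):
        name = route.get("name", "<unnamed>")
        kind, value = fqmn_match(route)

        # The virtual host has a security profile, but this route opts out.
        if profile and route.get("disable_security_profile"):
            findings.append((name, "profile-bypassed"))

        if kind in ("exact_match", "prefix_match"):
            # The page warns that the FQMN must start with a slash.
            if not value.startswith("/"):
                findings.append((name, "fqmn-no-leading-slash"))

            # Assumption: first matching route wins. If an earlier prefix
            # already covers this value, this route (and its rate limit and
            # security profile settings) is never reached.
            for other, prefix in earlier_prefixes:
                if value.startswith(prefix):
                    findings.append((name, "shadowed-by:" + other))
                    break

        if kind == "prefix_match":
            earlier_prefixes.append((name, value))

    return findings


if __name__ == "__main__":
    for route_name, finding in audit_vhost(json.loads(SAMPLE_VHOST_JSON)):
        print(f"{route_name}: {finding}")
```

Regular-expression conditions are not evaluated by this check, so routes using them still need manual review of their position in the list.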

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Note

Virtual host routes will be applied to incoming requests in the same order as described in the Terraform configuration file.

  1. In the configuration file, describe the parameters of the route as a resource nested in a yandex_alb_virtual_host resource. With Terraform, you can add different types of routes to the virtual host:

    HTTP
    gRPC
    ...
    route {
      name                      = "<route_name>"
      disable_security_profile  = true|false
    
      http_route {
        http_match {
          http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
          path {
            prefix = "/<request_path_prefix>/"
            # or exact = "<request_path>"
            # or regex = "<regular_expression>"
          }
        }
    
        http_route_action {
          backend_group_id  = "<backend_group_ID>"
          host_rewrite      = "<Host_header_value>"
          timeout           = "<connection_timeout>s"
          idle_timeout      = "<idle_timeout>s"
          prefix_rewrite    = "<new_request_path_prefix>/"
          rate_limit {
            all_requests {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
            requests_per_ip {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
          }
        }
      }
    }
    ...
    

    Where:

    • route: Virtual host route description:

      • name: Route name.
      • disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
      • http_route: Route description for HTTP traffic:

        • http_match: Parameter for filtering incoming HTTP requests (optional):

          • http_method: List of HTTP methods for which requests will be routed (optional). By default, requests with any methods are routed.

          • path: Optionally, parameters for filtering the path of an incoming request:

            • exact: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
            • prefix: Route requests whose path starts with the specified prefix.
            • regex: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

            The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.

        • http_route_action: Action applied to HTTP traffic.

          • backend_group_id: ID of the backend group located in the same folder as the HTTP router and virtual host of the new route.
          • host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify the auto_host_rewrite parameter instead of the host_rewrite parameter; in this case, the Host header in the request will be automatically replaced with the address of the target VM.
          • timeout: Maximum connection time in seconds (optional). The default value is 60 seconds.
          • idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
          • prefix_rewrite: Value to replace the path or part of the path specified in the path parameter (optional).
          • rate_limit: Limits the number of requests per unit of time (optional):

            • all_requests: Limits all incoming requests (optional):

              • per_second: Maximum number of incoming requests to a route per second.
              • per_minute: Maximum number of incoming requests to a route per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

            • requests_per_ip: Limits incoming requests from a single IP address (optional):

              • per_second: Maximum number of incoming requests to a route from a single IP address per second.
              • per_minute: Maximum number of incoming requests to a route from a single IP address per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

    ...
    route {
      name                      = "<route_name>"
      disable_security_profile  = true|false
    
      grpc_route {
        grpc_match {
          fqmn {
            prefix = "/<request_FQMN_prefix>"
            # or exact = "<request_FQMN>"
            # or regex = "<regular_expression>"
          }
        }
    
        grpc_route_action {
          backend_group_id = "<backend_group_ID>"
          host_rewrite = "<Host_header_value>"
          max_timeout = "<connection_timeout>s"
          idle_timeout = "<idle_timeout>s"
          rate_limit {
            all_requests {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
            requests_per_ip {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
          }
        }
      }
    }
    ...
    

    Where:

    • route: Virtual host route description:

      • name: Route name.
      • disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
      • grpc_route: Route description for gRPC traffic:

        • grpc_match.fqmn: Parameter for filtering incoming gRPC requests by FQMN (optional):

          • exact: Route requests with the same FQMN as the specified one.
          • prefix: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
          • regex: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.

          The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.

        • grpc_route_action: Action applied to gRPC traffic.

          • backend_group_id: ID of the backend group located in the same folder as the new route's HTTP router and virtual host.
          • host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify auto_host_rewrite instead of host_rewrite, in which case the Host header in the request will be automatically replaced with the target VM address.
          • max_timeout: Maximum request timeout in seconds (optional). You can specify a shorter timeout in the grpc-timeout request HTTP header. The default value is 60 seconds.
          • idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
          • rate_limit: Limits the number of requests per unit of time (optional):

            • all_requests: Limits all incoming requests (optional):

              • per_second: Maximum number of incoming requests to a route per second.
              • per_minute: Maximum number of incoming requests to a route per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

            • requests_per_ip: Limits incoming requests from a single IP address (optional):

              • per_second: Maximum number of incoming requests to a route from a single IP address per second.
              • per_minute: Maximum number of incoming requests to a route from a single IP address per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

    Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources and their settings using the management console or this CLI command:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name>
    

    Timeouts

    The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

    Operations in excess of this time will be interrupted.

    How do I modify these limits?

    Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

    Here is an example:

    resource "yandex_alb_http_router" "<router_name>" {
      ...
      timeouts {
        create = "60m"
        update = "60m"
        delete = "60m"
      }
    }
    

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call.

Note

Virtual host routes will be applied to incoming requests in the same order as described in the request body.

Updating a route

To update a route in a virtual host of an HTTP router:

Management console
CLI
Terraform
API
  1. In the management console, select the folder you are going to update a virtual host route in.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, click HTTP routers and select the HTTP router that contains the route you need.

  4. On the page that opens, under Virtual hosts, locate the route in the virtual host section, click next to its name, and select Edit. In the window that opens, depending on the type of your route:

    HTTP
    gRPC
    1. In the Type field, select HTTP.

    2. In the Path field, select one of the options:

      • Matches: To route requests with the same path as the one specified in the text box on the right. For example, to route all requests, specify the / path.
      • Starts with: To route requests whose path begins with the prefix specified in the text box on the right.
      • Regular expression: To route requests whose path matches the RE2 regular expression specified in the text box on the right, e.g., \/[a-z]{10}[0-9]{3}.
    3. In the HTTP methods field, select the HTTP methods for which to route the requests.

    4. In the Action field, select one of the options: Routing, Forward, or Response. Depending on the selected option:

      Routing
      Forward
      Response
      • In the Backend group field, select a backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      • Optionally, in the Rewrite path or start field, specify the path the HTTP router should redirect traffic to. If you select Matches in the Path field, the path will be completely replaced. If you select Starts with, only the prefix will be changed.

      • Optionally, in the Host header rewrite field, select one of these options:

        • none: The Host header in the request does not change.
        • rewrite: The Host header is replaced with the specified value.
        • auto: The Host header in the request is automatically replaced with the target VM address.
      • Optionally, enable Limit on all requests and/or Limit on requests from one IP and set these limits for the number of requests that will be processed for this route per unit of time.

      • Optionally, in the Timeout, s field, specify the maximum connection time.

      • Optionally, in the Idle timeout, seconds field, specify the maximum connection idle timeout (keep-alive time).

      • Optionally, in the Valid values for the Upgrade header field:

        • Optionally, list the protocols the backend group can switch to within a TCP connection on client's request. To add more protocols, click Add upgrade type.
        • Optionally, enable WebSocket if you want to use the WebSocket protocol.
      • In the HTTP status code field, select the HTTP forwarding status code:

        • 301 Moved Permanently
        • 302 Found
        • 303 See Other
        • 307 Temporary Redirect
        • 308 Permanent Redirect
      • Optionally, enable Rewrite path or start and specify the modification type of the path the HTTP router should redirect traffic to:

        • Entire path: To completely replace the request path with the value set in the field on the right.
        • Start: To replace the request path prefix with the value set in the field on the right.

        Note

        If you select Matches in the Path field above, the path will be completely replaced, even with Start selected in the Rewrite path or start field.

      • Optionally, enable Delete query parameters to remove all query parameters from requests.

      • Optionally, enable Replace scheme to replace the scheme found in requests with the one specified in the field on the right.

        If the original URI uses the http (https) scheme and port 80 (443), changing the scheme will delete the port.

      • Optionally, enable Replace host and specify the new host in the field on the right.

      • Optionally, enable Replace port and specify the new port in the field on the right.

      • In the HTTP status code field, select the static response code to return.

      • In the Response body field, set the static response body to return. To do this, click Select and in the window that opens:

        • In the Method field, select:

          • File: To select a text file containing the response body.
          • Text: To enter the response text in the relevant text box.
        • Click Add.
    1. In the Type field, select gRPC.

    2. In the FQMN field, select one of the options:

      • Matches: To route requests whose FQMN matches the FQMN specified in the text box on the right.
      • Starts with: To route requests whose FQMN begins with the prefix specified in the text box on the right. For example, you can specify the first word of the service name: /helloworld.
      • Regular expression: To route requests whose FQMN matches the RE2 regular expression specified in the text box on the right.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

    3. In the Action field, select one of the options: Routing or Response. Depending on the selected option:

      Routing
      Response
      • In the Backend group field, select a backend group located in the same folder as the HTTP router and virtual host for which you are creating the new route.

      • Optionally, in the Host header rewrite field, select one of these options:

        • none: The Host header in the request does not change.
        • rewrite: The Host header is replaced with the specified value.
        • auto: The Host header in the request is automatically replaced with the target VM address.
      • Optionally, enable Limit on all requests and/or Limit on requests from one IP and set these limits for the number of requests that will be processed for this route per unit of time.

      • Optionally, in the Maximum timeout, sec. field, specify the maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.
      • Optionally, in the Idle timeout, seconds field, specify the connection idle timeout.

      In the gRPC status code field, select the static response code for the load balancer to return:

      • OK
      • INVALID_ARGUMENT
      • NOT_FOUND
      • PERMISSION_DENIED
      • UNAUTHENTICATED
      • UNIMPLEMENTED
      • INTERNAL
      • UNAVAILABLE
  5. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

With the Yandex Cloud CLI, you can update different types of routes in the virtual host:

HTTP
gRPC
  1. See the description of the CLI command for updating a virtual host route:

    yc alb virtual-host update-http-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To get a list of a virtual host's routes, run this command by substituting the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        http:
          match:
            path:
              prefix_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 60s
            auto_host_rewrite: false
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    
  5. Update the route by specifying its name and additional parameters:

    yc alb virtual-host update-http-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --match-http-method <method_1>,<method_2>,...<method_n> \
      --exact-path-match <full_path> \
      --prefix-path-match <path_prefix> \
      --regex-path-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router the route is in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host the route is in.

    • --match-http-method: List of HTTP methods for which requests need to be routed, e.g., --match-http-method GET,POST,OPTIONS.

      To clear the list of HTTP methods set for the route, provide the --clear-method-match parameter in the command.

    • Path-based routing condition parameters:

      • --exact-path-match: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
      • --prefix-path-match: Route requests whose path starts with the specified prefix, e.g., /myapp/.
      • --regex-path-match: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

      Note

      The --exact-path-match, --prefix-path-match, and --regex-path-match parameters are mutually exclusive: you can use only one of them.

      To clear the path-based routing conditions set for the route, provide the --clear-path-match parameter in the command.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router, virtual host, and route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-timeout: Maximum connection time for a request, in seconds.

      To clear the request timeout set for the route, provide the --clear-request-timeout parameter in the command.

    • --request-idle-timeout: Maximum connection idle time in seconds.

      To clear the idle timeout set for the route, provide the --clear-idle-timeout parameter in the command.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

      To clear the route's request rate limit settings, provide the --clear-rate-limit parameter in the command.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

      To re-enable the security profile previously disabled for the route, provide the --disable-security-profile=false parameter in the command.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        http:
          match:
            http_method:
              - POST
              - PATCH
            path:
              exact_match: /
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 12s
            idle_timeout: 6s
            host_rewrite: myapp
            prefix_rewrite: yourapp/
            rate_limit:
              requests_per_ip:
                per_second: "5"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    

    For more details about the yc alb virtual-host update-http-route command, see the CLI reference.

  1. See the description of the CLI command for updating a virtual host route:

    yc alb virtual-host update-grpc-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To get a list of a virtual host's routes, run this command by substituting the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            host_rewrite: myapp
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_second: "6"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    
  5. Update the route by specifying its name and additional parameters:

    yc alb virtual-host update-grpc-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name> \
      --exact-fqmn-match <full_FQMN> \
      --prefix-fqmn-match <FQMN_prefix> \
      --regex-fqmn-match <regular_expression> \
      --backend-group-name <backend_group_name> \
      --request-max-timeout <request_timeout>s \
      --request-idle-timeout <request_idle_timeout>s \
      --rate-limit rps=<request_limit>,requests-per-ip \
      --disable-security-profile
    

    Where:

    • --http-router-name: Name of the HTTP router the route is in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host the route is in.

    • Parameters of routing conditions based on FQMN:

      • --exact-fqmn-match: Route requests with the same FQMN as the specified one.
      • --prefix-fqmn-match: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
      • --regex-fqmn-match: Route requests whose FQMN matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}.

      Warning

      The FQMN must start with a slash / and contain a part of the service name where your procedure call is redirected.

      Note

      The --exact-fqmn-match, --prefix-fqmn-match, and --regex-fqmn-match parameters are mutually exclusive: you can use only one of them.

      To clear the FQMN-based routing conditions set for the route, provide the --clear-fqmn-match parameter in the command.

    • --backend-group-name: Name of the backend group located in the same folder as the HTTP router, virtual host, and route.

      Instead of the backend group name, you can provide its ID in the --backend-group-id parameter.

    • --request-max-timeout: Maximum connection time. You can specify a shorter timeout in the grpc-timeout request HTTP header.

      To clear the connection timeout set for the route, provide the --clear-max-timeout parameter in the command.

    • --request-idle-timeout: Maximum connection idle time in seconds.

      To clear the idle timeout set for the route, provide the --clear-idle-timeout parameter in the command.

    • --rate-limit: Request rate limit. Available properties:

      • rps or rpm: Number of incoming requests per second or per minute.
      • all-requests: Limits all incoming requests.
      • requests-per-ip: Limits requests per client IP address.

      You can configure only one type of rate limit per route, either all-requests or requests-per-ip.

      This is an optional parameter; if not specified, no rate limiting is applied.

      To clear the route's request rate limit settings, provide the --clear-rate-limit parameter in the command.

    • --disable-security-profile: Parameter that disables the use of the virtual host’s Yandex Smart Web Security profile for the route. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles. This is an optional parameter. By default, the security profile associated with a virtual host applies to all routes you create.

      To re-enable the security profile previously disabled for the route, provide the --disable-security-profile=false parameter in the command.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-route
        grpc:
          match:
            fqmn:
              exact_match: /myapp
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 12s
            idle_timeout: 6s
            host_rewrite: myapp
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_second: "6"
        disable_security_profile: true
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    

    For more details about the yc alb virtual-host update-grpc-route command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, update the parameters of the route as a resource nested in a yandex_alb_virtual_host resource. With Terraform, you can update different types of routes in the virtual host:

    HTTP
    gRPC
    ...
    route {
      name                      = "<route_name>"
      disable_security_profile  = true|false
    
      http_route {
        http_match {
          http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
          path {
            prefix = "/<request_path_prefix>/"
            # or exact = "<request_path>"
            # or regex = "<regular_expression>"
          }
        }
    
        http_route_action {
          backend_group_id  = "<backend_group_ID>"
          host_rewrite      = "<Host_header_value>"
          timeout           = "<connection_timeout>s"
          idle_timeout      = "<idle_timeout>s"
          prefix_rewrite    = "<new_request_path_prefix>/"
          rate_limit {
            all_requests {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
            requests_per_ip {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
          }
        }
      }
    }
    ...
    

    Where:

    • route: Virtual host route description:

      • name: Route name.
      • disable_security_profile: Disabling the Yandex Smart Web Security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
      • http_route: Route description for HTTP traffic:

        • http_match: Parameter for filtering incoming HTTP requests (optional):

          • http_method: List of HTTP methods for which requests will be routed (optional). By default, requests with any methods are routed.

          • path: Optionally, parameters for filtering the path of an incoming request:

            • exact: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
            • prefix: Route requests whose path starts with the specified prefix.
            • regex: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.

            The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.

        • http_route_action: Action applied to HTTP traffic.

          • backend_group_id: ID of the backend group located in the same folder as the HTTP router and virtual host of the new route.
          • host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify auto_host_rewrite instead of host_rewrite, in which case the Host header in the request will be automatically replaced with the target VM address.
          • timeout: Maximum connection time in seconds (optional). The default value is 60 seconds.
          • idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
          • prefix_rewrite: Value to replace the path or part of the path specified in the path parameter (optional).
          • rate_limit: Limits the number of requests per unit of time (optional):

            • all_requests: Limits all incoming requests (optional):

              • per_second: Maximum number of incoming requests to a route per second.
              • per_minute: Maximum number of incoming requests to a route per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

            • requests_per_ip: Limits incoming requests from a single IP address (optional):

              • per_second: Maximum number of incoming requests to a route from a single IP address per second.
              • per_minute: Maximum number of incoming requests to a route from a single IP address per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

    ...
    route {
      name                      = "<route_name>"
      disable_security_profile  = true|false
    
      grpc_route {
        grpc_match {
          fqmn {
            prefix = "/<request_FQMN_prefix>"
            # or exact = "<request_FQMN>"
            # or regex = "<regular_expression>"
          }
        }
    
        grpc_route_action {
          backend_group_id = "<backend_group_ID>"
          host_rewrite = "<Host_header_value>"
          max_timeout = "<connection_timeout>s"
          idle_timeout = "<idle_timeout>s"
          rate_limit {
            all_requests {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
            requests_per_ip {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
          }
        }
      }
    }
    ...
    

    Where:

    • route: Virtual host route description:

      • name: Route name.
      • disable_security_profile: Disabling the Yandex Smart Web Security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
      • grpc_route: Route description for gRPC traffic:

        • grpc_match.fqmn: Parameter for filtering incoming gRPC requests by FQMN (optional):

          • exact: Route requests with the same FQMN as the specified one.
          • prefix: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
          • regex: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.

          The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.

        • grpc_route_action: Action applied to gRPC traffic.

          • backend_group_id: ID of the backend group located in the same folder as the new route's HTTP router and virtual host.
          • host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify auto_host_rewrite instead of host_rewrite, in which case the Host header in the request will be automatically replaced with the target VM address.
          • max_timeout: Maximum request timeout in seconds (optional). You can specify a shorter timeout in the grpc-timeout request HTTP header. The default value is 60 seconds.
          • idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
          • rate_limit: Limits the number of requests per unit of time (optional):

            • all_requests: Limits all incoming requests (optional):

              • per_second: Maximum number of incoming requests to a route per second.
              • per_minute: Maximum number of incoming requests to a route per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

            • requests_per_ip: Limits incoming requests from a single IP address (optional):

              • per_second: Maximum number of incoming requests to a route from a single IP address per second.
              • per_minute: Maximum number of incoming requests to a route from a single IP address per minute.

              The per_second and per_minute parameters are mutually exclusive: you can use only one of them.

    Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.

  2. Update the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources, their updates, and settings using the management console or this CLI command:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name>
    

    Timeouts

    The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

    Operations in excess of this time will be interrupted.

    How do I modify these limits?

    Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

    Here is an example:

    resource "yandex_alb_http_router" "<router_name>" {
      ...
      timeouts {
        create = "60m"
        update = "60m"
        delete = "60m"
      }
    }
    

Use the updateRoute REST API method for the VirtualHost resource or the VirtualHostService/UpdateRoute gRPC API call.

Changing route order

To reorder routes in a virtual host of an HTTP router:

Management console
CLI
Terraform
API
  1. In the management console, select the folder in which you are going to reorder virtual host routes.

  2. In the list of services, select Application Load Balancer.

  3. In the left-hand panel, click HTTP routers and select the HTTP router that contains the virtual host.

  4. On the page that opens, under Virtual hosts, click next to the virtual host and select Edit.

  5. If you want to change the route order, click Sort and in the window that opens:

    1. Drag and drop routes to arrange them in the desired order.
    2. Click Save.
  6. Click Save.

The Yandex Cloud CLI currently does not have a dedicated command for reordering routes in a virtual host.

To reorder routes via the CLI, follow these steps:

  1. Delete the route in question from the virtual host.
  2. Add the route again to the appropriate place in the route list.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Note

Virtual host routes will be applied to incoming requests in the same order as described in the Terraform configuration file.

  1. In the configuration file, reorder the routes as resources nested in a yandex_alb_virtual_host resource.

    Example of a virtual host configuration:
    resource "yandex_alb_virtual_host" "my-virtual-host" {
      name           = "test-virtual-host"
      http_router_id = "ds76j5n6a39g********"
    
      rate_limit {
        all_requests {
          per_second = 5
        }
        requests_per_ip {
          per_second = 3
        }
      }
    
      route {
        name = "my-first-http-route"
        disable_security_profile = false
    
        http_route {
          http_match {
            http_method = ["GET","POST"]
            path {
              prefix = "/myapp/"
            }
          }
    
          http_route_action {
            backend_group_id = "ds7dnf2s5dco********"
            host_rewrite = "myapp"
            idle_timeout = "3s"
            prefix_rewrite = "/yourapp/"
            rate_limit {
              all_requests {
                per_second = 12
              }
              requests_per_ip {
                per_minute = 120
              }
            }
            timeout = "10s"
          }
        }
      }
    
      route {
        name = "my-first-grpc-route"
        disable_security_profile = false
    
        grpc_route {
          grpc_match {
            fqmn {
              prefix = "/"
            }
          }
    
          grpc_route_action {
            backend_group_id = "ds7dq9nsrgpc********"
            host_rewrite = "myapp"
            idle_timeout = "5s"
            max_timeout = "10s"
            rate_limit {
              all_requests {
                per_minute = 0
                per_second = 12
              }
              requests_per_ip {
                per_minute = 0
                per_second = 6
              }
            }
          }
        }
      }
    
      authority        = ["example.com"]
    
      modify_request_headers {
        name           = "Accept-Language"
        append         = "ru-RU"
      }
    
      modify_response_headers {
        name           = "Accept-Language"
        append         = "ru-RU"
      }
    
      route_options {
        security_profile_id = "fevu5fnuk6vf********"
      }
    }
    

    Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.

  2. Update the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources as well as their order and settings using the management console or this CLI command:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name>
    

    Timeouts

    The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

    Operations in excess of this time will be interrupted.

    How do I modify these limits?

    Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

    Here is an example:

    resource "yandex_alb_http_router" "<router_name>" {
      ...
      timeouts {
        create = "60m"
        update = "60m"
        delete = "60m"
      }
    }
    

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call.

Note

Virtual host routes will be applied to incoming requests in the same order as described in the request body.

Modifying HTTP request parameters

Virtual host routes in Yandex Application Load Balancer HTTP routers allow you to modify HTTP request parameters as needed by replacing the request parts matching RE2 regular expressions with other values.

For example, such modifications may be of use for API versioning, microservice routing, backward compatibility, URL normalization, as well as A/B testing and canary releases.

To modify HTTP request parameters, you can use Yandex Cloud CLI, Terraform, or API.

Example of modifying HTTP request parameters

As an example, consider a scenario that may arise from implementing a new API version in the service. Let's assume that initially, the only API version offered by the service was available at /api/users. After introducing the new API version (v2), the new interface should be available at /api/v2/users, and the old one, at /api/v1/users.

Requests targeting the new API go straight to /api/v2/users, and it is enough to configure a standard routing rule to send them to the api-v2-backend group with the new API.

Requests to the old API continue to arrive at /api/users. In this case, you can replace this address in the requests with /api/v1/users by modifying the HTTP request parameters in the route settings.

CLI
Terraform
API

To modify the HTTP request parameters in a virtual host route, specify the required replacement settings in the --path-regex-rewrite parameter when creating or updating an HTTP route. The following example shows how to configure request modification when creating a route:

yc alb virtual-host append-http-route <route_name> \
--virtual-host-name <virtual_host_name> \
--http-router-name <HTTP_router_name> \
--backend-group-name api-v1-backend \
--prefix-path-match '/api/users/' \
--path-regex-rewrite 'regex=^/api/users/(.*),substitute=/api/v1/users/\\1'

Where:

  • --backend-group-name: Name of the backend group serving the old API.

  • --prefix-path-match: Filter specifying the path prefix to select requests for the route you are creating.

  • --path-regex-rewrite: Specifies how to replace parts of the HTTP request path:

    • regex: Regular expression in RE2 syntax; a request path that matches it is modified. In this example, the regular expression describes a path that begins with the /api/users/ prefix, followed by any number of any characters (or nothing). Everything that follows the prefix is saved in a capture group.
    • substitute: String that will replace the path matching the regular expression specified in regex. In the example above, the path will be replaced with a string consisting of the /api/v1/users/ prefix and the contents of the capture group saved by the regular expression.

    Note

    The --path-regex-rewrite and --path-prefix-rewrite parameters are mutually exclusive: you can use only one of them.

Result:

name: my-virtual-host
routes:
  - name: my-http-route
    http:
      match:
        path:
          prefix_match: /api/users/
      route:
        backend_group_id: ds7m9iupbcaq********
        regex_rewrite:
          regex: ^/api/users/(.*)
          substitute: /api/v1/users/\\1

For more details about the yc alb virtual-host append-http-route command, see the CLI reference.

  1. To modify the HTTP request parameters, in the Terraform configuration file, provide regex_rewrite in the HTTP route resource settings nested within a yandex_alb_virtual_host resource:

    ...
    route {
      name                      = "<route_name>"
      disable_security_profile  = true|false
    
      http_route {
        http_match {
          http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
          path {
            prefix = "/api/users/"
            # or exact = "<request_path>"
            # or regex = "<regular_expression>"
          }
        }
    
        http_route_action {
          backend_group_id  = "ds7m9iupbcaq********"
          host_rewrite      = "<Host_header_value>"
          timeout           = "<connection_timeout>s"
          idle_timeout      = "<idle_timeout>s"
          regex_rewrite {
            regex      = "^/api/users/(.*)"
            substitute = "/api/v1/users/\\1"
          }
          rate_limit {
            all_requests {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
            requests_per_ip {
              per_second = <requests_per_second>
              # or per_minute = <requests_per_minute>
            }
          }
        }
      }
    }
    ...
    

    Where:

    • route: Virtual host route description:

      • http_route: Route description for HTTP traffic:

        • path: Parameter for filtering the incoming request path:

          • prefix: Filter specifying the path prefix to match requests for the route you are creating.
      • http_route_action: Action to apply to HTTP traffic.

        • backend_group_id: ID of the backend group serving the old API.

        • regex_rewrite: Specifies how to replace parts of the HTTP request path:

          • regex: Regular expression in RE2 syntax; a request path that matches it is modified. In this example, the regular expression describes a path that begins with the /api/users/ prefix, followed by any number of any characters (or nothing). Everything that follows the prefix is saved in a capture group.
          • substitute: String that will replace the path matching the regular expression specified in regex. In the example above, the path will be replaced with a string consisting of the /api/v1/users/ prefix and the contents of the capture group saved by the regular expression.

        Note

        The regex_rewrite and prefix_rewrite parameters are mutually exclusive: you can use only one of them.

      Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.

  2. Create or update the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources, their updates, and settings using the management console or this CLI command:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name>
    

To modify the HTTP request parameters in a virtual host route, specify the required replacement settings in the regexRewrite (for REST API) or regex_rewrite (for gRPC API) fields when creating or updating the HTTP route.

Note

The regexRewrite and prefixRewrite parameters are mutually exclusive, so you can specify only one of them.
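The rewrite from this section can be checked offline before it is applied. The following is an added example, not part of the Yandex Cloud documentation: it models the route's path prefix predicate and regex_rewrite in Python and reports paths that a route selects but does not rewrite. Assumptions: Python's re module stands in for RE2 (the pattern used here behaves the same in both), the route names and sample paths are constructed, and a selected path that the regex does not match is forwarded unchanged.

```python
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    name: str                         # constructed route name
    backend: str                      # backend group name from the scenario
    prefix: str                       # path prefix predicate of the route
    regex: Optional[str] = None       # regex_rewrite.regex
    substitute: Optional[str] = None  # regex_rewrite.substitute (\1 = first group)


class Decision(NamedTuple):
    route: Optional[str]
    backend: Optional[str]
    upstream_path: Optional[str]
    rewritten: bool


def forward(routes: List[Route], path: str) -> Decision:
    """Try routes in the order listed; the first matching prefix wins."""
    for r in routes:
        if not path.startswith(r.prefix):
            continue
        if r.regex is None:
            return Decision(r.name, r.backend, path, False)
        # Assumption: a path the regex does not match is forwarded unchanged.
        new_path, n = re.subn(r.regex, r.substitute, path, count=1)
        return Decision(r.name, r.backend, new_path, n == 1)
    return Decision(None, None, None, False)


def selected_but_not_rewritten(routes: List[Route], paths: List[str]) -> List[str]:
    """Paths picked up by a rewrite route whose regex then fails to match."""
    has_rewrite = {r.name for r in routes if r.regex is not None}
    flagged = []
    for p in paths:
        d = forward(routes, p)
        if d.route in has_rewrite and not d.rewritten:
            flagged.append(p)
    return flagged


V2 = Route("api-v2", "api-v2-backend", "/api/v2/users/")
# Values from this section: prefix /api/users/, regex ^/api/users/(.*).
V1_PAGE = Route("api-v1", "api-v1-backend", "/api/users/",
                r"^/api/users/(.*)", r"/api/v1/users/\1")
# Constructed variant: prefix without the trailing slash, same regex.
V1_LOOSE = V1_PAGE._replace(prefix="/api/users")

PAGE_ROUTES = [V2, V1_PAGE]
LOOSE_ROUTES = [V2, V1_LOOSE]

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/api/users/42",
    "/api/users/",
    "/api/users/42/orders",
    "/api/v2/users/42",
    "/api/users",
    "/api/users-export",
]

if __name__ == "__main__":
    for label, routes in (("page", PAGE_ROUTES), ("loose", LOOSE_ROUTES)):
        print(f"--- {label} prefix ---")
        for p in SAMPLE_PATHS:
            d = forward(routes, p)
            print(f"{p:24} -> {d.backend} {d.upstream_path} rewritten={d.rewritten}")
        print("selected but not rewritten:", selected_but_not_rewritten(routes, SAMPLE_PATHS))
```

With the prefix /api/users/ used in this section, a request to exactly /api/users selects no route in this model. With the looser prefix /api/users, the same request is selected but reaches api-v1-backend with its path unchanged.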

Deleting a route

To delete a route from a virtual host of an HTTP router:

Management console
CLI
Terraform
API
  1. In the management console, select the folder to delete a virtual host route from.
  2. In the list of services, select Application Load Balancer.
  3. In the left-hand panel, click HTTP routers and select the HTTP router that contains the route you need.
  4. On the page that opens, under Virtual hosts, locate the route in the virtual host section, click the icon next to its name, and select Delete.
  5. In the window that opens, confirm the deletion.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

With the Yandex Cloud CLI, you can delete different types of routes from a virtual host:

HTTP
gRPC
  1. See the description of the CLI command for deleting a virtual host route:

    yc alb virtual-host remove-http-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To get a list of a virtual host's routes, run this command by substituting the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-http-route
        http:
          match:
            http_method:
              - GET
              - POST
            path:
              prefix_match: myapp/
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 10s
            idle_timeout: 3s
            host_rewrite: myapp
            prefix_rewrite: yourapp/
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_minute: "120"
      - name: my-first-grpc-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            host_rewrite: myapp
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_second: "6"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    
  5. Delete a route by specifying its name, virtual host details, and HTTP router details:

    yc alb virtual-host remove-http-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name>
    

    Where:

    • --http-router-name: Name of the HTTP router the route is in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host the route is in.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-grpc-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            host_rewrite: myapp
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_second: "6"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    

    For more details about the yc alb virtual-host remove-http-route command, see the CLI reference.

  1. See the description of the CLI command for deleting a virtual host route:

    yc alb virtual-host remove-grpc-route --help
    
  2. View the list of HTTP routers in the default folder:

    yc alb http-router list
    

    Result:

    +----------------------+--------------------+-------------+-------------+
    |          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
    +----------------------+--------------------+-------------+-------------+
    | ds76j5n6a39g******** | sample-http-router |           1 |           2 |
    | ds76jk27sdf3******** | new-http-router    |           2 |           7 |
    +----------------------+--------------------+-------------+-------------+
    
  3. View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

    yc alb virtual-host list \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    

    Result:

    +-------------------+-------------+-------------+----------------------+
    |        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
    +-------------------+-------------+-------------+----------------------+
    | my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
    | test-virtual-host | example.com |           2 | fevug3d25bv6******** |
    +-------------------+-------------+-------------+----------------------+
    
  4. To get a list of a virtual host's routes, run this command by substituting the virtual host name and the HTTP router name or ID in the --http-router-name or --http-router-id parameter, respectively:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name> \
      --http-router-id <HTTP_router_ID>
    
    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-http-route
        http:
          match:
            http_method:
              - GET
              - POST
            path:
              prefix_match: myapp/
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 10s
            idle_timeout: 3s
            host_rewrite: myapp
            prefix_rewrite: yourapp/
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_minute: "120"
      - name: my-first-grpc-route
        grpc:
          match:
            fqmn:
              prefix_match: /
          route:
            backend_group_id: ds7dq9nsrgpc********
            max_timeout: 10s
            idle_timeout: 5s
            host_rewrite: myapp
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_second: "6"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    
  5. Delete a route by specifying its name, virtual host details, and HTTP router details:

    yc alb virtual-host remove-grpc-route <route_name> \
      --http-router-name <HTTP_router_name> \
      --virtual-host-name <virtual_host_name>
    

    Where:

    • --http-router-name: Name of the HTTP router the route is in.

      Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

    • --virtual-host-name: Name of the virtual host the route is in.

    Result:
    name: test-virtual-host
    authority:
      - example.com
    routes:
      - name: my-first-http-route
        http:
          match:
            http_method:
              - GET
              - POST
            path:
              prefix_match: myapp/
          route:
            backend_group_id: ds7dnf2s5dco********
            timeout: 10s
            idle_timeout: 3s
            host_rewrite: myapp
            prefix_rewrite: yourapp/
            rate_limit:
              all_requests:
                per_second: "12"
              requests_per_ip:
                per_minute: "120"
    modify_request_headers:
      - name: Accept-Language
        append: ru-RU
    modify_response_headers:
      - name: Accept-Language
        append: ru-RU
    route_options:
      security_profile_id: fevu5fnuk6vf********
    rate_limit:
      all_requests:
        per_second: "5"
      requests_per_ip:
        per_second: "3"
    

    For more details about the yc alb virtual-host remove-grpc-route command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, delete the description of the route nested in the yandex_alb_virtual_host resource.

    Example of a virtual host configuration:
    resource "yandex_alb_virtual_host" "my-virtual-host" {
      name           = "test-virtual-host"
      http_router_id = "ds76j5n6a39g********"
    
      rate_limit {
        all_requests {
          per_second = 5
        }
        requests_per_ip {
          per_second = 3
        }
      }
    
      route {
        name = "my-first-http-route"
        disable_security_profile = false
    
        http_route {
          http_match {
            http_method = ["GET","POST"]
            path {
              prefix = "/myapp/"
            }
          }
    
          http_route_action {
            backend_group_id = "ds7dnf2s5dco********"
            host_rewrite = "myapp"
            idle_timeout = "3s"
            prefix_rewrite = "/yourapp/"
            rate_limit {
              all_requests {
                per_second = 12
              }
              requests_per_ip {
                per_minute = 120
              }
            }
            timeout = "10s"
          }
        }
      }
    
      route {
        name = "my-first-grpc-route"
        disable_security_profile = false
    
        grpc_route {
          grpc_match {
            fqmn {
              prefix = "/"
            }
          }
    
          grpc_route_action {
            backend_group_id = "ds7dq9nsrgpc********"
            host_rewrite = "myapp"
            idle_timeout = "5s"
            max_timeout = "10s"
            rate_limit {
              all_requests {
                per_minute = 0
                per_second = 12
              }
              requests_per_ip {
                per_minute = 0
                per_second = 6
              }
            }
          }
        }
      }
    
      authority        = ["example.com"]
    
      modify_request_headers {
        name           = "Accept-Language"
        append         = "ru-RU"
      }
    
      modify_response_headers {
        name           = "Accept-Language"
        append         = "ru-RU"
      }
    
      route_options {
        security_profile_id = "fevu5fnuk6vf********"
      }
    }
    

    Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.

  2. Update the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources, their deletion status, and settings using the management console or this CLI command:

    yc alb virtual-host get <virtual_host_name> \
      --http-router-name <HTTP_router_name>
    

    Timeouts

    The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

    Operations in excess of this time will be interrupted.

    How do I modify these limits?

    Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

    Here is an example:

    resource "yandex_alb_http_router" "<router_name>" {
      ...
      timeouts {
        create = "60m"
        update = "60m"
        delete = "60m"
      }
    }
    

Use the removeRoute REST API method for the VirtualHost resource or the VirtualHostService/RemoveRoute gRPC API call.
