Managing virtual hosts

Written by

Improved by

Updated at January 13, 2026

Creating a virtual host
Updating a virtual host
Deleting a virtual host

Virtual hosts within HTTP routers consolidate routes belonging to the same set of domains, i.e., the Host (:authority) header values of an HTTP request. On an incoming request, the load balancer checks route predicates one by one and selects the first one matching the request.

Creating a virtual host

To create a virtual host:

Management console

CLI

Terraform

API

In the management console, select the folder where you are going to create a virtual host.
Go to Application Load Balancer.
In the left-hand panel, click HTTP routers and select the HTTP router you are going to create a virtual host in.

Create a new HTTP router if needed.
In the top panel, click Create virtual host and in the window that opens:
1. In the Name field, enter a name for the new virtual host. Follow these naming requirements:
  - It must be from 2 to 63 characters long.
  - It can only contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
2. In the Authority field, specify:
  - For HTTP traffic, the value of the Host header for HTTP/1.1 or the :authority pseudo-header for HTTP/2 that will be used to select this virtual host.
  - For gRPC traffic, * or the IP address of the load balancer.
  If needed, use the Add host button to assign additional Authority values to the virtual host.
  
  If Authority is not specified, all traffic will be routed to this virtual host (same as *).
3. Optionally, in the Security profile field, select a Yandex Smart Web Security security profile. A security profile allows you to filter incoming requests and enable WAF for protection against malicious activities. For more information, see Security profiles.
4. Optionally, enable Limit on all requests and/or Limit on requests from one IP and set the limits for the number of requests the virtual host will be processing per unit of time.
5. Optionally, expand DNS settings for internal addresses and click Add record.
  - In the Type field, select where you want to modify the header:
    - Request: To modify incoming request headers, from client to load balancer.
    - Response: To modify outgoing response headers, from backend to external client.
  - In the Header name field, give the header a name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - In the Operation field, select an action:
    - append: To add a string to the header value. Specify the string in the field on the right.
    - replace: To completely replace the header value. Specify the new header value in the field on the right.
    - remove: To delete the header. Both the header value and the header itself will be removed.
    - rename: To change the header name. Specify the new header name in the field on the right. The header value will not change.
  If required, click Change header to add new rows if you need to modify multiple headers at once.
6. Optionally, create the necessary routes for your new virtual host's traffic.
7. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

See the description of the CLI command for creating a virtual host:
```
yc alb virtual-host create --help
```

View the list of HTTP routers in the default folder:

yc alb http-router list

Result:

+----------------------+--------------------+-------------+-------------+
|          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
+----------------------+--------------------+-------------+-------------+
| ds76j5n6a39g******** | sample-http-router |           1 |           2 |
| ds76jk27sdf3******** | new-http-router    |           2 |           7 |
+----------------------+--------------------+-------------+-------------+

Create a virtual host by specifying its name and these settings:
```
yc alb virtual-host create <virtual_host_name> \
  --http-router-name <HTTP_router_name> \
  --authority <domain_1>,<domain_2>,...,<domain_n> \
  --modify-request-header name=Accept-Language,append=ru-RU \
  --modify-response-header name=Accept-Charset,replace=utf-8 \
  --rate-limit rps=100,all-requests \
  --security-profile-id <security_profile_ID>
```
Where:
- --http-router-name: HTTP router name.
  
  Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
- --authority: List of domains for the Host header (HTTP/1.1) or the authority pseudo-header (HTTP/2) associated with this virtual host, comma-separated. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify the load balancer's IP address.
  
  This is an optional parameter. If not specified, all traffic will be routed to this virtual host.
- --modify-request-header: Request HTTP header modification settings in <property>=<value> format. Available properties:
  - name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - append: Add a row to the current header value.
  - replace: Completely replace the current header value.
  - rename: Change the header name. The header value will not change.
  - remove: Delete the header. Both the header value and the header itself will be removed.
  To modify multiple HTTP headers in a request, include --modify-request-header as many times as needed.
  
  This is an optional parameter; if omitted, request headers go to the backend unchanged.
- --modify-response-header: Response HTTP header modification settings in <property>=<value> format. Available properties:
  - name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - append: Add a row to the current header value.
  - replace: Completely replace the current header value.
  - rename: Change the header name. The header value will not change.
  - remove: Delete the header. Both the header value and the header itself will be removed.
  To modify multiple HTTP headers in a response, include --modify-response-header as many times as needed.
  
  This is an optional parameter; if omitted, response headers go to the client unchanged.
- --rate-limit: Request rate limit. Available properties:
  - rps or rpm: Number of incoming requests per second or per minute.
  - all-requests: Limits all incoming requests.
  - requests-per-ip: Limits requests per client IP address.
  You can configure only one type of rate limit per virtual host, either all-requests or requests-per-ip.
  
  This is an optional parameter; if not specified, no rate limiting is applied.
- --security-profile-id: Yandex Smart Web Security security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activities. For more information, see Security profiles. This is an optional parameter.
Result:
```
name: test-virtual-host
authority:
  - example.com
  - example.org
modify_request_headers:
  - name: Accept-Language
    append: ru-RU
  - name: Accept-Charset
    replace: utf-8
route_options:
  security_profile_id: fevu5fnuk6vf********
rate_limit:
  all_requests:
    per_second: "100"
```

For more information about the alb virtual-host create command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Describe the virtual host parameters in the configuration file. With Terraform, you can create virtual hosts with different route types:
HTTP

gRPC
```
resource "yandex_alb_virtual_host" "my-virtual-host" {
  name           = "<virtual_host_name>"
  http_router_id = "<HTTP_router_ID>"

  rate_limit {
    all_requests {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
    requests_per_ip {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
  }

  route {
    name                      = "<route_name>"
    disable_security_profile  = true|false

    http_route {
      http_match {
        http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
        path {
          prefix = "/<request_path_prefix>/"
          # or exact = "<request_path>"
          # or regex = "<regular_expression>"
        }
      }

      http_route_action {
        backend_group_id  = "<backend_group_ID>"
        host_rewrite      = "<Host_header_value>"
        timeout           = "<connection_timeout>s"
        idle_timeout      = "<idle_timeout>s"
        prefix_rewrite    = "<new_request_path_prefix>/"
        rate_limit {
          all_requests {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
          requests_per_ip {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
        }
      }
    }
  }

  authority        = ["<domain_1>","<domain_2>",...,"<domain_n>"]

  modify_request_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  modify_response_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  route_options {
    security_profile_id = "<security_profile_ID>"
  }
}
```
Where:
- yandex_alb_virtual_host: Virtual host description:
  - name: Virtual host name. Follow these naming requirements:
    
    It must be from 2 to 63 characters long.
    
    It can only contain lowercase Latin letters, numbers, and hyphens.
    
    It must start with a letter and cannot end with a hyphen.
  - http_router_id: HTTP router ID.
  - rate_limit: Request rate limit for the entire virtual host (optional).
    
    all_requests: Limit on all requests per second or per minute (optional):
    
    per_second: Maximum number of incoming requests to the virtual host per second.
    
    per_minute: Maximum number of incoming requests to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Additionally limits requests for each IP address per second or per minute (optional):
    
    per_second: Maximum number of incoming requests from a single IP address to the virtual host per second.
    
    per_minute: Maximum number of incoming requests from a single IP address to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - route: Virtual host route description:
    
    name: Route name.
    
    disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
    
    http_route: Route description for HTTP traffic:
    
    http_match: Parameter for filtering incoming HTTP requests (optional):
    
    http_method: List of HTTP methods for which requests will be routed (optional). By default, requests with any methods are routed.
    
    path: Optionally, parameters for filtering the path of an incoming request:
    
    exact: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
    
    prefix: Route requests whose path starts with the specified prefix.
    
    regex: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.
    
    The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.
    
    http_route_action: Action applied to HTTP traffic.
    
    backend_group_id: ID of the backend group located in the same folder as the HTTP router and virtual host of the new route.
    
    host_rewrite: Replacing the Host header in the request with the specified value (optional). You specify the auto_host_rewrite parameter instead of the host_rewrite parameter; in this case the Host header in the request will be automatically replaced with the address of the target VM.
    
    timeout: Maximum connection time in seconds (optional). The default value is 60 seconds.
    
    idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
    
    prefix_rewrite: Value to replace the path or part of the path specified in the path parameter (optional).
    
    rate_limit: Limits the number of requests per unit of time (optional):
    
    all_requests: Limits all incoming requests (optional):
    
    per_second: Maximum number of incoming requests to a route per second.
    
    per_minute: Maximum number of incoming requests to a route per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Limits incoming requests from a single IP address (optional):
    
    per_second: Maximum number of incoming requests to a route from a single IP address per second.
    
    per_minute: Maximum number of incoming requests to a route from a single IP address per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - authority: HTTP/1.1 Host (HTTP/2 authority) header domains associated with this virtual host. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify * or the the load balancer's IP address.
    
    This is an optional parameter. If not specified, all traffic will be routed to this virtual host.
  - modify_request_headers: HTTP request header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, request headers go to the backend unchanged.
  - modify_response_headers: HTTP response header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, response headers go to the client unchanged.
  - route_options: Additional virtual host parameters (optional):
    
    security_profile_id: Security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles.
```
resource "yandex_alb_virtual_host" "my-virtual-host" {
  name           = "<virtual_host_name>"
  http_router_id = "<HTTP_router_ID>"

  rate_limit {
    all_requests {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
    requests_per_ip {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
  }

  route {
    name                      = "<route_name>"
    disable_security_profile  = true|false

    grpc_route {
      grpc_match {
        fqmn {
          prefix = "/<request_FQMN_prefix>"
          # or exact = "<request_FQMN>"
          # or regex = "<regular_expression>"
        }
      }

      grpc_route_action {
        backend_group_id  = "<backend_group_ID>"
        host_rewrite      = "<Host_header_value>"
        max_timeout       = "<connection_timeout>s"
        idle_timeout      = "<idle_timeout>s"
        rate_limit {
          all_requests {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
          requests_per_ip {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
        }
      }
    }
  }

  authority        = ["<domain_1>","<domain_2>",...,"<domain_n>"]

  modify_request_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  modify_response_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  route_options {
    security_profile_id = "<security_profile_ID>"
  }
}
```
Where:
- yandex_alb_virtual_host: Virtual host description:
  - name: Virtual host name. Follow these naming requirements:
    
    It must be from 2 to 63 characters long.
    
    It can only contain lowercase Latin letters, numbers, and hyphens.
    
    It must start with a letter and cannot end with a hyphen.
  - http_router_id: HTTP router ID.
  - rate_limit: Request rate limit for the entire virtual host (optional).
    
    all_requests: Limit on all requests per second or per minute (optional):
    
    per_second: Maximum number of incoming requests to the virtual host per second.
    
    per_minute: Maximum number of incoming requests to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Additionally limits requests for each IP address per second or per minute (optional):
    
    per_second: Maximum number of incoming requests from a single IP address to the virtual host per second.
    
    per_minute: Maximum number of incoming requests from a single IP address to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - route: Virtual host route description:
    
    name: Route name.
    
    disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
    
    grpc_route: Route description for gRPC traffic:
    
    grpc_match.fqmn: Parameter for filtering incoming gRPC requests by FQMN (optional):
    
    exact: Route requests with the same FQMN as the specified one.
    
    prefix: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
    
    regex: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.
    
    The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.
    
    grpc_route_action: Action applied to gRPC traffic.
    
    backend_group_id: ID of the backend group located in the same folder as the new route's HTTP router and virtual host.
    
    host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify auto_host_rewrite instead of host_rewrite, in which case the Host header in the request will be automatically replaced with the target VM address.
    
    --request-max-timeout: Maximum request timeout in seconds (optional). You can specify a shorter timeout in the grpc-timeout request HTTP header. The default value is 60 seconds.
    
    idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
    
    rate_limit: Limits the number of requests per unit of time (optional):
    
    all_requests: Limits all incoming requests (optional):
    
    per_second: Maximum number of incoming requests to a route per second.
    
    per_minute: Maximum number of incoming requests to a route per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Limits incoming requests from a single IP address (optional):
    
    per_second: Maximum number of incoming requests to a route from a single IP address per second.
    
    per_minute: Maximum number of incoming requests to a route from a single IP address per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - authority: HTTP/1.1 Host (HTTP/2 authority) header domains associated with this virtual host. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify * or the the load balancer's IP address.
    
    This is an optional parameter. If not specified, all traffic will be routed to this virtual host.
  - modify_request_headers: HTTP request header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, request headers go to the backend unchanged.
  - modify_response_headers: HTTP response header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, response headers go to the client unchanged.
  - route_options: Additional virtual host parameters (optional):
    
    security_profile_id: Security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles.
Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.
Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources and their settings using the management console or this CLI command:
```
yc alb virtual-host get <virtual_host_name> \
  --http-router-name <HTTP_router_name>
```
Timeouts
The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

Operations in excess of this time will be interrupted.
How do I modify these limits?
Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

Here is an example:

resource "yandex_alb_http_router" "<router_name>" { ... timeouts { create = "60m" update = "60m" delete = "60m" } }

Use the create REST API method for the VirtualHost resource or the VirtualHostService/Create gRPC API call.

Updating a virtual host

To update a virtual host:

Management console

CLI

Terraform

API

In the management console, select the folder containing your virtual host.
Go to Application Load Balancer.
In the left-hand panel, click HTTP routers and select the HTTP router that contains the virtual host.
On the page that opens, under Virtual hosts, click next to the virtual host and select Edit. In the window that opens:
1. Optionally, in the Authority field, update the settings and specify:
  - For HTTP traffic, the value of the Host header for HTTP/1.1 or the :authority pseudo-header for HTTP/2 that will be used to select this virtual host.
  - For gRPC traffic, * or the IP address of the load balancer.
  If needed, use the Add host button to assign additional Authority values to the virtual host.
  
  If Authority is not specified, all traffic will be routed to this virtual host (same as *).
2. Optionally, in the Security profile field, select a Yandex Smart Web Security security profile. A security profile allows you to filter incoming requests and enable WAF for protection against malicious activities. For more information, see Security profiles.
3. Optionally, enable Limit on all requests and/or Limit on requests from one IP and set the limits for the number of requests the virtual host will be processing per unit of time.
4. Optionally, expand the Manage headers section and configure a HTTP header modification. If there are none yet, click Change header to add a new header modification:
  - In the Type field, select where you want to modify the header:
    - Request: To modify incoming request headers, from client to load balancer.
    - Response: To modify outgoing response headers, from backend to external client.
  - In the Header name field, give the header a name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - In the Operation field, select an action:
    - append: To add a string to the header value. Specify the string in the field on the right.
    - replace: To completely replace the header value. Specify the new header value in the field on the right.
    - remove: To delete the header. Both the header value and the header itself will be removed.
    - rename: To change the header name. Specify the new header name in the field on the right. The header value will not change.
  If required, click Change header to add new rows if you need to modify multiple headers at once.
5. Optionally, create the necessary routes for your new virtual host's traffic.
6. If you want to change the route order, click Sort and in the window that opens:
  1. Drag and drop routes to arrange them in desired order.
  2. Click Save.
  Note
  
  You will be able to reorder your virtual host routes at any later time.
7. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

View the description of the CLI command for updating a virtual host:
```
yc alb virtual-host update --help
```

View the list of HTTP routers in the default folder:

yc alb http-router list

Result:

+----------------------+--------------------+-------------+-------------+
|          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
+----------------------+--------------------+-------------+-------------+
| ds76j5n6a39g******** | sample-http-router |           1 |           2 |
| ds76jk27sdf3******** | new-http-router    |           2 |           7 |
+----------------------+--------------------+-------------+-------------+

View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

yc alb virtual-host list \
  --http-router-name <HTTP_router_name> \
  --http-router-id <HTTP_router_ID>

Result:

+-------------------+-------------+-------------+----------------------+
|        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
+-------------------+-------------+-------------+----------------------+
| my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
| test-virtual-host | example.com |           2 | fevug3d25bv6******** |
+-------------------+-------------+-------------+----------------------+

To update a virtual host, put in its name and run this command:
```
yc alb virtual-host update <virtual_host_name> \
  --http-router-name <HTTP_router_name> \
  --authority <domain_1>,<domain_2>,...,<domain_n> \
  --modify-request-header name=Accept-Language,append=ru-RU \
  --modify-response-header name=Accept-Charset,replace=utf-8 \
  --rate-limit rps=100,all-requests \
  --security-profile-id <security_profile_ID> \
  --clear-routes
```
Where:
- --http-router-name: HTTP router name.
  
  Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.
- --authority: List of domains for the Host header (HTTP/1.1) or the authority pseudo-header (HTTP/2) associated with this virtual host, comma-separated. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify the load balancer's IP address.
  
  This is an optional setting. If not specified, all traffic will be routed to this virtual host.
  
  To remove the current list of domains assigned to the virtual host, provide the --clear-authorities parameter in the command.
- --modify-request-header: Request HTTP header modification settings in <property>=<value> format. Available properties:
  - name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - append: Add a row to the current header value.
  - replace: Completely replace the current header value.
  - rename: Change the header name. The header value will not change.
  - remove: Delete the header. Both the header value and the header itself will be removed.
  To modify multiple HTTP headers in a request, include --modify-request-header as many times as needed.
  
  This is an optional parameter; if omitted, request headers are provided to the backend unchanged.
  
  To clear all request header modification settings for the virtual host, provide the --clear-request-header-modifications parameter in the command.
- --modify-response-header: Response HTTP header modification settings in <property>=<value> format. Available properties:
  - name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
  - append: Add a row to the current header value.
  - replace: Completely replace the current header value.
  - rename: Change the header name. The header value will not change.
  - remove: Delete the header. Both the header value and the header itself will be removed.
  To modify multiple HTTP headers in a response, include --modify-response-header as many times as needed.
  
  This is an optional parameter; if omitted, response headers are provided to the client unchanged.
  
  To clear all response HTTP header modification settings for the virtual host, provide the --clear-response-header-modifications parameter in the command.
- --rate-limit: Request rate limit. Available properties:
  - rps or rpm: Number of incoming requests per second or per minute.
  - all-requests: Limits all incoming requests.
  - requests-per-ip Applies the limit per client IP address.
  You can configure only one type of rate limit per virtual host, either all-requests or requests-per-ip.
  
  This is an optional parameter; if not specified, no rate limiting is applied.
  
  To clear all rate-limiting settings from the virtual host, provide the --clear-rate-limit parameter in the command.
- --security-profile-id: Yandex Smart Web Security security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activities. For more information, see Security profiles. This is an optional setting.
  
  To detach a security profile from the virtual host, provide an empty value in the flag: --security-profile-id "".
- --clear-routes: Clears all routes from the virtual host. This is an optional setting.
Result:
```
name: test-virtual-host
authority:
  - example.com
modify_request_headers:
  - name: Accept-Language
    replace: ru-RU
modify_response_headers:
  - name: Accept-Charset
    append: utf-8
route_options:
  security_profile_id: fevu5fnuk6vf********
rate_limit:
  all_requests:
    per_second: "80"
```

For more information about the yc alb virtual-host update command, see the CLI reference.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Describe the updated virtual host parameters in the configuration file. With Terraform, you can create virtual hosts with different route types:
HTTP

gRPC
```
resource "yandex_alb_virtual_host" "my-virtual-host" {
  name           = "<virtual_host_name>"
  http_router_id = "<HTTP_router_ID>"

  rate_limit {
    all_requests {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
    requests_per_ip {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
  }

  route {
    name                      = "<route_name>"
    disable_security_profile  = true|false

    http_route {
      http_match {
        http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
        path {
          prefix = "/<request_path_prefix>/"
          # or exact = "<request_path>"
          # or regex = "<regular_expression>"
        }
      }

      http_route_action {
        backend_group_id  = "<backend_group_ID>"
        host_rewrite      = "<Host_header_value>"
        timeout           = "<connection_timeout>s"
        idle_timeout      = "<idle_timeout>s"
        prefix_rewrite    = "<new_request_path_prefix>/"
        rate_limit {
          all_requests {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
          requests_per_ip {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
        }
      }
    }
  }

  authority        = ["<domain_1>","<domain_2>",...,"<domain_n>"]

  modify_request_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  modify_response_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  route_options {
    security_profile_id = "<security_profile_ID>"
  }
}
```
Where:
- yandex_alb_virtual_host: Virtual host description:
  - name: Virtual host name. Follow these naming requirements:
    
    It must be from 2 to 63 characters long.
    
    It can only contain lowercase Latin letters, numbers, and hyphens.
    
    It must start with a letter and cannot end with a hyphen.
  - http_router_id: HTTP router ID.
  - rate_limit: Request rate limit for the entire virtual host (optional).
    
    all_requests: Limit on all requests per second or per minute (optional):
    
    per_second: Maximum number of incoming requests to the virtual host per second.
    
    per_minute: Maximum number of incoming requests to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Additionally limits requests for each IP address per second or per minute (optional):
    
    per_second: Maximum number of incoming requests from a single IP address to the virtual host per second.
    
    per_minute: Maximum number of incoming requests from a single IP address to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - route: Virtual host route description:
    
    name: Route name.
    
    disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
    
    http_route: Route description for HTTP traffic:
    
    http_match: Parameter for filtering incoming HTTP requests (optional):
    
    http_method: List of HTTP methods for which requests will be routed (optional). By default, requests with any methods are routed.
    
    path: Optionally, parameters for filtering the path of an incoming request:
    
    exact: Route requests with the same path as the specified one. For example, to route all requests, specify the / path.
    
    prefix: Route requests whose path starts with the specified prefix.
    
    regex: Route requests whose path matches the specified RE2 regular expression, e.g., \/[a-z]{10}[0-9]{3}\/.
    
    The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.
    
    http_route_action: Action applied to HTTP traffic.
    
    backend_group_id: ID of the backend group located in the same folder as the HTTP router and virtual host of the new route.
    
    host_rewrite: Replacing the Host header in the request with the specified value (optional). You specify the auto_host_rewrite parameter instead of the host_rewrite parameter; in this case the Host header in the request will be automatically replaced with the address of the target VM.
    
    timeout: Maximum connection time in seconds (optional). The default value is 60 seconds.
    
    idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
    
    prefix_rewrite: Value to replace the path or part of the path specified in the path parameter (optional).
    
    rate_limit: Limits the number of requests per unit of time (optional):
    
    all_requests: Limits all incoming requests (optional):
    
    per_second: Maximum number of incoming requests to a route per second.
    
    per_minute: Maximum number of incoming requests to a route per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Limits incoming requests from a single IP address (optional):
    
    per_second: Maximum number of incoming requests to a route from a single IP address per second.
    
    per_minute: Maximum number of incoming requests to a route from a single IP address per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - authority: HTTP/1.1 Host (HTTP/2 authority) header domains associated with this virtual host. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify * or the the load balancer's IP address.
    
    This is an optional parameter. If not specified, all traffic will be routed to this virtual host.
  - modify_request_headers: HTTP request header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, request headers go to the backend unchanged.
  - modify_response_headers: HTTP response header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, response headers go to the client unchanged.
  - route_options: Additional virtual host parameters (optional):
    
    security_profile_id: Security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles.
```
resource "yandex_alb_virtual_host" "my-virtual-host" {
  name           = "<virtual_host_name>"
  http_router_id = "<HTTP_router_ID>"

  rate_limit {
    all_requests {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
    requests_per_ip {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
  }

  route {
    name                      = "<route_name>"
    disable_security_profile  = true|false

    grpc_route {
      grpc_match {
        fqmn {
          prefix = "/<request_FQMN_prefix>"
          # or exact = "<request_FQMN>"
          # or regex = "<regular_expression>"
        }
      }

      grpc_route_action {
        backend_group_id  = "<backend_group_ID>"
        host_rewrite      = "<Host_header_value>"
        max_timeout       = "<connection_timeout>s"
        idle_timeout      = "<idle_timeout>s"
        rate_limit {
          all_requests {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
          requests_per_ip {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
        }
      }
    }
  }

  authority        = ["<domain_1>","<domain_2>",...,"<domain_n>"]

  modify_request_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  modify_response_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  route_options {
    security_profile_id = "<security_profile_ID>"
  }
}
```
Where:
- yandex_alb_virtual_host: Virtual host description:
  - name: Virtual host name. Follow these naming requirements:
    
    It must be from 2 to 63 characters long.
    
    It can only contain lowercase Latin letters, numbers, and hyphens.
    
    It must start with a letter and cannot end with a hyphen.
  - http_router_id: HTTP router ID.
  - rate_limit: Request rate limit for the entire virtual host (optional).
    
    all_requests: Limit on all requests per second or per minute (optional):
    
    per_second: Maximum number of incoming requests to the virtual host per second.
    
    per_minute: Maximum number of incoming requests to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Additionally limits requests for each IP address per second or per minute (optional):
    
    per_second: Maximum number of incoming requests from a single IP address to the virtual host per second.
    
    per_minute: Maximum number of incoming requests from a single IP address to the virtual host per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - route: Virtual host route description:
    
    name: Route name.
    
    disable_security_profile: Disabling the Yandex Smart Web Security security profile (optional). The possible values are true (the profile is disabled) or false (the profile is enabled). The default value is false: the security profile is enabled.
    
    grpc_route: Route description for gRPC traffic:
    
    grpc_match.fqmn: Parameter for filtering incoming gRPC requests by FQMN (optional):
    
    exact: Route requests with the same FQMN as the specified one.
    
    prefix: Route requests whose FQMN starts with the specified prefix. For example, you can specify the first word of the service name: /helloworld.
    
    regex: Route requests whose FQMN matches the specified RE2 regular expression. For example: \/[a-z]{10}[0-9]{3}.
    
    The exact, prefix, and regex parameters are mutually exclusive: you can use only one of them.
    
    grpc_route_action: Action applied to gRPC traffic.
    
    backend_group_id: ID of the backend group located in the same folder as the new route's HTTP router and virtual host.
    
    host_rewrite: Replacing the Host header in the request with the specified value (optional). You can specify auto_host_rewrite instead of host_rewrite, in which case the Host header in the request will be automatically replaced with the target VM address.
    
    --request-max-timeout: Maximum request timeout in seconds (optional). You can specify a shorter timeout in the grpc-timeout request HTTP header. The default value is 60 seconds.
    
    idle_timeout: Maximum connection idle timeout (keep-alive time) (optional). If not specified, the idle connection will be terminated immediately.
    
    rate_limit: Limits the number of requests per unit of time (optional):
    
    all_requests: Limits all incoming requests (optional):
    
    per_second: Maximum number of incoming requests to a route per second.
    
    per_minute: Maximum number of incoming requests to a route per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
    
    requests_per_ip: Limits incoming requests from a single IP address (optional):
    
    per_second: Maximum number of incoming requests to a route from a single IP address per second.
    
    per_minute: Maximum number of incoming requests to a route from a single IP address per minute.
    
    The per_second, and per_minute parameters are mutually exclusive: you can use only one of them.
  - authority: HTTP/1.1 Host (HTTP/2 authority) header domains associated with this virtual host. You can use wildcards, e.g., *.foo.com or *-bar.foo.com. For gRPC traffic, you may specify * or the the load balancer's IP address.
    
    This is an optional parameter. If not specified, all traffic will be routed to this virtual host.
  - modify_request_headers: HTTP request header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, request headers go to the backend unchanged.
  - modify_response_headers: HTTP response header modification settings. Possible parameters:
    
    name: Modified header name, e.g., Host, User-Agent, X-Forwarded-For, Strict-Transport-Security, etc.
    
    append: Add a row to the current header value.
    
    replace: Completely replace the current header value.
    
    remove: Delete the header. Both the header value and the header itself will be removed. The possible values are true or false.
    
    This is an optional parameter; if omitted, response headers go to the client unchanged.
  - route_options: Additional virtual host parameters (optional):
    
    security_profile_id: Security profile ID. A security profile allows you to filter incoming requests, enable WAF, and set limits on the number of requests for protection against malicious activity. For more information, see Security profiles.
Learn more about the properties of Terraform resources in the relevant provider guide: yandex_alb_virtual_host.
Update the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will update the required resources. You can check the new resources and their settings using the management console or this CLI command:
```
yc alb virtual-host get <virtual_host_name> \
  --http-router-name <HTTP_router_name>
```
Timeouts
The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

Operations in excess of this time will be interrupted.
How do I modify these limits?
Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

Here is an example:

resource "yandex_alb_http_router" "<router_name>" { ... timeouts { create = "60m" update = "60m" delete = "60m" } }

Use the update REST API method for the VirtualHost resource or the VirtualHostService/Update gRPC API call.

Deleting a virtual host

To delete a virtual host:

Management console

CLI

Terraform

API

In the management console, select the folder containing your virtual host.
Go to Application Load Balancer.
In the left-hand panel, click HTTP routers and select the HTTP router that contains the virtual host.
On the page that opens, under Virtual hosts, click next to the virtual host and select Delete.
In the window that opens, confirm the deletion.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

See the description of the CLI command for deleting a virtual host:
```
yc alb virtual-host delete --help
```

View the list of HTTP routers in the default folder:

yc alb http-router list

Result:

+----------------------+--------------------+-------------+-------------+
|          ID          |        NAME        | VHOST COUNT | ROUTE COUNT |
+----------------------+--------------------+-------------+-------------+
| ds76j5n6a39g******** | sample-http-router |           1 |           2 |
| ds76jk27sdf3******** | new-http-router    |           2 |           7 |
+----------------------+--------------------+-------------+-------------+

View the list of virtual hosts in an HTTP router by specifying the router name or ID, respectively, in the --http-router-name or --http-router-id parameter:

yc alb virtual-host list \
  --http-router-name <HTTP_router_name> \
  --http-router-id <HTTP_router_ID>

Result:

+-------------------+-------------+-------------+----------------------+
|        NAME       | AUTHORITIES | ROUTE COUNT | SECURITY PROFILE ID  |
+-------------------+-------------+-------------+----------------------+
| my-virtual-host   | *           |           1 | fevu5fnuk6vf******** |
| test-virtual-host | example.com |           2 | fevug3d25bv6******** |
+-------------------+-------------+-------------+----------------------+

To delete a virtual host, put in its name and run this command:
```
yc alb virtual-host delete <virtual_host_name> \
  --http-router-name <HTTP_router_name>
```
Where --http-router-name is the HTTP router name. Instead of the HTTP router name, you can provide its ID in the --http-router-id parameter.

For more information about the yc alb virtual-host delete command, see the CLI reference.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To delete a virtual host created with Terraform:

Open the Terraform configuration file and remove the fragment describing the virtual host (the yandex_alb_virtual_host resource).

Example of a virtual host description in a Terraform configuration

resource "yandex_alb_virtual_host" "my-virtual-host" {
  name           = "<virtual_host_name>"
  http_router_id = "<HTTP_router_ID>"

  rate_limit {
    all_requests {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
    requests_per_ip {
      per_second = <requests_per_second>
      # or per_minute = <requests_per_minute>
    }
  }

  route {
    name                      = "<route_name>"
    disable_security_profile  = true|false

    http_route {
      http_match {
        http_method = ["<HTTP_method_1>","<HTTP_method_2>",...,"<HTTP_method_n>"]
        path {
          prefix = "/<request_path_prefix>/"
          # or exact = "<request_path>"
          # or regex = "<regular_expression>"
        }
      }

      http_route_action {
        backend_group_id  = "<backend_group_ID>"
        host_rewrite      = "<Host_header_value>"
        timeout           = "<connection_timeout>s"
        idle_timeout      = "<idle_timeout>s"
        prefix_rewrite    = "<new_request_path_prefix>/"
        rate_limit {
          all_requests {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
          requests_per_ip {
            per_second = <requests_per_second>
            # or per_minute = <requests_per_minute>
          }
        }
      }
    }
  }

  authority        = ["<domain_1>","<domain_2>",...,"<domain_n>"]

  modify_request_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  modify_response_headers {
    name           = "<header_name>"
    append         = "<string_added_to_header_content>"
    # or replace  = "<new_header_content>"
    # or remove   = true|false
  }

  route_options {
    security_profile_id = "<security_profile_ID>"
  }
}

Update the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will update the required resources. You can check for your resources and their settings using the management console or this CLI command:
```
yc alb virtual-host list \
  --http-router-name <HTTP_router_name>
```
Timeouts
The Terraform provider limits the execution time for operations with Application Load Balancer HTTP routers and virtual hosts to 10 minutes.

Operations in excess of this time will be interrupted.
How do I modify these limits?
Add the timeouts section to the descriptions of the HTTP router and virtual host (the yandex_alb_http_router and yandex_alb_virtual_host resources, respectively).

Here is an example:

resource "yandex_alb_http_router" "<router_name>" { ... timeouts { create = "60m" update = "60m" delete = "60m" } }

Use the delete REST API method for the VirtualHost resource or the VirtualHostService/Delete gRPC API call.

Managing virtual hosts

Creating a virtual hostCreating a virtual host

Updating a virtual hostUpdating a virtual host

Deleting a virtual hostDeleting a virtual host

Was the article helpful?

Creating a virtual host

Updating a virtual host

Deleting a virtual host