© 2025 Direct Cursus Technology L.L.C.
Configuring logging for a Yandex Application Load Balancer L7 load balancer using an Ingress controller

Written by
Yandex Cloud
Updated at May 5, 2025
  • Required paid resources
  • Getting started
    • Set up your infrastructure
    • Get ready to use the Managed Service for Kubernetes cluster
    • Register a domain zone
    • Install the Application Load Balancer Ingress controller
  • Create a test application
  • Create Ingress resources
  • Specify the settings for the Ingress resource groups
  • Check the result
  • Delete the resources you created

You can configure the logging settings for L7 balancers created with Application Load Balancer Ingress controllers within a Managed Service for Kubernetes cluster.

This article explains how to create three L7 balancers with different logging settings:

  • Save logs to the default group.
  • Save logs to a custom group.
  • No logging.

To configure L7 balancers:

  1. Create a test application.
  2. Create Ingress resources.
  3. Specify the settings for the Ingress resource groups.
  4. Check the result.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost includes:

  • Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
  • Fee for the Managed Service for Kubernetes cluster: using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Cluster nodes (VM) fee: using computing resources, operating system, and storage (see Compute Cloud pricing).
  • Fee for using the computing resources of each L7 load balancer (see Application Load Balancer pricing).
  • Fee for public IP addresses for cluster nodes and L7 load balancer (see Virtual Private Cloud pricing).
  • Fee for Cloud Logging: Writing and storing data (see Cloud Logging pricing).

Getting started

Set up your infrastructure

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

Manually
  1. Create the following service accounts for the Managed Service for Kubernetes cluster:

    • Service account for the resources with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Managed Service for Kubernetes cluster is created.

    • Service account for nodes with the container-registry.images.puller role for the folder with the Docker image registry. Nodes will pull the required Docker images from the registry on behalf of this account.

    • Service account for the operation of the Application Load Balancer Ingress controller with the following roles:

      • alb.editor: To create the required resources.
      • vpc.publicAdmin: To manage external connectivity.
      • certificate-manager.certificates.downloader: To use certificates registered in Yandex Certificate Manager.
      • compute.viewer: To use Managed Service for Kubernetes cluster nodes in balancer target groups.

    You can use the same service account for all operations.

  2. Create an authorized key for the Ingress controller's service account in JSON format and save it to a file named key.json:

    yc iam key create \
       --service-account-name <name_of_service_account_for_Ingress_controller> \
       --output key.json
    

    The key data is required for the installation of the ALB Ingress Controller application.

  3. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Also configure the security groups required for Application Load Balancer.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  4. Create a Managed Service for Kubernetes cluster. Use these settings:

    • Specify the previously created service account for resources as well as security groups.
    • If you intend to use your cluster within the Yandex Cloud network, there is no need to allocate a public IP address to it. To allow connections from outside the network, assign a public IP address to the cluster.
  5. Create a node group. Use these settings:

    • Specify the previously created service account for nodes as well as security groups.
    • Allocate it a public IP address to grant internet access to the node group and allow pulling Docker images and components.
  6. Create a custom Cloud Logging log group.

Terraform

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually: you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the k8s-and-registry-for-alb.tf configuration file to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Managed Service for Kubernetes cluster.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Some rules are required for Application Load Balancer to work correctly.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    • Service account for Managed Service for Kubernetes resources and nodes.

    • Service account for the operation of the Application Load Balancer Ingress controller.

    • Custom Cloud Logging log group.

    • Authorized key for the service account of the Ingress controller.

    • Creating a local key.json file with authorized key data. The key data is required for the installation of the ALB Ingress Controller application.

  6. Specify the following in the k8s-and-registry-for-alb.tf file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for Kubernetes resources and nodes.
    • Name of the service account for the operation of the Application Load Balancer Ingress controller.
    • Name of the custom Cloud Logging log group.
  7. Make sure the Terraform configuration files are correct using this command:

    terraform validate
    

    If there are any errors in the configuration files, Terraform will point them out.

  8. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Get ready to use the Managed Service for Kubernetes cluster

  1. Install kubectl and configure it to work with the new cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install the Kubernetes Helm package manager.

Register a domain zone

Register a public domain zone and delegate your domain.

Install the Application Load Balancer Ingress controller

Install the ALB Ingress Controller application by following this guide. During the installation, use the key.json key data from the Set up your infrastructure step.

Create a test application

Create ConfigMap, Deployment with NGINX, and Service objects for the application.

  1. Create the app.yaml app file:

    app.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: alb-demo-1
    data:
      nginx.conf: |
        worker_processes auto;
        events {
        }
        http {
          server {
            listen 80 ;
            location = /_healthz {
              add_header Content-Type text/plain;
              return 200 'ok';
            }
            location / {
              add_header Content-Type text/plain;
              return 200 'Index';
            }
            location = /app1 {
              add_header Content-Type text/plain;
              return 200 'This is APP#1';
            }
          }
        }
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: alb-demo-1
      labels:
        app: alb-demo-1
        version: v1
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: alb-demo-1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      template:
        metadata:
          labels:
            app: alb-demo-1
            version: v1
        spec:
          terminationGracePeriodSeconds: 5
          volumes:
            - name: alb-demo-1
              configMap:
                name: alb-demo-1
          containers:
            - name: alb-demo-1
              image: nginx:latest
              ports:
                - name: http
                  containerPort: 80
              livenessProbe:
                httpGet:
                  path: /_healthz
                  port: 80
                initialDelaySeconds: 3
                timeoutSeconds: 2
                failureThreshold: 2
              volumeMounts:
                - name: alb-demo-1
                  mountPath: /etc/nginx
                  readOnly: true
              resources:
                limits:
                  cpu: 250m
                  memory: 128Mi
                requests:
                  cpu: 100m
                  memory: 64Mi
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: alb-demo-1
    spec:
      selector:
        app: alb-demo-1
      type: NodePort
      ports:
        - name: http
          port: 80
          targetPort: 80
          protocol: TCP
          nodePort: 30081
    
  2. Create an app:

    kubectl apply -f app.yaml
    

    Result:

    configmap/alb-demo-1 created
    deployment.apps/alb-demo-1 created
    service/alb-demo-1 created
    

Create Ingress resources

Create three Ingress resources from which the Application Load Balancer Ingress controller will create three balancers with the required listeners and HTTP routers.

  1. Create a file named ingress.yaml with the load balancer settings and domain name:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-nondefault
      annotations:
        ingress.alb.yc.io/group-name: non-default
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/group-settings-name: non-default-settings
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port: 
                      name: http
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-disabled
      annotations:
        ingress.alb.yc.io/group-name: logs-disabled
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/group-settings-name: logs-disabled-settings
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port:
                      name: http
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-default
      annotations:
        ingress.alb.yc.io/group-name: default
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port:
                      name: http
    

    Where:

    • ingress.alb.yc.io/group-name: Group name. Ingress resources are grouped together, each group served by a separate Application Load Balancer L7 load balancer.

    • ingress.alb.yc.io/subnets: One or more subnets to host the load balancer.

    • ingress.alb.yc.io/security-groups: One or more security groups for the load balancer. If you skip this parameter, the default security group will be used.

    • ingress.alb.yc.io/external-ipv4-address: Public access to the load balancer from the internet. Enter the IP address you got earlier or set auto to get a new IP address automatically.

      If you set auto, deleting the load balancer from the cloud will also delete the IP address. To avoid this, use an existing reserved IP address.

    • ingress.alb.yc.io/group-settings-name: Name for the Ingress resource group settings to be described in the optional IngressGroupSettings resource.

    Optionally, enter advanced controller settings.

    Note

    The settings listed below will only apply to the virtual hosts of the Ingress resource in which the corresponding annotations are configured.

    They will not apply to the virtual hosts of the group's other Ingress resources.

    • ingress.alb.yc.io/internal-ipv4-address: Provide internal access to the load balancer. Enter the internal IP address or use auto to obtain the IP address automatically.

      Note

      You can only use one type of access to the load balancer at a time: ingress.alb.yc.io/external-ipv4-address or ingress.alb.yc.io/internal-ipv4-address.

    • ingress.alb.yc.io/internal-alb-subnet: Subnet to host the load balancer. This parameter is required if the ingress.alb.yc.io/internal-ipv4-address parameter is selected.

    • ingress.alb.yc.io/protocol: Connection protocol used between the load balancer and backends:

      • http: HTTP/1.1, default
      • http2: HTTP/2
      • grpc: gRPC
    • ingress.alb.yc.io/transport-security: Encryption protocol for connections between the load balancer and backends.

      Warning

      In ALB Ingress Controller version 0.2.0 and later, you can only use an annotation in the Service object.

      If you annotate Ingress resources that use a single service with the same settings for backend groups, such annotation will apply correctly. However, this mechanism is obsolete and will not be supported going forward.

      The valid value is tls: TLS with no certificate challenge.

      If no annotation is specified, the load balancer connects to the backends with no encryption.

    • ingress.alb.yc.io/prefix-rewrite: Replace the path with the specified value.

    • ingress.alb.yc.io/upgrade-types: Valid values of the Upgrade HTTP header, e.g., websocket.

    • ingress.alb.yc.io/request-timeout: Maximum period for which a connection can be established.

    • ingress.alb.yc.io/idle-timeout: Maximum connection keep-alive time without data transmission.

      The request-timeout and idle-timeout values must be specified with units of measurement, e.g., 300ms or 1.5h. Valid units of measurement:

      • ns: Nanoseconds
      • us: Microseconds
      • ms: Milliseconds
      • s: Seconds
      • m: Minutes
      • h: Hours

    For more information about the Ingress resource settings, see Ingress resource fields and annotations.

  2. Create Ingress resources:

    kubectl apply -f ingress.yaml
    

    Result:

    ingress.networking.k8s.io/logs-demo-nondefault created
    ingress.networking.k8s.io/logs-demo-disabled created
    ingress.networking.k8s.io/logs-demo-default created
    

    Three L7 load balancers will be automatically deployed based on the Ingress resource configurations.

Specify the settings for the Ingress resource groups

Create a resource named IngressGroupSettings with logging settings for the Ingress resource groups:

  • non-default-settings: Logging to the previously created custom log group with defined rules.
  • logs-disabled-settings: No logging.

No settings need to be specified to save logs to the default log group.

  1. Create a file named settings.yaml with the log group ID:

    apiVersion: alb.yc.io/v1alpha1
    kind: IngressGroupSettings
    metadata:
      name: non-default-settings
    logOptions:
      logGroupID: <user_log_group_ID>
      discardRules:
        - discardPercent: 50
          grpcCodes:
            - OK
            - CANCELLED
            - UNKNOWN
        - discardPercent: 67
          httpCodeIntervals:
            - HTTP_1XX
        - discardPercent: 20
          httpCodes:
            - 200
            - 404
    ---
    apiVersion: alb.yc.io/v1alpha1
    kind: IngressGroupSettings
    metadata:
      name: logs-disabled-settings
    logOptions:
      disable: true
    
  2. Create the resources:

    kubectl apply -f settings.yaml
    

    Result:

    ingressgroupsettings.alb.yc.io/non-default-settings created
    ingressgroupsettings.alb.yc.io/logs-disabled-settings created
    

The settings from those resources will apply to the Ingress resource groups in line with the ingress.alb.yc.io/group-settings-name annotations specified for the Ingress resources.

Check the result

Get log group IDs for the new L7 load balancers and make sure they match the settings in the settings.yaml file:

  • One of the balancers should use your custom log group with defined rules.
  • Another should use the default log group.
  • For the third balancer, logging should be disabled.
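
The manifest side of this check, as an added example that is not part of the original article: it resolves each Ingress group to the logging mode selected by its ingress.alb.yc.io/group-settings-name annotation and flags groups whose access logs are disabled, point at a missing IngressGroupSettings resource, or are heavily discarded. The sample objects are constructed from ingress.yaml and settings.yaml above; the function names, mode labels and the 50% review threshold are assumptions of the example.

```python
"""Audit which logging mode each ALB Ingress group ends up with."""
import json

GROUP = "ingress.alb.yc.io/group-name"
SETTINGS = "ingress.alb.yc.io/group-settings-name"


def audit_logging(objects):
    """Map each Ingress group name to its effective logging settings."""
    settings = {o["metadata"]["name"]: o.get("logOptions", {})
                for o in objects if o.get("kind") == "IngressGroupSettings"}
    refs = {}  # group name -> settings names referenced by its Ingresses
    for o in objects:
        ann = o["metadata"].get("annotations") or {}
        if o.get("kind") == "Ingress" and GROUP in ann:
            refs.setdefault(ann[GROUP], set()).add(ann.get(SETTINGS))

    report = {}
    for group, names in sorted(refs.items()):
        name = next(iter(names))
        if len(names) > 1:
            # The article does not say how the controller resolves differing
            # annotations inside one group, so report it instead of guessing.
            report[group] = {"mode": "conflict"}
        elif name is None:
            report[group] = {"mode": "default-log-group"}
        elif name not in settings:
            report[group] = {"mode": "missing-settings", "settings": name}
        elif settings[name].get("disable"):
            report[group] = {"mode": "disabled", "settings": name}
        else:
            opts = settings[name]
            rules = opts.get("discardRules", [])
            report[group] = {
                "mode": "custom-settings",
                "settings": name,
                "log_group_id": opts.get("logGroupID"),
                "max_discard_percent": max(
                    (r.get("discardPercent", 0) for r in rules), default=0),
            }
    return report


def findings(report, discard_threshold=50):
    """List groups whose logs are absent, misconfigured or heavily discarded."""
    out = []
    for group, r in report.items():
        if r["mode"] in ("disabled", "missing-settings", "conflict"):
            out.append(f"{group}: {r['mode']}")
        elif r.get("max_discard_percent", 0) >= discard_threshold:
            out.append(f"{group}: discards up to "
                       f"{r['max_discard_percent']}% of matching records")
    return out


def ingress_stub(name, group, settings=None):
    """Build the part of an Ingress object the audit reads (sample helper)."""
    ann = {GROUP: group}
    if settings:
        ann[SETTINGS] = settings
    return {"kind": "Ingress", "metadata": {"name": name, "annotations": ann}}


# Constructed sample mirroring ingress.yaml and settings.yaml from the article;
# the log group ID stays a placeholder.
SAMPLE = [
    ingress_stub("logs-demo-nondefault", "non-default", "non-default-settings"),
    ingress_stub("logs-demo-disabled", "logs-disabled", "logs-disabled-settings"),
    ingress_stub("logs-demo-default", "default"),
    {"kind": "IngressGroupSettings", "metadata": {"name": "non-default-settings"},
     "logOptions": {"logGroupID": "<user_log_group_ID>", "discardRules": [
         {"discardPercent": 50, "grpcCodes": ["OK", "CANCELLED", "UNKNOWN"]},
         {"discardPercent": 67, "httpCodeIntervals": ["HTTP_1XX"]},
         {"discardPercent": 20, "httpCodes": [200, 404]}]}},
    {"kind": "IngressGroupSettings", "metadata": {"name": "logs-disabled-settings"},
     "logOptions": {"disable": True}},
]

if __name__ == "__main__":
    print(json.dumps(audit_logging(SAMPLE), indent=2))
    for line in findings(audit_logging(SAMPLE)):
        print("REVIEW:", line)
```

To run it against a live cluster, pass the items list from the output of kubectl get ingress,ingressgroupsettings -o json to audit_logging instead of SAMPLE.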

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

Manually
  1. Delete the Managed Service for Kubernetes cluster.
  2. Delete the cluster public static IP address if you reserved one.
  3. Delete the service accounts.
  4. Delete the log group.

Terraform

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
