© 2025 Direct Cursus Technology L.L.C.
Configuring Yandex Application Load Balancer logging via an ingress controller

Written by
Yandex Cloud
Updated at November 21, 2025
  • Required paid resources
  • Getting started
    • Set up your infrastructure
    • Get ready to use the Managed Service for Kubernetes cluster
    • Register a domain zone
    • Install the Application Load Balancer ingress controller
  • Create a test application
  • Create Ingress resources
  • Specify the settings for the Ingress resource groups
  • Check the result
  • Delete the resources you created

You can configure logging for L7 load balancers created with Application Load Balancer ingress controllers within a Managed Service for Kubernetes cluster.

Tip

We recommend using the new Yandex Cloud Gwin controller instead of an Application Load Balancer Ingress controller.

This tutorial explains how to create three L7 load balancers with different logging settings:

  • Save logs to the default log group.
  • Save logs to a custom log group.
  • Save no logs.

To configure L7 load balancers:

  1. Create a test application.
  2. Create Ingress resources.
  3. Specify the settings for the Ingress resource groups.
  4. Check the result.

If you no longer need the resources you created, delete them.

Required paid resources

The support cost for this solution includes:

  • Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
  • Fee for using the master and outgoing traffic in a Managed Service for Kubernetes cluster (see Managed Service for Kubernetes pricing).
  • Fee for using computing resources, OS, and storage in cluster nodes (VMs) (see Compute Cloud pricing).
  • Fee for using computing resources of each L7 load balancer (see Application Load Balancer pricing).
  • Fee for public IP addresses for cluster nodes and L7 load balancers (see Virtual Private Cloud pricing).
  • Cloud Logging fee for data logging and storage (see Cloud Logging pricing).

Getting started

Set up your infrastructure

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Use one of the two methods below: manually or with Terraform.

Manually:

  1. Create the following service accounts for the Managed Service for Kubernetes cluster:

    • Service account for resources with the k8s.clusters.agent and vpc.publicAdmin roles for the folder to host the new Managed Service for Kubernetes cluster.

    • Service account for nodes with the container-registry.images.puller role for the folder with the Docker image registry. The nodes will use this account to pull the required Docker images from the registry.

    • Service account for the Application Load Balancer ingress controller with the following roles:

      • alb.editor: To create the required resources.
      • vpc.publicAdmin: To manage external connectivity.
      • certificate-manager.certificates.downloader: To use certificates registered in Yandex Certificate Manager.
      • compute.viewer: To use Managed Service for Kubernetes cluster nodes in the load balancer’s target groups.

    You can use the same service account for all operations.

  2. Create an authorized key for the ingress controller's service account in JSON format and save it to the key.json file:

    yc iam key create \
       --service-account-name <name_of_service_account_for_ingress_controller> \
       --output key.json
    

    You need the key data to install the ALB ingress controller.

  3. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Also configure the security groups required for Application Load Balancer.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  4. Create a Managed Service for Kubernetes cluster. Use these settings:

    • Specify the previously created service account for resources as well as security groups.
    • For Yandex Cloud internal network usage, your cluster does not need a public IP address. To enable internet access to your cluster, assign it a public IP address.
  5. Create a node group. Use these settings:

    • Specify the previously created service account for nodes as well as security groups.
    • To enable internet access for your node group (e.g., for Docker image pulls), assign it a public IP address.
  6. Create a custom Cloud Logging log group.

Terraform:

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually; you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the k8s-and-registry-for-alb.tf configuration file to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Managed Service for Kubernetes cluster.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Some rules are required for Application Load Balancer to work correctly.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

    • Service account for Managed Service for Kubernetes resources and nodes.

    • Service account for the Application Load Balancer ingress controller.

    • Custom Cloud Logging log group.

    • Authorized key for the service account of the ingress controller.

    • Local key.json file with the authorized key data. You need the key data to install the ALB ingress controller.

  6. Specify the following in the k8s-and-registry-for-alb.tf file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for Kubernetes resources and nodes.
    • Name of the service account for the Application Load Balancer ingress controller.
    • Name of the custom Cloud Logging log group.
  7. Make sure the Terraform configuration files are correct using this command:

    terraform validate
    

    Terraform will show any errors found in your configuration files.

  8. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Get ready to use the Managed Service for Kubernetes cluster

  1. Install kubectl and configure it to work with the new cluster.

    If a cluster has no public IP address assigned and kubectl is configured via the cluster's private IP address, run kubectl commands on a Yandex Cloud VM that is in the same network as the cluster.

  2. Install Helm.

Register a domain zone

Register a public domain zone and delegate your domain.

Install the Application Load Balancer ingress controller

Install the ALB ingress controller by following this guide. During the installation, use the key.json file you created when setting up your infrastructure.

Create a test application

Create the ConfigMap, Deployment with NGINX, and Service objects for the application.

  1. Create the app.yaml file:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: alb-demo-1
    data:
      nginx.conf: |
        worker_processes auto;
        events {
        }
        http {
          server {
            listen 80 ;
            location = /_healthz {
              add_header Content-Type text/plain;
              return 200 'ok';
            }
            location / {
              add_header Content-Type text/plain;
              return 200 'Index';
            }
            location = /app1 {
              add_header Content-Type text/plain;
              return 200 'This is APP#1';
            }
          }
        }
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: alb-demo-1
      labels:
        app: alb-demo-1
        version: v1
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: alb-demo-1
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      template:
        metadata:
          labels:
            app: alb-demo-1
            version: v1
        spec:
          terminationGracePeriodSeconds: 5
          volumes:
            - name: alb-demo-1
              configMap:
                name: alb-demo-1
          containers:
            - name: alb-demo-1
              image: nginx:latest
              ports:
                - name: http
                  containerPort: 80
              livenessProbe:
                httpGet:
                  path: /_healthz
                  port: 80
                initialDelaySeconds: 3
                timeoutSeconds: 2
                failureThreshold: 2
              volumeMounts:
                - name: alb-demo-1
                  mountPath: /etc/nginx
                  readOnly: true
              resources:
                limits:
                  cpu: 250m
                  memory: 128Mi
                requests:
                  cpu: 100m
                  memory: 64Mi
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: alb-demo-1
    spec:
      selector:
        app: alb-demo-1
      type: NodePort
      ports:
        - name: http
          port: 80
          targetPort: 80
          protocol: TCP
          nodePort: 30081
    
  2. Create an app:

    kubectl apply -f app.yaml
    

    Result:

    configmap/alb-demo-1 created
    deployment.apps/alb-demo-1 created
    service/alb-demo-1 created
    

Create Ingress resources

Create three Ingress resources that the Application Load Balancer ingress controller will use to deploy three load balancers with the required listeners and HTTP routers.

  1. Create a file named ingress.yaml with the load balancer settings and domain name:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-nondefault
      annotations:
        ingress.alb.yc.io/group-name: non-default
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/group-settings-name: non-default-settings
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port: 
                      name: http
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-disabled
      annotations:
        ingress.alb.yc.io/group-name: logs-disabled
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/group-settings-name: logs-disabled-settings
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port:
                      name: http
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: logs-demo-default
      annotations:
        ingress.alb.yc.io/group-name: default
        ingress.alb.yc.io/subnets: <list_of_subnet_IDs>
        ingress.alb.yc.io/security-groups: <list_of_security_group_IDs>
        ingress.alb.yc.io/external-ipv4-address: auto
    spec:
      rules:
        - host: <domain_name>
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: alb-demo-1
                    port:
                      name: http
    

    Where:

    • ingress.alb.yc.io/group-name: Group name. Ingress resources are grouped so that a separate Application Load Balancer serves each group.

    • ingress.alb.yc.io/subnets: One or more subnets to host the load balancer.

    • ingress.alb.yc.io/security-groups: One or more security groups for the load balancer. If you skip this parameter, the default security group will be used.

    • ingress.alb.yc.io/external-ipv4-address: Public access to the load balancer from the internet. Enter the IP address you got earlier or set auto to get a new IP address automatically.

      If you set auto, deleting the load balancer from the cloud removes its IP address. To avoid this, use a reserved IP address.

    • ingress.alb.yc.io/group-settings-name: Name of the optional IngressGroupSettings resource that describes the settings for the Ingress resource group.

    Optionally, specify the additional controller settings:

    Note

    The settings listed below will only apply to the virtual hosts of the Ingress resource in which the corresponding annotations are configured.

    They will not apply to the virtual hosts of the group's other Ingress resources.

    • ingress.alb.yc.io/internal-ipv4-address: Provide internal access to the load balancer. Enter the internal IP address or use auto to get the IP address automatically.

      Note

      You can only use one type of access to the load balancer at a time: ingress.alb.yc.io/external-ipv4-address or ingress.alb.yc.io/internal-ipv4-address.

    • ingress.alb.yc.io/internal-alb-subnet: Subnet to host the load balancer. This parameter is required if you select ingress.alb.yc.io/internal-ipv4-address.

    • ingress.alb.yc.io/protocol: Protocol for connections between the load balancer and backends:

      • http: HTTP/1.1. This is the default value.
      • http2: HTTP/2.
      • grpc: gRPC.
    • ingress.alb.yc.io/transport-security: Encryption protocol for connections between the load balancer and backends.

      Warning

      For ALB Ingress Controller 0.2.0 and later, you can only use this annotation in the Service object.

      Annotations specified in Ingress resources sharing a single service with the same backend group settings apply correctly. However, this feature is deprecated and will be discontinued.

      The acceptable value is tls: TLS without certificate validation.

      If this annotation is not specified, the load balancer will connect to the backends without encryption.

    • ingress.alb.yc.io/prefix-rewrite: Replace the path with the specified value.

    • ingress.alb.yc.io/upgrade-types: Valid values of the Upgrade HTTP header, e.g., websocket.

    • ingress.alb.yc.io/request-timeout: Maximum connection request timeout.

    • ingress.alb.yc.io/idle-timeout: Maximum connection idle timeout.

      Make sure to provide the request-timeout and idle-timeout values with units of measurement, e.g., 300ms or 1.5h. Acceptable units of measurement include:

      • ns, nanoseconds
      • us, microseconds
      • ms, milliseconds
      • s, seconds
      • m, minutes
      • h, hours

    For more information about the Ingress resource settings, see Ingress resource fields and annotations.

  2. Create Ingress resources:

    kubectl apply -f ingress.yaml
    

    Result:

    ingress.networking.k8s.io/logs-demo-nondefault created
    ingress.networking.k8s.io/logs-demo-disabled created
    ingress.networking.k8s.io/logs-demo-default created
    

    The system will automatically deploy three L7 load balancers based on the Ingress resource configurations.

Specify the settings for the Ingress resource groups

Create the IngressGroupSettings resource with these logging settings for the Ingress resource groups:

  • non-default-settings: Logging to the previously created custom log group with defined rules.
  • logs-disabled-settings: No logging.

If you want to have logs saved to the default log group, skip these settings.

  1. Create the settings.yaml file with the log group ID:

    apiVersion: alb.yc.io/v1alpha1
    kind: IngressGroupSettings
    metadata:
      name: non-default-settings
    logOptions:
      logGroupID: <custom_log_group_ID>
      discardRules:
        - discardPercent: 50
          grpcCodes:
            - OK
            - CANCELLED
            - UNKNOWN
        - discardPercent: 67
          httpCodeIntervals:
            - HTTP_1XX
        - discardPercent: 20
          httpCodes:
            - 200
            - 404
    ---
    apiVersion: alb.yc.io/v1alpha1
    kind: IngressGroupSettings
    metadata:
      name: logs-disabled-settings
    logOptions:
      disable: true
    
  2. Create the resources:

    kubectl apply -f settings.yaml
    

    Result:

    ingressgroupsettings.alb.yc.io/non-default-settings created
    ingressgroupsettings.alb.yc.io/logs-disabled-settings created
    

The settings from those resources will apply to the Ingress resource groups in line with the ingress.alb.yc.io/group-settings-name annotations specified for the Ingress resources.
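
The mapping described above, as an added Python example that is not part of the Yandex Cloud documentation: it resolves each Ingress group's ingress.alb.yc.io/group-settings-name annotation to its IngressGroupSettings resource and reports the effective logging mode and the share of log entries each discard rule keeps. The input is a constructed list mirroring ingress.yaml and settings.yaml; the logs-demo-typo Ingress, the mode labels and the function names are assumptions added for illustration.

```python
GROUP_ANN = "ingress.alb.yc.io/group-name"
SETTINGS_ANN = "ingress.alb.yc.io/group-settings-name"

def _ingress(name, group, settings=None):
    """Build a minimal Ingress object carrying only the annotations we inspect."""
    ann = {GROUP_ANN: group}
    if settings:
        ann[SETTINGS_ANN] = settings
    return {"kind": "Ingress", "metadata": {"name": name, "annotations": ann}}

# Constructed sample in the shape of a Kubernetes List object, mirroring the
# tutorial's ingress.yaml and settings.yaml. "logs-demo-typo" is an added
# failure case: its annotation names a settings resource that does not exist.
SAMPLE = {"kind": "List", "items": [
    _ingress("logs-demo-nondefault", "non-default", "non-default-settings"),
    _ingress("logs-demo-disabled", "logs-disabled", "logs-disabled-settings"),
    _ingress("logs-demo-default", "default"),
    _ingress("logs-demo-typo", "typo", "typo-settings"),
    {"kind": "IngressGroupSettings", "metadata": {"name": "non-default-settings"},
     "logOptions": {"logGroupID": "<custom_log_group_ID>", "discardRules": [
         {"discardPercent": 50, "grpcCodes": ["OK", "CANCELLED", "UNKNOWN"]},
         {"discardPercent": 67, "httpCodeIntervals": ["HTTP_1XX"]},
         {"discardPercent": 20, "httpCodes": [200, 404]}]}},
    {"kind": "IngressGroupSettings", "metadata": {"name": "logs-disabled-settings"},
     "logOptions": {"disable": True}},
]}

def sampled(opts):
    """Return {selector: percent of entries kept} for every discard rule."""
    kept = {}
    for rule in opts.get("discardRules", []):
        for key in ("httpCodes", "httpCodeIntervals", "grpcCodes"):
            for code in rule.get(key, []):
                kept[f"{key}:{code}"] = 100 - rule["discardPercent"]
    return kept

def effective_logging(doc):
    """Map each Ingress group name to (mode, log group ID, kept-percent map)."""
    items = doc.get("items", [])
    settings = {i["metadata"]["name"]: i.get("logOptions") or {}
                for i in items if i.get("kind") == "IngressGroupSettings"}
    report = {}
    for ing in (i for i in items if i.get("kind") == "Ingress"):
        ann = ing["metadata"].get("annotations") or {}
        group = ann.get(GROUP_ANN)
        if group is None:
            continue
        ref = ann.get(SETTINGS_ANN)
        if ref is None:
            entry = ("default-log-group", None, {})
        elif ref not in settings:
            entry = ("settings-not-found", None, {})
        elif settings[ref].get("disable"):
            entry = ("disabled", None, {})
        else:
            opts = settings[ref]
            mode = "custom-log-group" if opts.get("logGroupID") else "default-log-group"
            entry = (mode, opts.get("logGroupID"), sampled(opts))
        # Ingresses of one group share a load balancer, so disagreeing
        # settings references within a group are reported as a conflict.
        if group in report and report[group] != entry:
            entry = ("conflict", None, {})
        report[group] = entry
    return report

if __name__ == "__main__":
    for group, (mode, log_group, kept) in effective_logging(SAMPLE).items():
        print(f"{group}: {mode} {log_group or ''} {kept}")
```

For a live cluster, the same function can be given the parsed JSON from `kubectl get ingress,ingressgroupsettings -o json`, assuming the objects keep the field layout shown in the manifests above.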

Check the result

Get the log group IDs for the new L7 load balancers and make sure they match the settings in settings.yaml:

  • One of the load balancers uses the custom log group you created, with the defined rules.
  • Another uses the default log group.
  • The third has logging disabled.

Delete the resources you created

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:

Use one of the two methods below: manually or with Terraform.

Manually:

  1. Delete the Managed Service for Kubernetes cluster.
  2. Delete the cluster public static IP address if you reserved one.
  3. Delete the service accounts.
  4. Delete the log group.

Terraform:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.
