# Set Up an Application Load Balancer
{% hint style="info" %}
**Prerequisites:** A public load balancer can be created by providing at least one listener IP address. Ensure you have reserved public IP addresses from the [IP Management](https://docs.ionos.com/sections-test/guides/network-services/vdc-networking/ip-address/ipv4). You may always create a private load balancer without specifying any IP addresses.
Additionally, you will need at least one Target Group to which Application Load Balancer (ALB) will forward the traffic. You can create one in the [Target Group Manager](https://docs.ionos.com/sections-test/guides/network-services/application-load-balancer/how-tos/create-target-groups).
{% endhint %}
## Configure an ALB
1\. In the **DCD**, go to **Menu** > **Virtual Data Centers**.
2\\. Select a data center where you want to configure the ALB.
3\. Drag a **Load Balancer** of type **application** to the **Workspace**.
4\. Connect the northern interface to **Internet Access** and the southern interface to a target **Server**. Only public load balancers require a public IP address and internet-facing connectivity to accept traffic from the web. Private load balancers operate strictly within a virtual network using private IP addresses.
## Define Settings
Select **Settings** to configure the ALB settings, and provide the following information:
* **Name:** Enter a name for the ALB.
* **Primary IPv4:** Use a public IP address you have previously reserved for public load balancing. For private load balancing, a private IP address will be assigned automatically upon provisioning. Otherwise, you may always enter a separate private IP address.
* **Add IP:** *(Optional)*. Add additional public or private IP addresses.
* **Flowlog:** Configure [flow logs](https://docs.ionos.com/sections-test/guides/network-services/flow-logs).
## Add Forwarding rules
Forwarding rules define how client traffic is distributed to the targets. More than one rule can be created for the same load balancer. In the Inspector pane on the right side, select the **Forwarding rules** tab. To add Forwarding rules, select **Add forwarding rule** option and fill in the following fields:
* **Name:** Enter a unique name for the forwarding rule.
* **Protocol:** This field is preset and defines how data is transmitted between devices. The default value is set to HTTP.
* **Listener IP:** Assign an IP address to the listener interface.
* **Listener port:** Select the HTTP port on which the listener will accept client requests.
* **Client timeout:** The default value is set to 50000 milliseconds(ms). This idle timeout is applied when the client is expected to acknowledge or send data. Client time is the duration in which the ALB will not break the TCP connection established with the client, after which the connection is terminated, provided that the client does not send any subsequent requests during this interval.
### Set up HTTP rules
1\. Setting up HTTP rules in ALB configuration is essential for properly routing incoming traffic to the appropriate targets, load balancing between multiple targets, and improving security by filtering out unwanted traffic.
HTTP rules include **Forward**, **Redirect**, and **Static** rules. To create an HTTP rule, select **Add HTTP Rule** on the right side.
Select an appropriate option for the incoming traffic to activate HTTP Rules in the workspace.
{% tabs %}
{% tab title="Forward" %}
To forward a request to a pre-made Target Group, select the **Forward** option from the drop-down menu and fill in the following fields:
* **Name:** Enter a unique name for the HTTP rule.
* **Target Group:** Select a target group for forwarding traffic based on the protocol and port specified in the listener configuration.
To add a new target, select **Add**. Provide the following information in the **Add Target** pop-up window:
* **IP:** Enter the target IP address directly or choose one from the drop-down list.
* **Port:** Enter the target port directly or choose one from the drop-down list.
* **Weight:** Assign a target weight from **1** to **256**. A target with a higher weight gets a larger share of traffic. The default weight value is set to **1**.
* **Proxy Protocol:** Select a value for the Proxy Protocol from the drop-down list to enable it. You can preserve and send the connection information to your backend instances, such as Apache, NGINX, or an ingress controller inside Kubernetes. Ensure your backend instances are up and running and have Proxy Protocol enabled. The backend instances may return errors or empty responses if the servers are not configured. The following options are available for the Proxy Protocol:
* **none:** for disabling the Proxy Protocol
* **v1:** for plain text format
* **v2:** for binary format
* **v2ssl:** for encrypted binary format
* **Options:** For changing the target-specific health check configuration, select the following:
* **Health Check Enabled:** Upon selection, the target becomes available only for TCP or HTTP connection attempts.
* **Maintenance Enabled:** Upon selection, the target does not receive balanced traffic and affects the health of the target.
{% endtab %}
{% tab title="Redirect" %}
To request redirection at the HTTP level, select the **Redirect** option from the drop-down menu and fill in the following fields:
* **Name:** Enter a unique name for the HTTP rule.
* **Redirect URL:** Select a target URL for the redirect.
* **Status Code:** Select a status response code from the list.
* **Query string:** Specify whether you want to keep or drop the query string.
{% endtab %}
{% tab title="Static" %}
To return a static response message, select the **Static** option from the drop-down menu and fill in the following fields:
* **Name:** Enter a unique name for the HTTP rule.
* **Status Code:** Select a status response code from the list.
* **Response Message:** Select an appropriate content type from the list.
* **Response Content type:** Enter the content to be displayed in the browser upon the rule trigger.
{% endtab %}
{% endtabs %}
2\. In addition, you can set **Conditions** for the rule.
* Select the **Add Condition** option to define rules to determine how the load balancer should route incoming traffic. A **New Condition** window will open up. Provide the following information:
* **Type:** Select the **Type** of the condition from the drop-down list.
* **Header:** Used when you want to customize the routing of incoming requests based on specific information found in the HTTP headers of those requests.
* **Path:** Used when you want to customize the routing or handling of incoming requests based on the path of the URL.
* **Query:** Used when you want to customize the routing or handling of incoming requests based on parameters in the query string of the URL.
* **Method:** Used when you want to customize the routing or handling of incoming requests based on the HTTP method used in the request.
* **Host:** Used when you want to customize the routing or handling of incoming requests based on the host or domain name present in the HTTP headers.
* **Cookie:** Used when you want to customize the routing or handling of incoming requests based on the presence or value of specific cookies.
* **Source IP:** Used when you want to customize the routing or handling of incoming requests based on the IP address of the client or the source of the request.
* **not:** Select **not** to specify conditions for routing rules.
* **Condition:** Select an option from the drop-down list to specify conditions for routing rules.
* **Key:** Enter the attribute of an incoming request that the condition is evaluating.
* Select **Add Condition** to save the newly created condition.
You can delete a condition by selecting the **Remove** option on the right.
3\. Select **OK** to save the configuration.
{% hint style="success" %}
**Result:** The rules are created successfully. To edit, click on the respective rule name.
{% endhint %}
### Create and associate SSL Certificates
You can create or associate an [imported SSL certificate](https://docs.ionos.com/sections-test/guides/security/certificate-manager/dcd-how-tos/create-certificate) with the load balancer.
{% hint style="info" %}
**Certificate requirements for ALB:** To successfully provision an ALB, you must provide a valid Leaf (End-Entity) certificate. The ALB provisioning process performs strict validation on the certificate structure to ensure it is intended for server identity.
1\. **Certificate Constraints:**
* **Accepted:** Only a specific domain or server (Leaf) certificate is permitted.
* **Not Accepted:** Certificate Authority (CA) certificates, including root and intermediate, cannot be used as the server identity.
* **Avoid Bundles:** Do not upload a CA bundle or combined root file as the primary certificate.
2\. **Verification via the OpenSSL:**
Before uploading your certificate or triggering a deployment, verify that your file is a valid Leaf certificate. You can use the following command for verification:
`openssl x509 -in your_certificate.crt -text -noout`
{% endhint %}
Select **Add Certificate** to create or associate an imported certificate:
{% tabs %}
{% tab title="Select an existing SSL Certificate" %}
1\. Select an imported certificate from the drop-down list.
2\. Select **Add Certificate** to associate the certificate with the ALB.
{% endtab %}
{% tab title="Create SSL Certificate" %}
Enter the necessary details to create a certificate. For more information about the details you must specify, see **Import a Certificate** tab in [Create Certificate](https://docs.ionos.com/sections-test/guides/security/certificate-manager/dcd-how-tos/create-certificate).
{% endtab %}
{% endtabs %}
## Private IPs
{% hint style="info" %}
**Note:** This step is optional. A private IP address will be assigned automatically during provisioning. You may also add a private IP manually if you select **Add IP**.
{% endhint %}
The backend of the ALB exposes the private IP addresses of the target as the source of client traffic. A backend IP address is configurable and defaults to x.x.x.225. Backend IPs are listed in the ALB Inspector under the **Private IPs** tab.
## Provision an ALB
Once you have entered the mandatory **Settings** and **Forwarding Rules**, you can provision the ALB by selecting **PROVISION CHANGES**. A **Provision Data Center** pop-up will appear. Select **Provision Now**.
{% hint style="info" %}
**Note:** The provisioning process cannot be canceled. However, an existing ALB can be modified at any time. Your password may be required to edit some elements as an additional security measure.
{% endhint %}
## Delete an ALB
To delete the ALB, right-click the element and select **Delete**. You can also use backspace or the Delete button on your keyboard.
