

Service annotations

  • Annotation keys and values can only be strings. All other types below must be string-encoded, for example:
    • boolean: "true"
    • integer: "42"
    • stringList: "s1,s2,s3"
    • stringMap: "k1=v1,k2=v2"
    • json: "{ \"key\": \"value\" }"


Name Type Default Notes string boolean false string Set to "*" to enable string ipv4 ipv4 | dualstack boolean false string string boolean false stringList stringList string ELBSecurityPolicy-2016-08 string stringMap integer 3 integer 3 integer 10 integer 10 string TCP integer | traffic-port traffic-port string "/" for HTTP(S) protocols stringList stringMap stringList stringList

Traffic Routing

Traffic routing can be controlled with the following annotations:

  • specifies the Availability Zone the NLB will route traffic to. See Network Load Balancers for more details.


    Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.

    You must specify at least one subnet in any of the AZs. Either subnetID or subnetName (the Name tag on subnets) can be used.


    • Each subnet must be from a different Availability Zone.
    • AWS has restrictions on disabling existing subnets for NLB. As a result, you might not be able to edit this annotation once the NLB gets provisioned.

    Example subnet-xxxx, mySubnet


    TLS listener forwarding to a TLS target group

    supported policies

    • HTTP1Only Negotiate only HTTP/1.*. The ALPN preference list is http/1.1, http/1.0.
    • HTTP2Only Negotiate only HTTP/2. The ALPN preference list is h2.
    • HTTP2Optional Prefer HTTP/1.* over HTTP/2 (which can be useful for HTTP/2 testing). The ALPN preference list is http/1.1, http/1.0, h2.
    • HTTP2Preferred Prefer HTTP/2 over HTTP/1.*. The ALPN preference list is h2, http/1.1, http/1.0.
    • None Do not negotiate ALPN. This is the default.

    Example HTTP2Preferred

Resource attributes

NLB target group attributes can be controlled via the following annotations:

  • specifies whether to enable proxy protocol v2 on the target group. Set to '*' to enable proxy protocol v2. This annotation takes precedence over the annotation for proxy protocol v2 configuration.

    The only valid value for this annotation is *.

  • specifies the Target Group Attributes to be configured.


    • set the deregistration delay to 120 seconds (available range is 0-3600 seconds): deregistration_delay.timeout_seconds=120
    • enable source IP affinity: stickiness.enabled=true,stickiness.type=source_ip
    • enable proxy protocol version 2: proxy_protocol_v2.enabled=true
    • enable connection termination on deregistration: deregistration_delay.connection_termination.enabled=true
    • enable client IP preservation: preserve_client_ip.enabled=true
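
The encoding and value rules above (string-only values, the stringMap format, the `*`-only proxy protocol value, the 0-3600 second deregistration range, the ALPN policy names) can be checked before a manifest is applied. The following is an added example, not code from the controller or its documentation. The annotation keys are assumptions, because the page text does not show them, and `lint_annotations`, `parse_string_map` and `SAMPLE` are hypothetical names.

```python
# Added example (not the controller's code): lint NLB Service annotations.
# The annotation keys are assumptions; the page text does not show them.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
PROXY_PROTOCOL = PREFIX + "proxy-protocol"
TG_ATTRIBUTES = PREFIX + "target-group-attributes"
ALPN_POLICY = PREFIX + "alpn-policy"
ALPN_POLICIES = {"HTTP1Only", "HTTP2Only", "HTTP2Optional", "HTTP2Preferred", "None"}


def parse_string_map(value):
    """Decode the "k1=v1,k2=v2" stringMap encoding into a dict."""
    result = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        key, sep, val = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed stringMap entry: {pair!r}")
        result[key.strip()] = val.strip()
    return result


def lint_annotations(annotations):
    """Return findings for a Service's metadata.annotations dict."""
    findings = [f"{k}: value must be a string, got {type(v).__name__}"
                for k, v in annotations.items() if not isinstance(v, str)]
    strs = {k: v for k, v in annotations.items() if isinstance(v, str)}
    proxy = strs.get(PROXY_PROTOCOL)
    if proxy is not None and proxy != "*":
        findings.append(f"{PROXY_PROTOCOL}: the only valid value is '*'")
    alpn = strs.get(ALPN_POLICY)
    if alpn is not None and alpn not in ALPN_POLICIES:
        findings.append(f"{ALPN_POLICY}: unsupported policy {alpn!r}")
    raw = strs.get(TG_ATTRIBUTES)
    if raw is None:
        return findings
    try:
        attrs = parse_string_map(raw)
    except ValueError as exc:
        return findings + [f"{TG_ATTRIBUTES}: {exc}"]
    delay = attrs.get("deregistration_delay.timeout_seconds")
    if delay is not None and not (delay.isascii() and delay.isdigit() and int(delay) <= 3600):
        findings.append(f"{TG_ATTRIBUTES}: deregistration delay {delay!r} is outside 0-3600")
    if proxy == "*" and attrs.get("proxy_protocol_v2.enabled") == "false":
        findings.append(f"{TG_ATTRIBUTES}: proxy_protocol_v2.enabled=false is overridden by {PROXY_PROTOCOL}")
    return findings


# Constructed sample: invalid proxy protocol value and an out-of-range delay.
SAMPLE = {PROXY_PROTOCOL: "true", ALPN_POLICY: "HTTP2Preferred",
          TG_ATTRIBUTES: "deregistration_delay.timeout_seconds=7200,stickiness.enabled=true"}
```

The last check flags the case where the proxy protocol annotation silently wins over a conflicting target group attribute, which changes what source address the backend sees.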