This chapter covers Application Load Balancer (ALB) routing rules: path-based, host-based, and header-based routing. These features are critical for building resilient, multi-service architectures on AWS and appear in approximately 10-15% of SAA-C03 exam questions. You will learn the exact mechanisms, configuration steps, and exam traps associated with each routing type, enabling you to design efficient microservice and multi-tenant architectures that pass the exam and work in production.
Jump to a section
Imagine a large company's mail room that receives all incoming packages. The mail room has a single loading dock (the ALB's public endpoint), but it needs to deliver packages to hundreds of different departments and individuals. The mail room uses a three-tier sorting system. First, a sorter looks at the building address on the package (the host header). If the package says 'Building A', it goes to one bin; 'Building B' to another. This is host-based routing—routing based on the domain name. Next, within each building bin, another sorter looks at the department name written in the 'Attn' field (the path). Packages for 'Accounting' go to one chute, 'Engineering' to another. This is path-based routing. Finally, a third sorter checks for special stickers like 'Confidential' or 'Fragile' (custom headers). If a package has a 'Confidential' sticker, it gets routed to a secure handling area. The mail room maintains a routing table: a list of which building/department combinations go to which delivery truck (target group). When a package arrives, the sorters sequentially check the routing rules in order. The first matching rule determines the destination. If no rule matches, the package is sent to a default bin (default action). This system allows the company to handle mail for multiple offices and departments using a single loading dock, just as ALB routes traffic for multiple applications and environments using a single load balancer.
What is ALB Routing and Why Does It Matter?
An Application Load Balancer (ALB) operates at Layer 7 of the OSI model, meaning it can inspect the content of HTTP/HTTPS requests—specifically the host header, URL path, HTTP method, query strings, and custom headers. This allows the ALB to make routing decisions based on application-level data, not just network-level information like source IP and port. The exam tests your ability to differentiate ALB from Network Load Balancer (NLB) and Classic Load Balancer (CLB), and to choose the right routing type for given requirements.
Path-based routing directs requests to different target groups based on the URL path (e.g., /api/* vs. /images/*). Host-based routing uses the Host header (e.g., api.example.com vs. app.example.com). Header-based routing uses arbitrary custom headers (e.g., X-Client-Version: 2.0). These rules are evaluated in order of priority, and the first matching rule determines the target group. If no rule matches, the request is sent to the default target group (which you must configure).
How ALB Routing Works Internally
When a client sends an HTTP/HTTPS request to the ALB's DNS name (e.g., myalb-1234567890.us-east-1.elb.amazonaws.com), the ALB terminates the TLS connection (if HTTPS) and then inspects the request. The ALB maintains a list of listeners (e.g., HTTP:80, HTTPS:443). Each listener has a set of rules. Each rule has:
- Priority: A unique integer from 1 to 50000. Lower numbers are evaluated first.
- Action: Typically forward to a target group, but can also be redirect, fixed-response, or authenticate (for Cognito or OIDC).
- Conditions: One or more conditions that must be met. Conditions can be:
- host-header: Matches the Host header against a list of hostnames (supports wildcards *.example.com).
- path-pattern: Matches the URL path against a pattern (supports wildcards * and ?).
- http-header: Matches a custom header name and value.
- http-request-method: Matches HTTP methods like GET, POST.
- query-string: Matches key-value pairs in the query string.
- source-ip: Matches the client's IP address (requires a target group of type ip).
When a request arrives, the ALB evaluates rules in ascending priority order. If a rule's conditions all evaluate to true, the rule's action is executed, and no further rules are evaluated. If no rule matches, the default action (which has no conditions) is executed. The default action is always present and cannot be deleted, but you can modify its target group.
Key Components, Values, and Defaults
- Listener: Each ALB must have at least one listener. You can have up to 10 listeners per ALB (default limit, can be increased).
- Rules: Up to 100 rules per listener (default). Each rule can have up to 5 conditions (except for source-ip which is limited to 1 condition per rule).
- Conditions:
- host-header: You can specify up to 5 hostnames per condition, each can include wildcards (*.example.com). Matching is case-insensitive.
- path-pattern: Supports up to 5 patterns per condition. Patterns use glob-style matching: * matches any sequence of characters, ? matches any single character. Example: /api/* matches /api/users, /api/v1/items. Path matching is case-sensitive by default, but you can enable case-insensitive matching at the listener level.
- http-header: You specify a header name (case-insensitive) and up to 5 values (case-sensitive). The condition matches if the request contains the header with one of the specified values.
- Default action: Every listener has a default rule (priority default). You must set a default target group or action. If you don't, the ALB will return a 503 error.
- Target groups: Each target group can contain EC2 instances, IP addresses, Lambda functions, or private IP addresses. Target groups can be of type instance, ip, or lambda. Health checks are configured per target group.
Configuration Examples
To create a listener with path-based rules using the AWS CLI:
aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/myalb/1234567890 --protocol HTTP --port 80 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/default-tg/1234567890Then add a rule:
aws elbv2 create-rule --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/myalb/1234567890/1234567890 --priority 10 --conditions Field=path-pattern,Values=['/api/*'] --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/api-tg/0987654321For host-based routing, the condition would be:
--conditions Field=host-header,Values=['api.example.com']For header-based routing:
--conditions Field=http-header,HttpHeaderConfig={HttpHeaderName=X-Client-Version,Values=['2.0']}How ALB Routing Interacts with Related Technologies
AWS WAF: You can associate a Web ACL with an ALB to filter requests based on IP addresses, SQL injection, XSS, etc. WAF rules are evaluated after ALB routing rules. This means the ALB first decides which target group to forward to, then WAF inspects the request. However, WAF can also inspect before routing if you integrate at the ALB level.
AWS Cognito / OIDC: ALB can authenticate users before forwarding requests. The authentication action can be set as a rule action, allowing you to require authentication for specific paths or hosts.
AWS Global Accelerator: You can put Global Accelerator in front of an ALB to improve performance and provide static IP addresses. Routing still works the same way.
Auto Scaling: Target groups can be associated with Auto Scaling groups. As instances scale up/down, the ALB automatically registers/deregisters them.
Sticky sessions (session affinity): You can enable sticky sessions on a target group using a cookie (AWSALB or custom). This ensures requests from the same client go to the same target, which is important for stateful applications.
Advanced Routing: Weighted Target Groups
You can also forward traffic to multiple target groups with weights. This is useful for canary deployments. For example, you can send 90% of traffic to the stable target group and 10% to the new version. This is configured using the forward action with TargetGroupStickinessConfig and ForwardConfig.
Important Limits and Quotas
ALB can have up to 10 listeners.
Up to 100 rules per listener.
Each rule can have up to 5 conditions (except source-ip which is 1 condition).
Each condition can have up to 5 values (e.g., 5 hostnames or 5 path patterns).
Maximum size of a request body that ALB can pass to a target is 1 MB.
ALB idle timeout is 60 seconds (configurable).
ALB connection timeout is 10 seconds (not configurable).
Exam Relevance
On the SAA-C03 exam, you will be asked to design architectures that separate traffic for different microservices, or to route users to different backends based on domain name or path. You must know when to use path-based vs. host-based routing and how to combine them. The exam also tests edge cases like overlapping patterns, default actions, and the difference between ALB and NLB for Layer 7 routing.
Client sends HTTP request to ALB DNS
A client (browser, mobile app, or server) sends an HTTP/HTTPS request to the ALB's DNS name, e.g., `myalb-1234567890.us-east-1.elb.amazonaws.com`. The request includes headers such as `Host: api.example.com` and path `/users/123`. DNS resolves the ALB's DNS name to one of its IP addresses (which are the public IPs of the ALB's nodes). The client establishes a TCP connection to that IP on port 80 or 443. If HTTPS, the ALB terminates the TLS session using its certificate.
ALB listener receives the request
The ALB's listener on the configured port (e.g., 80) receives the request. The listener has a set of rules, each with a priority number. The listener also has a default action. The ALB examines the request's HTTP method, headers, path, query string, and source IP. It then begins evaluating rules in ascending order of priority.
ALB evaluates rules in priority order
Starting from the lowest priority number (highest priority), the ALB checks each rule's conditions. For example, rule priority 10 has conditions: host-header = `api.example.com` AND path-pattern = `/v1/*`. The ALB compares the request's Host header and path against these conditions. If both match, the rule's action is triggered. If not, the next rule (priority 20) is checked. This continues until a matching rule is found or all rules are exhausted.
First matching rule determines target group
The first rule whose conditions are all satisfied determines the action. If the action is `forward`, the ALB selects the target group specified in the rule. The ALB then performs load balancing across healthy targets in that target group using the round-robin algorithm (or least outstanding requests if configured). The ALB also adds the `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` headers to the request.
Default rule handles unmatched requests
If no user-defined rule matches, the ALB falls back to the default rule (which has no conditions). The default rule is configured with a default action, typically forwarding to a default target group. If you have not configured a default target group, the ALB returns a 503 Service Unavailable response. The default rule is always present and cannot be deleted, but you can modify its action.
Scenario 1: Microservices Architecture with Path-Based Routing
A SaaS company runs multiple microservices (users, orders, payments) behind a single ALB. Each microservice is deployed on its own Auto Scaling group and target group. The ALB listener on port 443 has rules: path /users/* forwards to the users target group, /orders/* to orders, /payments/* to payments. This allows the company to manage each service independently, scale them separately, and deploy updates without affecting others. In production, they also use host-based routing to separate staging and production: api.example.com for prod, api.staging.example.com for staging. They configure host-header conditions with wildcards like *.example.com to simplify. Common misconfiguration: overlapping path patterns (e.g., /users/* and /users/admin/*). If the more specific pattern has a higher priority number (lower priority), the broader pattern matches first, causing admin requests to go to the wrong target group. The fix is to assign lower priority numbers to more specific patterns.
Scenario 2: Multi-Tenant SaaS with Host-Based Routing
A SaaS provider hosts multiple tenants, each with a custom domain (e.g., tenant1.app.com, tenant2.app.com). They use host-based routing to direct each tenant to their own target group. The ALB listener has rules: host-header = tenant1.app.com forwards to tenant1-tg, tenant2.app.com to tenant2-tg. A default rule sends unknown hosts to a landing page. They also use header-based routing to route based on API version: requests with X-API-Version: 2.0 go to a canary target group for testing. Performance consideration: ALB can handle tens of thousands of rules, but each rule adds latency. For hundreds of tenants, they use a wildcard rule (*.app.com) and then examine the host header at the application level to avoid rule explosion.
Scenario 3: Blue/Green Deployments with Weighted Routing
An e-commerce company uses weighted target groups to perform blue/green deployments. They create two target groups: blue-tg (stable) and green-tg (new version). A rule forwards traffic to both with weights 90 and 10. They monitor the green version, and if successful, gradually increase its weight to 100. This is done using the AWS CLI or SDK. Common pitfall: forgetting to enable stickiness for stateful applications. If a user's session is on the blue target and then a subsequent request goes to green, the session is lost. They enable stickiness on the target group (using the AWSALB cookie) to ensure session affinity during the transition.
What SAA-C03 Tests on This Topic
The exam objectives under "Resilient Architectures" (Objective 2.2) include designing load balancing and auto scaling configurations. Specifically, you need to know:
How to choose between ALB, NLB, and CLB based on Layer 7 vs. Layer 4 requirements.
How to configure path-based, host-based, and header-based routing.
How to combine multiple conditions in a single rule (AND logic).
How to use wildcards in host-header and path-pattern.
The importance of rule priority and default actions.
How to use weighted target groups for canary deployments.
Common Wrong Answers and Why Candidates Choose Them
Using NLB for path-based routing: Candidates see "load balancer" and pick NLB because it's newer. But NLB operates at Layer 4 and cannot inspect HTTP headers or paths. The correct answer is ALB.
Setting overlapping path patterns with wrong priorities: Candidates create rules like /api/* (priority 10) and /api/v1/* (priority 20). They expect the more specific pattern to match first, but because priority 10 is lower number, /api/* matches first. The correct setup is to give /api/v1/* a lower priority number (e.g., 5) so it is evaluated first.
Forgetting to configure a default target group: Candidates assume that if no rule matches, the ALB will forward to a default group automatically. In reality, you must explicitly set a default action. If not, the ALB returns 503.
Using path-based routing with HTTP method conditions incorrectly: The exam may ask to route GET requests to one target and POST to another. Candidates try to use path-pattern alone, but they need to add an http-request-method condition.
Specific Numbers and Terms That Appear on the Exam
Maximum rules per listener: 100
Maximum conditions per rule: 5
Maximum values per condition: 5
Priority range: 1 to 50000
Wildcard characters: * (matches any sequence) and ? (matches single character)
Default idle timeout: 60 seconds
Supported actions: forward, redirect, fixed-response, authenticate
Target group types: instance, ip, lambda
Edge Cases and Exceptions
If you have a rule with both host-header and path-pattern, both must match (AND). There is no OR logic within a single rule.
If you want OR logic, you must create separate rules with the same action.
Path patterns are case-sensitive by default. You can enable case-insensitive matching at the listener level using the http-request-method condition? No, case-insensitivity is a listener-level setting for path patterns.
Header-based routing matches header values case-sensitively.
You cannot use path-based routing with a Lambda target group if the Lambda function expects the entire request? Actually, ALB can invoke Lambda functions and passes the request as a JSON event. Path-based routing works the same way.
How to Eliminate Wrong Answers
If the scenario requires routing based on HTTP header or URL path, eliminate NLB and CLB.
If the scenario mentions microservices or containerized applications, ALB is usually the best choice.
If the scenario requires static IP addresses for whitelisting, consider NLB with ALB behind it, or Global Accelerator.
If the scenario requires WebSocket support, ALB supports WebSocket natively.
If the scenario requires gRPC, ALB supports HTTP/2 which gRPC requires.
ALB routing rules are evaluated in order of priority (lowest number first).
Each rule can have up to 5 conditions, all must match (AND logic).
Path patterns use glob-style wildcards: `*` matches any sequence, `?` matches single character.
Host-header conditions support wildcard domains like `*.example.com`.
Default action is mandatory; if no rule matches, the default action is used.
You can use weighted target groups for canary deployments (e.g., 90% blue, 10% green).
ALB supports WebSocket and HTTP/2 (for gRPC).
Header-based routing can use custom headers (not standard ones like Host).
Maximum 100 rules per listener, maximum 5 values per condition.
Sticky sessions can be enabled per target group using AWSALB cookie.
These come up on the exam all the time. Here's how to tell them apart.
Path-Based Routing
Routes based on URL path (e.g., `/api/*`, `/images/*`).
Useful for separating microservices within the same domain.
Supports wildcard patterns with `*` and `?`.
Can be combined with HTTP method or query string conditions.
Common for single-domain multi-service architectures.
Host-Based Routing
Routes based on Host header (e.g., `api.example.com`, `www.example.com`).
Useful for multi-tenant or multi-domain setups.
Supports wildcards like `*.example.com`.
Often used with path-based routing for fine-grained control.
Common for SaaS platforms with custom domains.
Mistake
ALB routing rules are evaluated in random order.
Correct
Rules are evaluated in strict ascending order of priority number (lower number = higher priority). The first matching rule wins.
Mistake
You can have multiple rules with the same priority.
Correct
Each rule must have a unique priority within a listener. If you try to create a rule with an existing priority, the API will return an error.
Mistake
Path patterns support regular expressions.
Correct
Path patterns use glob-style wildcards (`*` and `?`), not regex. For example, `/api/*` matches any path starting with `/api/`, but `/api/.*` is not valid.
Mistake
The default action can be deleted.
Correct
The default action is mandatory and cannot be deleted. You can only modify its target group or action type.
Mistake
Header-based routing can match on any HTTP header, including standard headers like `Content-Type`.
Correct
You can match on any custom header, but standard headers like `Content-Type` are not allowed. The header name must start with `X-` or be a custom header. Actually, you can use any header except for the `Host`, `Connection`, and `Content-Length` headers which are reserved.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, you can combine multiple conditions in a single rule. For example, you can have a rule that matches host-header = `api.example.com` AND path-pattern = `/v1/*`. Both conditions must be satisfied for the rule to trigger. This allows very granular routing. On the exam, remember that conditions within a rule are ANDed together; if you need OR logic, you must create separate rules with the same action.
If no user-defined rule matches, the ALB uses the default action. You must configure a default target group or action (like a fixed response). If you haven't set a default target group, the ALB returns a 503 Service Unavailable error. Always ensure your default action handles unmatched requests appropriately, such as redirecting to a main page or returning a 404.
Yes. ALB can invoke Lambda functions as targets. The path-based routing works the same way: the ALB evaluates rules and forwards matching requests to the Lambda target group. The Lambda function receives the request as a JSON event with the path, headers, and body. This is common for serverless APIs.
You can use the `http-request-method` condition in your rule. For example, you can create a rule with condition http-request-method = `GET` and forward to one target group, and another rule for `POST`. This is often used for REST APIs where read and write operations are handled by different backends.
Yes, you can use the `*` wildcard in host-header conditions. For example, `*.example.com` matches any subdomain of example.com. You can also use `*` alone to match any host header, but that is rarely useful. Wildcards can appear at the beginning or end of the pattern, but not in the middle. For example, `*sub*.example.com` is not valid.
ALB operates at Layer 7 and can route based on HTTP/HTTPS content (headers, paths, methods). NLB operates at Layer 4 and routes based on TCP/UDP traffic, source IP, and port. NLB cannot inspect HTTP headers or paths. For path-based, host-based, or header-based routing, you must use ALB. NLB is used for ultra-low latency, static IP addresses, or when you need to handle non-HTTP protocols.
Sticky sessions (session affinity) are configured at the target group level, not the rule level. You enable stickiness on a target group, and the ALB uses a cookie (AWSALB) to bind a client to a specific target. This works regardless of which rule matched. However, if you have multiple target groups, each can have its own stickiness settings.
You've just covered ALB: Path-Based, Host-Based, and Header Routing — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?