Infra Foundation module

ALB Pro: production-ready AWS Application Load Balancer module

A focused Terraform module for teams that need a reusable ALB entry point with secure listener defaults, health-checked targets, configurable traffic exposure, and optional access logging.

See what is included
ALB Pro architecture diagram

Load balancing without repetitive wiring

ALB Pro packages the common Application Load Balancer pieces into a reusable Terraform module: ALB security group, target group, listener behavior, health checks, access logging hooks, and production-friendly toggles.

ALB Pro supports internet-facing or internal load balancers, HTTP forwarding, optional HTTPS when an ACM certificate ARN is provided, optional HTTP-to-HTTPS redirect, target group deregistration delay, slow start, deletion protection, and optional S3 access logs.

It is designed to pair with VPC Pro or any existing VPC where you can pass a VPC ID and subnet IDs.

What is included

ALB foundation
  • Internet-facing or internal ALB mode
  • Configurable subnet placement
  • ALB security group managed by the module
  • Configurable ingress CIDR blocks
Listener behavior
  • HTTP listener on port 80
  • HTTPS listener when an ACM certificate is provided
  • Modern default SSL policy
  • Optional HTTP to HTTPS redirect
Target group controls
  • Instance target group
  • Configurable target port and protocol
  • Health check path, matcher, timeout, and interval
  • Deregistration delay and slow start controls
Production guardrails
  • Deletion protection enabled by default
  • Configurable idle timeout
  • Consistent tagging
  • Optional ALB access logs to S3

Module structure

ALB Pro is delivered as a clean Terraform module layout with separate files for resources, variables, outputs, and provider requirements. The structure is easy to review, extend, and wire into an existing VPC or the AWS Foundation Bundle.

infra/modules/alb/
├── main.tf
├── variables.tf
├── outputs.tf
└── versions.tf

Key resources:
├── aws_security_group.alb
├── aws_lb.this
├── aws_lb_target_group.http
├── aws_lb_listener.http_forward
├── aws_lb_listener.http_redirect
└── aws_lb_listener.https

Frequently asked questions

Can it be internal or public?

Yes. The module exposes an internal toggle, so it can be used for public internet-facing entry points or private internal traffic.

Does it support HTTPS?

Yes. Pass an ACM certificate ARN and the module creates the HTTPS listener. It can also redirect HTTP to HTTPS.

Does it include WAF?

WAF is not bundled by default. It can be added as an extension or custom engagement when your workload requires managed rules or additional edge protection.

What targets does it use?

The target group uses instance targets, which pairs cleanly with EC2 or Auto Scaling groups.