Merged
2 changes: 1 addition & 1 deletion latest/ug/clusters/private-clusters.adoc
@@ -115,7 +115,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl
* *EFS storage* - If your Pods use Amazon EFS volumes, then before deploying the <<efs-csi,Store an elastic file system with Amazon EFS>>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster.
* Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns].
* If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically.
* You can use the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint.
* You can use the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint.
+
The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <<alb-ingress>> and <<network-load-balancer>>.
* https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler Pods, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on GitHub. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint.
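Review bot: the + line swaps the pinned `v2.7` docs path for `latest`, so the two anchors it relies on (`#controller-command-line-flags` and `#discover-via-ingress-rule-host`) now have to exist on whatever the latest page is; please confirm both resolve, because a broken anchor silently drops the reader at the top of the page. Since this sentence tells private-cluster operators to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false, it would also help to say that these flag names apply to the controller version they install, as an unpinned link no longer guarantees the names match.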
2 changes: 1 addition & 1 deletion latest/ug/networking/eks-networking-add-ons.adoc
@@ -43,7 +43,7 @@ This add-on maintains network rules on your Amazon EC2 nodes and enables network
== Optional {aws} networking add-ons

*{aws} Load Balancer Controller*::
When you deploy Kubernetes service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create Kubernetes ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to Kubernetes. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation.
When you deploy Kubernetes service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create Kubernetes ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to Kubernetes. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation.


*{aws} Gateway API Controller*::
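Review bot: the rewritten line carries forward two pre-existing wording defects that are cheap to fix while touching it: the stray space in `Network Load Balancers .` and `built-in to Kubernetes`, which should read `built into Kubernetes`. The recommendation itself (use the controller rather than the legacy Cloud Provider) is unchanged and fine.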
2 changes: 1 addition & 1 deletion latest/ug/networking/lbc-helm.adoc
@@ -110,7 +110,7 @@ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
--set clusterName=my-cluster \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller \
--version 1.13.0
--version 1.14.0
----


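Review bot: `--version 1.14.0` pins the Helm chart version, not the controller version, and the chart bump changes which controller image this command installs; since alb-ingress.adoc in this same PR warns that upgrading the controller can introduce breaking changes, please confirm the chart's appVersion is a release whose flags and annotations match the rest of these docs, and consider stating the corresponding controller version next to the command so readers can cross-check the release notes.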
@@ -22,7 +22,7 @@ If the `aws:SourceArn` value does not contain the account ID, such as an Amazon
[#cross-service-confused-deputy-cluster-role]
== Amazon EKS cluster role cross-service confused deputy prevention

An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
These cluster actions can only affect the same account, so we recommend that you limit each cluster role to that cluster and account.
This is a specific application of the {aws} recommendation to follow the _principle of least privilege_ in your account.

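Review bot: the + line preserves a run-on that reads ambiguously in a section about confused-deputy prevention: `use this role to manage nodes and the legacy Cloud Provider uses this role to create load balancers` can be parsed as the cluster managing the Cloud Provider. Suggest splitting it: `... use this role to manage nodes. The legacy Cloud Provider uses the same role to create load balancers with Elastic Load Balancing for services.` The identical sentence appears in cluster-iam-role.adoc, so both copies should get the same fix.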
4 changes: 2 additions & 2 deletions latest/ug/security/iam-reference/cluster-iam-role.adoc
@@ -10,14 +10,14 @@ include::../../attributes.txt[]
Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS clusters to manage nodes and load balancers using managed or custom IAM policies.
--

An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.

Before you can create Amazon EKS clusters, you must create an IAM role with either of the following IAM policies:



* link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html[AmazonEKSClusterPolicy,type="documentation"]
* A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions:
* A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions:
+
[source,json,subs="verbatim,attributes"]
----
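Review bot: subject-verb agreement on the second + line: `The minimal permissions that follow allows` should be `allow`. Since this page already has `include::../../attributes.txt[]`, the URL prefix `https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/` that this PR rewrites in every file could be defined once as an attribute there, so the next docs path change is a one-line edit instead of a multi-file search and replace.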
4 changes: 2 additions & 2 deletions latest/ug/workloads/alb-ingress.adoc
@@ -65,7 +65,7 @@ If you're using multiple security groups attached to worker node, exactly one se
If the subnet role tags aren't explicitly added, the Kubernetes service controller examines the route table of your cluster VPC subnets. This is to determine if the subnet is private or public. We recommend that you don't rely on this behavior. Rather, explicitly add the private or public role tags. The {aws} Load Balancer Controller doesn't examine route tables. It also requires the private and public tags to be present for successful auto discovery.


* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a Kubernetes ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different Pods within the cluster. To ensure that your ingress objects use the {aws} Load Balancer Controller, add the following annotation to your Kubernetes ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/spec/[Ingress specification] on GitHub.
* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a Kubernetes ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different Pods within the cluster. To ensure that your ingress objects use the {aws} Load Balancer Controller, add the following annotation to your Kubernetes ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/spec/[Ingress specification] on GitHub.
+
[source,yaml,subs="verbatim,attributes"]
----
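Review bot: the + line still tells readers the controller acts on ingresses carrying the `kubernetes.io/ingress.class: alb` annotation while now linking to the unpinned `latest` Ingress specification; Kubernetes deprecated that annotation in favor of `spec.ingressClassName`, so please check that the latest spec page still documents the annotation form shown here, and if it leads with IngressClass, this sentence and the YAML that follows should match it.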
@@ -87,7 +87,7 @@ alb.ingress.kubernetes.io/ip-address-type: dualstack
NOTE: Your Kubernetes service must specify the `NodePort` or `LoadBalancer` type to use this traffic mode.
** *IP*
– Registers Pods as targets for the ALB. Traffic reaching the ALB is directly routed to Pods for your service. You must specify the `alb.ingress.kubernetes.io/target-type: ip` annotation to use this traffic mode. The IP target type is required when target Pods are running on Fargate or Amazon EKS Hybrid Nodes.
* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Ingress annotations] on GitHub.
* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/[Ingress annotations] on GitHub.
* Upgrading or downgrading the ALB controller version can introduce breaking changes for features that rely on it. For more information about the breaking changes that are introduced in each release, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases[ALB controller release notes] on GitHub.


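Review bot: `add the following annotation to the controller` on the + line is misleading; `alb.ingress.kubernetes.io/tags` is an ingress annotation, as the earlier item's `add the following annotation to your Kubernetes ingress specification` already says. Suggest `add the following annotation to your ingress resource`. Minor: the link text is `Ingress annotations` here but `annotations` for the equivalent service page elsewhere in this PR.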
10 changes: 5 additions & 5 deletions latest/ug/workloads/network-load-balancing.adoc
@@ -25,7 +25,7 @@ When you create a Kubernetes `Service` of type `LoadBalancer`, the {aws} cloud p

We recommend that you use version `2.7.2` or later of the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> instead of the {aws} cloud provider load balancer controller. The {aws} Load Balancer Controller creates {aws} Network Load Balancers, but doesn't create {aws} Classic Load Balancers. The remainder of this topic is about using the {aws} Load Balancer Controller.

An {aws} Network Load Balancer can load balance network traffic to Pods deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on GitHub.
An {aws} Network Load Balancer can load balance network traffic to Pods deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on GitHub.


== Prerequisites
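Review bot: the page keeps `version 2.7.2 or later` as its recommendation (context line above) while the + line now sends readers to the unpinned `latest` docs; that is acceptable, but the `#targettype` anchor should be verified on the latest page, and the link text `{aws} Load Balancer Controller` undersells a link that lands on the TargetGroupBinding target-type section; `TargetGroupBinding target type` would tell the reader what they will find.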
@@ -62,15 +62,15 @@ If the subnet role tags aren't explicitly added, the Kubernetes service controll

== Considerations

* The configuration of your load balancer is controlled by annotations that are added to the manifest for your service. Service annotations are different when using the {aws} Load Balancer Controller than they are when using the {aws} cloud provider load balancer controller. Make sure to review the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[annotations] for the {aws} Load Balancer Controller before deploying services.
* The configuration of your load balancer is controlled by annotations that are added to the manifest for your service. Service annotations are different when using the {aws} Load Balancer Controller than they are when using the {aws} cloud provider load balancer controller. Make sure to review the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/[annotations] for the {aws} Load Balancer Controller before deploying services.
* When using the <<managing-vpc-cni,Amazon VPC CNI plugin for Kubernetes>>, the {aws} Load Balancer Controller can load balance to Amazon EC2 IP or instance targets and Fargate IP targets. When using <<alternate-cni-plugins,Alternate compatible CNI plugins>>, the controller can only load balance to instance targets, unless you are load balancing to Amazon EKS Hybrid Nodes. For hybrid nodes, the controller can load balance IP targets. For more information about Network Load Balancer target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers
* If you want to add tags to the load balancer when or after it's created, add the following annotation in your service specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#aws-resource-tags[{aws} Resource Tags] in the {aws} Load Balancer Controller documentation.
* If you want to add tags to the load balancer when or after it's created, add the following annotation in your service specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#aws-resource-tags[{aws} Resource Tags] in the {aws} Load Balancer Controller documentation.
+
[source,bash,subs="verbatim,attributes"]
----
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags
----
* You can assign link:AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html[Elastic IP addresses,type="documentation"] to the Network Load Balancer by adding the following annotation. Replace the [.replaceable]`example values` with the `Allocation IDs` of your Elastic IP addresses. The number of `Allocation IDs` must match the number of subnets that are used for the load balancer. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#eip-allocations[{aws} Load Balancer Controller] documentation.
* You can assign link:AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html[Elastic IP addresses,type="documentation"] to the Network Load Balancer by adding the following annotation. Replace the [.replaceable]`example values` with the `Allocation IDs` of your Elastic IP addresses. The number of `Allocation IDs` must match the number of subnets that are used for the load balancer. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#eip-allocations[{aws} Load Balancer Controller] documentation.
+
[source,bash,subs="verbatim,attributes"]
----
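Review bot: two small points on the changed lines and their context: the `[source,bash]` blocks that follow the two tag and EIP + lines hold Kubernetes annotation keys (YAML), not shell, so `[source,yaml]` would render and copy more faithfully; and the context item ending `in the User Guide for Network Load Balancers` is missing its closing period. On the EIP item, `The number of Allocation IDs must match the number of subnets` is the operative constraint and is the sentence a reader will miss if the annotation fails; it deserves its own sentence ahead of the link rather than being folded in before it.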
@@ -79,7 +79,7 @@ service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxxx
* Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create. Deployment of a service of type `LoadBalancer` can fail if Amazon EKS attempts to create rules that exceed the quota for the maximum number of rules allowed for a security group. For more information, see link:vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups[Security groups,type="documentation"] in Amazon VPC quotas in the Amazon VPC User Guide. Consider the following options to minimize the chances of exceeding the maximum number of rules for a security group:
+
** Request an increase in your rules per security group quota. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the Service Quotas User Guide.
** Use IP targets, rather than instance targets. With IP targets, you can share rules for the same target ports. You can manually specify load balancer subnets with an annotation. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Annotations] on GitHub.
** Use IP targets, rather than instance targets. With IP targets, you can share rules for the same target ports. You can manually specify load balancer subnets with an annotation. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/[Annotations] on GitHub.
** Use an ingress, instead of a service of type `LoadBalancer`, to send traffic to your service. The {aws} Application Load Balancer requires fewer rules than Network Load Balancers. You can share an ALB across multiple ingresses. For more information, see <<alb-ingress>>. You can't share a Network Load Balancer across multiple services.
** Deploy your clusters to multiple accounts.
* If your Pods run on Windows in an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end Pods. Each Pod has its own unique IP address.
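Review bot: in the sub-list of mitigations for the security group rule quota, `Deploy your clusters to multiple accounts` is the only option given without a reason; since the quota being discussed is rules per security group, one sentence on why spreading clusters across accounts reduces rule pressure would make it actionable. Also, the + line's link text `Annotations` is capitalized while the earlier + line in this file uses `annotations` for the same page.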