kubernetes-sigs · swarner1033 · Sep 16, 2025 · Sep 16, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -83,7 +83,8 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 | [alb.ingress.kubernetes.io/frontend-nlb-healthcheck-unhealthy-threshold-count](#frontend-nlb-healthcheck-unhealthy-threshold-count) | integer                     |3| Ingress | N/A           |
 | [alb.ingress.kubernetes.io/frontend-nlb-healthcheck-success-codes](#frontend-nlb-healthcheck-success-codes) | string                                     |200| Ingress | N/A           |
 | [alb.ingress.kubernetes.io/frontend-nlb-tags](#frontend-nlb-tags) | stringMap | N/A | Ingress | Exclusive |
-| [alb.ingress.kubernetes.io/frontend-nlb-eip-allocation](#frontend-nlb-eip-allocation) | stringList                                     |200| Ingress | N/A           |
+| [alb.ingress.kubernetes.io/frontend-nlb-eip-allocation](#frontend-nlb-eip-allocation) | stringList                                     |N/A| Ingress | N/A           |
+| [alb.ingress.kubernetes.io/frontend-nlb-attributes](#frontend-nlb-attributes) | stringList                                     |N/A| Ingress | N/A           |
 
 ## IngressGroup
 IngressGroup feature enables you to group multiple Ingress resources together.
@@ -1221,3 +1222,30 @@ When this option is set to true, the controller will automatically provision a N
         ```
         alb.ingress.kubernetes.io/frontend-nlb-eip-allocation: eipalloc-xyz, eipalloc-zzz
         ```
+
+- <a name="frontend-nlb-attributes">`alb.ingress.kubernetes.io/frontend-nlb-attributes`</a> specifies [Load Balancer Attributes](http://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_LoadBalancerAttribute.html) that should be applied to the ALB.
+
+    !!!warning ""
+        Only attributes defined in the annotation will be updated. To unset any AWS defaults(e.g. Disabling access logs after having them enabled once), the values need to be explicitly set to the original values(`access_logs.s3.enabled=false`) and omitting them is not sufficient.
+
+    !!!note ""
+        - If `deletion_protection.enabled=true` is in annotation, the controller will not be able to delete the ALB during reconciliation. Once the attribute gets edited to `deletion_protection.enabled=false` during reconciliation, the deployer will force delete the resource.
+        - Please note, if the deletion protection is not enabled via annotation (e.g. via AWS console), the controller still deletes the underlying resource.
+
+    !!!example
+        - enable access log to s3
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-access-log-bucket,access_logs.s3.prefix=my-app
+        ```
+        - enable NLB deletion protection
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-attributes: deletion_protection.enabled=true
+        ```
+        - enable cross zone load balancing
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
+        ```
+        - enable client availability zone affinity
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-attributes: dns_record.client_routing_policy=availability_zone_affinity
+        ```
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -65,7 +65,7 @@ const (
 	IngressSuffixFrontendNlbSubnets                            = "frontend-nlb-subnets"
 	IngressSuffixFrontendNlbSecurityGroups                     = "frontend-nlb-security-groups"
 	IngressSuffixFrontendNlbListenerPortMapping                = "frontend-nlb-listener-port-mapping"
-	IngressSuffixFrontendNlbEipAlloactions                     = "frontend-nlb-eip-allocations"
+	IngressSuffixFrontendNlbEipAllocations                     = "frontend-nlb-eip-allocations"
 	IngressSuffixFrontendNlbHealthCheckPort                    = "frontend-nlb-healthcheck-port"
 	IngressSuffixFrontendNlbHealthCheckProtocol                = "frontend-nlb-healthcheck-protocol"
 	IngressSuffixFrontendNlbHealthCheckPath                    = "frontend-nlb-healthcheck-path"
@@ -74,6 +74,7 @@ const (
 	IngressSuffixFrontendNlbHealthCheckHealthyThresholdCount   = "frontend-nlb-healthcheck-healthy-threshold-count"
 	IngressSuffixFrontendNlHealthCheckbUnhealthyThresholdCount = "frontend-nlb-healthcheck-unhealthy-threshold-count"
 	IngressSuffixFrontendNlbHealthCheckSuccessCodes            = "frontend-nlb-healthcheck-success-codes"
+	IngressSuffixFrontendNlbAttributes                         = "frontend-nlb-attributes"
 	IngressSuffixFrontendNlbTags                               = "frontend-nlb-tags"
 
 	// NLB annotation suffixes

diff --git a/pkg/ingress/model_build_frontend_nlb.go b/pkg/ingress/model_build_frontend_nlb.go
@@ -8,6 +8,7 @@ import (
 	"strconv"
 
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
 
 	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
@@ -161,7 +162,7 @@ func (t *defaultModelBuildTask) buildFrontendNlbSubnetMappings(ctx context.Conte
 			explicitSubnetNameOrIDsList = append(explicitSubnetNameOrIDsList, rawSubnetNameOrIDs)
 		}
 		var rawEIP []string
-		if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixFrontendNlbEipAlloactions, &rawEIP, member.Ing.Annotations); exists {
+		if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixFrontendNlbEipAllocations, &rawEIP, member.Ing.Annotations); exists {
 			eipAllocationsList = append(eipAllocationsList, rawEIP)
 		}
 	}
@@ -211,6 +212,45 @@ func (t *defaultModelBuildTask) buildFrontendNlb(ctx context.Context, scheme elb
 	return nil
 }
 
+func (t *defaultModelBuildTask) buildFrontendNlbAttributes() ([]elbv2model.LoadBalancerAttribute, error) {
+	loadBalancerAttributes, err := t.getFrontendNlbAttributes()
+	if err != nil {
+		return []elbv2model.LoadBalancerAttribute{}, err
+	}
+	return shared_utils.MakeAttributesSliceFromMap(loadBalancerAttributes), nil
+}
+
+func (t *defaultModelBuildTask) getFrontendNlbAttributes() (map[string]string, error) {
+	var chosenAttributes map[string]string
+	for _, member := range t.ingGroup.Members {
+		var attributes map[string]string
+		if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.IngressSuffixFrontendNlbAttributes, &attributes, member.Ing.Annotations); err != nil {
+			return nil, err
+		}
+		if chosenAttributes == nil {
+			chosenAttributes = attributes
+		} else {
+			if !cmp.Equal(chosenAttributes, attributes) {
+				return nil, errors.Errorf("conflicting frontend NLB attributes: %v | %v", chosenAttributes, attributes)
+			}
+		}
+	}
+
+	dnsRecordClientRoutingPolicy, exists := chosenAttributes[shared_constants.LBAttributeLoadBalancingDnsClientRoutingPolicy]
+	if exists {
+		switch dnsRecordClientRoutingPolicy {
+		case shared_constants.LBAttributeAvailabilityZoneAffinity:
+		case shared_constants.LBAttributePartialAvailabilityZoneAffinity:
+		case shared_constants.LBAttributeAnyAvailabilityZone:
+		default:
+			return nil, errors.Errorf("invalid dns_record.client_routing_policy set in annotation %s: got '%s' expected one of ['%s', '%s', '%s']",
+				annotations.SvcLBSuffixLoadBalancerAttributes, dnsRecordClientRoutingPolicy,
+				shared_constants.LBAttributeAnyAvailabilityZone, shared_constants.LBAttributePartialAvailabilityZoneAffinity, shared_constants.LBAttributeAvailabilityZoneAffinity)
+		}
+	}
+	return chosenAttributes, nil
+}
+
 func (t *defaultModelBuildTask) buildFrontendNlbSpec(ctx context.Context, scheme elbv2model.LoadBalancerScheme,
 	alb *elbv2model.LoadBalancer) (elbv2model.LoadBalancerSpec, error) {
 	securityGroups, err := t.buildFrontendNlbSecurityGroups(ctx)
@@ -238,14 +278,20 @@ func (t *defaultModelBuildTask) buildFrontendNlbSpec(ctx context.Context, scheme
 		return elbv2model.LoadBalancerSpec{}, err
 	}
 
+	lbAttributes, err := t.buildFrontendNlbAttributes()
+	if err != nil {
+		return elbv2model.LoadBalancerSpec{}, err
+	}
+
 	spec := elbv2model.LoadBalancerSpec{
-		Name:           name,
-		Type:           elbv2model.LoadBalancerTypeNetwork,
-		Scheme:         scheme,
-		IPAddressType:  alb.Spec.IPAddressType,
-		SecurityGroups: securityGroups,
-		SubnetMappings: subnetMappings,
-		Tags:           tags,
+		Name:                   name,
+		Type:                   elbv2model.LoadBalancerTypeNetwork,
+		Scheme:                 scheme,
+		IPAddressType:          alb.Spec.IPAddressType,
+		LoadBalancerAttributes: lbAttributes,
+		SecurityGroups:         securityGroups,
+		SubnetMappings:         subnetMappings,
+		Tags:                   tags,
 	}
 
 	return spec, nil
@@ -802,7 +848,7 @@ func buildFrontendNlbResourceID(resourceType string, protocol elbv2model.Protoco
 	if port != nil && protocol != "" {
 		return fmt.Sprintf("FrontendNlb-%s-%v-%v", resourceType, protocol, *port)
 	}
-	return fmt.Sprintf("FrontendNlb")
+	return "FrontendNlb"
 }
 
 func mergeHealthCheckField[T comparable](fieldName string, finalValue **T, currentValue *T, explicit map[string]bool, explicitFields map[string]bool, configIndex int) error {