aws-cdk-lib 2.133.0__py3-none-any.whl → 2.135.0__py3-none-any.whl

aws_cdk/aws_elasticloadbalancingv2/__init__.py

@@ -198,7 +198,7 @@ If you do not provide any options for this method, it redirects HTTP port 80 to
 By default all ingress traffic will be allowed on the source port. If you want to be more selective with your
 ingress rules then set `open: false` and use the listener's `connections` object to selectively grant access to the listener.
 
-### Load Balancer attributes
+### Application Load Balancer attributes
 
 You can modify attributes of Application Load Balancers:
 
@@ -225,12 +225,38 @@ lb = elbv2.ApplicationLoadBalancer(self, "LB",
     desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
 
     # The type of IP addresses to use.
-    ip_address_type=elbv2.IpAddressType.IPV4
+    ip_address_type=elbv2.IpAddressType.IPV4,
+
+    # The duration of client keep-alive connections
+    client_keep_alive=Duration.seconds(500),
+
+    # Whether cross-zone load balancing is enabled.
+    cross_zone_enabled=True,
+
+    # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+    deny_all_igw_traffic=False
 )
 ```
 
 For more information, see [Load balancer attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes)
 
+### Setting up Access Log Bucket on Application Load Balancer
+
+The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information
+Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
+
+```python
+# vpc: ec2.Vpc
+
+
+bucket = s3.Bucket(self, "ALBAccessLogsBucket",
+    encryption=s3.BucketEncryption.S3_MANAGED
+)
+
+lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc)
+lb.log_access_logs(bucket)
+```
+
 ## Defining a Network Load Balancer
 
 Network Load Balancers are defined in a similar way to Application Load
@@ -264,6 +290,22 @@ listener.add_targets("AppFleet",
 )
 ```
 
+### Enforce security group inbound rules on PrivateLink traffic for a Network Load Balancer
+
+You can indicate whether to evaluate inbound security group rules for traffic
+sent to a Network Load Balancer through AWS PrivateLink.
+The evaluation is enabled by default.
+
+```python
+# vpc: ec2.Vpc
+
+
+nlb = elbv2.NetworkLoadBalancer(self, "LB",
+    vpc=vpc,
+    enforce_security_group_inbound_rules_on_private_link_traffic=True
+)
+```
+
 One thing to keep in mind is that network load balancers do not have security
 groups, and no automatic security group configuration is done for you. You will
 have to configure the security groups of the target yourself to allow traffic by
@@ -290,6 +332,30 @@ lb = elbv2.NetworkLoadBalancer(self, "LB",
 
 You cannot add UDP or TCP_UDP listeners to a dualstack Network Load Balancer.
 
+### Network Load Balancer attributes
+
+You can modify attributes of Network Load Balancers:
+
+```python
+# vpc: ec2.Vpc
+
+
+lb = elbv2.NetworkLoadBalancer(self, "LB",
+    vpc=vpc,
+    # Whether deletion protection is enabled.
+    deletion_protection=True,
+
+    # Whether cross-zone load balancing is enabled.
+    cross_zone_enabled=True,
+
+    # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+    deny_all_igw_traffic=False,
+
+    # Indicates how traffic is distributed among the load balancer Availability Zones.
+    client_routing_policy=elbv2.ClientRoutingPolicy.AVAILABILITY_ZONE_AFFINITY
+)
+```
+
 ## Targets and Target Groups
 
 Application and Network Load Balancers organize load balancing targets in Target
@@ -345,6 +411,27 @@ tg2 = elbv2.ApplicationTargetGroup(self, "TG2",
 )
 ```
 
+### Slow start mode for your Application Load Balancer
+
+By default, a target starts to receive its full share of requests as soon as it is registered with a target group and passes an initial health check. Using slow start mode gives targets time to warm up before the load balancer sends them a full share of requests.
+
+After you enable slow start for a target group, its targets enter slow start mode when they are considered healthy by the target group. A target in slow start mode exits slow start mode when the configured slow start duration period elapses or the target becomes unhealthy. The load balancer linearly increases the number of requests that it can send to a target in slow start mode. After a healthy target exits slow start mode, the load balancer can send it a full share of requests.
+
+The allowed range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled).
+
+```python
+# vpc: ec2.Vpc
+
+
+# Target group with slow start mode enabled
+tg = elbv2.ApplicationTargetGroup(self, "TG",
+    target_type=elbv2.TargetType.INSTANCE,
+    slow_start=Duration.seconds(60),
+    port=80,
+    vpc=vpc
+)
+```
+
 For more information see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness
 
 ### Setting the target group protocol version
@@ -684,6 +771,9 @@ target_group = elbv2.ApplicationTargetGroup.from_target_group_attributes(self, "
 target_group_metrics = target_group.metrics
 ```
 '''
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
+
 import abc
 import builtins
 import datetime
@@ -2619,7 +2709,9 @@ class BaseLoadBalancerLookupOptions:
     jsii_struct_bases=[],
     name_mapping={
         "vpc": "vpc",
+        "cross_zone_enabled": "crossZoneEnabled",
         "deletion_protection": "deletionProtection",
+        "deny_all_igw_traffic": "denyAllIgwTraffic",
         "internet_facing": "internetFacing",
         "load_balancer_name": "loadBalancerName",
         "vpc_subnets": "vpcSubnets",
@@ -2630,7 +2722,9 @@ class BaseLoadBalancerProps:
         self,
         *,
         vpc: _IVpc_f30d5663,
+        cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
+        deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
         internet_facing: typing.Optional[builtins.bool] = None,
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2638,7 +2732,9 @@ class BaseLoadBalancerProps:
         '''Shared properties of both Application and Network Load Balancers.
 
         :param vpc: The VPC network to place the load balancer in.
+        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
+        :param deny_all_igw_traffic: Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers
         :param internet_facing: Whether the load balancer has an internet-routable address. Default: false
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
@@ -2660,7 +2756,9 @@ class BaseLoadBalancerProps:
                 vpc=vpc,
             
                 # the properties below are optional
+                cross_zone_enabled=False,
                 deletion_protection=False,
+                deny_all_igw_traffic=False,
                 internet_facing=False,
                 load_balancer_name="loadBalancerName",
                 vpc_subnets=ec2.SubnetSelection(
@@ -2678,15 +2776,21 @@ class BaseLoadBalancerProps:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__36614588a5e075aa6e7ea0a4d41053b09874f2590b227cd5d62f3429901282f2)
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
+            check_type(argname="argument cross_zone_enabled", value=cross_zone_enabled, expected_type=type_hints["cross_zone_enabled"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
+            check_type(argname="argument deny_all_igw_traffic", value=deny_all_igw_traffic, expected_type=type_hints["deny_all_igw_traffic"])
             check_type(argname="argument internet_facing", value=internet_facing, expected_type=type_hints["internet_facing"])
             check_type(argname="argument load_balancer_name", value=load_balancer_name, expected_type=type_hints["load_balancer_name"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc": vpc,
         }
+        if cross_zone_enabled is not None:
+            self._values["cross_zone_enabled"] = cross_zone_enabled
         if deletion_protection is not None:
             self._values["deletion_protection"] = deletion_protection
+        if deny_all_igw_traffic is not None:
+            self._values["deny_all_igw_traffic"] = deny_all_igw_traffic
         if internet_facing is not None:
             self._values["internet_facing"] = internet_facing
         if load_balancer_name is not None:
@@ -2701,6 +2805,15 @@ class BaseLoadBalancerProps:
         assert result is not None, "Required property 'vpc' is missing"
         return typing.cast(_IVpc_f30d5663, result)
 
+    @builtins.property
+    def cross_zone_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether cross-zone load balancing is enabled.
+
+        :default: - false for Network Load Balancers and true for Application Load Balancers.
+        '''
+        result = self._values.get("cross_zone_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def deletion_protection(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether deletion protection is enabled.
@@ -2710,6 +2823,15 @@ class BaseLoadBalancerProps:
         result = self._values.get("deletion_protection")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def deny_all_igw_traffic(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW).
+
+        :default: - false for internet-facing load balancers and true for internal load balancers
+        '''
+        result = self._values.get("deny_all_igw_traffic")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def internet_facing(self) -> typing.Optional[builtins.bool]:
         '''Whether the load balancer has an internet-routable address.
@@ -7972,7 +8094,7 @@ class CfnLoadBalancer(
         ) -> None:
             '''Specifies an attribute for an Application Load Balancer, a Network Load Balancer, or a Gateway Load Balancer.
 
-            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deletion_protection.enabled`` - Indicates whether deletion protection is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``load_balancing.cross_zone.enabled`` - Indicates whether cross-zone load balancing is enabled. The possible values are ``true`` and ``false`` . The default for Network Load Balancers and Gateway Load Balancers is ``false`` . The default for Application Load Balancers is ``true`` , and cannot be changed. The following attributes are supported by both Application Load Balancers and Network Load Balancers: - ``access_logs.s3.enabled`` - Indicates whether access logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``access_logs.s3.bucket`` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``access_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the access logs. - ``ipv6.deny_all_igw_traffic`` - Blocks internet gateway (IGW) access to the load balancer. It is set to ``false`` for internet-facing load balancers and ``true`` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway. The following attributes are supported by only Application Load Balancers: - ``idle_timeout.timeout_seconds`` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds. - ``connection_logs.s3.enabled`` - Indicates whether connection logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``connection_logs.s3.bucket`` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``connection_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the connection logs. - ``routing.http.desync_mitigation_mode`` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are ``monitor`` , ``defensive`` , and ``strictest`` . The default is ``defensive`` . - ``routing.http.drop_invalid_header_fields.enabled`` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( ``true`` ) or routed to targets ( ``false`` ). The default is ``false`` . - ``routing.http.preserve_host_header.enabled`` - Indicates whether the Application Load Balancer should preserve the ``Host`` header in the HTTP request and send it to the target without any change. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.x_amzn_tls_version_and_cipher_suite.enabled`` - Indicates whether the two headers ( ``x-amzn-tls-version`` and ``x-amzn-tls-cipher-suite`` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The ``x-amzn-tls-version`` header has information about the TLS protocol version negotiated with the client, and the ``x-amzn-tls-cipher-suite`` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_client_port.enabled`` - Indicates whether the ``X-Forwarded-For`` header should preserve the source port that the client used to connect to the load balancer. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_header_processing.mode`` - Enables you to modify, preserve, or remove the ``X-Forwarded-For`` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are ``append`` , ``preserve`` , and ``remove`` . The default is ``append`` . - If the value is ``append`` , the Application Load Balancer adds the client IP address (of the last hop) to the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - If the value is ``preserve`` the Application Load Balancer preserves the ``X-Forwarded-For`` header in the HTTP request, and sends it to targets without any change. - If the value is ``remove`` , the Application Load Balancer removes the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - ``routing.http2.enabled`` - Indicates whether HTTP/2 is enabled. The possible values are ``true`` and ``false`` . The default is ``true`` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. - ``waf.fail_open.enabled`` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are ``true`` and ``false`` . The default is ``false`` . The following attributes are supported by only Network Load Balancers: - ``dns_record.client_routing_policy`` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are ``availability_zone_affinity`` with 100 percent zonal affinity, ``partial_availability_zone_affinity`` with 85 percent zonal affinity, and ``any_availability_zone`` with 0 percent zonal affinity.
+            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deletion_protection.enabled`` - Indicates whether deletion protection is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``load_balancing.cross_zone.enabled`` - Indicates whether cross-zone load balancing is enabled. The possible values are ``true`` and ``false`` . The default for Network Load Balancers and Gateway Load Balancers is ``false`` . The default for Application Load Balancers is ``true`` , and cannot be changed. The following attributes are supported by both Application Load Balancers and Network Load Balancers: - ``access_logs.s3.enabled`` - Indicates whether access logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``access_logs.s3.bucket`` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``access_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the access logs. - ``ipv6.deny_all_igw_traffic`` - Blocks internet gateway (IGW) access to the load balancer. It is set to ``false`` for internet-facing load balancers and ``true`` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway. The following attributes are supported by only Application Load Balancers: - ``idle_timeout.timeout_seconds`` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds. - ``client_keep_alive.seconds`` - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds. - ``connection_logs.s3.enabled`` - Indicates whether connection logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``connection_logs.s3.bucket`` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``connection_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the connection logs. - ``routing.http.desync_mitigation_mode`` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are ``monitor`` , ``defensive`` , and ``strictest`` . The default is ``defensive`` . - ``routing.http.drop_invalid_header_fields.enabled`` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( ``true`` ) or routed to targets ( ``false`` ). The default is ``false`` . - ``routing.http.preserve_host_header.enabled`` - Indicates whether the Application Load Balancer should preserve the ``Host`` header in the HTTP request and send it to the target without any change. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.x_amzn_tls_version_and_cipher_suite.enabled`` - Indicates whether the two headers ( ``x-amzn-tls-version`` and ``x-amzn-tls-cipher-suite`` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The ``x-amzn-tls-version`` header has information about the TLS protocol version negotiated with the client, and the ``x-amzn-tls-cipher-suite`` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_client_port.enabled`` - Indicates whether the ``X-Forwarded-For`` header should preserve the source port that the client used to connect to the load balancer. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_header_processing.mode`` - Enables you to modify, preserve, or remove the ``X-Forwarded-For`` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are ``append`` , ``preserve`` , and ``remove`` . The default is ``append`` . - If the value is ``append`` , the Application Load Balancer adds the client IP address (of the last hop) to the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - If the value is ``preserve`` the Application Load Balancer preserves the ``X-Forwarded-For`` header in the HTTP request, and sends it to targets without any change. - If the value is ``remove`` , the Application Load Balancer removes the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - ``routing.http2.enabled`` - Indicates whether HTTP/2 is enabled. The possible values are ``true`` and ``false`` . The default is ``true`` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. - ``waf.fail_open.enabled`` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are ``true`` and ``false`` . The default is ``false`` . The following attributes are supported by only Network Load Balancers: - ``dns_record.client_routing_policy`` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are ``availability_zone_affinity`` with 100 percent zonal affinity, ``partial_availability_zone_affinity`` with 85 percent zonal affinity, and ``any_availability_zone`` with 0 percent zonal affinity.
             :param value: The value of the attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattribute.html
@@ -8018,6 +8140,7 @@ class CfnLoadBalancer(
             The following attributes are supported by only Application Load Balancers:
 
             - ``idle_timeout.timeout_seconds`` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.
+            - ``client_keep_alive.seconds`` - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds.
             - ``connection_logs.s3.enabled`` - Indicates whether connection logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` .
             - ``connection_logs.s3.bucket`` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
             - ``connection_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the connection logs.
@@ -10398,6 +10521,42 @@ class CfnTrustStoreRevocationProps:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.ClientRoutingPolicy")
+class ClientRoutingPolicy(enum.Enum):
+    '''Indicates how traffic is distributed among the load balancer Availability Zones.
+
+    :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#zonal-dns-affinity
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        
+        
+        lb = elbv2.NetworkLoadBalancer(self, "LB",
+            vpc=vpc,
+            # Whether deletion protection is enabled.
+            deletion_protection=True,
+        
+            # Whether cross-zone load balancing is enabled.
+            cross_zone_enabled=True,
+        
+            # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+            deny_all_igw_traffic=False,
+        
+            # Indicates how traffic is distributed among the load balancer Availability Zones.
+            client_routing_policy=elbv2.ClientRoutingPolicy.AVAILABILITY_ZONE_AFFINITY
+        )
+    '''
+
+    AVAILABILITY_ZONE_AFFINITY = "AVAILABILITY_ZONE_AFFINITY"
+    '''100 percent zonal affinity.'''
+    PARTIAL_AVAILABILITY_ZONE_AFFINITY = "PARTIAL_AVAILABILITY_ZONE_AFFINITY"
+    '''85 percent zonal affinity.'''
+    ANY_AVAILABILITY_ZONE = "ANY_AVAILABILITY_ZONE"
+    '''No zonal affinity.'''
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.DesyncMitigationMode")
 class DesyncMitigationMode(enum.Enum):
     '''How the load balancer handles requests that might pose a security risk to your application.
@@ -10429,7 +10588,16 @@ class DesyncMitigationMode(enum.Enum):
             desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
         
             # The type of IP addresses to use.
-            ip_address_type=elbv2.IpAddressType.IPV4
+            ip_address_type=elbv2.IpAddressType.IPV4,
+        
+            # The duration of client keep-alive connections
+            client_keep_alive=Duration.seconds(500),
+        
+            # Whether cross-zone load balancing is enabled.
+            cross_zone_enabled=True,
+        
+            # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+            deny_all_igw_traffic=False
         )
     '''
 
@@ -13460,6 +13628,17 @@ class INetworkLoadBalancer(
         '''All metrics available for this load balancer.'''
         ...
 
+    @builtins.property
+    @jsii.member(jsii_name="enforceSecurityGroupInboundRulesOnPrivateLinkTraffic")
+    def enforce_security_group_inbound_rules_on_private_link_traffic(
+        self,
+    ) -> typing.Optional[builtins.str]:
+        '''Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.
+
+        :default: on
+        '''
+        ...
+
     @builtins.property
     @jsii.member(jsii_name="ipAddressType")
     def ip_address_type(self) -> typing.Optional["IpAddressType"]:
@@ -13525,6 +13704,17 @@ class _INetworkLoadBalancerProxy(
         '''All metrics available for this load balancer.'''
         return typing.cast("INetworkLoadBalancerMetrics", jsii.get(self, "metrics"))
 
+    @builtins.property
+    @jsii.member(jsii_name="enforceSecurityGroupInboundRulesOnPrivateLinkTraffic")
+    def enforce_security_group_inbound_rules_on_private_link_traffic(
+        self,
+    ) -> typing.Optional[builtins.str]:
+        '''Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.
+
+        :default: on
+        '''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic"))
+
     @builtins.property
     @jsii.member(jsii_name="ipAddressType")
     def ip_address_type(self) -> typing.Optional["IpAddressType"]:
@@ -14531,7 +14721,16 @@ class IpAddressType(enum.Enum):
             desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
         
             # The type of IP addresses to use.
-            ip_address_type=elbv2.IpAddressType.IPV4
+            ip_address_type=elbv2.IpAddressType.IPV4,
+        
+            # The duration of client keep-alive connections
+            client_keep_alive=Duration.seconds(500),
+        
+            # Whether cross-zone load balancing is enabled.
+            cross_zone_enabled=True,
+        
+            # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+            deny_all_igw_traffic=False
         )
     '''
 
@@ -15653,24 +15852,18 @@ class NetworkLoadBalancer(
 
     Example::
 
-        import aws_cdk.aws_elasticloadbalancingv2 as elbv2
+        from aws_cdk.aws_apigatewayv2_integrations import HttpNlbIntegration
         
         
         vpc = ec2.Vpc(self, "VPC")
-        nlb = elbv2.NetworkLoadBalancer(self, "NLB",
-            vpc=vpc
-        )
-        link = apigateway.VpcLink(self, "link",
-            targets=[nlb]
+        lb = elbv2.NetworkLoadBalancer(self, "lb", vpc=vpc)
+        listener = lb.add_listener("listener", port=80)
+        listener.add_targets("target",
+            port=80
         )
         
-        integration = apigateway.Integration(
-            type=apigateway.IntegrationType.HTTP_PROXY,
-            integration_http_method="ANY",
-            options=apigateway.IntegrationOptions(
-                connection_type=apigateway.ConnectionType.VPC_LINK,
-                vpc_link=link
-            )
+        http_endpoint = apigwv2.HttpApi(self, "HttpProxyPrivateApi",
+            default_integration=HttpNlbIntegration("DefaultIntegration", listener)
         )
     '''
 
@@ -15679,11 +15872,14 @@ class NetworkLoadBalancer(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        cross_zone_enabled: typing.Optional[builtins.bool] = None,
+        client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+        enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
         vpc: _IVpc_f30d5663,
+        cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
+        deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
         internet_facing: typing.Optional[builtins.bool] = None,
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -15691,11 +15887,14 @@ class NetworkLoadBalancer(
         '''
         :param scope: -
         :param id: -
-        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: false
+        :param client_routing_policy: The AZ affinity routing policy. Default: - AZ affinity is disabled.
+        :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Default: true
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
         :param security_groups: Security groups to associate with this load balancer. Default: - No security groups associated with the load balancer.
         :param vpc: The VPC network to place the load balancer in.
+        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
+        :param deny_all_igw_traffic: Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers
         :param internet_facing: Whether the load balancer has an internet-routable address. Default: false
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
@@ -15705,11 +15904,14 @@ class NetworkLoadBalancer(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = NetworkLoadBalancerProps(
-            cross_zone_enabled=cross_zone_enabled,
+            client_routing_policy=client_routing_policy,
+            enforce_security_group_inbound_rules_on_private_link_traffic=enforce_security_group_inbound_rules_on_private_link_traffic,
             ip_address_type=ip_address_type,
             security_groups=security_groups,
             vpc=vpc,
+            cross_zone_enabled=cross_zone_enabled,
             deletion_protection=deletion_protection,
+            deny_all_igw_traffic=deny_all_igw_traffic,
             internet_facing=internet_facing,
             load_balancer_name=load_balancer_name,
             vpc_subnets=vpc_subnets,
@@ -16201,6 +16403,14 @@ class NetworkLoadBalancer(
         '''All metrics available for this load balancer.'''
         return typing.cast(INetworkLoadBalancerMetrics, jsii.get(self, "metrics"))
 
+    @builtins.property
+    @jsii.member(jsii_name="enforceSecurityGroupInboundRulesOnPrivateLinkTraffic")
+    def enforce_security_group_inbound_rules_on_private_link_traffic(
+        self,
+    ) -> typing.Optional[builtins.str]:
+        '''Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic"))
+
     @builtins.property
     @jsii.member(jsii_name="ipAddressType")
     def ip_address_type(self) -> typing.Optional[IpAddressType]:
@@ -16436,11 +16646,14 @@ class NetworkLoadBalancerLookupOptions(BaseLoadBalancerLookupOptions):
     jsii_struct_bases=[BaseLoadBalancerProps],
     name_mapping={
         "vpc": "vpc",
+        "cross_zone_enabled": "crossZoneEnabled",
         "deletion_protection": "deletionProtection",
+        "deny_all_igw_traffic": "denyAllIgwTraffic",
         "internet_facing": "internetFacing",
         "load_balancer_name": "loadBalancerName",
         "vpc_subnets": "vpcSubnets",
-        "cross_zone_enabled": "crossZoneEnabled",
+        "client_routing_policy": "clientRoutingPolicy",
+        "enforce_security_group_inbound_rules_on_private_link_traffic": "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic",
         "ip_address_type": "ipAddressType",
         "security_groups": "securityGroups",
     },
@@ -16450,22 +16663,28 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         self,
         *,
         vpc: _IVpc_f30d5663,
+        cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
+        deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
         internet_facing: typing.Optional[builtins.bool] = None,
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
-        cross_zone_enabled: typing.Optional[builtins.bool] = None,
+        client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+        enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     ) -> None:
         '''Properties for a network load balancer.
 
         :param vpc: The VPC network to place the load balancer in.
+        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
+        :param deny_all_igw_traffic: Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers
         :param internet_facing: Whether the load balancer has an internet-routable address. Default: false
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
-        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: false
+        :param client_routing_policy: The AZ affinity routing policy. Default: - AZ affinity is disabled.
+        :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Default: true
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
         :param security_groups: Security groups to associate with this load balancer. Default: - No security groups associated with the load balancer.
 
@@ -16473,24 +16692,18 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
 
         Example::
 
-            import aws_cdk.aws_elasticloadbalancingv2 as elbv2
+            from aws_cdk.aws_apigatewayv2_integrations import HttpNlbIntegration
             
             
             vpc = ec2.Vpc(self, "VPC")
-            nlb = elbv2.NetworkLoadBalancer(self, "NLB",
-                vpc=vpc
-            )
-            link = apigateway.VpcLink(self, "link",
-                targets=[nlb]
+            lb = elbv2.NetworkLoadBalancer(self, "lb", vpc=vpc)
+            listener = lb.add_listener("listener", port=80)
+            listener.add_targets("target",
+                port=80
             )
             
-            integration = apigateway.Integration(
-                type=apigateway.IntegrationType.HTTP_PROXY,
-                integration_http_method="ANY",
-                options=apigateway.IntegrationOptions(
-                    connection_type=apigateway.ConnectionType.VPC_LINK,
-                    vpc_link=link
-                )
+            http_endpoint = apigwv2.HttpApi(self, "HttpProxyPrivateApi",
+                default_integration=HttpNlbIntegration("DefaultIntegration", listener)
             )
         '''
         if isinstance(vpc_subnets, dict):
@@ -16498,26 +16711,35 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__195ab659ca9cd1c401d6d2d1a1f5cb0aaf7dd80f06dbc724020ac0cc391d75da)
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
+            check_type(argname="argument cross_zone_enabled", value=cross_zone_enabled, expected_type=type_hints["cross_zone_enabled"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
+            check_type(argname="argument deny_all_igw_traffic", value=deny_all_igw_traffic, expected_type=type_hints["deny_all_igw_traffic"])
             check_type(argname="argument internet_facing", value=internet_facing, expected_type=type_hints["internet_facing"])
             check_type(argname="argument load_balancer_name", value=load_balancer_name, expected_type=type_hints["load_balancer_name"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
-            check_type(argname="argument cross_zone_enabled", value=cross_zone_enabled, expected_type=type_hints["cross_zone_enabled"])
+            check_type(argname="argument client_routing_policy", value=client_routing_policy, expected_type=type_hints["client_routing_policy"])
+            check_type(argname="argument enforce_security_group_inbound_rules_on_private_link_traffic", value=enforce_security_group_inbound_rules_on_private_link_traffic, expected_type=type_hints["enforce_security_group_inbound_rules_on_private_link_traffic"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc": vpc,
         }
+        if cross_zone_enabled is not None:
+            self._values["cross_zone_enabled"] = cross_zone_enabled
         if deletion_protection is not None:
             self._values["deletion_protection"] = deletion_protection
+        if deny_all_igw_traffic is not None:
+            self._values["deny_all_igw_traffic"] = deny_all_igw_traffic
         if internet_facing is not None:
             self._values["internet_facing"] = internet_facing
         if load_balancer_name is not None:
             self._values["load_balancer_name"] = load_balancer_name
         if vpc_subnets is not None:
             self._values["vpc_subnets"] = vpc_subnets
-        if cross_zone_enabled is not None:
-            self._values["cross_zone_enabled"] = cross_zone_enabled
+        if client_routing_policy is not None:
+            self._values["client_routing_policy"] = client_routing_policy
+        if enforce_security_group_inbound_rules_on_private_link_traffic is not None:
+            self._values["enforce_security_group_inbound_rules_on_private_link_traffic"] = enforce_security_group_inbound_rules_on_private_link_traffic
         if ip_address_type is not None:
             self._values["ip_address_type"] = ip_address_type
         if security_groups is not None:
@@ -16530,6 +16752,15 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         assert result is not None, "Required property 'vpc' is missing"
         return typing.cast(_IVpc_f30d5663, result)
 
+    @builtins.property
+    def cross_zone_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether cross-zone load balancing is enabled.
+
+        :default: - false for Network Load Balancers and true for Application Load Balancers.
+        '''
+        result = self._values.get("cross_zone_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def deletion_protection(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether deletion protection is enabled.
@@ -16539,6 +16770,15 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("deletion_protection")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def deny_all_igw_traffic(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW).
+
+        :default: - false for internet-facing load balancers and true for internal load balancers
+        '''
+        result = self._values.get("deny_all_igw_traffic")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def internet_facing(self) -> typing.Optional[builtins.bool]:
         '''Whether the load balancer has an internet-routable address.
@@ -16567,12 +16807,25 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         return typing.cast(typing.Optional[_SubnetSelection_e57d76df], result)
 
     @builtins.property
-    def cross_zone_enabled(self) -> typing.Optional[builtins.bool]:
-        '''Indicates whether cross-zone load balancing is enabled.
+    def client_routing_policy(self) -> typing.Optional[ClientRoutingPolicy]:
+        '''The AZ affinity routing policy.
 
-        :default: false
+        :default: - AZ affinity is disabled.
+
+        :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#zonal-dns-affinity
         '''
-        result = self._values.get("cross_zone_enabled")
+        result = self._values.get("client_routing_policy")
+        return typing.cast(typing.Optional[ClientRoutingPolicy], result)
+
+    @builtins.property
+    def enforce_security_group_inbound_rules_on_private_link_traffic(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.
+
+        :default: true
+        '''
+        result = self._values.get("enforce_security_group_inbound_rules_on_private_link_traffic")
         return typing.cast(typing.Optional[builtins.bool], result)
 
     @builtins.property
@@ -18863,10 +19116,13 @@ class ApplicationLoadBalancerLookupOptions(BaseLoadBalancerLookupOptions):
     jsii_struct_bases=[BaseLoadBalancerProps],
     name_mapping={
         "vpc": "vpc",
+        "cross_zone_enabled": "crossZoneEnabled",
         "deletion_protection": "deletionProtection",
+        "deny_all_igw_traffic": "denyAllIgwTraffic",
         "internet_facing": "internetFacing",
         "load_balancer_name": "loadBalancerName",
         "vpc_subnets": "vpcSubnets",
+        "client_keep_alive": "clientKeepAlive",
         "desync_mitigation_mode": "desyncMitigationMode",
         "drop_invalid_header_fields": "dropInvalidHeaderFields",
         "http2_enabled": "http2Enabled",
@@ -18880,10 +19136,13 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         self,
         *,
         vpc: _IVpc_f30d5663,
+        cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
+        deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
         internet_facing: typing.Optional[builtins.bool] = None,
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
+        client_keep_alive: typing.Optional[_Duration_4839e8c3] = None,
         desync_mitigation_mode: typing.Optional[DesyncMitigationMode] = None,
         drop_invalid_header_fields: typing.Optional[builtins.bool] = None,
         http2_enabled: typing.Optional[builtins.bool] = None,
@@ -18894,10 +19153,13 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         '''Properties for defining an Application Load Balancer.
 
         :param vpc: The VPC network to place the load balancer in.
+        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
+        :param deny_all_igw_traffic: Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers
         :param internet_facing: Whether the load balancer has an internet-routable address. Default: false
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
+        :param client_keep_alive: The client keep alive duration. The valid range is 60 to 604800 seconds (1 minute to 7 days). Default: - Duration.seconds(3600)
         :param desync_mitigation_mode: Determines how the load balancer handles requests that might pose a security risk to your application. Default: DesyncMitigationMode.DEFENSIVE
         :param drop_invalid_header_fields: Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). Default: false
         :param http2_enabled: Indicates whether HTTP/2 is enabled. Default: true
@@ -18909,21 +19171,34 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
 
         Example::
 
-            # cluster: ecs.Cluster
-            # task_definition: ecs.TaskDefinition
+            from aws_cdk.aws_autoscaling import AutoScalingGroup
+            # asg: AutoScalingGroup
             # vpc: ec2.Vpc
             
-            service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition)
             
-            lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
-            listener = lb.add_listener("Listener", port=80)
-            service.register_load_balancer_targets(
-                container_name="web",
-                container_port=80,
-                new_target_group_id="ECS",
-                listener=ecs.ListenerConfig.application_listener(listener,
-                    protocol=elbv2.ApplicationProtocol.HTTPS
-                )
+            # Create the load balancer in a VPC. 'internetFacing' is 'false'
+            # by default, which creates an internal load balancer.
+            lb = elbv2.ApplicationLoadBalancer(self, "LB",
+                vpc=vpc,
+                internet_facing=True
+            )
+            
+            # Add a listener and open up the load balancer's security group
+            # to the world.
+            listener = lb.add_listener("Listener",
+                port=80,
+            
+                # 'open: true' is the default, you can leave it out if you want. Set it
+                # to 'false' and use `listener.connections` if you want to be selective
+                # about who can access the load balancer.
+                open=True
+            )
+            
+            # Create an AutoScaling group and add it as a load balancing
+            # target to the listener.
+            listener.add_targets("ApplicationFleet",
+                port=8080,
+                targets=[asg]
             )
         '''
         if isinstance(vpc_subnets, dict):
@@ -18931,10 +19206,13 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e43cf75024913d9be0d5d621a5f2c2c7be60a57898a54967cd54179b2b3d1584)
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
+            check_type(argname="argument cross_zone_enabled", value=cross_zone_enabled, expected_type=type_hints["cross_zone_enabled"])
             check_type(argname="argument deletion_protection", value=deletion_protection, expected_type=type_hints["deletion_protection"])
+            check_type(argname="argument deny_all_igw_traffic", value=deny_all_igw_traffic, expected_type=type_hints["deny_all_igw_traffic"])
             check_type(argname="argument internet_facing", value=internet_facing, expected_type=type_hints["internet_facing"])
             check_type(argname="argument load_balancer_name", value=load_balancer_name, expected_type=type_hints["load_balancer_name"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
+            check_type(argname="argument client_keep_alive", value=client_keep_alive, expected_type=type_hints["client_keep_alive"])
             check_type(argname="argument desync_mitigation_mode", value=desync_mitigation_mode, expected_type=type_hints["desync_mitigation_mode"])
             check_type(argname="argument drop_invalid_header_fields", value=drop_invalid_header_fields, expected_type=type_hints["drop_invalid_header_fields"])
             check_type(argname="argument http2_enabled", value=http2_enabled, expected_type=type_hints["http2_enabled"])
@@ -18944,14 +19222,20 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc": vpc,
         }
+        if cross_zone_enabled is not None:
+            self._values["cross_zone_enabled"] = cross_zone_enabled
         if deletion_protection is not None:
             self._values["deletion_protection"] = deletion_protection
+        if deny_all_igw_traffic is not None:
+            self._values["deny_all_igw_traffic"] = deny_all_igw_traffic
         if internet_facing is not None:
             self._values["internet_facing"] = internet_facing
         if load_balancer_name is not None:
             self._values["load_balancer_name"] = load_balancer_name
         if vpc_subnets is not None:
             self._values["vpc_subnets"] = vpc_subnets
+        if client_keep_alive is not None:
+            self._values["client_keep_alive"] = client_keep_alive
         if desync_mitigation_mode is not None:
             self._values["desync_mitigation_mode"] = desync_mitigation_mode
         if drop_invalid_header_fields is not None:
@@ -18972,6 +19256,15 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         assert result is not None, "Required property 'vpc' is missing"
         return typing.cast(_IVpc_f30d5663, result)
 
+    @builtins.property
+    def cross_zone_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether cross-zone load balancing is enabled.
+
+        :default: - false for Network Load Balancers and true for Application Load Balancers.
+        '''
+        result = self._values.get("cross_zone_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def deletion_protection(self) -> typing.Optional[builtins.bool]:
         '''Indicates whether deletion protection is enabled.
@@ -18981,6 +19274,15 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("deletion_protection")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def deny_all_igw_traffic(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW).
+
+        :default: - false for internet-facing load balancers and true for internal load balancers
+        '''
+        result = self._values.get("deny_all_igw_traffic")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def internet_facing(self) -> typing.Optional[builtins.bool]:
         '''Whether the load balancer has an internet-routable address.
@@ -19008,6 +19310,17 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("vpc_subnets")
         return typing.cast(typing.Optional[_SubnetSelection_e57d76df], result)
 
+    @builtins.property
+    def client_keep_alive(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The client keep alive duration.
+
+        The valid range is 60 to 604800 seconds (1 minute to 7 days).
+
+        :default: - Duration.seconds(3600)
+        '''
+        result = self._values.get("client_keep_alive")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
     @builtins.property
     def desync_mitigation_mode(self) -> typing.Optional[DesyncMitigationMode]:
         '''Determines how the load balancer handles requests that might pose a security risk to your application.
@@ -19134,20 +19447,15 @@ class ApplicationTargetGroupProps(BaseTargetGroupProps):
             # vpc: ec2.Vpc
             
             
-            # Target group with duration-based stickiness with load-balancer generated cookie
-            tg1 = elbv2.ApplicationTargetGroup(self, "TG1",
-                target_type=elbv2.TargetType.INSTANCE,
-                port=80,
-                stickiness_cookie_duration=Duration.minutes(5),
-                vpc=vpc
-            )
-            
-            # Target group with application-based stickiness
-            tg2 = elbv2.ApplicationTargetGroup(self, "TG2",
-                target_type=elbv2.TargetType.INSTANCE,
-                port=80,
-                stickiness_cookie_duration=Duration.minutes(5),
-                stickiness_cookie_name="MyDeliciousCookie",
+            tg = elbv2.ApplicationTargetGroup(self, "TG",
+                target_type=elbv2.TargetType.IP,
+                port=50051,
+                protocol=elbv2.ApplicationProtocol.HTTP,
+                protocol_version=elbv2.ApplicationProtocolVersion.GRPC,
+                health_check=elbv2.HealthCheck(
+                    enabled=True,
+                    healthy_grpc_codes="0-99"
+                ),
                 vpc=vpc
             )
         '''
@@ -20973,6 +21281,7 @@ class ApplicationLoadBalancer(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        client_keep_alive: typing.Optional[_Duration_4839e8c3] = None,
         desync_mitigation_mode: typing.Optional[DesyncMitigationMode] = None,
         drop_invalid_header_fields: typing.Optional[builtins.bool] = None,
         http2_enabled: typing.Optional[builtins.bool] = None,
@@ -20980,7 +21289,9 @@ class ApplicationLoadBalancer(
         ip_address_type: typing.Optional[IpAddressType] = None,
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
         vpc: _IVpc_f30d5663,
+        cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
+        deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
         internet_facing: typing.Optional[builtins.bool] = None,
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -20988,6 +21299,7 @@ class ApplicationLoadBalancer(
         '''
         :param scope: -
         :param id: -
+        :param client_keep_alive: The client keep alive duration. The valid range is 60 to 604800 seconds (1 minute to 7 days). Default: - Duration.seconds(3600)
         :param desync_mitigation_mode: Determines how the load balancer handles requests that might pose a security risk to your application. Default: DesyncMitigationMode.DEFENSIVE
         :param drop_invalid_header_fields: Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). Default: false
         :param http2_enabled: Indicates whether HTTP/2 is enabled. Default: true
@@ -20995,7 +21307,9 @@ class ApplicationLoadBalancer(
         :param ip_address_type: The type of IP addresses to use. Default: IpAddressType.IPV4
         :param security_group: Security group to associate with this load balancer. Default: A security group is created
         :param vpc: The VPC network to place the load balancer in.
+        :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
+        :param deny_all_igw_traffic: Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers
         :param internet_facing: Whether the load balancer has an internet-routable address. Default: false
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
@@ -21005,6 +21319,7 @@ class ApplicationLoadBalancer(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = ApplicationLoadBalancerProps(
+            client_keep_alive=client_keep_alive,
             desync_mitigation_mode=desync_mitigation_mode,
             drop_invalid_header_fields=drop_invalid_header_fields,
             http2_enabled=http2_enabled,
@@ -21012,7 +21327,9 @@ class ApplicationLoadBalancer(
             ip_address_type=ip_address_type,
             security_group=security_group,
             vpc=vpc,
+            cross_zone_enabled=cross_zone_enabled,
             deletion_protection=deletion_protection,
+            deny_all_igw_traffic=deny_all_igw_traffic,
             internet_facing=internet_facing,
             load_balancer_name=load_balancer_name,
             vpc_subnets=vpc_subnets,
@@ -21165,6 +21482,26 @@ class ApplicationLoadBalancer(
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
         return typing.cast(None, jsii.invoke(self, "addSecurityGroup", [security_group]))
 
+    @jsii.member(jsii_name="logAccessLogs")
+    def log_access_logs(
+        self,
+        bucket: _IBucket_42e086fd,
+        prefix: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Enable access logging for this load balancer.
+
+        A region must be specified on the stack containing the load balancer; you cannot enable logging on
+        environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+
+        :param bucket: -
+        :param prefix: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__14e58136aa424614ad3deed70de619716d36a85a2336e0d16a5d5e3edc8431cd)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
+        return typing.cast(None, jsii.invoke(self, "logAccessLogs", [bucket, prefix]))
+
     @jsii.member(jsii_name="metric")
     def metric(
         self,
@@ -22910,6 +23247,7 @@ __all__ = [
     "CfnTrustStoreProps",
     "CfnTrustStoreRevocation",
     "CfnTrustStoreRevocationProps",
+    "ClientRoutingPolicy",
     "DesyncMitigationMode",
     "FixedResponseOptions",
     "ForwardOptions",
@@ -23159,7 +23497,9 @@ def _typecheckingstub__c636cf30c7688e65af48df2d228f5c138bd07b3c256c82b3692388fb2
 def _typecheckingstub__36614588a5e075aa6e7ea0a4d41053b09874f2590b227cd5d62f3429901282f2(
     *,
     vpc: _IVpc_f30d5663,
+    cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
+    deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
     internet_facing: typing.Optional[builtins.bool] = None,
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -24448,11 +24788,14 @@ def _typecheckingstub__e1c7a4c1332bdc807d1e25aa5d69eea6e1f3bf6a88ddd30dac9a64c93
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    cross_zone_enabled: typing.Optional[builtins.bool] = None,
+    client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+    enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
     vpc: _IVpc_f30d5663,
+    cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
+    deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
     internet_facing: typing.Optional[builtins.bool] = None,
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -24540,11 +24883,14 @@ def _typecheckingstub__d4dc8b446f6caacf313a46c99f00148ea8982b0018d14d0f1d5004245
 def _typecheckingstub__195ab659ca9cd1c401d6d2d1a1f5cb0aaf7dd80f06dbc724020ac0cc391d75da(
     *,
     vpc: _IVpc_f30d5663,
+    cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
+    deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
     internet_facing: typing.Optional[builtins.bool] = None,
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
-    cross_zone_enabled: typing.Optional[builtins.bool] = None,
+    client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+    enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
 ) -> None:
@@ -24724,10 +25070,13 @@ def _typecheckingstub__5e4d185ab2bd554850b96481b3fbdc7ee1a86c97629f1b0fd835c6f72
 def _typecheckingstub__e43cf75024913d9be0d5d621a5f2c2c7be60a57898a54967cd54179b2b3d1584(
     *,
     vpc: _IVpc_f30d5663,
+    cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
+    deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
     internet_facing: typing.Optional[builtins.bool] = None,
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
+    client_keep_alive: typing.Optional[_Duration_4839e8c3] = None,
     desync_mitigation_mode: typing.Optional[DesyncMitigationMode] = None,
     drop_invalid_header_fields: typing.Optional[builtins.bool] = None,
     http2_enabled: typing.Optional[builtins.bool] = None,
@@ -25077,6 +25426,7 @@ def _typecheckingstub__22d249b6cdbe3ce0dfc1a873ef276c65fe89ce6a5dba0603fae0a5755
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    client_keep_alive: typing.Optional[_Duration_4839e8c3] = None,
     desync_mitigation_mode: typing.Optional[DesyncMitigationMode] = None,
     drop_invalid_header_fields: typing.Optional[builtins.bool] = None,
     http2_enabled: typing.Optional[builtins.bool] = None,
@@ -25084,7 +25434,9 @@ def _typecheckingstub__22d249b6cdbe3ce0dfc1a873ef276c65fe89ce6a5dba0603fae0a5755
     ip_address_type: typing.Optional[IpAddressType] = None,
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
     vpc: _IVpc_f30d5663,
+    cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,
+    deny_all_igw_traffic: typing.Optional[builtins.bool] = None,
     internet_facing: typing.Optional[builtins.bool] = None,
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -25136,6 +25488,13 @@ def _typecheckingstub__57e7fd3d637561416b99cc18ce93e12b3ff0fd16aa199643bcfdcb4f3
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__14e58136aa424614ad3deed70de619716d36a85a2336e0d16a5d5e3edc8431cd(
+    bucket: _IBucket_42e086fd,
+    prefix: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__062c936e075fbff0552978e79ddc8d8cb01378ba1804b2546d14bd0383a824a0(
     metric_name: builtins.str,
     *,