ALB DNS name with 3 AZs enabled resolves to 1 IP

Yes, I understand that it should resolve the ALB IP(s) and not the target's IPs.

What I don't understand is: Why does the AWS Web UI (under EC2 -> Load Balancers, when I select the ALB) show the three AZs and subnets and for each of them "IPv4 address: Assigned by AWS". This sounds to me like the ALB has one IP per AZ. How otherwise would there be fault tolerance if one AZ goes down?

Also: On another ALB of ours (also one target, three AZs enabled) looking up the DNS name of the ALB returns two IPs with the order randomized each time.

Depending on a few different factors (mostly scale but sometimes other events) each "single" ALB may have one or more IP addresses. This is normal.

Thanks, that makes sense.

One additional question: If I lookup the AAAA records of our first ALB, I can see that it's returning an IPv6 address within the eu-central-1a subnet of our VPC. Looking up the second ALB, it returns IPv6 addresses in eu-central-1a and eu-central-1b subnets of our VPC, in random order each lookup. So if it scales down to just one AZ, how does fault-tolerance work in case that particular AZ goes down?

(Let me know if I should post this as a separate question)

When you assign an ALB to targets in multiple subnets, that ALB will get an ENI in each of the subnets so that it can communicate with the instances in each one. Those won't be associated with the client-facing DNS name of the ALB (e.g. *.elb.amazonaws.com).

These are the IP addresses to which the console refers when you see "Assigned by AWS" in the Description tab for your ALB.

You can see them if you open the EC2->Network Interfaces pane. The requester ID for these ENIs will be "amazon-elb."