Configure listeners for an Application Load Balancer (ALB) instance by setting the listeners field in an AlbConfig. This topic covers how to create, update, and delete listeners, and how to configure certificates, TLS policies, timeouts, compression, header forwarding, and network ACLs.
Prerequisites
Before you begin, ensure that you have:
An ACS cluster. See Create an ACS cluster.
Two vSwitches in different zones within the same virtual private cloud (VPC) as the cluster, in zones supported by ALB. See Create and manage vSwitches.
The ALB Ingress controller installed in the cluster. See Manage the ALB Ingress controller.
An AlbConfig created. See Create an AlbConfig.
An IngressClass created. See Create an IngressClass.
kubectl connected to the cluster. See Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Listener parameters at a glance
All listener parameters are set under spec.listeners[] in the AlbConfig. The following table lists the available fields.
| Parameter | Type | Default | Valid values | Description |
|---|---|---|---|---|
port | integer | — | — | Listener port. Together with protocol, uniquely identifies a listener. |
protocol | string | — | HTTP, HTTPS, QUIC | Listener protocol. Together with port, uniquely identifies a listener. |
certificates[].CertificateId | string | — | Certificate ID | The certificate to bind to an HTTPS listener. The first entry is used as the default certificate. |
certificates[].IsDefault | boolean | — | true, false | Whether the certificate is the default certificate. |
caEnabled | boolean | false | true, false | Whether to enable CA certificate authentication for the HTTPS listener. |
securityPolicyId | string | — | Policy ID | TLS security policy to apply to an HTTPS listener. |
requestTimeout | integer | 60 | 1–180 | Connection timeout in seconds. ALB returns HTTP 504 if the backend does not respond within this period. |
gzipEnabled | boolean | — | true, false | Whether to enable data compression (Brotli and Gzip). |
xForwardedForConfig.XForwardedForEnabled | boolean | — | true, false | Whether to include the client IP in the X-Forwarded-For header. HTTP and HTTPS only. |
xForwardedForConfig.XForwardedForProtoEnabled | boolean | — | true, false | Whether to include the ALB listening protocol in the X-Forwarded-For header. HTTP and HTTPS only. |
xForwardedForConfig.XForwardedForSLBIdEnabled | boolean | — | true, false | Whether to include the ALB instance ID in the X-Forwarded-For header. HTTP and HTTPS only. |
xForwardedForConfig.XForwardedForSLBPortEnabled | boolean | — | true, false | Whether to include the ALB listening port in the X-Forwarded-For header. HTTP and HTTPS only. |
xForwardedForConfig.XForwardedForClientSourceIpsEnabled | boolean | — | true, false | Whether to retrieve the real client IP from the X-Forwarded-For header based on trusted proxies. Requires XForwardedForClientSourceIpsTrusted. HTTP and HTTPS only. |
xForwardedForConfig.XForwardedForClientSourceIpsTrusted | string | — | IP addresses or CIDR blocks, semicolon-separated | Trusted proxy IP addresses. ALB traverses the X-Forwarded-For header from right to left; the first IP not in this list is treated as the client IP. Takes effect only when XForwardedForClientSourceIpsEnabled is true. |
aclConfig.aclType | string | — | White, Black | ACL type: White (whitelist) or Black (blacklist). |
aclConfig.aclEntries[] | string array | — | CIDR blocks | IP addresses or CIDR blocks to allow or deny. |
How listener updates work
The listeners field is an array. When you apply a new AlbConfig, each entry is matched against the live configuration and the last-applied-configuration annotation to determine what to add, retain, or delete.
Key concepts
Object configuration file: the YAML file you apply with
kubectl applyorkubectl edit.Live object configuration file: the AlbConfig currently active in the cluster.
`last-applied-configuration`: a Kubernetes annotation that records the content of the last applied configuration. It is not updated in real time when the configuration changes.
Update rules
| New config | Live config | last-applied-configuration | Result |
|---|---|---|---|
| Yes | Yes | — (irrelevant) | Listener is retained. |
| Yes | No | — (irrelevant) | Listener is added. |
| No | — (irrelevant) | Yes | Listener is deleted. Fields may be reset to defaults. |
| No | Yes | No | Listener is retained. |
Example
Given the following three states:
Object configuration file (what you are applying):
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005 # Adding port 8005.
protocol: HTTPLive object configuration file (current cluster state):
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Not in new config; in last-applied-configuration.
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8004 # Not in new config; not in last-applied-configuration.
protocol: HTTP`last-applied-configuration` annotation:
listeners:
- port: 8001
protocol: HTTP
- port: 8002
protocol: HTTP
- port: 8003
protocol: HTTPAfter applying the new configuration, the result is:
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005
protocol: HTTP| Port | Rule matched | Result |
|---|---|---|
| 8001 | Rule 1: present in new config and live config | Retained |
| 8003 | Rule 1: present in new config and live config | Retained |
| 8005 | Rule 2: present in new config, not in live config | Added |
| 8002 | Rule 3: absent from new config, present in last-applied-configuration | Deleted |
| 8004 | Rule 4: absent from new config, present in live config, absent from last-applied-configuration | Retained |
Create a listener
ALB listeners receive and forward external requests based on application-layer information. Set port and protocol to create a listener.
port and protocol are the only identifiers of a listener. Changing either field deletes the existing listener and creates a new one. Verify these values carefully before applying changes.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
listeners:
- port: 80
protocol: HTTP # Valid values: HTTP, HTTPS, QUIC.HTTP is compatible with WebSocket. No additional configuration is required.
Apply the configuration:
kubectl edit albconfig <AlbConfig_Name>Specify certificates for an HTTPS listener
Bind a certificate to an HTTPS listener using the certificates field. ALB uses the first certificate in the list as the default certificate and switches to others when the default expires or no longer meets requirements.
If no certificate is specified, ALB does not create the HTTPS listener immediately. Instead, it waits for an Ingress to be associated with the listener and auto-discovers a certificate based on the domain name in the Ingress configuration. This delays listener creation.
For details on certificate configuration, see Configure HTTPS certificates for encrypted communication.
listeners:
- port: 443
protocol: HTTPS
caEnabled: false
certificates:
- CertificateId: 756****-cn-hangzhou # The certificate ID.
IsDefault: trueConfigure a TLS security policy
Apply a TLS security policy to an HTTPS listener using securityPolicyId. Both custom and default TLS security policies are supported. See TLS security policies.
listeners:
- port: 443
protocol: HTTPS
securityPolicyId: tls_cipher_policy_1_1 # The security policy ID.Set the connection timeout
Set requestTimeout to prevent clients from waiting indefinitely for backend responses. If the backend does not respond within the timeout period, ALB returns HTTP 504 to the client.
Valid values: 1–180 seconds
Default: 60 seconds
listeners:
- port: 80
protocol: HTTP
requestTimeout: 60 # Unit: seconds. Valid values: 1–180.Enable data compression
Set gzipEnabled to reduce response payload size and improve transmission efficiency.
true: enables compression. Both Brotli and Gzip algorithms are used.Brotli supports all file types.
Gzip supports:
text/plain,text/css,application/javascript,application/x-javascript,application/rss+xml,application/atom+xml,application/xml,application/json.
false: disables compression.
listeners:
- port: 80
protocol: HTTP
gzipEnabled: false # Set to true to enable compression.Configure X-Forwarded-For headers
The xForwardedForConfig block controls what information ALB appends to the X-Forwarded-For header. HTTP and HTTPS listeners only.
Preserve the client IP
Set XForwardedForEnabled: true to include the originating client IP in the header.
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForEnabled: trueInclude the listening protocol
Set XForwardedForProtoEnabled: true to include the ALB listening protocol in the header.
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForProtoEnabled: trueInclude the ALB instance ID
Set XForwardedForSLBIdEnabled: true to include the ALB instance ID in the header.
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBIdEnabled: trueInclude the listening port
Set XForwardedForSLBPortEnabled: true to include the ALB listening port in the header.
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBPortEnabled: trueRetrieve the real client IP from trusted proxies
When traffic passes through proxy servers, use XForwardedForClientSourceIpsEnabled together with XForwardedForClientSourceIpsTrusted to identify the real client IP. ALB traverses the X-Forwarded-For header from right to left; the first IP not in the trusted list is treated as the client IP, and requests from that IP are throttled.
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSourceIpsEnabled: true # Must be true before XForwardedForClientSourceIpsTrusted takes effect.
XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16 # Semicolon-separated IP addresses or CIDR blocks.Configure network ACLs
Use aclConfig to allow or deny access from specific IP addresses or CIDR blocks. See Configure an ACL to enable access control.
listeners:
- port: 80
protocol: HTTPS
aclConfig:
aclType: White # White (whitelist) or Black (blacklist).
aclEntries:
- 127.0.0.1/32 # IP address or CIDR block to allow or deny.Delete a listener
To delete a listener, remove its entry from spec.listeners in the AlbConfig.
Disassociate all Ingresses from the listener before deleting it. Failing to do so causes the deletion to fail with an error.
# Before deletion:
listeners:
- port: 8001
protocol: HTTP
- port: 8002
protocol: HTTP
# After deletion (port 8002 removed):
listeners:
- port: 8001
protocol: HTTP