Container Compute Service: Use QUIC listeners to support HTTP/3 and improve network performance

Last Updated: Jan 14, 2025

You can use QUIC and enable QUIC listening for backend servers in complex networking scenarios, such as mobile networks, networks that require low latency under fluctuating bandwidth usage, and applications that are sensitive to network latency (such as online games or live streaming). QUIC enables clients to use HTTP/3 to improve the stability and performance of network communication.

How it works

QUIC is based on UDP and is the core of HTTP/3. It supports multiplexing, 0-RTT handshakes, congestion control algorithms, and seamless connection migration. Compared with HTTP/2, which uses TLS and TCP, HTTP/3 based on QUIC can efficiently reduce the latency of data retransmission and communication. For more information about QUIC, see the official QUIC documentation.

  • After you create a QUIC listener for an ALB instance, you can use a client to access the backend service over HTTP/3.

  • If some clients need to access the service over HTTP/1.1 or HTTP/2, you can use a QUIC listener together with an HTTPS listener to remain compatible with the different HTTP versions. In this mode, the QUIC listener and the HTTPS listener listen on the same port and use the same forwarding rules. When the ALB instance receives a request, it preferentially uses the QUIC listener to forward the request to the backend service. If the client does not support HTTP/3, the ALB instance uses the HTTPS listener to forward the request.

Prerequisites

An ALBConfig is created. For more information, see Get started with ALB Ingresses.

Use only a QUIC listener

Step 1: Create a QUIC listener in the ALBConfig

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Create a QUIC listener.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb
    spec:
      config:
        #...
      listeners:
        - port: 443
          protocol: QUIC # The QUIC listener.
          certificates:
          - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
            IsDefault: true

    Important

    The preceding example uses the ALBConfig to configure a certificate. QUIC listeners also support auto certificate or Secret discovery. For more information, see Configure an HTTPS certificate for encrypted communication.

Step 2: Verify the configuration

  1. Run the following command to query the Ingress:

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Record the values in the HOSTS and ADDRESS columns.

  2. Run the following command to access the HTTPS service over HTTP/3. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.

    Note

    Some curl versions do not support HTTP/3. Use a curl version that supports HTTP/3.

    curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com

    If the following output is returned, the QUIC listener is configured:

    old

Use a combination of QUIC listeners and HTTPS listeners

Step 1: Create an HTTPS listener

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Create an HTTPS listener and add the quicConfig field.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb
    spec:
      config:
        #...
      listeners:
        - port: 443
          protocol: QUIC # The QUIC listener.
          certificates:
          - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
            IsDefault: true
        - port: 443
          protocol: HTTPS # The HTTPS listener.
          certificates:
          - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
            IsDefault: true
          quicConfig:
            quicListenerId: "" # Leave it empty. This parameter will be specified in the subsequent step.
            quicUpgradeEnabled: false # Set to false.

    Important

    The preceding example uses the ALBConfig to configure a certificate. QUIC listeners also support auto certificate or Secret discovery.

Step 2: Add annotations to an Ingress

You need to add annotations to an Ingress to ensure that the Ingress serves both listeners.

  1. Run the following command to modify an Ingress.

    kubectl edit ingress quic-ingress # Replace quic-ingress with the name of the Ingress.

  2. Add annotations to the Ingress.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: #...
      annotations:
        alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]' # When multiple listeners are used, you need to add annotations to the ALB Ingress.
    spec:
      #...

Step 3: Associate the listeners

  1. Log on to the ALB console.

  2. On the Instances page, click the ID of your ALB instance. On the Listener tab, find the listener whose Listener Protocol/Port is QUIC:443 and record its ID.

  3. Specify the ID in the ALBConfig.

    1. Run the following command to modify the AlbConfig:

      kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

    2. Set quicListenerId to the ID of the QUIC listener and set quicUpgradeEnabled to true.

      apiVersion: alibabacloud.com/v1
      kind: AlbConfig
      metadata:
        name: alb
      spec:
        config:
          #...
        listeners:
          - port: 443
            protocol: HTTPS
            certificates:
            - CertificateId: 756****-cn-hangzhou
              IsDefault: true 
            quicConfig: 
              quicListenerId: lsn-tnz740dr8p5h65**** # Specify the ID of the QUIC listener. 
              quicUpgradeEnabled: true # Set to true.
          - port: 443
            protocol: QUIC # The QUIC listener.
            certificates:
            - CertificateId: 756****-cn-hangzhou
              IsDefault: true

  4. Confirm the listener association.

    1. Log on to the ALB console.

    2. On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Listener tab. In the listener list, click the name of the HTTPS listener. On the Listener Details page, you can view the associated QUIC listener.
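
The pairing rules from Steps 1 to 3 can also be checked offline against the manifest. The following Python check is an added example, not Alibaba Cloud code: it takes the parsed output of kubectl get albconfig <ALBCONFIG_NAME> -o json and the value of the listen-ports annotation, and reports listeners that are only partly associated. The function name, the finding texts, and the sample listener ID are assumptions made for this example.

```python
import json

def check_quic_pairing(albconfig, listen_ports_annotation=None):
    """Return findings for the QUIC/HTTPS listener pairing in a parsed AlbConfig."""
    findings = []
    listeners = albconfig.get("spec", {}).get("listeners", [])
    quic_ports = {l.get("port") for l in listeners if l.get("protocol") == "QUIC"}
    https_ports = {l.get("port") for l in listeners if l.get("protocol") == "HTTPS"}

    for l in listeners:
        if l.get("protocol") != "HTTPS":
            continue
        port = l.get("port")
        quic = l.get("quicConfig") or {}
        lsn_id = quic.get("quicListenerId") or ""
        upgrade = bool(quic.get("quicUpgradeEnabled"))
        if upgrade and not lsn_id:
            findings.append(f"HTTPS:{port} quicUpgradeEnabled is true but quicListenerId is empty")
        if lsn_id and not upgrade:
            findings.append(f"HTTPS:{port} quicListenerId is set but quicUpgradeEnabled is false")
        if (upgrade or lsn_id) and port not in quic_ports:
            findings.append(f"HTTPS:{port} is associated with QUIC but no QUIC listener uses port {port}")

    # A QUIC listener alone is valid, but HTTP/1.1 and HTTP/2 clients get no fallback.
    for port in sorted(quic_ports - https_ports):
        findings.append(f"QUIC:{port} has no HTTPS listener on the same port")

    # Ports served by both listeners must both appear in the Ingress annotation.
    declared = set()
    for entry in json.loads(listen_ports_annotation or "[]"):
        declared.update(entry.items())
    for port in sorted(quic_ports & https_ports):
        for proto in ("QUIC", "HTTPS"):
            if (proto, port) not in declared:
                findings.append(f"listen-ports annotation is missing {proto}:{port}")
    return findings

# Constructed sample mirroring the Step 3 manifest; the listener ID is a placeholder.
SAMPLE = {"spec": {"listeners": [
    {"port": 443, "protocol": "HTTPS",
     "quicConfig": {"quicListenerId": "lsn-EXAMPLE", "quicUpgradeEnabled": True}},
    {"port": 443, "protocol": "QUIC"},
]}}
ANNOTATION = '[{"QUIC": 443},{"HTTPS": 443}]'

if __name__ == "__main__":
    for finding in check_quic_pairing(SAMPLE, ANNOTATION) or ["OK: listeners are paired"]:
        print(finding)
```

The intermediate state from Step 1 (empty quicListenerId with quicUpgradeEnabled set to false) produces no finding, so the check can run at any point in the procedure.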

Step 4: Verify the configuration

Use HTTP/3 to access the service through the ALB Ingress.

  1. Run the following command to query the Ingress:

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Record the values in the HOSTS and ADDRESS columns.

  2. Run the following commands to access the HTTPS service by using HTTP/3 and by using the traditional method. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.

    Note

    Some curl versions do not support HTTP/3. Use a curl version that supports HTTP/3.

    curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
    curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com

    If the following output is returned, the two listeners are associated and compatible with multiple HTTP protocols:

    old
    old

Step 5: (Optional) Delete the association

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Leave quicListenerId empty and set quicUpgradeEnabled to false.

    # The preceding content is omitted. 
        port: 443
        protocol: HTTPS
        quicConfig:
          quicListenerId: "" # Leave the parameter empty. 
          quicUpgradeEnabled: false # Set to false.
        requestTimeout: 0
    # Content is omitted.