Enable HTTP-3 Performance with QUIC Listeners via ALBConfig - Container Service for Kubernetes

In mobile networks, live-streaming, and online gaming environments where low and stable latency matters, QUIC (HTTP/3) outperforms HTTP/2 by reducing retransmission and communication latency and maintaining sessions across network changes. Built on UDP, QUIC supports multiplexing, 0-RTT handshake, congestion control algorithms, and seamless connection migration. ALB Ingress lets you enable QUIC on your ALB instance through the AlbConfig resource, either as a standalone HTTP/3 listener or paired with an HTTPS listener for multi-protocol compatibility.

ALB Ingress supports two configurations:

QUIC only — clients connect over HTTP/3 exclusively.
QUIC + HTTPS — ALB prefers HTTP/3 but falls back to HTTP/1.1 or HTTP/2 for clients that don't support it.

For details on the QUIC protocol, see the QUIC specification (RFC 9000).

How it works

When QUIC and HTTPS listeners are combined, both listen on the same port (443) and share the same forwarding rules. ALB routes each incoming request to the QUIC listener first. If the client doesn't support HTTP/3, ALB falls back to the HTTPS listener.

Prerequisites

Before you begin, make sure you have:

An ALBConfig. For setup instructions, see Get started with ALB Ingresses.

Use a QUIC-only listener

Add a QUIC listener to the AlbConfig

Open the AlbConfig for editing:
```
kubectl edit albconfig <ALBCONFIG_NAME>
```

Add a QUIC listener under spec.listeners:

In addition to a directly specified certificate ID, QUIC listeners support auto certificate and Secret discovery. For details, see Configure an HTTPS certificate for encrypted communication.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: QUIC       # QUIC requires TLS; port 443 is standard for HTTPS/QUIC.
      certificates:
      - CertificateId: 756****-cn-hangzhou   # The ID of the ALBConfig certificate.
        IsDefault: true

Verify the configuration

Get the Ingress details:

kubectl get ingress

Expected output:

NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

Note the values in the HOSTS and ADDRESS columns.

Test HTTP/3 access. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values from the previous step:

Not all curl builds include HTTP/3 support. Use a version compiled with HTTP/3 support.
```
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
```
If the QUIC listener is active, the command returns:
```
old
```

Use QUIC and HTTPS listeners together

This setup lets ALB serve HTTP/3 clients while remaining compatible with HTTP/1.1 and HTTP/2. The QUIC and HTTPS listeners share port 443 and the same forwarding rules.

Why the setup requires three steps: The QUIC listener ID is only available after ALB provisions the listener. You must first define both listeners (leaving quicListenerId blank), then retrieve the ID from the console, and finally update the AlbConfig to activate the association. Attempting to fill in the ID before the listener exists will fail.

Step 1: Define both listeners in the AlbConfig

The complete AlbConfig for this scenario looks like this:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: QUIC          # Same port as HTTPS — required for protocol compatibility and shared forwarding rules.
      certificates:
      - CertificateId: 756****-cn-hangzhou   # The ID of the certificate.
        IsDefault: true
    - port: 443
      protocol: HTTPS
      certificates:
      - CertificateId: 756****-cn-hangzhou   # Use the same certificate as the QUIC listener.
        IsDefault: true
      quicConfig:
        quicListenerId: ""             # Leave blank — the QUIC listener ID is not yet available.
        quicUpgradeEnabled: false      # Set to true in Step 3 after you retrieve the listener ID.

To apply this configuration:

Open the AlbConfig for editing:
```
kubectl edit albconfig <ALBCONFIG_NAME>
```
Add both listeners as shown above and save.

QUIC listeners support auto certificate and Secret discovery in addition to directly specified certificate IDs.

Step 2: Add annotations to the Ingress

When multiple listeners share a port, add the listen-ports annotation so ALB knows which protocols the Ingress serves:

Open the Ingress for editing:
```
kubectl edit ingress quic-ingress
```

Add the annotation:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    # Required when multiple listeners share a port — tells ALB which protocols this Ingress handles.
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]'
spec:
  #...

Step 3: Associate the QUIC and HTTPS listeners

After ALB provisions both listeners, link them so ALB can prefer QUIC and fall back to HTTPS automatically:

Log on to the ALB console.
Log on to the ALB console.
On the Instances page, click the ID of your ALB instance. On the Listener tab, find the listener with Listener Protocol/Port set to QUIC:443 and copy its ID.
Open the AlbConfig for editing:
```
kubectl edit albconfig <ALBCONFIG_NAME>
```

Set quicListenerId to the ID you copied and set quicUpgradeEnabled to true:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: HTTPS
      certificates:
      - CertificateId: 756****-cn-hangzhou
        IsDefault: true
      quicConfig:
        quicListenerId: lsn-tnz740dr8p5h65****   # The ID of the QUIC listener retrieved from the console.
        quicUpgradeEnabled: true                  # Activates the QUIC-to-HTTPS fallback.
    - port: 443
      protocol: QUIC
      certificates:
      - CertificateId: 756****-cn-hangzhou
        IsDefault: true

Confirm the association in the console:
1. Log on to the ALB console.
2. On the Instances page, click your ALB instance ID. On the Listener tab, click the HTTPS listener name. On the Listener Details page, verify that the associated QUIC listener is listed.

Step 4: Verify the configuration

Get the Ingress details:

kubectl get ingress

Expected output:

NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

Note the values in the HOSTS and ADDRESS columns.

Test both HTTP/3 and standard HTTPS access. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values from the previous step:

Not all curl builds include HTTP/3 support. Use a version compiled with HTTP/3 support.
```
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
```
If both listeners are associated and working, both commands return:
```
old
old
```

Step 5: (Optional) Remove the association

Open the AlbConfig for editing:
```
kubectl edit albconfig <ALBCONFIG_NAME>
```

Clear quicListenerId and set quicUpgradeEnabled to false:

# Content above is omitted.
    port: 443
    protocol: HTTPS
    quicConfig:
      quicListenerId: ""      # Clear the ID to remove the association.
      quicUpgradeEnabled: false
    requestTimeout: 0
# Content below is omitted.

quicConfig field reference

Field	Description	Value during setup	Value after association
`quicListenerId`	The ID of the QUIC listener to associate with this HTTPS listener.	`""` (leave blank)	The listener ID from the ALB console (e.g., `lsn-tnz740dr8p5h65****`)
`quicUpgradeEnabled`	Whether ALB prefers QUIC and falls back to HTTPS for incompatible clients.	`false`	`true`

What's next

To protect your application with a web application firewall, see Use WAF-enabled ALB instances to protect applications.
For a full reference of AlbConfig listener options, see Use AlbConfigs to configure ALB listeners.