You can use QUIC and enable QUIC listening on backend servers in complex networking scenarios, such as mobile networks, networks with fluctuating bandwidth where low latency is required, and applications that are sensitive to network latency (online games or live streaming). QUIC enables clients to use HTTP/3 to improve the stability and performance of network communication.
How it works
QUIC is based on UDP and is the core of HTTP/3. It supports multiplexing, 0-RTT handshake, congestion control algorithms, and seamless connection migration. Compared with HTTP/2 that uses TLS and TCP, HTTP/3 based on QUIC can efficiently reduce the latency of data retransmission and communication. For more information about QUIC, see QUIC official documentation.
After you create a QUIC listener for an ALB instance, you can use a client to access the backend service over HTTP/3.
If some clients need to access the service over HTTP/1.1 or HTTP/2, you can use a QUIC listener together with an HTTPS listener to ensure compatibility with different HTTP protocols. To use a combination of QUIC and HTTPS listeners, an ALB instance must work in the following mode: the QUIC listener and the HTTPS listener listen on the same port and use the same forwarding rules. After receiving a request, the ALB instance preferably uses the QUIC listener to forward the request to the backend service. When the client does not support HTTP/3, the ALB instance uses the HTTPS listener to forward requests.
Prerequisites
An ALBConfig is created. For more information, see Get started with ALB Ingresses.
Use only a QUIC listener
Step 1: Create a QUIC listener in the ALBConfig
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Create a QUIC listener.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: QUIC # The QUIC listener.
    certificates:
    - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
      IsDefault: true
Important: The preceding example uses the ALBConfig to configure a certificate. QUIC listeners also support auto certificate or Secret discovery. For more information, see Configure an HTTPS certificate for encrypted communication.
Step 2: Verify the configuration
Run the following command to query the Ingress:
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Record the values in the HOSTS and ADDRESS columns.
Run the following command to access the HTTPS service over HTTP/3. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note: Some curl versions do not support HTTP/3. Use a curl version that supports HTTP/3. The -k option turns off certificate verification in curl, so this check confirms that the listener answers over HTTP/3 but not that the certificate is valid for the host name.
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
If the following output is returned, the QUIC listener is configured:
old
Use a combination of QUIC listeners and HTTPS listeners
Step 1: Create an HTTPS listener
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Create an HTTPS listener and add the quicConfig field.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: QUIC # The QUIC listener.
    certificates:
    - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
      IsDefault: true
  - port: 443
    protocol: HTTPS # The HTTPS listener.
    certificates:
    - CertificateId: 756****-cn-hangzhou # The ID of the certificate.
      IsDefault: true
    quicConfig:
      quicListenerId: "" # Leave it empty. This parameter will be specified in the subsequent step.
      quicUpgradeEnabled: false # Set to false.
Important: The preceding example uses the ALBConfig to configure a certificate. QUIC listeners also support auto certificate or Secret discovery.
Step 2: Add annotations to an Ingress
You need to add annotations to an Ingress to ensure that the Ingress serves both listeners.
Run the following command to modify an Ingress.
kubectl edit ingress quic-ingress # Replace quic-ingress with the name of the Ingress.
Add annotations to the Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]' # When multiple listeners are used, you need to add annotations to the ALB Ingress.
spec:
  #...
Step 3: Associate the listeners
Log on to the ALB console.
On the Instances page, click the ID of your ALB instance. On the Listener tab, find the listener whose Listener Protocol/Port is QUIC:443 and record its ID.
Specify the ID in the ALBConfig.
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Set quicListenerId to the ID of the QUIC listener and set quicUpgradeEnabled to true.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    certificates:
    - CertificateId: 756****-cn-hangzhou
      IsDefault: true
    quicConfig:
      quicListenerId: lsn-tnz740dr8p5h65**** # Specify the ID of the QUIC listener.
      quicUpgradeEnabled: true # Set to true.
  - port: 443
    protocol: QUIC # The QUIC listener.
    certificates:
    - CertificateId: 756****-cn-hangzhou
      IsDefault: true
Confirm the listener association.
Log on to the ALB console.
On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Listener tab. In the listener list, click the name of the HTTPS listener. On the Listener Details page, you can view the associated QUIC listener.
Step 4: Verify the configuration
Use HTTP/3 to access the service through the ALB Ingress.
Run the following command to query the Ingress:
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Record the values in the HOSTS and ADDRESS columns.
Run the following commands to use HTTP/3 and the traditional method to access the HTTPS service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note: Some curl versions do not support HTTP/3. Use a curl version that supports HTTP/3.
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
If the following output is returned, the two listeners are associated and compatible with multiple HTTP protocols:
old
old
Step 5: (Optional) Delete the association
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Leave quicListenerId empty and set quicUpgradeEnabled to false.
# The preceding content is omitted.
    port: 443
    protocol: HTTPS
    quicConfig:
      quicListenerId: "" # Leave the parameter empty.
      quicUpgradeEnabled: false # Set to false.
    requestTimeout: 0
# Content is omitted.
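The rules from Steps 1 to 3 and Step 5 can be checked mechanically before relying on the combined listeners. The following is an added example, not part of the original documentation or the ALB Ingress controller. The function name check_quic_pairing and the sample objects are assumptions, and the input is assumed to have the shape of `kubectl get albconfig <ALBCONFIG_NAME> -o json` and `kubectl get ingress <NAME> -o json` output.

```python
import copy
import json

LISTEN_PORTS = "alb.ingress.kubernetes.io/listen-ports"

def check_quic_pairing(albconfig, ingress):
    """Return findings for the QUIC+HTTPS setup; an empty list means consistent."""
    findings = []
    listeners = albconfig["spec"].get("listeners", [])
    quic_ports = {l["port"] for l in listeners if l["protocol"] == "QUIC"}
    https = [l for l in listeners if l["protocol"] == "HTTPS"]
    for l in https:
        qc = l.get("quicConfig") or {}
        lsn_id, upgrade = qc.get("quicListenerId", ""), qc.get("quicUpgradeEnabled", False)
        # Step 3: enabling the upgrade requires the ID of the QUIC listener.
        if upgrade and not lsn_id:
            findings.append(f"HTTPS:{l['port']} quicUpgradeEnabled is true but quicListenerId is empty")
        # Both listeners must listen on the same port.
        if (upgrade or lsn_id) and l["port"] not in quic_ports:
            findings.append(f"HTTPS:{l['port']} has a quicConfig but no QUIC listener on that port")
        # Step 1 / Step 5 state: listeners exist side by side but are not associated.
        if l["port"] in quic_ports and not (upgrade and lsn_id):
            findings.append(f"HTTPS:{l['port']} is not associated with QUIC:{l['port']}")
    # Step 2: the Ingress must declare both listeners on the shared port.
    raw = ingress["metadata"].get("annotations", {}).get(LISTEN_PORTS, "[]")
    declared = {(proto, port) for entry in json.loads(raw) for proto, port in entry.items()}
    for port in sorted(quic_ports & {l["port"] for l in https}):
        for proto in ("QUIC", "HTTPS"):
            if (proto, port) not in declared:
                findings.append(f"Ingress annotation {LISTEN_PORTS} lacks {proto}:{port}")
    return findings

# Constructed sample input (not real cluster output); the listener ID is the
# masked value shown in Step 3.
ASSOCIATED = {"spec": {"listeners": [
    {"port": 443, "protocol": "QUIC"},
    {"port": 443, "protocol": "HTTPS",
     "quicConfig": {"quicListenerId": "lsn-tnz740dr8p5h65****", "quicUpgradeEnabled": True}},
]}}
# The same AlbConfig in its Step 1 state: ID still empty, upgrade disabled.
PENDING = copy.deepcopy(ASSOCIATED)
PENDING["spec"]["listeners"][1]["quicConfig"] = {"quicListenerId": "", "quicUpgradeEnabled": False}

INGRESS_OK = {"metadata": {"annotations": {LISTEN_PORTS: '[{"QUIC": 443},{"HTTPS": 443}]'}}}
INGRESS_BARE = {"metadata": {"name": "quic-ingress"}}  # annotation from Step 2 missing

if __name__ == "__main__":
    for name, cfg, ing in [("associated", ASSOCIATED, INGRESS_OK), ("pending", PENDING, INGRESS_BARE)]:
        print(name, check_quic_pairing(cfg, ing) or "consistent")
```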
References
If your web service is vulnerable to intrusions, you can use WAF-enabled ALB instances. For more information, see Use WAF-enabled ALB instances to protect applications.
For more information about listener configurations, see Use AlbConfigs to configure ALB listeners.