
Server Load Balancer: Create and manage listeners

Last Updated: Apr 15, 2026

A listener is a process that checks for connection requests. You can create listeners for an Application Load Balancer (ALB) instance to forward client requests based on your business requirements. You can also manage listeners, including modifying, starting, stopping, and deleting them.

Choose a listener protocol

Before you create a listener, choose a listener protocol that meets your business requirements. ALB supports three Layer 7 listener protocols: HTTP, HTTPS, and QUIC. The following table describes the use cases and configuration requirements for each protocol.

| Protocol | Use cases | SSL certificate required | Supported backend protocols | Features |
|---|---|---|---|---|
| HTTP | Applications that need to inspect content, such as web apps and mobile mini-games. | No | HTTP, HTTPS | Supports the WebSocket protocol by default. |
| HTTPS | Applications that require encrypted data transmission. Establishes SSL/TLS encrypted sessions between the ALB instance and clients. | Yes (a server certificate is required; a CA certificate is required for mutual authentication). | HTTP, HTTPS, and gRPC (requires HTTP/2 to be enabled). | Supports HTTP/2, mutual authentication (with a CA certificate), TLS security policies, and QUIC upgrade. Supports the WebSocket Secure (WSS) protocol by default. |
| QUIC | Scenarios with weak network signals or frequent switching between Wi-Fi and mobile networks. It reduces stuttering for audio and video, improves access efficiency for streaming resources, and keeps data transmission secure. | Yes (a server certificate is required). | HTTP | Based on UDP for faster connection establishment and supports connection migration, ensuring connections are not lost during network changes. |

Learn about QUIC

QUIC protocol

QUIC (Quick UDP Internet Connections) provides security comparable to SSL and offers benefits such as multiplexing. It performs well on unreliable networks and can still provide usable services when packet loss and network latency are severe. At the application layer, QUIC can implement different congestion control algorithms without relying on operating system or kernel support. Compared with traditional TCP, QUIC offers more flexibility for optimization and is a good fit when TCP-based optimization reaches a bottleneck.

With the rapid growth of new services such as short videos and live streaming, streaming media transmission faces both bandwidth and latency demands. QUIC effectively reduces network and video stuttering, improves access efficiency for audio and video resources, and keeps data transmission secure.

Supported QUIC types

ALB supports gQUIC and iQUIC. HTTP/3 is an application-layer protocol built on iQUIC. It relies on iQUIC for features such as multiplexing, congestion control, loss detection, and retransmission. HTTP/3 can start client connections faster, eliminates head-of-line blocking in multiplexed streams, and supports connection migration when a client IP address changes.

  • ALB supports gQUIC versions Q46, Q43, and Q39, which correspond to Chrome versions 74 to 81.

  • ALB supports HTTP/3 version h3, which corresponds to Chrome 87 and later.

Use cases

| Scenario | Description |
|---|---|
| Use a QUIC listener only | All clients must support HTTP/3. |
| Use a QUIC listener with an HTTPS listener | If not all clients support HTTP/3, ALB automatically negotiates with each client and prefers HTTP/3. If negotiation fails, the connection falls back to HTTPS or HTTP/2. |

Prerequisites

Create or delete a listener

Console

ALB supports the following ways to create a listener:

  • Create Listener: A step-by-step wizard that supports custom advanced settings.

  • Quick Create Listener: Requires only the listener protocol, listener port, and server group. For HTTPS or QUIC listeners, you must also configure a server certificate. For HTTPS listeners, you must also select a TLS security policy.

Create Listener

Step 1: Configure Listener

  1. Go to the Instances page in the ALB console, click the ID of the target instance, and go to the Listener tab. Then, click Create Listener.

  2. In the Configure Listener wizard, configure the following parameters and click Next.

    • Listener Protocol: Select HTTP, HTTPS, or QUIC.

    • Listener Port: Specify a port from 1 to 65535. Port 80 is typically used for HTTP, and port 443 is used for HTTPS.

      Within the same ALB instance, listeners that use the same protocol cannot use the same port. Additionally, HTTP and HTTPS listeners cannot use the same port.

    • Listener Name: Enter a custom name for the listener.

    • Tags: Tag the listener by using key-value pairs.

    • Advanced Settings: Click Modify to expand the section.

      • Enable HTTP/2: This option is available only for HTTPS listeners.

      • Idle Connection Timeout Period: Specify a value from 1 to 600 seconds. The default value is 15 seconds. The connection closes if it remains idle for this period. To request a longer timeout, go to Quota Center.

        If the listener protocol is HTTP, the idle timeout does not apply to HTTP/2 requests.

      • Connection Request Timeout: Specify a value from 1 to 600 seconds. The default value is 60 seconds. ALB returns an HTTP 504 error if a backend server fails to respond within this period. To request a longer timeout, go to Quota Center.

      • Compression: When enabled, ALB compresses a response only if its Content-Length exceeds 1,024 bytes. Brotli (all types) and Gzip are supported. If a client supports both algorithms, Brotli is used.

        Gzip supports the following content types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

      • Retrieve Client IP: When enabled, ALB extracts the real client source IP from the X-Forwarded-For header. You must configure a list of trusted IP addresses:

        • 0.0.0.0/0: Use the leftmost address in the X-Forwarded-For header.

        • proxy1 IP;proxy2 IP;...: ALB scans from right to left and uses the first IP address that is not in the trusted list.

        After you enable this feature, forwarding rules based on SourceIp matching and QPS (Per Client IP) use the real client source IP.

        This setting is not supported for QUIC listeners.

        This feature is available for Standard and WAF-enabled edition instances, but not for Basic edition instances.

      • Add HTTP Header: Select the headers to add. You can use these headers to obtain information such as the client IP address, listener protocol, and port. For details about each header, see HTTP header fields.

      • QUIC Upgrade: This setting applies when you use an HTTPS listener together with a QUIC listener. In the Associated QUIC Listeners drop-down list, select a created QUIC listener. After you enable this feature, ALB advertises HTTP/3 to clients. ALB directs clients that support HTTP/3 to the QUIC listener, while other clients fall back to HTTPS.

        This setting is available only for HTTPS listeners.
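
The two trusted-list modes of Retrieve Client IP, modeled as an added example (not Alibaba Cloud code): with 0.0.0.0/0 the leftmost X-Forwarded-For entry, which the client itself can set, becomes the "real" IP, while an explicit proxy list yields the first address that a trusted proxy actually observed. The function names, the sample header (documentation-range addresses), CIDR entries in the list, and the None result for an unparsable or all-trusted header are assumptions.

```python
import ipaddress

# Constructed header as it would reach ALB: a client at 198.51.100.7 sent its own
# X-Forwarded-For value (192.0.2.66); its real address was then appended by the
# first proxy, and that proxy's address (203.0.113.10) by the second proxy.
SAMPLE_XFF = "192.0.2.66, 198.51.100.7, 203.0.113.10"


def parse_trusted(spec):
    """Parse a 'proxy1 IP;proxy2 IP;...' list (CIDR entries are an assumption)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(";") if p.strip()]


def select_client_ip(xff, trusted_spec):
    """Hypothetical model of the selection rule described for Retrieve Client IP."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    trusted = parse_trusted(trusted_spec)
    if not hops:
        return None
    # 0.0.0.0/0 trusts every hop, so the leftmost (client-controlled) entry wins.
    if any(net.prefixlen == 0 for net in trusted):
        return hops[0]
    # Otherwise walk right to left and stop at the first hop outside the list.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # assumption: refuse to guess on a malformed entry
        if not any(addr in net for net in trusted):
            return hop
    return None  # assumption: every hop was a trusted proxy


def compare_modes(xff, proxies):
    """Return (ip chosen with 0.0.0.0/0, ip chosen with the explicit proxy list)."""
    return select_client_ip(xff, "0.0.0.0/0"), select_client_ip(xff, proxies)


if __name__ == "__main__":
    print(compare_modes(SAMPLE_XFF, "203.0.113.10;203.0.113.20"))
```

Because SourceIp forwarding rules and QPS (Per Client IP) use the selected address, the explicit proxy list is the setting to prefer whenever those rules act as access or rate controls.
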
Step 2: Configure SSL Certificate (HTTPS and QUIC listeners only)

| Certificate | Description | Required for one-way authentication | Required for mutual authentication |
|---|---|---|---|
| Server Certificate | Proves the server's identity to clients. For more information, see What is an SSL certificate. | Yes | Yes |
| CA Certificate | The listener uses the CA certificate to verify the client's certificate. If verification fails, the listener rejects the connection. | No | Yes |

  • A newly applied certificate typically takes one to three minutes to take effect.

  • A QUIC listener requires only a server certificate and does not support mutual authentication.

  • To support multiple domain names or attach multiple server certificates, you can add additional certificates to the listener.

  1. In the Configure SSL Certificate wizard, select a Server Certificate.

    If no server certificate is available, click Create SSL Certificate to go to Certificate Management Service, and then purchase or upload a server certificate.

  2. HTTPS listeners only: Select a TLS Security Policy.

    ALB provides multiple predefined policies. To customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

  3. HTTPS listeners only (optional): Turn on Enable Mutual Authentication, select a CA certificate source, and then select a CA certificate.

    • If you set CA Certificate Source to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list. If no CA certificate is available, click Purchase CA Certificate to create a new CA certificate.

    • If you set CA Certificate Source to Third-party, select a CA certificate from the Default CA Certificate drop-down list. If no CA certificate is available, click Upload Self-signed CA Certificate to upload a self-signed CA certificate by using the certificate application repository.

    Mutual authentication is available for Standard and WAF-enabled edition instances, but not for Basic edition instances.

Step 3: Select server group

In the Select Server Group wizard, select a server group, view the backend server information, and then click Next.

Step 4: Review configurations

On the Configuration Review page, confirm the configurations and click Submit.
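
A pre-flight check for a planned listener set, added here as an example and not taken from the ALB console or SDK; it applies only the constraints stated in Steps 1 and 2 above (port rules, certificate requirements, mutual authentication and Retrieve Client IP availability, default timeout range). The dictionary keys, listener names and the certificate placeholder are hypothetical.

```python
# Constructed plan; the dictionary keys are hypothetical, not ALB API parameters.
PLAN = [
    {"name": "web-http", "protocol": "HTTP", "port": 80},
    {"name": "web-https", "protocol": "HTTPS", "port": 443,
     "server_cert": "cert-placeholder", "mutual_auth": True},
    {"name": "web-quic", "protocol": "QUIC", "port": 443,
     "server_cert": "cert-placeholder", "mutual_auth": True},
    {"name": "admin", "protocol": "HTTPS", "port": 80, "idle_timeout": 900},
]


def check_listener_plan(listeners, edition="Standard"):
    """Return findings for a planned listener set, using the rules on this page."""
    findings, ports = [], {}
    for lsn in listeners:
        name, proto, port = lsn["name"], lsn["protocol"], lsn["port"]
        if not 1 <= port <= 65535:
            findings.append(f"{name}: port {port} is outside 1-65535")
        # HTTP and HTTPS cannot share a port; QUIC is only checked against QUIC.
        space = "HTTP(S)" if proto in ("HTTP", "HTTPS") else proto
        if (space, port) in ports:
            findings.append(f"{name}: port {port} already used by {ports[(space, port)]}")
        ports.setdefault((space, port), name)
        if proto in ("HTTPS", "QUIC") and not lsn.get("server_cert"):
            findings.append(f"{name}: {proto} listener needs a server certificate")
        if lsn.get("mutual_auth"):
            if proto != "HTTPS":
                findings.append(f"{name}: mutual authentication is HTTPS-only")
            elif edition == "Basic":
                findings.append(f"{name}: no mutual authentication on Basic edition")
            elif not lsn.get("ca_cert"):
                findings.append(f"{name}: mutual authentication needs a CA certificate")
        if lsn.get("retrieve_client_ip") and (proto == "QUIC" or edition == "Basic"):
            findings.append(f"{name}: Retrieve Client IP is not supported here")
        for key in ("idle_timeout", "request_timeout"):
            value = lsn.get(key)
            if value is not None and not 1 <= value <= 600:
                findings.append(f"{name}: {key}={value} is outside the default 1-600 s")
    return findings


if __name__ == "__main__":
    for finding in check_listener_plan(PLAN):
        print(finding)
```
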

Quick Create Listener

  1. Go to the Instances page in the ALB console, click the ID of the target instance, and go to the Listener tab. Then, click Quick Create Listener.

  2. In the Quick Create Listener dialog box, configure the following parameters and click OK.

    • Listener Protocol: Select HTTP, HTTPS, or QUIC.

    • Listener Port: Specify a port from 1 to 65535. Port 80 is typically used for HTTP, and port 443 is used for HTTPS.

    • Server Certificate (HTTPS and QUIC listeners only): Select a server certificate. If no server certificate is available, click Create SSL Certificate to go to Certificate Management Service, and then purchase or upload a server certificate.

    • TLS Security Policy (HTTPS listeners only): Select a TLS security policy. To customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

    • Server Group: Select the backend server group type and backend servers.

Delete a listener

  1. Go to the Instances page in the ALB console and click the ID of the target instance. On the Listener tab, find the target listener. In the Actions column, choose More Actions > Delete.

  2. In the dialog box that appears, click OK.

API

Modify a listener

You cannot modify the listener protocol or port after a listener is created. To change these settings, you must delete the listener and create a new one.

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to modify its basic information:

    • Click the ID of the target listener or click View Details in the Actions column. On the Listener Details tab, click Modify Listener in the Basic Information section.

    • In the Actions column, choose More Actions > Modify Listener.

  3. In the Modify Listener dialog box, modify the listener name or advanced settings, and then click Save.

API

Call the UpdateListenerAttribute operation to update the configurations of a listener.

Start or stop a listener

When you start or stop a listener, it temporarily enters the Configuring state. During this time, you cannot delete, edit, or replace the server group for the listener.

Warning

Stopping a listener interrupts all active connections. Proceed with caution.

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to start or stop the listener:

    • In the Actions column, choose More Actions > Enable or Disable. In the dialog box that appears, click OK.

    • Click the ID of the target listener. In the upper-right corner of the Listener Details tab, click Enable or Disable.

API

Replace a server group

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to replace the server group:

    • In the Actions column, choose More Actions > Change Server Group (Default Forwarding Rule).

    • Click the ID of the target listener. On the Listener Details tab, click Change Server Group (Default Forwarding Rule) in the Server Group (Default Forwarding Rule) section.

  3. In the dialog box that appears, select a replacement server group, or click Create Server Group in the drop-down list to create and select a new server group. Then, click Save.

API

Call the UpdateListenerAttribute operation to update a listener's configuration, including its associated server group.

Manage certificates

Console

  1. Go to the Instances page in the ALB console. Click the ID of the target instance. On the Listener tab, find the target HTTPS or QUIC listener, and click Manage Certificates in the Actions column.

  2. On the Certificates page, you can replace the server certificate and add or remove additional certificates. For detailed instructions, see Manage certificates.

API

Modify a TLS security policy (HTTPS listeners only)

Console

  1. Go to the Instances page in the ALB console. Click the ID of the target instance. On the Listener tab, find the target HTTPS listener and click its ID to go to the Listener Details page.

  2. On the Listener Details tab, find the SSL Certificate section, and click the edit icon (alt text "Modify Instance Name") next to TLS Security Policy.

  3. In the Modify TLS Security Policy dialog box, select a TLS security policy and click Save.

    You can select a predefined policy. To customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

API

Call the UpdateListenerAttribute operation and use the SecurityPolicyId parameter to specify the TLS security policy.

Manage tracing

Tracing is supported only for Standard and WAF-enabled edition ALB instances. For a detailed description and instructions on how to enable tracing, see Use ALB tracing for end-to-end analysis.

Enabling tracing incurs fees for Managed Service for OpenTelemetry and Log Service.

  1. Go to the Instances page in the ALB console. Click the ID of the target instance. On the Listener tab, find the target listener and click its ID.

  2. On the Listener Details tab, perform the following operations in the Tracing section as needed.

    | Actions | Description |
    |---|---|
    | Enable Tracing | Turn on the Tracing switch. In the Enable Tracing dialog box, configure the parameters and click Save. |
    | Edit Tracing | Click Edit Tracing Settings. In the dialog box, modify the Sampling Rate and click Save. |
    | Disable Tracing | Turn off the Tracing switch. In the Disable Tracing dialog box, click OK. |
    | View traces | Next to Trace Analysis, click View to go to the Managed Service for OpenTelemetry console and view request data. For more information, see trace analysis. |

Billing

Listeners are free of charge, but ALB instances are billed on a pay-as-you-go basis.

Quotas

| Quota ID | Description | Default | Maximum value | Adjustable |
|---|---|---|---|---|
| alb_quota_loadbalancer_listeners_num_basic_edition | Maximum number of listeners per Basic edition ALB instance. | 50 | 80 | |
| alb_quota_loadbalancer_listeners_num_standard_edition | Maximum number of listeners per Standard edition ALB instance. | 50 | 100 | |
| alb_quota_loadbalancer_listeners_num_standardwithwaf_edition | Maximum number of listeners per WAF-enabled edition ALB instance. | 50 | 100 | |
| alb_quota_max_idle_timeout | Maximum idle timeout for a listener connection. | 600 seconds | 3,600 seconds | |
| alb_quota_max_request_timeout | Maximum request timeout for a listener connection. | 600 seconds | 3,600 seconds | |

Only upgraded ALB instances support increasing the alb_quota_max_request_timeout and alb_quota_max_idle_timeout quotas to a maximum of 3,600 seconds. For non-upgraded instances, the maximum value is 900 seconds.