This topic describes how to add an HTTPS listener to an Application Load Balancer (ALB) instance. HTTPS is intended for applications that require encrypted data transmission. You can create HTTPS listeners to distribute HTTPS requests. HTTPS listeners enable traffic encryption between an ALB instance and clients that initiate SSL or TLS sessions.
Prerequisites
- An ALB instance is created. For more information, see Create an ALB instance.
- At least one SSL server certificate and one TLS security policy are deployed on the ALB instance. For more information, see TLS security policies.
- A group of backend servers is specified in the default forwarding rule of the listener to receive requests. For more information, see Manage server groups.
Step 1: Configure a listener
To configure an HTTPS listener, perform the following operations:
Step 2: Configure an SSL certificate
To create an HTTPS listener, you must configure an SSL certificate for identity authentication to ensure secure data transfer.
Certificate | Description | Required for one-way authentication | Required for mutual authentication |
---|---|---|---|
Server certificate | A server certificate is used to authenticate the identity of a server. Your browser uses the server certificate to check whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see SSL Certificates. | Yes. You must upload the server certificate to the ALB system. | Yes. You must upload the server certificate to the ALB system. |
Client certificate | A client certificate is used to authenticate the identity of a client. A server authenticates the identity of a client by verifying the certificate sent by the client. | No | Yes. You must install the client certificate on the client. |
CA certificate | A CA certificate is used by a server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied. | No | Yes. You must upload the CA certificate to the ALB system. |
TLS security policy | A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. For more information, see TLS security policies. | Yes | Yes |
Step 3: Select a server group
On the Select Server Group wizard page, specify Server Type, select a server group based on the specified Server Type, confirm the backend servers, and then click Next.
Step 4: Review the configuration
On the Confirm wizard page, confirm the configuration and click Submit.
FAQ
- What are the TLS versions supported by HTTPS listeners?
HTTPS listeners support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. For more information, see TLS security policies.
- Can backend servers retrieve the TLS version used by the associated HTTPS listener?
Yes, backend servers can retrieve the TLS version used by the associated HTTPS listener.
- Which HTTP version is used by HTTPS listeners to distribute network traffic to backend servers?
  - If client requests use HTTP/1.1 or HTTP/2, Layer 7 listeners use HTTP/1.1 to distribute network traffic to backend servers.
  - If client requests use protocols other than HTTP/1.1 and HTTP/2, Layer 7 listeners use HTTP/1.0 to distribute network traffic to backend servers.
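Because a listener can accept anything from TLS 1.0 to TLS 1.3 depending on the attached TLS security policy, it is worth checking which versions a deployed listener actually negotiates. The following Python sketch is an added example, not part of the ALB documentation. The function names and result labels are hypothetical, and it assumes your baseline requires TLS 1.2 or later.

```python
import socket
import ssl

# TLS versions the page lists for HTTPS listeners.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLS 1.0", "TLS 1.1")  # assumption: baseline requires TLS 1.2 or later


def pinned_context(version):
    """Client context that offers exactly one TLS version and still verifies the server."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay enabled
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version label: accepted | rejected | cert-error | unreachable}."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[label] = "unreachable"
            continue
        try:
            with raw, pinned_context(version).wrap_socket(raw, server_hostname=host):
                results[label] = "accepted"
        except ssl.SSLCertVerificationError:
            results[label] = "cert-error"  # server certificate problem, not a version result
        except (OSError, ValueError):
            # Handshake refused. The local OpenSSL policy can also refuse to offer
            # TLS 1.0/1.1, so confirm a "rejected" legacy result from a second client.
            results[label] = "rejected"
    return results


def audit(results):
    """List findings for a listener that should only accept TLS 1.2 and TLS 1.3."""
    findings = [f"{label} accepted: attach a TLS security policy that excludes it"
                for label in LEGACY if results.get(label) == "accepted"]
    if not any(results.get(v) == "accepted" for v in ("TLS 1.2", "TLS 1.3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 was accepted")
    return findings
```

Call `probe()` with the listener's domain name from a host that can reach it, then pass the result to `audit()`.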