Server Load Balancer:Configure an ALB instance to serve multiple domain names over HTTPS

Scenario

After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates that you uploaded. If one of the certificates is matched, ALB sends the request to a backend server based on the forwarding rule that you configured for the domain name and then returns the corresponding certificate to the client. If no certificate is matched, ALB sends the request to a backend server in the default server group and returns the default certificate to the client. The following configurations are used in this example:

• The default certificate: default. The default server group: RS1.
• The domain name example1.com is associated with the additional certificate example1. Requests destined for example1.com are forwarded to RS1.
• The domain name example.org is associated with the additional certificate example2. Requests destined for example.org are forwarded to RS2.

Prerequisites

• An ALB instance is created. For more information, see Create an ALB instance.
• RS1 and RS2 are created. For more information, see Create and manage a server group.
• An Elastic Compute Service (ECS) instance is added to each server group. In this example, ECS01 is added to RS1 and ECS02 is added to RS2. Different NGINX services are deployed on the ECS instances.
• Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to apply for a certificate, see Submit a certificate application. The following certificates are used in this example:
  • The default certificate.
  • The extended certificate example1 that is associated with the domain name example.com.
  • The extended certificate example2 that is associated with the domain name example.org.

Background information

The number of additional certificates that can be associated with an ALB instance: 10 for a basic ALB instance and 25 for a standard ALB instance. The default certificate is not included in this quota.

Step 1: Create an HTTPS listener

1. Log on to the ALB console.
2. In the top navigation bar, select the region where the ALB instance is deployed.
3. On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
4. On the Configure Listener wizard page, set the following parameters and click Next.
   For more information about the other parameters and how to create an HTTPS listener, see Add an HTTPS listener.

   • Select Server Certificate: In this example, the default certificate is selected.
   • Select Server Group: In this example, RS1 is selected.

Step 2: Add an additional certificate

1. On the Instances page, find the ALB instance that you want to manage and click its ID.
2. On the Listener tab, find the HTTPS listener that you created and click Manage Certificate in the Actions column.
3. On the Certificates tab, click Add Extended Validation Certificate.
4. In the Add Extended Validation Certificate dialog box, select the certificate example1, and click OK. Repeat this step to add the extended certificate example2.

Step 3: Create forwarding rules

1. On the Instances page, find the ALB instance that you want to manage and click its ID.
2. On the Listener tab, find the HTTPS listener that you created and click View/Modify Forwarding Rule in the Actions column.
3. On the Forwarding Rules tab, click Add New Rule.
4. Configure forwarding rules based on the following information and click OK:
   • Set the Domain Name parameter to example.com and the Forward parameter to RS1. Set the weight of the server group to 100.
   • Set the Domain Name parameter to example.org and the Forward parameter to RS2. Set the weight of the server group to 100.

   Note

   • ECS instances in a server group that has a higher weight receive more requests. In this example, the default weight 100 is used.
   • Valid values: 1 to 100.

Step 4: Create CNAME records

Create CNAME records to map example.com and example.org to the publicly accessible domain name of the ALB instance.

1. Log on to the ALB console.
2. In the top navigation bar, select the region where the ALB instance is deployed.
3. Find the ALB instance that you want to manage and copy the domain name.
4. To create a CNAME record, perform the following operations:
   1. Log on to the Alibaba Cloud DNS console.
   2. On the Manage DNS page, click Add Domain Name.
   3. In the Add Domain Name dialog box, enter the domain name of your host and click OK.
      Important Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
   4. In the Actions column of the domain name that you want to manage, click Configure.
   5. On the DNS Settings page, click Add Record.
   6. In the Add Record panel, set the following parameters and click Confirm.

      Parameter	Description
      Type	Select CNAME from the drop-down list.
      Host	Enter the prefix of the domain name of your host.
      ISP Line	Select Default.
      Value	Enter the CNAME. The CNAME is the domain name of the ALB instance.
      TTL	Select the time-to-live (TTL) value of the record on the DNS server. In this example, the default value is used.

      Note

      • Newly created CNAME records immediately take effect. The time that is required for a modified CNAME record to take effect is determined by the TTL value. The default TTL value is 10 minutes.
      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name.

Step 5: Test connectivity