You can add a listener that uses SSL over TCP to a Network Load Balancer (NLB) instance to forward encrypted TCP traffic from clients. You can use SSL over TCP in scenarios that require high performance and large-scale TLS offloading.
Prerequisites
- An NLB instance is created. For more information, see Create and manage an NLB instance.
- A server group is created. For more information, see Create and manage a server group.
Procedure
- Create a listener that uses SSL over TCP: the standard configuration method. You can enable the listener to listen by port range and configure advanced settings.
- Create a listener that uses SSL over TCP (quick configuration): the quick configuration method. You only need to specify a listening protocol, listening port, server certificate, TLS security policy, and server group.
Create a listener that uses SSL over TCP
Step 1: Configure a listener that uses SSL over TCP
- Log on to the NLB console.
- In the top navigation bar, select the region of the NLB instance.
- On the Instances page, find the NLB instance that you want to manage and use one of the following methods to open the listener configuration wizard:
- Click Create Listener in the Actions column.
- Click the ID of the NLB instance and click the Listener tab. On the Listener tab, click Create Listener above the listener list.
- Click the instance ID. On the instance details page, click Create Listener in the wizard.
- Click the instance ID. In the upper-right corner of the instance details page, click Create Listener.
- On the Configure Listener wizard page, set the following parameters and click Next.
Parameter | Description |
---|---|
Listener Protocol | Select a listening protocol. In this example, SSL over TCP is selected. |
Listen by Port Range | Specify whether to enable the listener to listen by port range. If you enable this feature, the NLB instance listens on all ports that fall within the specified listener port range, and redirects requests destined for the ports to the backend servers. Note: Each NLB instance supports only one TCP listener that listens by port range, including listeners that use SSL over TCP, and one UDP listener that listens by port range. This feature must be enabled for server groups associated with a listener that listens by port range. |
Listener Port Range | Specify the first and last port to define the listener port range if you want to enable the listener to listen by port range. |
Listener Port | Specify a port on which the NLB instance listens. The NLB instance uses the port to receive requests and forward the requests to backend servers. You can select a commonly used port, or enter a port number. Valid values: 1 to 65535. If Listen by Port Range is enabled, you do not need to set Listener Port. |
Listener Name | Specify a name for the listener. |
Advanced | Click to show the advanced settings. |
Idle Timeout | Specify a timeout period for idle TCP connections that are secured with SSL. If no request is received within the timeout period, NLB closes the current connection. When another request is received, NLB establishes a new connection. |
Limit on New Connections | Specify whether to limit the number of new connections. |
Maximum New Connections per Second | If Limit on New Connections is enabled, you must specify the maximum number of new connections per second. |
Enable Proxy Protocol | Specify whether to enable Proxy Protocol. After Proxy Protocol is enabled, client IP addresses are passed to backend servers. |
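With Enable Proxy Protocol turned on, the backend receives the original client address in a PROXY protocol header that precedes the plaintext stream NLB forwards after terminating TLS. The following is an added example, not code from this page or from Alibaba Cloud: a Python parser for that header that assumes version 2 (the binary format) and uses a constructed sample connection. A backend should accept this header only on connections that arrive from the NLB, since any other peer could prepend a forged client address.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte v2 signature
PP2_ADDR_LEN = {0x1: 12, 0x2: 36}           # address block size: AF_INET, AF_INET6


@dataclass
class ProxyHeader:
    src_ip: Optional[str]    # None for the LOCAL command (no client address)
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    payload: bytes           # application bytes that follow the header


def parse_proxy_v2(data: bytes) -> ProxyHeader:
    """Parse the PROXY v2 header at the start of a backend TCP stream; raise on malformed input."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    payload = data[16 + length:]
    if ver_cmd & 0x0F == 0x0:  # LOCAL: originated by the proxy itself (e.g. health checks)
        return ProxyHeader(None, None, None, None, payload)
    family, transport = fam_proto >> 4, fam_proto & 0x0F
    if family not in PP2_ADDR_LEN or transport != 0x1:  # only STREAM over IPv4/IPv6
        raise ValueError("unsupported address family or transport")
    n = PP2_ADDR_LEN[family]
    if length < n:
        raise ValueError("address block too short")
    block = data[16:16 + n]   # src addr, dst addr, src port, dst port
    alen = (n - 4) // 2       # 4 bytes per IPv4 address, 16 per IPv6
    af = socket.AF_INET if family == 0x1 else socket.AF_INET6
    src_ip = socket.inet_ntop(af, block[:alen])
    dst_ip = socket.inet_ntop(af, block[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", block[2 * alen:2 * alen + 4])
    return ProxyHeader(src_ip, src_port, dst_ip, dst_port, payload)


# Constructed sample: the plaintext stream a backend reads after NLB terminates
# TLS and forwards the connection with Proxy Protocol enabled (addresses are made up).
SAMPLE = (PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.0.5")
          + struct.pack("!HH", 51234, 443) + b"GET / HTTP/1.1\r\n")
```

`parse_proxy_v2(SAMPLE)` yields client 203.0.113.7:51234, which is the address the backend should log instead of the NLB's own address.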
Step 2: Configure an SSL certificate
To create a listener that uses SSL over TCP, you must configure an SSL certificate for identity authentication to ensure secure data transfer.
Certificate | Description | Required for one-way authentication | Required for mutual authentication |
---|---|---|---|
Server certificate | A server certificate is used to authenticate the identity of a server. Your browser checks whether the certificate sent by the server is signed and issued by a trusted certificate authority (CA). For more information, see Certificate Management Service. | Yes. You can create or upload a server certificate in Certificate Center. Then, you must upload the server certificate to the NLB system. | Yes. You can create or upload a server certificate in Certificate Center. Then, you must upload the server certificate to the NLB system. |
Client certificate | A client certificate is used to authenticate the identity of a client. A server authenticates the identity of a client by verifying the certificate sent by the client. | No | Yes. You must install the client certificate on the client. |
CA certificate | A CA certificate is used by a server to verify the signature on a client certificate. If the signature is invalid, the connection request is denied. | No | Yes. You can create or upload a CA certificate in Certificate Center. Then, you must upload the CA certificate to the NLB system. |
TLS Security Policies | A TLS security policy contains TLS protocol versions and cipher suites that are available for SSL over TCP. For more information, see TLS security policies. | Yes | Yes |
- On the Configure SSL Certificate wizard page, select a server certificate from the Server Certificate drop-down list. If no server certificates are available, click Create Certificate from the drop-down list to create a certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
- Optional: Turn on Enable Mutual Authentication in Advanced Settings, select Alibaba Cloud in the CA Certificate Source drop-down list, and select a CA certificate from the Default CA Certificate drop-down list.
If no CA certificates are available, click Create Certificate from the drop-down list to create a certificate. For more information, see Purchase and enable a private CA.
Note: If you want to disable mutual authentication, perform the following operations:
- On the Instances page, click the ID of the NLB instance that you want to manage.
- On the Listener tab, click the ID of the listener that uses SSL over TCP that you want to manage.
- On the Listener Details tab, go to the SSL Certificate section and disable mutual authentication.
- Select a TLS security policy from the TLS Security Policies drop-down list and click Next. If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
Step 3: Select a server group
Step 4: Confirm configurations
On the Confirm wizard page, confirm the configurations and click Submit.
Create a listener that uses SSL over TCP (quick configuration)
If you select this method, you only need to specify a listening protocol, listening port, server certificate, TLS security policy, and server group.
- In the left-side navigation pane, choose .
- On the Instances page, find the NLB instance that you want to manage and click its ID.
- Click the Listener tab. On the Listener tab, click Quick Create Listener.
- In the Quick Create Listener dialog box, set the following parameters and click OK.
Parameter | Description |
---|---|
Listener Protocol | Select a listening protocol. In this example, SSL over TCP is selected. |
Listening Port | Specify the frontend port that is used to receive and forward requests to the backend servers. You can select a commonly used port, or enter a port number. Valid values: 1 to 65535. |
Server Certificate | Select a server certificate from the drop-down list. If no server certificate is available, click Create Certificate to create one. For more information, see Purchase an SSL certificate. |
TLS Security Policies | Select a TLS security policy from the drop-down list. If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies. |
Server Group | Set Server Type and select a server group based on Server Type. |
References
- CreateListener: creates a TCP or UDP listener, or a listener that uses SSL over TCP for an NLB instance.
- DeleteListener: deletes an NLB listener.
- ListListeners: queries listeners added to an NLB instance.
- UpdateListenerAttribute: modifies the configurations of NLB listeners.
- StartListener: enables an NLB listener.
- StopListener: disables an NLB listener.
- GetListenerAttribute: queries the details about an NLB listener.
- GetListenerHealthStatus: queries the health status of an NLB listener.