Manage the lifecycle of Application Load Balancer (ALB) listeners: modify settings, enable or disable listeners, delete listeners, change associated server groups, manage certificates and TLS security policies, and configure distributed tracing.
Prerequisites
Before you begin, make sure that you have:
An ALB instance
Navigate to the listener
All tasks in this document start from the listener list. To navigate to the listener list:
Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the ALB instance.
Click the Listener tab.
Modify a listener
The listening protocol and port cannot be modified after a listener is created. To use a different protocol or port, create a new listener.
Find the listener and open the modify dialog in one of the following ways:
Click the listener ID. On the Listener Details tab, click Modify Listener in the Basic Information section.
Click View Details in the Actions column. On the Listener Details tab, click Modify Listener in the Basic Information section.
Choose in the Actions column.
In the Modify Listener dialog box, change the listener name or click Modify next to Advanced Settings to update advanced settings. Click Save.
Enable or disable a listener
Enable or disable a listener to control whether it forwards traffic.
Disabling a listener stops all request forwarding on that listener. This may cause service interruptions. Proceed with caution.
When a listener is in the Configuring state, you cannot delete, modify, or change its server group.
Enable a listener
Find the listener and use one of the following methods:
Choose in the Actions column. In the message that appears, click OK.
Note: For HTTP listeners, click Enable directly in the Actions column instead, then click OK.
Click the listener ID. In the upper-right corner of the Listener Details tab, click Start.
Disable a listener
Find the listener and use one of the following methods:
Choose in the Actions column. In the message that appears, click OK.
Click the listener ID. In the upper-right corner of the Listener Details tab, click Stop.
Delete a listener
Deleting a listener stops request forwarding. Proceed with caution.
Find the listener and choose in the Actions column. In the message that appears, click OK.
Change the default server group
Replace the server group associated with a listener's default forwarding rule.
Find the listener and open the change dialog in one of the following ways:
Choose in the Actions column.
Click the listener ID. On the Listener Details tab, click Change Server Group (Default Forwarding Rule) in the Server Group (Default Forwarding Rule) section.
In the dialog box, select a server group or click Create Server Group to create a new one. Click Save.
Manage certificates
Configure server certificates and CA certificates for HTTPS and QUIC listeners.
Limitations
| Limitation | Description |
|---|---|
| Mutual authentication for Basic ALB | Basic ALB instances do not support mutual authentication |
| Mutual authentication for QUIC | QUIC listeners do not support mutual authentication |
| Authentication for HTTP | HTTP listeners do not support one-way authentication or mutual authentication |
Replace the default server certificate
On the listener list, find the listener and click Manage Certificates in the Actions column.
On the Server Certificates tab, find the default server certificate and click Change in the Actions column.
Select a server certificate and click OK. If no certificate is available, click Create SSL Certificate to go to the Certificate Management Service console. For more information, see Purchase an SSL certificate or Upload an SSL certificate.
Renew certificates before they expire to prevent service disruptions.
Add an additional server certificate
On the Certificates tab, navigate to the Server Certificates tab and click Add EV Certificate.
In the Add Additional Certificate dialog box, select a server certificate and click OK. If no certificate is available, click Purchase Certificate in the upper-right corner to go to the Certificate Management Service console. For more information, see Purchase an SSL certificate or Upload an SSL certificate.
Delete an additional server certificate
After an additional server certificate is deleted, it can no longer be used for server authentication.
On the Server Certificates tab, find the certificate and click Delete in the Actions column.
In the message that appears, click Delete.
Enable mutual authentication
Mutual authentication requires clients to present a certificate for verification. Only standard and WAF-enabled ALB instances with HTTPS listeners support this feature.
On the Certificates tab, click the CA Certificates tab.
Turn on Mutual Authentication or click Enable Mutual Authentication.
In the Enable Mutual Authentication dialog box, select Alibaba Cloud as the certificate source, select a CA certificate from the Default CA Certificate drop-down list, and click OK. If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
Disable mutual authentication
Disabling mutual authentication reverts the listener to one-way authentication.
On the Certificates tab, click the CA Certificates tab.
Turn off Mutual Authentication.
Replace a CA certificate
On the CA Certificates tab, find the default CA certificate and click Change in the Actions column.
In the Change Default CA Certificate dialog box, select Alibaba Cloud as the certificate source, select a CA certificate from the Default CA Certificate drop-down list, and click OK. If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
Modify TLS security policies
TLS security policies are supported only by HTTPS listeners.
On the listener list, find the HTTPS listener and click the listener ID, or click View Details in the Actions column.
On the Listener Details tab, click the icon next to TLS Security Policies in the SSL Certificate section.
In the Modify TLS Security Policy dialog box, select a TLS security policy and click Save. If no policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
Manage Managed Service for OpenTelemetry
Configure distributed tracing for ALB listeners to monitor and analyze request flows across services.
Before you begin
Only standard and WAF-enabled ALB instances support Managed Service for OpenTelemetry. Basic ALB instances do not.
Enabling tracing automatically activates Managed Service for OpenTelemetry and Simple Log Service. Charges apply for data reports, trace storage, and Simple Log Service. For more information, see Billing overview and Billable items of pay-by-feature.
Managed Service for OpenTelemetry is available in the following regions:
| Area | Regions |
|---|---|
| China | China (Hangzhou), China (Shanghai), China (Shenzhen), China (Chengdu), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Hong Kong), China (Guangzhou), and China (Heyuan) |
| Asia Pacific | Singapore, Malaysia (Kuala Lumpur), Japan (Tokyo), and Indonesia (Jakarta) |
| Europe & Americas | UK (London), Germany (Frankfurt), US (Virginia), and US (Silicon Valley) |

Notes on disabling Managed Service for OpenTelemetry:
After you disable tracing, Simple Log Service remains enabled. Manually disable it if no longer needed.
Disabling Simple Log Service while tracing is active causes service unavailability.
After you disable tracing for all listeners on an ALB instance, ALB stops delivering trace data to Managed Service for OpenTelemetry.
Enable tracing
On the listener list, click the ID of the listener.
In the Tracing section of the Listener Details tab, turn on Tracing.
In the Enable Tracing dialog box, configure the following parameters and click Save.
Note: The system automatically creates service-linked roles for ALB to deliver trace data.
| Parameter | Description |
|---|---|
| Activate Managed Service for OpenTelemetry | Select the Terms of Service to activate Managed Service for OpenTelemetry. Skip this step if already activated. |
| Project | Select the Simple Log Service project for resource isolation and management. Choose Select Project to use an existing project, or Create Project to enter a new project name. |
| Logstore | Select the Logstore for collecting, storing, and querying log data. Choose Select Logstore to use an existing Logstore, or Create Logstore to enter a new name. If you selected Create Project, select Create Logstore as well. |
| Tracing Type | Select a tracing type. The default value is Xtrace, which activates Managed Service for OpenTelemetry. |
| Sampling Rate | Set a value from 1 to 100. Default: 100. A lower value reduces the number of reported traces. |

Optional. In the Task Enabled dialog box, wait until all task statuses change to Successful, then click Close.
Modify tracing settings
Navigate to the listener's Listener Details tab.
In the Tracing section, click Edit Tracing Settings.
In the Edit Tracing Settings dialog box, adjust the Sampling Rate and click Save.
Disable tracing
Navigate to the listener's Listener Details tab.
In the Tracing section, turn off Tracing.
In the Disable Tracing message, click OK.
View traces
In the Tracing section of the Listener Details tab, click View next to Trace Analysis to open the Managed Service for OpenTelemetry console. For more information, see Analyze traces.
WebSocket support
HTTP listeners natively support WebSocket. HTTPS listeners natively support WebSocket Secure. No additional configuration is required.
For more information about WebSocket on ALB, see Use WebSocket to enable real-time messaging.
References
Console
To configure advanced forwarding rules for listeners, see Manage forwarding rules for a listener.
API reference
| API | Description |
|---|---|
| UpdateListenerAttribute | Update listener configuration |
| StartListener | Enable a listener |
| StopListener | Disable a listener |
| DeleteListener | Delete a listener |
| AssociateAdditionalCertificatesWithListener | Associate additional certificates with an HTTPS or QUIC listener |
| DissociateAdditionalCertificatesFromListener | Disassociate additional certificates from an HTTPS or QUIC listener |
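
The constraints stated on this page (fixed protocol and port, the Configuring state, and which listeners and instance editions support certificates, mutual authentication, TLS security policies and tracing) can be checked before a change is submitted through the console or the APIs above. The following is an added example, not Alibaba Cloud code: the `Listener` record, the keys of `want` and the status value `Running` are constructed for illustration and are not ALB API fields.

```python
from dataclasses import dataclass

FULL_EDITIONS = {"standard", "waf"}  # "standard and WAF-enabled" instances


@dataclass
class Listener:
    """Constructed record for this example, not an ALB API response shape."""
    edition: str              # "basic", "standard" or "waf"
    protocol: str             # "HTTP", "HTTPS" or "QUIC"
    port: int
    status: str = "Running"   # constructed; only "Configuring" is special-cased
    mutual_auth: bool = False


def check_change(cur: Listener, want: dict) -> list[str]:
    """Return the constraints from this page that the requested change violates."""
    problems = []
    if want and cur.status == "Configuring":
        problems.append("listener is Configuring: no delete, modify or server group change")
    if want.get("protocol", cur.protocol) != cur.protocol or want.get("port", cur.port) != cur.port:
        problems.append("protocol and port are fixed after creation: create a new listener")
    if "certificate" in want and cur.protocol not in ("HTTPS", "QUIC"):
        problems.append("certificates apply only to HTTPS and QUIC listeners")
    if want.get("mutual_auth") is True:
        if cur.protocol != "HTTPS":
            problems.append(f"{cur.protocol} listeners do not support mutual authentication")
        if cur.edition not in FULL_EDITIONS:
            problems.append("basic ALB instances do not support mutual authentication")
    if want.get("mutual_auth") is False and cur.mutual_auth:
        # Not a violation, but a downgrade worth a second look before saving.
        problems.append("review: listener reverts to one-way authentication")
    if "tls_policy" in want and cur.protocol != "HTTPS":
        problems.append("TLS security policies are supported only by HTTPS listeners")
    if "sampling_rate" in want:
        if cur.edition not in FULL_EDITIONS:
            problems.append("basic ALB instances do not support tracing")
        if not 1 <= want["sampling_rate"] <= 100:
            problems.append("sampling rate must be a value from 1 to 100")
    return problems


if __name__ == "__main__":
    # Constructed input: a QUIC listener asked to take two HTTPS-only settings.
    quic = Listener(edition="standard", protocol="QUIC", port=443)
    for line in check_change(quic, {"mutual_auth": True, "tls_policy": "example-policy"}):
        print(line)
```

An empty list means the change is consistent with the limits documented here; it does not replace the validation ALB itself performs.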