Create an HTTPS listener for your Application Load Balancer
A listener checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.
To create an HTTPS listener, you must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer.
If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.
The information on this page helps you create an HTTPS listener for your load balancer. To add an HTTP listener to your load balancer, see Create an HTTP listener for your Application Load Balancer.
Prerequisites
- To create an HTTPS listener, you must specify a certificate and a security policy. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. The load balancer uses the security policy when negotiating SSL connections with the clients. Application Load Balancers do not support ED25519 keys.
- To add a forward action to the default listener rule, you must specify an available target group. For more information, see Create a target group for your Application Load Balancer.
- You can specify the same target group in multiple listeners, but these listeners must belong to the same load balancer. To use a target group with a load balancer, you must verify that it is not used by a listener for any other load balancer.
Add an HTTPS listener
You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration.
To add an HTTPS listener using the console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- On the navigation pane, choose Load Balancers.
- Select the load balancer.
- On the Listeners and rules tab, choose Add listener.
- For Protocol : Port, choose HTTPS and keep the default port or enter a different port.
- (Optional) To enable authentication, under Authentication select Use OpenID or Amazon Cognito, and provide the requested information. For more information, see Authenticate users using an Application Load Balancer.
- For Routing actions, do one of the following:
- Forward to target groups – Choose the target groups to forward traffic to. To add target groups, choose Add target group. If using more than one target group, select a weight for each target group and review the associated percentage. You must enable group-level stickiness on a rule if you've enabled stickiness on one or more of the target groups.
- Redirect to URL – Enter the URL that client requests will be redirected to. This can be done by entering each part separately on the URI parts tab, or by entering the full address on the Full URL tab. For Status code you can configure redirects as either temporary (HTTP 302) or permanent (HTTP 301) based on your needs.
- Return fixed response – Enter the Response code to return to dropped client requests. Optionally, you can specify the Content type and Response body.
- For Security policy, we recommend that you always use the latest predefined security policy.
- For Default SSL/TLS certificate, choose the default certificate. We also add the default certificate to the SNI list. You can select the certificate from one of the following sources:
- If you created or imported a certificate using AWS Certificate Manager, choose From ACM, then choose the certificate from Certificate (from ACM).
- If you imported a certificate using IAM, choose From IAM, and then choose the certificate from Certificate (from IAM).
- If you have a certificate, choose Import certificate. Choose either Import to ACM or Import to IAM. For Certificate private key, copy and paste the contents of the private key file (PEM-encoded). For Certificate body, copy and paste the contents of the public key certificate file (PEM-encoded). For Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
- (Optional) To enable mutual authentication, under Client certificate handling, enable Mutual authentication (mTLS).
When enabled, the default mutual TLS mode is passthrough.
If you select Verify with Trust Store:
- By default, connections with expired client certificates are rejected. To change this behavior expand Advanced mTLS settings, then under Client certificate expiration select Allow expired client certificates.
- Under Trust Store choose an existing trust store, or choose New trust store.
- If you chose New trust store, provide a Trust store name, the S3 URI Certificate Authority location, and optionally an S3 URI Certificate revocation list location.
- (Optional) Choose if you want to enable Advertise TrustStore CA subject names.
- Choose Add.
- To add certificates to the optional certificate list, see Add certificates to the certificate list.
To add an HTTPS listener using the AWS CLI
Use the create-listener command to create the listener and default rule, and the create-rule command to define additional listener rules.
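As an added example that is not part of the AWS documentation, the following POSIX shell script assembles the create-listener call that corresponds to the console steps above: an HTTPS listener on port 443 with a certificate, a security policy, a weighted forward action with group-level stickiness, and optionally mutual TLS in verify mode. It checks the certificate ARN shape, the policy name prefix, and the target-group weight range before printing the command, so mistakes surface locally instead of as API errors. All ARNs are constructed placeholders; the security policy name is assumed to be a current one, and both it and the mutual-authentication attribute names should be confirmed against the elbv2 CLI reference before use.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: assemble and sanity-check an
# `aws elbv2 create-listener` invocation for an HTTPS listener. Every ARN is a
# constructed placeholder; the security policy name is an assumption (use the
# latest predefined policy listed in the AWS docs for your Region).

# Accept only ACM certificate ARNs or IAM server-certificate ARNs, the two
# certificate sources the console offers. Returns 0 when the shape is right.
check_certificate_arn() {
  case "$1" in
    arn:*:acm:*:*:certificate/*)       return 0 ;;
    arn:*:iam::*:server-certificate/*) return 0 ;;
    *) echo "not an ACM or IAM certificate ARN: $1" >&2; return 1 ;;
  esac
}

# Every predefined policy name starts with this prefix; catch typos early.
check_ssl_policy() {
  case "$1" in
    ELBSecurityPolicy-*) return 0 ;;
    *) echo "unknown security policy name: $1" >&2; return 1 ;;
  esac
}

# Build the --default-actions JSON for a weighted forward to two target groups.
# Weights must be integers in 0..999 (the API range). Group-level stickiness is
# enabled here because it is required on the rule once stickiness is on for any
# of the target groups. Args: tg1_arn tg1_weight tg2_arn tg2_weight
build_forward_action() {
  for w in "$2" "$4"; do
    case "$w" in
      ''|*[!0-9]*) echo "weight '$w' is not a non-negative integer" >&2; return 1 ;;
    esac
    [ "$w" -le 999 ] || { echo "weight '$w' exceeds 999" >&2; return 1; }
  done
  printf '[{"Type":"forward","ForwardConfig":{"TargetGroups":[{"TargetGroupArn":"%s","Weight":%s},{"TargetGroupArn":"%s","Weight":%s}],"TargetGroupStickinessConfig":{"Enabled":true,"DurationSeconds":3600}}}]' \
    "$1" "$2" "$3" "$4"
}

# Print the full create-listener command on one line.
# Args: lb_arn cert_arn ssl_policy default_actions_json [trust_store_arn]
# With a trust store ARN, mTLS is set to verify mode and expired client
# certificates are rejected (IgnoreClientCertificateExpiry=false), matching
# the console default. Attribute names are assumptions to confirm in the CLI reference.
build_create_listener_cmd() {
  check_certificate_arn "$2" || return 1
  check_ssl_policy "$3" || return 1
  printf 'aws elbv2 create-listener --load-balancer-arn %s --protocol HTTPS --port 443 --certificates CertificateArn=%s --ssl-policy %s --default-actions %s' \
    "$1" "$2" "$3" "'$4'"
  if [ -n "$5" ]; then
    printf ' --mutual-authentication Mode=verify,TrustStoreArn=%s,IgnoreClientCertificateExpiry=false' "$5"
  fi
  printf '\n'
}

# Constructed placeholder values (account 123456789012 is a documentation-style example).
LB_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"
CERT_ARN="arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"
TG_BLUE="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/blue/aaaaaaaaaaaaaaaa"
TG_GREEN="arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/green/bbbbbbbbbbbbbbbb"
SSL_POLICY="ELBSecurityPolicy-TLS13-1-2-2021-06"   # assumption: verify it is still the latest

ACTIONS=$(build_forward_action "$TG_BLUE" 90 "$TG_GREEN" 10)
# Prints the command; pipe it to `sh` only after reviewing the output.
build_create_listener_cmd "$LB_ARN" "$CERT_ARN" "$SSL_POLICY" "$ACTIONS"
```

The script prints the command rather than executing it, so the generated JSON and flags can be reviewed first; passing a fifth argument (a trust store ARN) adds the mTLS verify-mode settings described in the console steps. Use create-rule afterwards for any non-default listener rules.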