Listener
Listeners are the ports where traffic flows into the load balancer. Multiple listeners can be added to a single load balancer, and each listener is connected to one default target group.
- Application Load Balancer (ALB) listeners (HTTP, HTTPS) can distribute traffic in a detailed manner by adding rules and conditions. The HTTPS listener processes encrypted traffic by applying SSL certificates.
- Network Load Balancer (NLB) listeners (TCP, UDP) work at layer 4 and are designed to quickly handle a large number of requests. TLS listeners support the TLS protocol and, like the ALB HTTPS listener, process encrypted traffic by applying SSL certificates.
- Direct Server Return Network Load Balancer (DSRNLB) listeners require the protocol and port number of the listener to match those of the target group. For more details, refer to DSRNLB.
Basic concepts
This section explains the listener concepts that are common to ALB, NLB, and DSRNLB.
Status
Listeners have two status indicators: Provisioning and Operating. The Provisioning status shows whether the resource is being created, modified, or deleted, while the Operating status indicates whether the created resource is available for use. Both statuses also reflect the status of the listener's lower-level resources. While a load balancer is being created, modified, or deleted, its listeners and target groups cannot be changed.
Listener provisioning status
Status | Definition |
---|---|
Active | Listener provisioning successful |
Error | Listener provisioning failed |
Creating | Listener is being created |
Updating | Listener is being updated, or a sub-resource (rules/conditions, target groups, targets, or health checks associated with the listener) is being created, modified, or deleted |
Deleting | Listener is being deleted |
Listener operating status
Status | Definition |
---|---|
Online | Listener is functioning normally |
Offline | Listener is administratively disabled |
Error | Listener is in an error state, or one of its sub-resources (rules/conditions, target groups, targets, or health checks associated with the listener) is in an error state |
Listener protocol
The listener protocol refers to the communication rule between the load balancer and the client. You can choose one of the following protocols: HTTP, HTTPS, TCP, UDP, TLS. Traffic incoming to the listener is distributed to the default target group based on the chosen protocol. The protocol of the listener restricts the protocol of the target group that can be set as the default.
Combinations of listener protocol and target group protocol
Load Balancer | Listener Protocol | Target Group Protocol |
---|---|---|
ALB | HTTP | HTTP, PROXY |
ALB | HTTPS | HTTP |
NLB | TCP | HTTP, HTTPS, TCP, PROXY |
NLB | UDP | UDP |
NLB | TLS | TCP |
DSRNLB | TCP | TCP |
DSRNLB | UDP | UDP |
When using the UDP listener in DSRNLB, additional configuration is required for the target instances, and it supports only certain operating systems. For detailed information, refer to How-to Guides.
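As an added example (not KakaoCloud's code), the following Python validates a listener definition against the protocol combinations in the table above, the certificate requirement for HTTPS/TLS listeners, and the DSRNLB port-matching rule; the `Listener` structure and its field names are assumptions for illustration.

```python
from dataclasses import dataclass

# Allowed target-group protocols per (load balancer type, listener protocol),
# transcribed from the combinations table above.
ALLOWED_TARGET_PROTOCOLS = {
    ("ALB", "HTTP"): {"HTTP", "PROXY"},
    ("ALB", "HTTPS"): {"HTTP"},
    ("NLB", "TCP"): {"HTTP", "HTTPS", "TCP", "PROXY"},
    ("NLB", "UDP"): {"UDP"},
    ("NLB", "TLS"): {"TCP"},
    ("DSRNLB", "TCP"): {"TCP"},
    ("DSRNLB", "UDP"): {"UDP"},
}
# Listener types that must have at least one SSL certificate registered.
CERT_REQUIRED = {("ALB", "HTTPS"), ("NLB", "TLS")}

@dataclass
class Listener:                    # hypothetical request shape, not the KakaoCloud API
    lb_type: str
    protocol: str
    port: int
    target_protocol: str
    target_port: int
    certificate_ids: tuple = ()

def validate_listener(l: Listener) -> list:
    """Return the list of problems found; an empty list means the listener is valid."""
    problems = []
    allowed = ALLOWED_TARGET_PROTOCOLS.get((l.lb_type, l.protocol))
    if allowed is None:
        return [f"{l.lb_type} does not support a {l.protocol} listener"]
    if l.target_protocol not in allowed:
        problems.append(f"{l.protocol} listener cannot use a {l.target_protocol} target group "
                        f"(allowed: {', '.join(sorted(allowed))})")
    if (l.lb_type, l.protocol) in CERT_REQUIRED and not l.certificate_ids:
        problems.append(f"{l.protocol} listener needs at least one SSL certificate")
    if l.lb_type == "DSRNLB" and l.port != l.target_port:
        problems.append(f"DSRNLB listener port {l.port} must match target group port {l.target_port}")
    return problems

if __name__ == "__main__":
    # Constructed sample: a DSRNLB UDP listener whose port differs from its target group's port.
    for p in validate_listener(Listener("DSRNLB", "UDP", 53, "UDP", 5353)):
        print("invalid:", p)
```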
SSL certificates
If using the HTTPS listener for ALB or the TLS listener for NLB, you must set up at least one SSL certificate on the load balancer. The load balancer uses the registered certificates to handle SSL handshakes and encryption/decryption. Certificates are managed at the account level, and you can choose from the certificates owned by your account. If you have no registered certificate, or want to use a certificate you already hold, you can add it as a new certificate by providing the PEM-encoded private key, certificate body, and chain.
Certificate Manager service can be used to register and manage certificates. These certificates can then be linked to HTTPS or TLS listeners when creating or configuring them.
Security policy (SSL/TLS)
You can configure the minimum supported TLS version for ALB's HTTPS listener and NLB's TLS listener so that clients establish secure connections; select one of the provided TLS versions to apply. Cipher suites are the sets of cryptographic algorithms used by the TLS protocol. The supported TLS protocol versions and cipher suites may vary.
Cipher suites
Cipher Suite | TLSv1.0 | TLSv1.1 | TLSv1.2 |
---|---|---|---|
ECDHE-RSA-AES128-GCM-SHA256 | v | | |
ECDHE_RSA_AES128_CBC_SHA | v | v | |
ECDHE-RSA-AES128-SHA | v | v | v |
ECDHE-RSA-AES128-SHA256 | v | | |
ECDHE-RSA-AES256-GCM-SHA384 | v | | |
ECDHE_RSA_AES256_CBC_SHA | v | v | |
ECDHE-RSA-AES256-SHA | v | v | v |
ECDHE-RSA-AES256-SHA384 | v | | |
AES128-GCM-SHA256 | v | | |
AES128-SHA | v | v | v |
AES128-SHA256 | v | | |
AES256-GCM-SHA384 | v | | |
AES256-SHA | v | v | v |
AES256-SHA256 | v | | |
CAMELLIA128-SHA | v | v | v |
CAMELLIA256-SHA | v | v | v |
DHE-RSA-AES128-GCM-SHA256 | v | | |
DHE-RSA-AES128-SHA | v | v | v |
DHE-RSA-AES128-SHA256 | v | | |
DHE-RSA-AES256-GCM-SHA384 | v | | |
DHE-RSA-AES256-SHA | v | v | v |
DHE-RSA-AES256-SHA256 | v | | |
Default behavior
The default behavior for handling traffic received by the listener is set to Forward. A single target group can be selected, which will act as the default target group.
You can add actions to the rules, such as Forward, Redirect To URL, and Redirect Prefix.
Attributes
Listeners can set basic attributes such as connection idle timeout. The connection idle timeout can be set in seconds, ranging from 1 to 4,000 seconds, with the default set to 50 seconds.
The Application Load Balancer offers more attribute settings, such as X-Forwarded-For header processing, X-Forwarded-Port forwarding, and X-Forwarded-Proto forwarding.
Maximum connections
The maximum connections feature is disabled by default. You can enable it and specify the maximum number of connections to limit the number of active connections that the listener can handle, ensuring the quality of service.
Load balancer-specific details
Detailed listener settings for each load balancer type.
Network Load Balancer
NLB allows selecting TCP, UDP, or TLS as the listener protocol. TLS listeners require the specification of an SSL certificate, which is used to terminate the connection and decrypt the client request before forwarding it to the target.
TLS listener
Using the TLS listener offloads encryption and decryption to the load balancer. You must register and specify at least one server certificate on the load balancer, which is known as the default certificate. After creating the TLS listener, you can replace the default certificate.
KakaoCloud NLB supports TLS versions 1.0 through 1.2. Refer to the security policy for the list of supported cipher suites for each TLS version.
Application Load Balancer
ALB supports HTTP and HTTPS as listener protocols. ALB allows you to specify detailed rule conditions, actions, and priorities. A default rule is automatically created during listener creation, and this rule always executes last. You can add and edit additional rules as needed.
Rule action types
ALB rule actions can be set to Forward, Redirect To URL, or Redirect Prefix. The default rule action type is Forward. You can select a target group from the list, and the protocol between the listener and the target group must be compatible. Forward actions send requests to the specified target group.
The Redirect To URL action allows you to set the protocol, URL, and response code. Conditions within a single rule are evaluated with an AND operator, while different rules are evaluated with an OR operator. If a rule's conditions evaluate to TRUE, the specified action is performed.
The Redirect Prefix action redirects all URLs that match the specified prefix to a given URL.
ALB rule action types | Description |
---|---|
Forward | Forward to the target group |
Redirect To URL | Redirect to a URL |
Redirect Prefix | Redirect all URLs matching the prefix |
Rule conditions
ALB rule conditions are composed of Type, Input, and Comparison Method. You can choose from various condition types like Host-Header, Path, HTTP-Header, File Type, and Cookie. The Input and Comparison Method options vary based on the selected condition type. Multiple conditions can be added to a single rule.
ALB rule condition types
Type | Description |
---|---|
Host-Header | Compares the URI host name with the input and routing method |
Path | Compares the path portion of the URI with the input and routing method |
HTTP-Header | Searches for a header in the URI header based on the key, and compares it with the input |
Cookie | Searches for a cookie in the URI header and compares it with the input |
File Type | Compares the file type at the end of the URI with the input |
ALB rule condition comparison methods
Comparison Method | Description |
---|---|
Match / Does not match | Compares the value of the key or checks if the key is absent |
Contains / Does not contain | Checks if the string contains the value |
Starts with / Does not start with | Checks if the string starts with the value |
Ends with / Does not end with | Checks if the string ends with the value |
ALB rule condition types and comparison methods
Condition Type | Comparison Method | Input |
---|---|---|
Host-Header | Match, Does not match | Value |
Path | All methods | Value |
HTTP-Header | All methods | Key, Value |
Cookie | All methods | Key, Value |
File Type | Match, Does not match | Value |
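The following is an added example (not KakaoCloud's code) that models the rule evaluation described above: conditions in a rule are ANDed, rules are tried in priority order (OR), the default rule runs last, and the condition types and comparison methods are the ones in the tables above. The `Rule`/`Condition` structures, the request dictionary layout, and lower-number-first priority are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Condition:
    ctype: str                 # Host-Header, Path, HTTP-Header, Cookie or File Type
    method: str                # e.g. "Match", "Does not match", "Starts with"
    value: str
    key: Optional[str] = None  # only HTTP-Header and Cookie conditions take a key

@dataclass
class Rule:
    priority: int              # lower value is evaluated first (assumption)
    conditions: list           # ANDed together
    action: tuple              # e.g. ("Forward", "tg-web") or ("Redirect To URL", "https://...")

# Comparison methods from the table above: (negated?, predicate on (subject, value)).
_METHODS = {
    "match": (False, lambda s, v: s == v), "does not match": (True, lambda s, v: s == v),
    "contains": (False, lambda s, v: v in s), "does not contain": (True, lambda s, v: v in s),
    "starts with": (False, str.startswith), "does not start with": (True, str.startswith),
    "ends with": (False, str.endswith), "does not end with": (True, str.endswith),
}
def _subject(c: Condition, req: dict) -> Optional[str]:
    """Select the part of the request that this condition type inspects."""
    if c.ctype == "Host-Header":
        return req["host"]
    if c.ctype == "Path":
        return req["path"]
    if c.ctype == "File Type":          # extension of the last path segment, if any
        last = req["path"].rsplit("/", 1)[-1]
        return last.rsplit(".", 1)[1] if "." in last else ""
    if c.ctype == "HTTP-Header":        # req["headers"] is assumed to be lower-case keyed
        return req.get("headers", {}).get(c.key.lower())
    if c.ctype == "Cookie":
        return req.get("cookies", {}).get(c.key)
    raise ValueError(f"unknown condition type {c.ctype}")

def condition_holds(c: Condition, req: dict) -> bool:
    negated, pred = _METHODS[c.method.lower()]
    subject = _subject(c, req)
    if subject is None:                 # key absent: only the "Does not ..." forms hold
        return negated
    return pred(subject, c.value) != negated

def route(rules: list, default_action: tuple, req: dict) -> tuple:
    """Rules are ORed in priority order; the default rule (no conditions) runs last."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(condition_holds(c, req) for c in rule.conditions):   # AND within a rule
            return rule.action
    return default_action
```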
ALB detailed attribute settings
ALB listeners can be configured with additional packet settings such as X-Forwarded-For, X-Forwarded-Port, and X-Forwarded-Proto headers.
X-Forwarded-For helps identify the client IP address when using ALB. This header is set before the ALB forwards the HTTP/HTTPS request to the target. X-Forwarded-Port helps identify the port used by the client for the load balancer connection. X-Forwarded-Proto helps identify the protocol (HTTP or HTTPS) used by the client for the load balancer connection.
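As an added example (not KakaoCloud's code), this is how a target behind an ALB can derive the client's address, port and scheme from the three headers above while only trusting them on requests that actually arrived from the load balancer; the load-balancer address range, the assumption that the ALB appends the client address it observed as the last X-Forwarded-For entry, and the header dictionary layout are assumptions.

```python
import ipaddress

# Placeholder for the subnet the ALB sends from; requests from anywhere else could
# have written the X-Forwarded-* headers themselves, so they are not trusted.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def client_from_forwarded_headers(peer_ip: str, headers: dict) -> dict:
    """Return the client's ip/port/proto as seen by the ALB, or the peer itself
    when the request did not come through a trusted load balancer."""
    peer = ipaddress.ip_address(peer_ip)
    via_lb = any(peer in net for net in TRUSTED_PROXY_NETS)
    h = {k.lower(): v for k, v in headers.items()}     # header names are case-insensitive
    result = {"ip": peer_ip, "port": None, "proto": "http", "via_lb": via_lb}
    if not via_lb:
        return result
    xff = h.get("x-forwarded-for", "")
    if xff:
        # Assumed ALB behaviour: the address it observed is appended last; earlier
        # entries may have been supplied by the client and are not believed.
        candidate = xff.split(",")[-1].strip()
        try:
            ipaddress.ip_address(candidate)
            result["ip"] = candidate
        except ValueError:
            pass                                         # malformed entry: keep the peer address
    port = h.get("x-forwarded-port", "")
    if port.isdigit() and 0 < int(port) < 65536:
        result["port"] = int(port)
    proto = h.get("x-forwarded-proto", "").lower()
    if proto in ("http", "https"):
        result["proto"] = proto
    return result

if __name__ == "__main__":
    # Constructed sample request as the ALB would deliver it to the target.
    print(client_from_forwarded_headers("10.1.2.3", {"X-Forwarded-For": "203.0.113.9, 198.51.100.7",
                                                     "X-Forwarded-Port": "443", "X-Forwarded-Proto": "https"}))
```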
Direct Server Return Network Load Balancer
DSRNLB allows selecting TCP or UDP as the listener protocol. The port number of the listener protocol must match the port number of the target group. DSRNLB's target instances require additional configuration.
The UDP listener for DSRNLB supports Linux-based operating systems and requires further setup.
For detailed information, refer to Adding and managing listeners.