Listener
A listener is a port that receives incoming traffic. You can add multiple listeners to a single load balancer, and each listener is associated with one default target group.
- Application Load Balancer (ALB) listeners (HTTP, HTTPS) can distribute traffic with fine-grained rules and conditions. The HTTPS listener processes encrypted traffic using SSL certificates.
- Network Load Balancer (NLB) listeners (TCP, UDP) operate at Layer 4 and handle large volumes of requests quickly. The TLS listener supports the TLS protocol and processes encrypted traffic using SSL certificates, similar to ALB's HTTPS listener.
- Direct Server Return Network Load Balancer (DSRNLB) listeners require the port number of the listener's Protocol to match the port number of the target group's Target. For details, please refer to DSRNLB.
Basic concepts
This section explains the basic listener concepts that apply to ALB, NLB, and DSRNLB alike.
Status
Listeners have two status indicators: Provisioning status, which shows whether the resource is being created, modified, or deleted, and Operating status, which indicates whether the created resource is available.
Both statuses are displayed based on the status of subordinate resources. During the creation, modification, or deletion of the load balancer, changes or deletions to listener and target group information are not possible.
Listener provisioning status
Status | Definition |
---|---|
Active | Listener provisioning succeeded |
Error | Listener provisioning failed |
Creating | Listener is being created |
Updating | Listener is being modified or subordinate resource creation/modification/deletion is in progress - Subordinate resources: ALB rules/conditions associated with the listener, target group, target, health checks |
Deleting | Listener is being deleted |
Listener operating status
Status | Definition |
---|---|
Online | Listener is operating normally |
Offline | Administrative disabled state |
Error | Listener is in an error state or some subordinate resources are in an error state - Subordinate resources: ALB rules/conditions associated with the listener, target group, target, health checks |
Listener protocol
The listener protocol is the communication protocol used between the load balancer and clients. You can choose from HTTP, HTTPS, TCP, UDP, or TLS. Traffic arriving at the listener is distributed to the default target group. The listener protocol restricts which target group protocols can be set as the default.
Combinations of listener protocol and target group protocol
Load Balancer | Listener protocol | Target group protocol |
---|---|---|
ALB | HTTP | HTTP, PROXY |
ALB | HTTPS | HTTP |
NLB | TCP | HTTP, HTTPS, TCP, PROXY |
NLB | UDP | UDP |
NLB | TLS | TCP |
DSRNLB | TCP | TCP |
DSRNLB | UDP | UDP |
When using a UDP listener on DSRNLB, additional settings on the target instance are required, and only certain operating systems are supported. For details, refer to the How-to Guides.
SSL certificates
If you use an HTTPS Listener for ALB or a TLS Listener for NLB, you must configure at least one SSL certificate on the load balancer. The load balancer handles SSL handshake and encryption/decryption based on the registered certificates. Certificates are managed per account, and you can select from the certificates owned by the account. If you have no registered certificates or want to register an existing certificate, you can use the add new certificate feature. To register a new certificate, you need to input a PEM-encoded private key, body, and chain.
Certificate management
Type | Description |
---|---|
Default SSL certificate | The certificate specified when creating the HTTPS/TLS listener, used by default when connecting without specifying a host name using the SNI protocol - The default certificate cannot be removed from the listener; to remove it, another certificate must be registered and replaced |
Additional SSL certificates | Up to 5 additional certificates can be registered per listener |
SSL certificate registration and storage | Certificates can be registered during the load balancer creation or listener addition process, or after certificate creation - PEM format private key, certificate body, and certificate chain are converted to PKCS12 format and stored in encrypted storage - Registered certificates can be viewed in the list when setting up an HTTPS/TLS listener |
SSL certificate disconnection | Disconnect the certificate set on the listener - Default certificates cannot be removed; at least one certificate must be specified for HTTPS/TLS listener |
SSL certificate deletion | Delete stored certificates |
Security policy (SSL/TLS)
In addition to setting up SSL certificates, you can configure the minimum supported TLS version. This is applicable to ALB's HTTPS listener and NLB's TLS listener.
Cipher suites are sets of cryptographic algorithms used in Transport Layer Security (TLS). The list of supported TLS protocol versions and cipher suites may change.
Cipher suites
Cipher Suite | TLSv1.0 | TLSv1.1 | TLSv1.2 |
---|---|---|---|
ECDHE-RSA-AES128-GCM-SHA256 | v | ||
ECDHE_RSA_AES128_CBC_SHA | v | v | |
ECDHE-RSA-AES128-SHA | v | v | v |
ECDHE-RSA-AES128-SHA256 | v | ||
ECDHE-RSA-AES256-GCM-SHA384 | v | ||
ECDHE_RSA_AES256_CBC_SHA | v | v | |
ECDHE-RSA-AES256-SHA | v | v | v |
ECDHE-RSA-AES256-SHA384 | v | ||
AES128-GCM-SHA256 | v | ||
AES128-SHA | v | v | v |
AES128-SHA256 | v | ||
AES256-GCM-SHA384 | v | ||
AES256-SHA | v | v | v |
AES256-SHA256 | v | ||
CAMELLIA128-SHA | v | v | v |
CAMELLIA256-SHA | v | v | v |
DHE-RSA-AES128-GCM-SHA256 | v | ||
DHE-RSA-AES128-SHA | v | v | v |
DHE-RSA-AES128-SHA256 | v | ||
DHE-RSA-AES256-GCM-SHA384 | v | ||
DHE-RSA-AES256-SHA | v | v | v |
DHE-RSA-AES256-SHA256 | v |
Default behavior
The default behavior for handling traffic received by the listener is fixed to Forward. You select one target group, which acts as the default target group.
By adding rules, you can add actions such as Forward, Redirect To URL, and Redirect Prefix.
Attributes
Listeners can be configured with a default attribute of connection idle timeout. This setting specifies the time in seconds that the load balancer allows a connection to remain idle before closing it, with a range of 1 to 4,000 seconds. The default is 50 seconds.
Application Load Balancers provide additional attribute settings, including packet settings such as X-Forwarded-For header processing, X-Forwarded-Port forwarding, and X-Forwarded-Proto forwarding.
Maximum connections
The maximum connections feature is disabled by default. It can be activated to specify a limit on the maximum number of connections that a listener can maintain, helping to ensure service quality by restricting the number of concurrent connections.
Type of load balancer
Describes detailed listener settings for each load balancer type.
Network Load Balancer
NLB allows you to select TCP, UDP, or TLS as the listener protocol. TLS listeners require an SSL certificate to be specified; the load balancer uses this certificate to terminate the TLS connection and decrypt the client request before forwarding it to the target.
TLS listener
Using a TLS listener offloads encryption and decryption work to the load balancer. To use a TLS listener, you must deploy and specify at least one server certificate on the load balancer; the certificate specified at creation is called the default certificate. After creating a TLS listener, you can replace the default certificate.
KakaoCloud NLB supports TLS versions from 1.0 to 1.2. For the list of Cipher Suites per TLS version, refer to the Security policy.
Application Load Balancer
ALB supports HTTP and HTTPS as listener protocols. ALB allows you to specify detailed rule conditions, actions, and rule priorities. Each listener automatically creates a default rule with a default action that is always evaluated last. You can create and edit additional rules as needed.
Rule action types
ALB supports Forward, Redirect To URL, and Redirect Prefix as rule actions. By default, the rule action type is set to Forward when creating the listener. In the action settings, you select a target group, which must satisfy the listener protocol and target group protocol relationship; target groups connected to other load balancers cannot be selected. The Forward action forwards requests to the specified target group.
Each condition is evaluated as TRUE or FALSE for incoming traffic. Different condition types within a single rule are combined with AND, while conditions from separate rules are combined with OR. If a rule's conditions are ultimately TRUE, its action is performed.
The Redirect To URL action lets you configure the protocol, URL, and response code, and redirects the request to the specified URL.
The Redirect Prefix action lets you set the protocol, prefix URL, and response code. Requests are redirected to all URLs matching the prefix.
ALB rule action type | Description |
---|---|
Forward | Forwards to target group |
Redirect To URL | Redirects to URL |
Redirect Prefix | Redirects to all URLs matching the prefix |
Rule conditions
ALB rule conditions consist of Type, Input Fields, and Comparison Method. The condition Type can be Host-Header, Path, HTTP-Header, File Type, or Cookie. The Input Fields and Comparison Method vary depending on the selected condition type. Multiple conditions can be added to a single rule.
ALB rule condition types
Type | Description |
---|---|
Host-Header | Compares URI host name with the input field and routes based on the comparison method |
Path | Compares the path portion of the URI with the input field and routes based on the comparison method |
HTTP-Header | Finds the header named by the key in the request headers, compares its value with the input field, and routes based on the comparison method |
Cookie | Finds the cookie named by the key in the request's Cookie header, compares its value with the input field, and routes based on the comparison method |
File type | Compares the file type at the end of the URI with the input field and routes based on the comparison method |
ALB rule condition comparison methods
Comparison Method | Description |
---|---|
Equals to / Not equals to | Compares the value or absence of the key with the string value |
Contains / Not contains | Checks if the string contains or does not contain the value |
Starts with / Not starts with | Checks if the string starts with or does not start with the value |
Ends with / Not ends with | Checks if the string ends with or does not end with the value |
ALB rule condition types and comparison methods
Condition type | Comparison method | Input fields |
---|---|---|
Host-Header | Equals to, Not equals to | Value |
Path | All | Value |
HTTP-Header | All | Key, Value |
Cookie | All | Key, Value |
File Type | Equals to, Not equals to | Value |
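The rule model described above (a rule's conditions combined with AND, separate rules combined with OR in priority order, the listener's default Forward rule evaluated last) can be made concrete with a small evaluator. The following is an added example written for this page, not KakaoCloud's own code: the `Request` model, the `Rule`/`Condition` classes, the function names, the "lower priority number first" ordering, the treatment of an absent header or cookie key (it satisfies only the negated comparison methods), the definition of File Type as the path extension without the dot, and the constructed rule set are all this example's assumptions. It only shows how a rule set is resolved to an action; it does not forward or redirect anything.

```python
import os
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Request:
    """Constructed request model holding only what rule conditions inspect."""
    host: str
    path: str
    headers: dict = field(default_factory=dict)  # header names in lowercase

    def header(self, key):
        return self.headers.get(key.lower())

    def cookie(self, key):
        jar = SimpleCookie()
        jar.load(self.headers.get("cookie", ""))
        return jar[key].value if key in jar else None

    def file_type(self):
        # Assumption: "file type" is the extension at the end of the path, without the dot
        return os.path.splitext(self.path)[1].lstrip(".")


@dataclass
class Condition:
    type: str      # Host-Header, Path, HTTP-Header, Cookie or File Type
    method: str    # one of the comparison methods in the table above
    value: str     # the Value input field
    key: str = ""  # the Key input field (HTTP-Header and Cookie only)


@dataclass
class Rule:
    priority: int     # assumption: lower numbers are evaluated first
    conditions: list
    action: dict      # {"type": "Forward", ...}, {"type": "Redirect To URL", ...}, ...


_POSITIVE = {
    "Equals to": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
    "Starts with": lambda actual, value: actual.startswith(value),
    "Ends with": lambda actual, value: actual.endswith(value),
}
_NEGATED = {"Not equals to": "Equals to", "Not contains": "Contains",
            "Not starts with": "Starts with", "Not ends with": "Ends with"}


def _extract(cond, req):
    """Pull the string the condition compares against out of the request."""
    if cond.type == "Host-Header":
        return req.host
    if cond.type == "Path":
        return req.path
    if cond.type == "HTTP-Header":
        return req.header(cond.key)
    if cond.type == "Cookie":
        return req.cookie(cond.key)
    if cond.type == "File Type":
        return req.file_type()
    raise ValueError(f"unknown condition type {cond.type!r}")


def condition_matches(cond, req):
    actual = _extract(cond, req)  # None when the header/cookie key is absent
    if cond.method in _NEGATED:
        # An absent key never equals or contains anything, so the negated form holds
        return actual is None or not _POSITIVE[_NEGATED[cond.method]](actual, cond.value)
    if cond.method not in _POSITIVE:
        raise ValueError(f"unknown comparison method {cond.method!r}")
    return actual is not None and _POSITIVE[cond.method](actual, cond.value)


def resolve_action(rules, default_target_group, req):
    """First rule (by priority) whose conditions all hold wins; the default rule runs last."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if all(condition_matches(c, req) for c in rule.conditions):
            return rule.action
    return {"type": "Forward", "target_group": default_target_group}


def sample_rules():
    """Constructed rule set: /admin only from the ops host, any other host is bounced."""
    return [
        Rule(10, [Condition("Path", "Starts with", "/admin"),
                  Condition("Host-Header", "Equals to", "ops.example.com")],
             {"type": "Forward", "target_group": "tg-admin"}),
        Rule(20, [Condition("Path", "Starts with", "/admin")],
             {"type": "Redirect To URL", "protocol": "HTTPS",
              "url": "https://www.example.com/", "response_code": 302}),
        Rule(30, [Condition("File Type", "Equals to", "png")],
             {"type": "Forward", "target_group": "tg-static"}),
        Rule(40, [Condition("Cookie", "Equals to", "1", key="beta")],
             {"type": "Forward", "target_group": "tg-beta"}),
    ]
```

Because the first matching rule wins, the order of the two `/admin` rules matters: rule 10 forwards only when the host condition also holds, and rule 20 catches every other `/admin` request. Swapping their priorities would redirect the ops host as well, which is the kind of mistake that is easy to check with an evaluator like this before changing a live listener.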
Detailed settings of ALB attributes
In addition to the default connection idle timeout setting, ALB listeners can also configure packet settings. The X-Forwarded-For, X-Forwarded-Port, and X-Forwarded-Proto request headers can be used for packet settings.
- The X-Forwarded-For request header helps identify the client's IP address when using ALB. ALB can set the X-Forwarded-For header of HTTP/HTTPS requests before sending them to the target.
- The X-Forwarded-Port request header helps identify the port the client used to connect to the load balancer.
- The X-Forwarded-Proto request header helps identify the protocol (HTTP or HTTPS) the client used to connect to the load balancer.
Direct Server Return Network Load Balancer
DSRNLB allows you to choose TCP or UDP as the listener protocol. The port number of the DSRNLB listener protocol must match the port of the target in the target group set for this listener. Additionally, the target instance of DSRNLB requires additional settings.
DSRNLB's UDP listener supports Linux-based operating systems and can be used with additional settings.
For more details, refer to Add and manage listeners.