
Listener

Listeners are the ports where traffic flows into the load balancer. Multiple listeners can be added to a single load balancer, and each listener is connected to one default target group.

  • Application Load Balancer (ALB) listeners (HTTP, HTTPS) can distribute traffic in a detailed manner by adding rules and conditions. The HTTPS listener processes encrypted traffic by applying SSL certificates.
  • Network Load Balancer (NLB) listeners (TCP, UDP) work at layer 4 and are designed to quickly handle a large number of requests. TLS listeners support the TLS protocol and, like the ALB HTTPS listener, process encrypted traffic by applying SSL certificates.
  • Direct Server Return Network Load Balancer (DSRNLB) listeners require the protocol and port number of the listener to match those of the target group. For more details, refer to DSRNLB.

Basic concepts

This section explains the listener concepts that are common to ALB, NLB, and DSRNLB.

Status

Listeners have two status indicators: Provisioning and Operating. The Provisioning status shows whether the resource is being created, modified, or deleted, while the Operating status indicates whether the created resource is available for use. Both statuses are combined with the status of lower-level resources. During the creation, modification, or deletion of a load balancer, changes to the listener or target group cannot be made.

Listener provisioning status

Status   | Definition
Active   | Listener provisioning successful
Error    | Listener provisioning failed
Creating | Listener is being created
Updating | Listener is being updated, or sub-resource creation/modification/deletion is in progress (sub-resources: rules/conditions, target groups, targets, and health checks associated with the listener)
Deleting | Listener is being deleted

Listener operating status

Status  | Definition
Online  | Listener is functioning normally
Offline | Listener is administratively disabled
Error   | Listener is in an error state, or some sub-resources are in an error state (sub-resources: rules/conditions, target groups, targets, and health checks associated with the listener)

Listener protocol

The listener protocol refers to the communication rule between the load balancer and the client. You can choose one of the following protocols: HTTP, HTTPS, TCP, UDP, TLS. Traffic incoming to the listener is distributed to the default target group based on the chosen protocol. The protocol of the listener restricts the protocol of the target group that can be set as the default.

Combinations of listener protocol and target group protocol

Load Balancer | Listener Protocol | Target Group Protocol
ALB           | HTTP              | HTTP, PROXY
ALB           | HTTPS             | HTTP
NLB           | TCP               | HTTP, HTTPS, TCP, PROXY
NLB           | UDP               | UDP
NLB           | TLS               | TCP
DSRNLB        | TCP               | TCP
DSRNLB        | UDP               | UDP
Info: When using the UDP listener in DSRNLB, additional configuration is required for the target instances, and it supports only certain operating systems. For detailed information, refer to How-to Guides.

SSL certificates

If you use the HTTPS listener for ALB or the TLS listener for NLB, you must set up at least one SSL certificate on the load balancer. The load balancer uses the registered certificates to handle SSL handshakes and encryption/decryption. Certificates are managed at the account level, and you can choose from the certificates owned by your account. If you have no registered certificate, or want to use a certificate you already hold elsewhere, you can add a new certificate by providing the PEM-encoded private key, certificate body, and chain.

Certificate Manager service can be used to register and manage certificates. These certificates can then be linked to HTTPS or TLS listeners when creating or configuring them.

Security policy (SSL/TLS)

You can configure the minimum TLS version that ALB's HTTPS listener and NLB's TLS listener will accept, so that clients establish connections with at least that version. You select one of the provided TLS versions to apply. Cipher suites are the sets of cryptographic algorithms used within the TLS protocol. The list of supported TLS protocol versions and cipher suites may vary.

Cipher suites

Cipher Suite                | Supported TLS versions
ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2
ECDHE_RSA_AES128_CBC_SHA    | two of TLSv1.0, TLSv1.1, TLSv1.2 (which two is not indicated)
ECDHE-RSA-AES128-SHA        | TLSv1.0, TLSv1.1, TLSv1.2
ECDHE-RSA-AES128-SHA256     | TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2
ECDHE_RSA_AES256_CBC_SHA    | two of TLSv1.0, TLSv1.1, TLSv1.2 (which two is not indicated)
ECDHE-RSA-AES256-SHA        | TLSv1.0, TLSv1.1, TLSv1.2
ECDHE-RSA-AES256-SHA384     | TLSv1.2
AES128-GCM-SHA256           | TLSv1.2
AES128-SHA                  | TLSv1.0, TLSv1.1, TLSv1.2
AES128-SHA256               | TLSv1.2
AES256-GCM-SHA384           | TLSv1.2
AES256-SHA                  | TLSv1.0, TLSv1.1, TLSv1.2
AES256-SHA256               | TLSv1.2
CAMELLIA128-SHA             | TLSv1.0, TLSv1.1, TLSv1.2
CAMELLIA256-SHA             | TLSv1.0, TLSv1.1, TLSv1.2
DHE-RSA-AES128-GCM-SHA256   | TLSv1.2
DHE-RSA-AES128-SHA          | TLSv1.0, TLSv1.1, TLSv1.2
DHE-RSA-AES128-SHA256       | TLSv1.2
DHE-RSA-AES256-GCM-SHA384   | TLSv1.2
DHE-RSA-AES256-SHA          | TLSv1.0, TLSv1.1, TLSv1.2
DHE-RSA-AES256-SHA256       | TLSv1.2
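The security policy above fixes two things at once: the minimum TLS version and the cipher suites a client can end up with. The following Python script is an added example, not code from the page or from KakaoCloud; it derives each suite's properties (key exchange, forward secrecy, AEAD or CBC, and the lowest TLS version that can negotiate it) from its OpenSSL-style name and uses that to answer two questions a practitioner asks before choosing a policy: which suites remain usable by a client stuck on an old TLS version, and which suites lack forward secrecy or AEAD. The version mapping comes from the TLS specifications (GCM and SHA-256/384 suites exist only from TLS 1.2; CBC-SHA suites go back to TLS 1.0), so the two underscore-spelled entries are classified by their cipher name rather than by the table. `PAGE_SUITES` is the list from this page; everything else is the example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

TLS_ORDER = {"TLSv1.0": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2)}


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str      # "ECDHE", "DHE", or "RSA" (static RSA key transport)
    forward_secrecy: bool  # True for ephemeral (EC)DH key exchange
    cipher: str            # "AES128", "AES256", "CAMELLIA128", ...
    aead: bool             # GCM suites are AEAD; the rest here are CBC + HMAC
    mac: str               # "SHA", "SHA256", or "SHA384"
    min_tls: str           # lowest protocol version that can negotiate the suite


def parse_suite(name: str) -> SuiteInfo:
    """Derive a suite's properties from its OpenSSL-style name.

    Accepts both spellings used in the table: "-" or "_" separators and an
    optional explicit "CBC" token.
    """
    tokens = [t for t in name.replace("_", "-").split("-") if t != "CBC"]
    if tokens[0] in ("ECDHE", "DHE"):
        kx, tokens = tokens[0], tokens[2:]  # drop the kx token and the "RSA" auth token
    else:
        kx = "RSA"
    cipher, mac = tokens[0], tokens[-1]
    aead = "GCM" in tokens
    # AEAD suites and SHA-256/SHA-384 HMAC suites are defined only for TLS 1.2
    # (RFC 5246, RFC 5288, RFC 5289); CBC suites with SHA-1 go back to TLS 1.0.
    min_tls = "TLSv1.2" if aead or mac in ("SHA256", "SHA384") else "TLSv1.0"
    return SuiteInfo(name, kx, kx != "RSA", cipher, aead, mac, min_tls)


def usable_by_client(names: List[str], client_max: str) -> List[str]:
    """Suites a client that speaks at most `client_max` can still negotiate."""
    return [n for n in names
            if TLS_ORDER[parse_suite(n).min_tls] <= TLS_ORDER[client_max]]


def audit(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a suite list into (modern, legacy).

    modern = forward secrecy and AEAD; legacy = static RSA key transport or
    CBC mode, which raising the minimum TLS version alone does not remove.
    """
    modern, legacy = [], []
    for n in names:
        s = parse_suite(n)
        (modern if s.forward_secrecy and s.aead else legacy).append(n)
    return modern, legacy


# The cipher suites listed on this page.
PAGE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE_RSA_AES128_CBC_SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE_RSA_AES256_CBC_SHA",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA", "AES256-SHA256",
    "CAMELLIA128-SHA", "CAMELLIA256-SHA",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256",
]

if __name__ == "__main__":
    for version in TLS_ORDER:
        print(version, "client can use", len(usable_by_client(PAGE_SUITES, version)), "suites")
    modern, legacy = audit(PAGE_SUITES)
    print("forward secrecy + AEAD:", modern)
    print("legacy (static RSA or CBC):", legacy)
```

The point the audit makes: a minimum version of TLSv1.2 stops a TLSv1.0-only client, but every CBC and static-RSA suite in the table is still negotiable under TLS 1.2, so the minimum version and the suite list have to be reviewed together.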

Default behavior

The default behavior for traffic received by the listener is Forward. You select a single target group, which acts as the default target group.
Rules can add further actions, such as Forward, Redirect To URL, and Redirect Prefix.

Attributes

Listeners can set basic attributes such as connection idle timeout. The connection idle timeout can be set in seconds, ranging from 1 to 4,000 seconds, with the default set to 50 seconds.
The Application Load Balancer offers more attribute settings, such as X-Forwarded-For Header processing, X-Forwarded-Port forwarding, and X-Forwarded-Proto forwarding.

Maximum connections

The maximum connections feature is disabled by default. You can enable it and specify the maximum number of connections to limit the number of active connections that the listener can handle, ensuring the quality of service.

Load balancer-specific details

Detailed listener settings for each load balancer type.

Network Load Balancer

NLB allows selecting TCP, UDP, or TLS as the listener protocol. TLS listeners require the specification of an SSL certificate, which is used to terminate the connection and decrypt the client request before forwarding it to the target.

TLS listener

Using the TLS listener offloads encryption and decryption to the load balancer. You must register and specify at least one server certificate on the load balancer, which is known as the default certificate. After creating the TLS listener, you can replace the default certificate.
KakaoCloud NLB supports TLS versions 1.0 through 1.2. Refer to the security policy for the list of supported cipher suites for each TLS version.

Application Load Balancer

ALB supports HTTP and HTTPS as listener protocols. ALB allows you to specify detailed rule conditions, actions, and priorities. A default rule is automatically created during listener creation, and this rule always executes last. You can add and edit additional rules as needed.

Rule action types

ALB rule actions can be set to Forward, Redirect To URL, or Redirect Prefix; the default rule's action type is Forward. For a Forward action you select a target group from the list, and the listener protocol and the target group protocol must be compatible; the action then sends the request to that target group.
The Redirect To URL action lets you set the protocol, URL, and response code. Conditions within a single rule are combined with AND, while separate rules are combined with OR: when a rule's conditions evaluate to TRUE, its action is performed.
The Redirect Prefix action redirects all URLs that match the specified prefix to a given URL.

ALB rule action types

Action type     | Description
Forward         | Forward to the target group
Redirect To URL | Redirect to a URL
Redirect Prefix | Redirect all URLs matching the prefix

Rule conditions

ALB rule conditions are composed of Type, Input, and Comparison Method. You can choose from various condition types like Host-Header, Path, HTTP-Header, File Type, and Cookie. The Input and Comparison Method options vary based on the selected condition type. Multiple conditions can be added to a single rule.

ALB rule condition types

Type        | Description
Host-Header | Compares the host name of the URI with the input using the selected comparison method
Path        | Compares the path portion of the URI with the input using the selected comparison method
HTTP-Header | Looks up the request header with the given key and compares its value with the input
Cookie      | Looks up the cookie with the given key in the request and compares its value with the input
File Type   | Compares the file extension at the end of the URI with the input

ALB rule condition comparison methods

Comparison Method                     | Description
Match / Does not match                | Compares the value of the key, or checks that the key is absent
Contains / Does not contain           | Checks whether the string contains the value
Starts with / Does not start with     | Checks whether the string starts with the value
Ends with / Does not end with         | Checks whether the string ends with the value

ALB rule condition types and comparison methods

Condition Type | Comparison Method      | Input
Host-Header    | Match, Does not match  | Value
Path           | All methods            | Value
HTTP-Header    | All methods            | Key, Value
Cookie         | All methods            | Key, Value
File Type      | Match, Does not match  | Value

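To make the rule semantics above concrete (AND within a rule, OR across rules, priority order, and the default rule executing last), here is an added Python model of ALB rule evaluation. It is example code written for this page, not KakaoCloud's implementation or API; the condition types and comparison methods are the ones in the tables, while the data classes, the rule set, the host names and target group names are constructed for illustration. Two details are assumptions: lower priority numbers are evaluated first, and a Redirect Prefix action replaces the matched prefix with the given URL and keeps the rest of the path.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Comparison methods from the page. Negated forms map to their positive test.
COMPARATORS: Dict[str, Callable[[str, str], bool]] = {
    "match": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "starts with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
}
NEGATED = {"does not match": "match", "does not contain": "contains",
           "does not start with": "starts with", "does not end with": "ends with"}


@dataclass(frozen=True)
class Condition:
    type: str                  # Host-Header, Path, HTTP-Header, Cookie, File Type
    method: str                # e.g. "match", "does not match", "starts with"
    value: str
    key: Optional[str] = None  # only HTTP-Header and Cookie take a key


@dataclass(frozen=True)
class Rule:
    priority: int              # assumption: lower numbers are evaluated first
    conditions: Tuple[Condition, ...]
    action: str                # "Forward", "Redirect To URL", "Redirect Prefix"
    target: str                # target group name, or the redirect URL
    prefix: str = ""           # Redirect Prefix only: the path prefix to replace


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case names
    cookies: Dict[str, str] = field(default_factory=dict)


def _extract(req: Request, cond: Condition) -> Optional[str]:
    """Value the condition type compares against; None when the key/value is absent."""
    if cond.type == "Host-Header":
        return req.host.lower()
    if cond.type == "Path":
        return req.path
    if cond.type == "HTTP-Header":
        return req.headers.get((cond.key or "").lower())
    if cond.type == "Cookie":
        return req.cookies.get(cond.key or "")
    if cond.type == "File Type":
        last = req.path.rsplit("/", 1)[-1]
        return last.rsplit(".", 1)[1] if "." in last else None
    raise ValueError(f"unknown condition type {cond.type!r}")


def condition_holds(req: Request, cond: Condition) -> bool:
    base = NEGATED.get(cond.method, cond.method)
    actual = _extract(req, cond)
    # An absent key never satisfies a positive test, so "does not match" is TRUE
    # when the key is missing, as the comparison-method table describes.
    result = actual is not None and COMPARATORS[base](actual, cond.value)
    return result != (cond.method in NEGATED)


def evaluate(rules: List[Rule], default_target_group: str, req: Request) -> Tuple[str, str]:
    """First rule (by priority) whose conditions all hold wins: AND inside a rule,
    OR across rules. The default Forward rule always runs last."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not all(condition_holds(req, c) for c in rule.conditions):
            continue
        if rule.action == "Forward":
            return "forward", rule.target
        if rule.action == "Redirect To URL":
            return "redirect", rule.target
        if rule.action == "Redirect Prefix":
            # Assumption: the matched prefix is replaced by the target URL and the
            # rest of the path is kept; a non-matching path falls through.
            if req.path.startswith(rule.prefix):
                return "redirect", rule.target + req.path[len(rule.prefix):]
            continue
        raise ValueError(f"unknown action {rule.action!r}")
    return "forward", default_target_group


# Constructed sample rule set (names are placeholders, not values from the page).
RULES = [
    Rule(10, (Condition("Host-Header", "match", "api.example.test"),
              Condition("Path", "starts with", "/v2/")), "Forward", "tg-api-v2"),
    Rule(20, (Condition("File Type", "match", "png"),), "Forward", "tg-static"),
    Rule(30, (Condition("HTTP-Header", "does not match", "1", key="X-Beta"),
              Condition("Cookie", "contains", "legacy", key="session")),
         "Redirect To URL", "https://legacy.example.test/"),
    Rule(40, (Condition("Path", "starts with", "/old/"),),
         "Redirect Prefix", "https://www.example.test/new/", prefix="/old/"),
]
DEFAULT_TG = "tg-default"


def route(req: Request) -> Tuple[str, str]:
    return evaluate(RULES, DEFAULT_TG, req)


if __name__ == "__main__":
    for r in (Request("api.example.test", "/v2/users"),
              Request("api.example.test", "/v1/logo.png"),
              Request("www.example.test", "/old/docs/index.html"),
              Request("www.example.test", "/", cookies={"session": "legacy-abc"}),
              Request("www.example.test", "/about")):
        print(r.host, r.path, "->", route(r))
```

Rule 30 is the one worth tracing: its "does not match" header condition is TRUE when the X-Beta header is absent, so a request with the legacy cookie and no header is redirected, while the same request carrying `X-Beta: 1` fails the rule and falls through to the default target group.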
ALB detailed attribute settings

ALB listeners can be configured with additional packet settings such as X-Forwarded-For, X-Forwarded-Port, and X-Forwarded-Proto headers.

  • X-Forwarded-For helps identify the client IP address when using ALB. This header is set before the ALB forwards the HTTP/HTTPS request to the target.
  • X-Forwarded-Port helps identify the port used by the client for the load balancer connection.
  • X-Forwarded-Proto helps identify the protocol (HTTP or HTTPS) used by the client for the load balancer connection.
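The three headers are only meaningful when the target knows the request actually came through the ALB: anything that can reach the target directly can set them to arbitrary values. The following Python example is added here and is not KakaoCloud code; it shows how a backend behind the ALB can resolve the client address, scheme and port from these headers while honouring them only for connections that originate from the load balancer's own addresses. The `TRUSTED_PROXIES` range, the port defaults and the sample headers are constructed values. It assumes the load balancer appends the connecting client's address to X-Forwarded-For, so the rightmost entry is the one set by the ALB; if the ALB sets the header outright, that entry is the only one and the result is the same.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed value: the address range the ALB uses when it connects to targets.
# Assumption: substitute the load balancer addresses of your own deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class ClientInfo:
    ip: str
    proto: str       # "http" or "https"
    port: int
    forwarded: bool  # True when the address came from a trusted X-Forwarded-For


def _is_trusted_proxy(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def _last_forwarded_ip(value: Optional[str]) -> Optional[str]:
    """Rightmost X-Forwarded-For entry: the one the load balancer itself appended.
    Entries to its left were supplied by the client and must not be trusted."""
    if not value:
        return None
    candidate = value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # not an IP address: ignore the header entirely


def client_info(peer_ip: str, headers: Dict[str, str],
                direct_proto: str = "http", direct_port: int = 8080) -> ClientInfo:
    """Resolve the real client address, scheme and port behind the ALB.

    `headers` uses lower-case names. Forwarded headers are honoured only when
    the TCP peer is the load balancer; for any other peer the connection's own
    properties are reported and the headers are ignored.
    """
    if not _is_trusted_proxy(peer_ip):
        return ClientInfo(peer_ip, direct_proto, direct_port, False)
    ip = _last_forwarded_ip(headers.get("x-forwarded-for")) or peer_ip
    proto = headers.get("x-forwarded-proto", "").lower()
    if proto not in ("http", "https"):
        proto = direct_proto
    try:
        port = int(headers.get("x-forwarded-port", ""))
        if not 1 <= port <= 65535:
            raise ValueError(port)
    except ValueError:
        port = direct_port
    return ClientInfo(ip, proto, port, ip != peer_ip)


def https_redirect_target(info: ClientInfo, host: str, path: str) -> Optional[str]:
    """If the client reached the load balancer over plain HTTP, return the HTTPS
    URL to redirect to; None when the original request was already HTTPS."""
    if info.proto == "https":
        return None
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed sample: a request relayed by the ALB from 10.0.0.5.
    sample = {"x-forwarded-for": "203.0.113.7, 198.51.100.9",
              "x-forwarded-proto": "https", "x-forwarded-port": "443"}
    print(client_info("10.0.0.5", sample))
    print(client_info("192.0.2.50", sample))  # direct connection: headers ignored
```

X-Forwarded-Proto is what makes an HTTP-to-HTTPS redirect on the target possible at all: behind the ALB the target always sees a plaintext connection from the load balancer, so without the header it cannot tell an HTTPS client from an HTTP one.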

Direct Server Return Network Load Balancer

DSRNLB allows selecting TCP or UDP as the listener protocol. The port number of the listener protocol must match the port number of the target group. DSRNLB's target instances require additional configuration.
The UDP listener for DSRNLB supports Linux-based operating systems and requires further setup.
For detailed information, refer to Adding and managing listeners.