Configuring HTTP/2 for LoadBalancer Services
Services can be exposed via HTTP/2. By default, HTTP/1.x is used between clients and load balancers. HTTP/2 can improve access performance between clients and load balancers, but HTTP/1.x is still used between load balancers and backend servers.
- An HTTPS-compliant load balancer supports HTTP/2.
- After HTTP/2 is configured, if you delete the advanced configuration for enabling HTTP/2 on the CCE console or delete the target annotation from the YAML file, the configuration on the ELB will be retained.
Prerequisites
- A Kubernetes cluster is available and the cluster version meets the following requirements:
- v1.23: v1.23.13-r0 or later
- v1.25: v1.25.8-r0 or later
- v1.27: v1.27.5-r0 or later
- v1.28: v1.28.3-r0 or later
- Other clusters of later versions
- To create a cluster using commands, ensure kubectl is used. For details, see Accessing a Cluster Using kubectl.
Step 1: Deploy a Sample Application
This section uses a Nginx Deployment as an example.
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane, choose Workloads. In the upper right corner, click Create Workload.
- In the Basic Info area, enter the workload name. In this example, the workload name is nginx. Retain the default settings for other parameters.
- In Container Information under Container Settings, specify the image name and tag. Retain the default settings for other parameters.
Parameter
Example
Image Name
Click Select Image. In the displayed dialog box, click Open Source Images under SWR Shared Edition, search for nginx, select it, and click OK.
Image Tag
Select the latest image tag.
- Retain the default settings for other parameters and click Create Workload.
Step 2: Create a LoadBalancer Service and Configure HTTP/2
Use one of the following methods.
In this section, the sample certificate is cert-test. Replace it with the actual one.
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
In this example, only mandatory parameters for configuring SNI are listed. Retain the default settings for other parameters. For details, see Using the CCE Console (New Version).
- Configure basic parameters.
Parameter
Description
Example
Service Type
Select LoadBalancer.
None
Service Name
Enter a name, which can be the same as the workload name.
nginx
Namespace
Select the namespace that the workload belongs to.
default
Selector
Add the key and value of a pod label. The Service will be associated with the workload pods based on the label and direct traffic to the pods with this label.
You can also click Reference Workload Label to use the label of an existing workload. In the dialog box displayed, select a workload and click OK.
app:nginx

- Configure load balancer parameters.
Parameter
Description
Example
Load Balancer
Select a load balance type and how the load balancer will be created. To enable HTTP/HTTPS on the listener port of a dedicated load balancer, the type of the load balancer must be Application (HTTP/HTTPS) or Network (TCP/UDP/TLS) & Application (HTTP/HTTPS).- Use existing: Only the load balancers in the same VPC as the cluster can be selected. If no load balancer is available, click Create Load Balancer to create one on the ELB console.
- Auto create: The load balancer will be created in the VPC that the cluster belongs to. For details, see Table 1.
An existing Dedicated load balancer of the Network (TCP/UDP/TLS) & Application (HTTP/HTTPS) type

- Configure access parameters.
Parameter
Description
Example
Service Affinity
Whether to route external traffic to a local node or a cluster-wide endpoint. For details, see Service Affinity (externalTrafficPolicy).- Cluster-level: The IP addresses and ports of all nodes in a cluster can access the workload associated with the Service. However, accessing the Service may result in performance deterioration due to route redirection, and the client's source IP address may not be obtainable.
- Node-level: Only the IP address and port of the node where the workload is located can access the workload associated with the Service. Accessing the Service will not result in a performance deterioration due to route redirection, and the client's source IP address can be obtained.
Cluster-level
Backend Routing Policy
- Global: All ports use the same backend routing policy. For details about the parameters, see Table 1. CAUTION:
When multiple ports are added, and some of them use different frontend protocols, the global backend routing policy cannot be applied across all protocols simultaneously. For any protocol to which the policy cannot be applied, CCE automatically falls back to the default configuration. For details about the mapping between the frontend and backend protocols of listeners and backend server groups, see Mapping Between Frontend and Backend Protocols for Load Balancing and Configuration Examples. Custom is recommended.
- Custom: Each port can have a unique backend routing policy. You can configure the policy in Port > Backend Routing Policy.
Custom
Port
- Protocol: the protocol used by the Service. If a Service needs to use ELB TLS or HTTP, set Protocol to TCP and select the target frontend protocol. For details, see Protocols for Services.
- Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
- Service Port: the port used by the Service.
- Listen on a port: The port ranges from 1 to 65535.
- Listen on ports: ELB allows you to create listeners that listen on ports within specified ranges. Each listener can support up to 10 non-overlapping port ranges.
To configure port ranges for load balancer listeners, ensure the following conditions are met:
- The cluster version must be v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, v1.30.1-r0, or later.
- A dedicated load balancer must be used with TCP/UDP/TLS selected.
- This function requires ELB. Before using this function, check whether ELB supports full-port listening and forwarding for layer-4 protocols in the current region.
- Frontend Protocol: Set the protocol of the load balancer listener for establishing connections with clients. When a dedicated load balancer is selected, HTTP/HTTPS can be configured only when Application (HTTP/HTTPS) is selected and TLS can be configured only when Network (TCP/UDP/TLS) is selected.
- Backend Routing Policy: If Backend Routing Policy is set to Custom, you can configure backend routing policies for ports that use different protocols. For details about the parameters, see Table 1.
NOTE:When a LoadBalancer Service is created, a random node port number (NodePort) is automatically generated.
- Protocol: TCP
- Container Port: 80
- Service Port: 443
- Frontend Protocol: HTTPS
Table 1 Parameters for configuring the backend routing policy Parameter
Description
Example
Backend Protocol
The service protocol used by the load balancer's backend server group. TCP, HTTP, HTTPS, TLS, QUIC, and UDP are supported. For details about the mapping between the frontend and backend protocols of listeners and backend server groups, see Mapping Between Frontend and Backend Protocols for Load Balancing and Configuration Examples.
HTTP
Load Balancing Algorithm
Load balancers forward requests from clients to the corresponding backend servers based on the configured traffic routing policies.
- Weighted round robin: Requests are forwarded to different backend servers in turn based on the server weights you define in the target group.
- Weighted least connections: Requests are forwarded to the backend server with the smallest connections-to-weight ratio.
- Source IP hash: Requests from the same source IP address are forwarded to the same backend server by hashing the source IP address.
Weighted round robin

- Configure listener parameters.
Parameter
Description
Constraint
Example
SSL Authentication
- One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select two-way authentication.
- Two-way authentication: Both the clients and the load balancer authenticate each other. This ensures only authenticated clients can access the load balancer. No additional backend server configuration is required if you select this option.
This parameter is available only when Frontend Protocol is set to HTTPS or TLS.
Dedicated load balancers are available in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. Shared load balancers are available in clusters v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or later.
One-way authentication
CA Certificate
If SSL Authentication is set to Two-way authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a Certificate Authority (CA) and is used to verify the issuer of the client's certificate. If HTTPS two-way authentication is enabled, HTTPS connections can be established only if the client provides a certificate issued by a specific CA.
This parameter is available only when Frontend Protocol is set to HTTPS or TLS and SSL Authentication is set to Two-way authentication.
None
Server Certificate
Select a server certificate. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.
This parameter is available only when Frontend Protocol is set to HTTPS or TLS.
cert-test
Enable HTTP/2
Whether to enable HTTP/2 for HTTPS requests between the client and the load balancer. Request forwarding using HTTP/2 improves access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server.
This parameter is available only when Frontend Protocol is set to HTTPS.
Enable

- Click Create.
- Log in to the CCE console and click the cluster name to access the cluster console.
- In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
- Configure Service parameters. In this example, only mandatory parameters are listed. For details about how to configure other parameters, see Using the CCE Console (Old Version).
- Service Name: Specify a Service name, which can be the same as the workload name.
- Service Type: Select LoadBalancer.
- Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
- Load Balancer: Select a load balancer type and creation mode.
- A load balancer can be dedicated or shared. To enable HTTPS on the listener port of a dedicated load balancer, the type of the load balancer must be Application (HTTP/HTTPS) or Network (TCP/UDP) & Application (HTTP/HTTPS).
- This section uses an existing load balancer as an example. For details about the parameters for automatically creating a load balancer, see Table 4.
- Port
- Protocol: Select TCP. If you select UDP, HTTP and HTTPS will be unavailable.
- Service Port: the port used by the Service. The port ranges from 1 to 65535.
- Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
- Frontend Protocol: In this example, HTTPS must be enabled for the Service to use HTTP/2. For a dedicated load balancer, to use HTTPS, the type of the load balancer must be Application (HTTP/HTTPS).
- Listener
- SSL authentication is available only for dedicated load balancers in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. Shared load balancers are available in clusters v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or later.
- One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select two-way authentication.
- Two-way authentication: Both the clients and the load balancer authenticate each other. This ensures only authenticated clients can access the load balancer. No additional backend server configuration is required if you select this option.
- CA Certificate: If SSL Authentication is set to Two-way authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a Certificate Authority (CA) and is used to verify the issuer of the client's certificate. If HTTPS two-way authentication is enabled, HTTPS connections can be established only if the client provides a certificate issued by a specific CA.
- Server Certificate: Select a server certificate when HTTPS is used. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.
- SNI: Add an SNI certificate containing a domain name. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.
- Advanced Options: Click Add and enable HTTP/2.
- SSL authentication is available only for dedicated load balancers in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. Shared load balancers are available in clusters v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or later.
Figure 1 Enabling HTTP/2
- Click OK.
To enable HTTP/2, add the following annotation:
kubernetes.io/elb.http2-enable: 'true'
apiVersion: v1
kind: Service
metadata:
name: test
labels:
app: test
version: v1
namespace: default
annotations:
kubernetes.io/elb.class: performance
kubernetes.io/elb.id: 35cb350b-23e6-4551-ac77-10d5298f5204
kubernetes.io/elb.protocol-port: https:443
kubernetes.io/elb.cert-id: b64ab636f1614e1a960b5249c497a880
kubernetes.io/elb.http2-enable: 'true'
kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
spec:
selector:
app: test
version: v1
externalTrafficPolicy: Cluster
ports:
- name: cce-service-0
targetPort: 80
nodePort: 0
port: 443
protocol: TCP
type: LoadBalancer
loadBalancerIP: **.**.**.** | Parameter | Type | Description |
|---|---|---|
| kubernetes.io/elb.protocol-port | String | If a Service is HTTP/HTTPS-compliant, configure the protocol and port in the format of "protocol:port". where,
For example, to use HTTPS, the Service port must be 443. Therefore, the parameter value is https:443. |
| kubernetes.io/elb.cert-id | String | ID of an ELB certificate, which is used as the HTTPS server certificate. How to obtain: Log in to the ELB console and choose Certificates. In the certificate list, copy the ID under the target certificate name. |
| kubernetes.io/elb.http2-enable | String | Whether HTTP/2 is enabled. Request forwarding using HTTP/2 improves access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server. Options:
Note: HTTP/2 can be enabled or disabled only when the listener uses HTTPS. This parameter is invalid and defaults to false when the listener protocol is HTTP. |
Step 3: Access the Workload
curl -I -k https://example.com --http2 Command output:
HTTP/2 200 date: Wed, 30 Jul 2025 08:03:45 GMT content-type: text/html content-length: 612 last-modified: Tue, 17 Apr 2018 13:46:53 GMT etag: "5ad5facd-264" accept-ranges: bytes server: elb
Certain curl versions may not support HTTP/2. Before running the command, run curl --version to check for HTTP/2 in Features. If your curl version does not meet the requirements, obtain the latest version at the official curl website.

Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot