Adding a TLS Listener

Scenarios

If you require ultra-high performance and large-scale TLS offloading, you can add a TLS listener to forward encrypted TCP requests from clients.

TLS is available in certain regions. You can see which regions support TLS on the console.

Constraints

TLS listeners can only be added to network load balancers that support new TLS connections.
TLS listeners can only be associated with TCP and TLS backend server groups.

Procedure

Go to the load balancer list page.
On the displayed page, locate the load balancer and click its name.

On the Listeners tab, click Add Listener and configure parameters based on Table 1.

**Table 1** Parameters for configuring a TLS listener
Parameter	Description
Frontend Protocol	Specifies the protocol that will be used by the load balancer to receive requests from clients. Select TLS.
Listening Port	Specifies a port or port ranges that will be used by the load balancer to receive requests from clients. Single port: The listener listens only on the specified port. Port ranges: The listener listens on all ports in the specified port ranges and routes the received packets to the corresponding ports on the backend servers, if the frontend protocol is TCP, UDP, or TLS.
Name (Optional)	Specifies the listener name.
Transfer Client IP Address	If the frontend protocol is TLS, the source IP addresses of the clients cannot be passed to backend servers. Enable ProxyProtocol to transfer the source IP addresses.
ProxyProtocol	Specifies whether to enable the ProxyProtocol option to pass the source IP addresses of the clients to backend servers. WARNING: Ensure the backend servers support ProxyProtocol. If they do not, services may be interrupted.
Access Control	Specifies how access to the listener is controlled. For details, see What Is Access Control? All IP addresses is selected for access control by default. You can select Whitelist or Blacklist and choose an IP address group. Whitelist: Only IP addresses in the whitelist can access the listener. Requests from the IP addresses or CIDR blocks specified in the IP address group will be forwarded by the listener. Blacklist: IP addresses in the blacklist are not allowed to access the listener. Requests from the IP addresses or CIDR blocks specified in the IP address group will not be forwarded by the listener.
Configure Certificate
SSL Authentication	Specifies whether how you want the clients and backend servers to be authenticated. One-way authentication: Backend servers will be authenticated by clients. Mutual authentication: The clients and backend servers will authenticate each other.
CA Certificate	Specifies the certificate that will be used to authenticate the client when SSL Authentication is set to Mutual authentication. CA certificates are also called client CA public key certificate. They are used to verify the issuer of a client certificate. HTTPS connections can only be established when the client provides a certificate issued by a specific CA.
Server Certificate	Specifies a server certificate that will be used to authenticate the server when TLS is used as the frontend protocol. Both the certificate and private key are required.
SNI	Server Name Indication (SNI) is an extension to TLS. It allows clients to specify which domain name of a listener they are trying to connect in the first request. Once receiving the request, the load balancer searches for the certificate based on the domain name. The client includes the domain name in the initial SSL handshake. Once receiving the request, the load balancer searches for the certificate based on the domain name. If an SNI certificate is found, this certificate will be used for authentication. If no SNI certificates are found, the server certificate is used for authentication. For details, see Using SNI Certificates for Access Through Multiple Domain Names.
SNI Certificate	Specifies one or more certificates associated with the domain name when the frontend protocol is TLS and SNI is enabled. You can only select the server certificate with SNI domain names.
More (Optional)
Security Policy	Specifies the security policy you can use if you select TLS as the frontend protocol. For more information, see Configuring TLS Security Policies for Encrypted Communication.
Idle Timeout (s)	Specifies the length of time for a connection to keep alive, in seconds. If no request is received within this period, the load balancer closes the connection and establishes a new one with the client when the next request arrives. The idle timeout duration ranges from 0 to 4000.
Maximum New Connections per AZ	Specifies the maximum number of new connections that a listener can handle per second in each AZ. Unlimited is selected by default. You can select Limit request to set the maximum number of new connections. The value ranges from 1 to 1,000,000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
Maximum Concurrent Connections per AZ	Specifies the maximum number of concurrent connections that a listener can handle per second in each AZ. Unlimited is selected by default. You can select Limit request to set the maximum number of concurrent connections. The value ranges from 1 to 1,000,000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit. Reducing the concurrent connection limit does not interrupt established connections. NOTE: This option is available in certain regions. You can see which regions support this option on the console.
Tag	Adds tags to the listener. Each tag is a key-value pair, and the tag key is unique.
Description	Provides supplementary information about the listener. You can enter a maximum of 255 characters.

Click Next: Configure Request Routing Policy.
1. You are advised to select an existing backend server group.
2. You can also select Create new to create a backend server group.
  1. Configure the backend server group based on Table 3.
  2. Click Next: Add Backend Server. Add backend servers and configure the health check for the backend server group.
    For details about how to add backend servers, see Backend Server Overview. For the parameters required for configuring a health check, see Table 4.
Click Next: Confirm.
Confirm the configuration and click Submit.

Helpful Links

Are There Any Constraints on TLS Concurrent Connections?

TLS listeners use fullNAT to forward traffic. If a TLS listener is used, the maximum number of concurrent connections that a backend server can handle cannot exceed 200,000. If the number is exceeded, 5-tuple ports may be insufficient, affecting your services.

Parent Topic: Network Listeners

Previous topic: Adding a UDP Listener (with a QUIC Backend Server Group Associated)

Next topic: Application Listeners

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot