Updated on 2024-11-14 GMT+08:00

Adding a TLS Listener

Scenarios

If you require ultra-high performance and large-scale TLS offloading, you can add a TLS listener to forward encrypted TCP requests from clients.

TLS is available in certain regions. You can see which regions support TLS on the console.

Notes and Constraints

  • TLS listeners can only be added to network (TCP/UDP/TLS) load balancers that support new TLS connections.
  • TLS listeners can only be associated with TCP or TLS backend server groups.

Procedure

  1. Go to the load balancer list page.
  2. On the displayed page, locate the load balancer and click its name.
  3. On the Listeners tab, click Add Listener and configure parameters based on Table 1.
    Table 1 Parameters for configuring a TLS listener

    Parameter

    Description

    Name

    Specifies the listener name.

    Frontend Protocol

    Specifies the protocol that will be used by the load balancer to receive requests from clients.

    Select TLS.

    Forwarding by Port Ranges

    This option is available only for TCP, UDP, and TLS listeners of a dedicated load balancer. It cannot be disabled after it is enabled.

    If this option is enabled, the listener listens to requests from all ports in the port range you specify and routes the requests to the corresponding ports on the backend servers.

    NOTE:

    If you enable Forwarding by Port Ranges, you need to enter a start and end port number as the port range.

    Frontend Port

    Specifies the port that will be used by the load balancer to receive requests from clients.

    The port number ranges from 1 to 65535.

    NOTE:

    If you enable Forwarding by Port Ranges, you need to enter a start and end port number as the port range.

    SSL Authentication

    Specifies whether how you want the clients and backend servers to be authenticated.

    There are two options: One-way authentication or Mutual authentication.

    • If only server authentication is required, select One-way authentication.
    • If you want the clients and the load balancer to authenticate each other, select Mutual authentication. Only authenticated clients will be allowed to access the load balancer.

    Server certificate

    Specifies the certificate that will be used by the backend server to authenticate the client when TLS is used as the frontend protocol.

    Both the certificate and private key are required.

    CA certificate

    Specifies the certificate that will be used by the backend server to authenticate the client when SSL Authentication is set to Mutual authentication.

    A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.

    Enable SNI

    Specifies whether to enable SNI when TLS is used as the frontend protocol.

    SNI is an extension to TLS and is used when a server uses multiple domain names and certificates.

    This allows the client to submit the domain name information while sending an SSL handshake request. After the load balancer receives the request, the load balancer queries the corresponding certificate based on the domain name and returns it to the client. If no certificate is found, the load balancer will return the default certificate. For details, see SNI Certificate.

    SNI Certificate

    Specifies the certificate associated with the domain name when the frontend protocol is HTTPS and SNI is enabled.

    Select an existing certificate or create one.

    Access Control

    Specifies how access to the listener is controlled. For details, see What Is Access Control? The following options are available:

    • All IP addresses
    • Blacklist
    • Whitelist

    IP Address Group

    Specifies the IP address group associated with a whitelist or blacklist. If there is no IP address group, create one first. For more information, see IP Address Group.

    Transfer Client IP Address

    If the frontend protocol is TLS, the source IP addresses of the clients cannot be passed to backend servers. Enable ProxyProtocol to transfer the source IP addresses.

    ProxyProtocol

    Specifies whether to enable the ProxyProtocol option to pass the source IP addresses of the clients to backend servers.

    NOTE:

    Ensure the backend servers support ProxyProtocol. Otherwise, services may be interrupted.

    Advanced Settings

    Security Policy

    Specifies the security policy you can use if you select TLS as the frontend protocol. For more information, see TLS Security Policy.

    Idle Timeout

    Specifies the length of time for a connection to keep alive, in seconds. If no request is received within this period, the load balancer closes the connection and establishes a new one with the client when the next request arrives.

    The idle timeout duration ranges from 0 to 4000.

    Maximum New Connections per AZ

    Specifies the maximum number of new connections that a listener can handle per second in each AZ.

    The value ranges from 0 to 1000000. 0 indicates that the number is not limited. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit.

    NOTE:

    This option is available in certain regions. You can see which regions support this option on the console.

    Maximum Concurrent Connections per AZ

    Specifies the maximum number of concurrent connections that a listener can handle per second in each AZ.

    The value ranges from 0 to 1000000. 0 indicates that the number is not limited. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit.

    Reducing the concurrent connection limit do not interrupt established connections.

    NOTE:

    This option is available in certain regions. You can see which regions support this option on the console.

    Tag

    Adds tags to the listener. Each tag is a key-value pair, and the tag key is unique.

    Description

    Provides supplementary information about the listener.

    You can enter a maximum of 255 characters.

  4. Click Next: Configure Request Routing Policy.
    1. You are advised to select an existing backend server group.
    2. You can also click Create new to create a backend server group.
      1. Configure the backend server group based on Table 3.
      2. Click Next: Add Backend Server. Add backend servers and configure the health check for the backend server group.

        For details about how to add backend servers, see Backend Server Overview. For the parameters required for configuring a health check, see Table 4.

  5. Click Next: Confirm.
  6. Confirm the configuration and click Submit.