Adding a TLS Listener
Scenarios
If you require ultra-high performance and large-scale TLS offloading, you can add a TLS listener to forward encrypted TCP requests from clients.

TLS is available in certain regions. You can see which regions support TLS on the console.
Constraints
- TLS listeners can only be added to network load balancers that support new TLS connections.
- TLS listeners can only be associated with TCP and TLS backend server groups.
Procedure
- Go to the load balancer list page.
- On the displayed page, locate the load balancer and click its name.
- On the Listeners tab, click Add Listener and configure parameters based on Table 1.
Table 1 Parameters for configuring a TLS listener
Parameter / Description
Frontend Protocol
Specifies the protocol that will be used by the load balancer to receive requests from clients.
Select TLS.
Listening Port
Specifies a port or port ranges that will be used by the load balancer to receive requests from clients.
- Single port: The listener listens only on the specified port.
- Port ranges: The listener listens on all ports in the specified port ranges and routes the received packets to the corresponding ports on the backend servers, if the frontend protocol is TCP, UDP, or TLS.
Name (Optional)
Specifies the listener name.
Transfer Client IP Address
If the frontend protocol is TLS, the source IP addresses of the clients cannot be passed to backend servers. Enable ProxyProtocol to transfer the source IP addresses.
ProxyProtocol
Specifies whether to enable the ProxyProtocol option to pass the source IP addresses of the clients to backend servers.
WARNING: Ensure the backend servers support ProxyProtocol. If they do not, services may be interrupted.
Access Control
Specifies how access to the listener is controlled. For details, see What Is Access Control?
All IP addresses is selected for access control by default.
You can select Whitelist or Blacklist and choose an IP address group.
- Whitelist: Only IP addresses in the whitelist can access the listener. Requests from the IP addresses or CIDR blocks specified in the IP address group will be forwarded by the listener.
- Blacklist: IP addresses in the blacklist are not allowed to access the listener. Requests from the IP addresses or CIDR blocks specified in the IP address group will not be forwarded by the listener.
Configure Certificate
SSL Authentication
Specifies how you want the clients and backend servers to be authenticated.
- One-way authentication: Backend servers will be authenticated by clients.
- Mutual authentication: The clients and backend servers will authenticate each other.
CA Certificate
Specifies the certificate that will be used to authenticate the client when SSL Authentication is set to Mutual authentication.
CA certificates are also called client CA public key certificates. They are used to verify the issuer of a client certificate. HTTPS connections can only be established when the client provides a certificate issued by a specific CA.
Server Certificate
Specifies a server certificate that will be used to authenticate the server when TLS is used as the frontend protocol.
Both the certificate and private key are required.
SNI
Server Name Indication (SNI) is an extension to TLS. It allows clients to specify, in the first request, which domain name of a listener they are trying to connect to.
The client includes the domain name in the initial SSL handshake. Once it receives the request, the load balancer searches for the certificate based on the domain name.
If an SNI certificate is found, this certificate will be used for authentication.
If no SNI certificates are found, the server certificate is used for authentication.
For details, see Using SNI Certificates for Access Through Multiple Domain Names.
SNI Certificate
Specifies one or more certificates associated with the domain name when the frontend protocol is TLS and SNI is enabled.
You can only select server certificates that have SNI domain names.
More (Optional)
Security Policy
Specifies the security policy you can use if you select TLS as the frontend protocol. For more information, see Configuring TLS Security Policies for Encrypted Communication.
Idle Timeout (s)
Specifies the length of time for a connection to keep alive, in seconds. If no request is received within this period, the load balancer closes the connection and establishes a new one with the client when the next request arrives.
The idle timeout duration ranges from 0 to 4000.
Maximum New Connections per AZ
Specifies the maximum number of new connections that a listener can handle per second in each AZ. Unlimited is selected by default. You can select Limit request to set the maximum number of new connections.
The value ranges from 1 to 1,000,000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit.
NOTE: This option is available in certain regions. You can see which regions support this option on the console.
Maximum Concurrent Connections per AZ
Specifies the maximum number of concurrent connections that a listener can handle per second in each AZ. Unlimited is selected by default. You can select Limit request to set the maximum number of concurrent connections.
The value ranges from 1 to 1,000,000. If the value is greater than the number defined in the load balancer specifications, the latter is used as the limit.
Reducing the concurrent connection limit does not interrupt established connections.
NOTE: This option is available in certain regions. You can see which regions support this option on the console.
Tag
Adds tags to the listener. Each tag is a key-value pair, and the tag key is unique.
Description
Provides supplementary information about the listener.
You can enter a maximum of 255 characters.
- Click Next: Configure Request Routing Policy.
- You are advised to select an existing backend server group.
- You can also select Create new to create a backend server group.
- Configure the backend server group based on Table 3.
- Click Next: Add Backend Server. Add backend servers and configure the health check for the backend server group.
For details about how to add backend servers, see Backend Server Overview. For the parameters required for configuring a health check, see Table 4.
- Click Next: Confirm.
- Confirm the configuration and click Submit.
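The ProxyProtocol option in Table 1 prepends a header carrying the client's source address to each backend connection, so the backend must strip it before reading application data. The following is an added example (not from this documentation or the load balancer's own code) of a backend-side parser for the text-based PROXY protocol v1 header; it assumes the listener emits the v1 format, which must be checked against the console.

```python
import ipaddress

# Longest valid v1 header line, CRLF included, per the PROXY protocol spec.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Raised when the stream does not start with a well-formed v1 header."""


def parse_proxy_v1(data: bytes):
    """Split a raw stream into (client_info, remaining_payload).

    client_info holds the original client/proxy addresses and ports, or is
    None for the 'UNKNOWN' form (e.g. health checks or non-IP transports).
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("stream does not start with a PROXY v1 header")
    fields = data[:end].decode("ascii", "replace").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed header: {fields!r}")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
        src_port, dst_port = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"src": str(src), "src_port": src_port,
            "dst": str(dst), "dst_port": dst_port}, payload


if __name__ == "__main__":
    # Constructed sample: what the backend reads when ProxyProtocol is on.
    stream = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nGET / HTTP/1.1\r\n"
    print(parse_proxy_v1(stream))
    # The same application bytes arriving with ProxyProtocol disabled on the
    # listener fail here; that mismatch is the interruption Table 1 warns about.
    try:
        parse_proxy_v1(b"GET / HTTP/1.1\r\n")
    except ProxyHeaderError as err:
        print("error:", err)
```

Log the returned `src` address rather than the TCP peer address, which is the load balancer's own.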