Create an HTTPS listener for your Application Load Balancer
A listener checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.
To create an HTTPS listener, you must deploy at least one SSL/TLS server certificate on your load balancer. The load balancer uses the server certificate to terminate the front-end connection and decrypt requests from clients before sending them to the targets. You must also specify a security policy, which determines the TLS protocol versions and cipher suites the load balancer will negotiate with clients.
If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.
The information on this page helps you create an HTTPS listener for your load balancer. To add an HTTP listener to your load balancer, see Create an HTTP listener for your Application Load Balancer.
Prerequisites
- To add a forward action to the default listener rule, you must specify an available target group. For more information, see Create a target group for your Application Load Balancer.
- You can specify the same target group in multiple listeners, but these listeners must belong to the same load balancer. Before you use a target group with a load balancer, verify that it is not used by a listener of any other load balancer.
- Application Load Balancers do not support ED25519 keys.
Add an HTTPS listener
You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration.
To add an HTTPS listener using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, choose Load Balancers.
3. Select the load balancer.
4. On the Listeners and rules tab, choose Add listener.
5. For Protocol : Port, choose HTTPS and keep the default port or enter a different port.
6. (Optional) To add an authentication rule, select Authenticate users, choose an identity provider, and provide the required information. For more information, see Authenticate users using an Application Load Balancer.
7. For Routing action, select one of the following routing actions and provide the required information:
   - Forward to target groups – Choose a target group. To add another target group, choose Add target group, choose a target group, review the relative percentages, and update the weights as needed. You must enable group-level stickiness if you enabled stickiness on any of the target groups.
   - Redirect to URL – Enter the URL by entering each part separately on the URI parts tab, or by entering the full address on the Full URL tab. For Status code, select either temporary (HTTP 302) or permanent (HTTP 301) based on your needs.
   - Return fixed response – Enter the Response code to return for dropped client requests. Optionally, you can specify the Content type and a Response body.
8. For Security policy, the console preselects the recommended security policy. You can select a different security policy as needed, for example if you must require a specific minimum TLS version or restrict the cipher suites offered to clients.
9. For Default SSL/TLS certificate, choose the default certificate. The console also adds the default certificate to the SNI list. You can select a certificate using one of the following options:
   - From ACM – Choose a certificate from Certificate (from ACM), which displays the certificates available from AWS Certificate Manager.
   - From IAM – Choose a certificate from Certificate (from IAM), which displays the certificates that you imported to AWS Identity and Access Management.
   - Import certificate – Choose a destination for your certificate: either Import to ACM or Import to IAM. For Certificate private key, paste the contents of the PEM-encoded private key file. For Certificate body, paste the contents of the PEM-encoded certificate file. For Certificate Chain, paste the contents of the PEM-encoded certificate chain file; you can omit the chain only if you are using a self-signed certificate and do not need browsers to trust it without manual configuration.
10. (Optional) To enable mutual authentication, under Client certificate handling, enable Mutual authentication (mTLS).
    The default mode is passthrough. In passthrough mode the load balancer does not validate the client certificate; it forwards the client certificate chain to the targets in HTTP headers, so validation is left to the application running on the targets. If you select Verify with trust store:
    - By default, connections with expired client certificates are rejected. To change this behavior, expand Advanced mTLS settings, then under Client certificate expiration select Allow expired client certificates.
    - For Trust store, choose an existing trust store, or choose New trust store and provide the required information.
11. (Optional) To add tags, expand Listener tags. Choose Add new tag and enter the tag key and tag value.
12. Choose Add.
13. To add certificates to the optional certificate list, see Add certificates to the certificate list.
To add an HTTPS listener using the AWS CLI
Use the create-listener command to create the listener and default rule, and the create-rule command to define additional listener rules.
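The console procedure above and the CLI commands this section names, as an added shell example that is not the page's own or AWS's code: it creates an HTTPS listener with `create-listener`, refuses predefined security policies that still negotiate TLS 1.0 or TLS 1.1, optionally turns on mTLS in verify mode, and then attaches a second certificate with `add-listener-certificates` so that SNI can select it. The CLI options and the policy names are the real ones; the ARNs, the region, the legacy-policy deny-list and the `DRY_RUN` wrapper are this example's own assumptions, and every ARN is a placeholder to replace.

```shell
#!/bin/sh
# Added example, not from the AWS documentation page: create an HTTPS listener on an
# existing Application Load Balancer with the AWS CLI, guard against a legacy TLS
# policy, optionally require client certificates (mTLS), and attach a second
# certificate for SNI. Every ARN below is a placeholder (assumption); replace it with
# your own. With DRY_RUN=1 (the default) the commands are printed, not executed.
set -eu

DRY_RUN="${DRY_RUN:-1}"
REGION="${REGION:-us-east-1}"
LB_ARN="${LB_ARN:-arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef}"
TG_ARN="${TG_ARN:-arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/0123456789abcdef}"
CERT_ARN="${CERT_ARN:-arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111}"
SNI_CERT_ARN="${SNI_CERT_ARN:-arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222}"
# Leave TRUST_STORE_ARN empty for a plain HTTPS listener; set it to enable
# mTLS in "verify" mode against that trust store.
TRUST_STORE_ARN="${TRUST_STORE_ARN:-}"
# Predefined policy that negotiates TLS 1.2 and TLS 1.3 only.
SSL_POLICY="${SSL_POLICY:-ELBSecurityPolicy-TLS13-1-2-2021-06}"

# Returns 0 for predefined policies that still negotiate TLS 1.0 or TLS 1.1.
# The deny-list is this example's own and intentionally minimal (assumption).
policy_allows_legacy_tls() {
  case "$1" in
    ELBSecurityPolicy-2016-08) return 0 ;;
    ELBSecurityPolicy-TLS-1-0-2015-04) return 0 ;;
    ELBSecurityPolicy-TLS-1-1-2017-01) return 0 ;;
    ELBSecurityPolicy-FS-2018-06) return 0 ;;
    ELBSecurityPolicy-FS-1-1-2019-08) return 0 ;;
    ELBSecurityPolicy-TLS13-1-0-2021-06) return 0 ;;
    ELBSecurityPolicy-TLS13-1-1-2021-06) return 0 ;;
    *) return 1 ;;
  esac
}

# Extra create-listener arguments for mTLS; empty when no trust store is set.
# Expired client certificates stay rejected (IgnoreClientCertificateExpiry=false).
mtls_args() {
  [ -n "$TRUST_STORE_ARN" ] || return 0
  printf '%s' " --mutual-authentication Mode=verify,TrustStoreArn=$TRUST_STORE_ARN,IgnoreClientCertificateExpiry=false"
}

# The create-listener call: HTTPS on 443, default certificate, security policy,
# and a default rule that forwards to the target group.
create_listener_cmd() {
  printf '%s' "aws elbv2 create-listener --region $REGION" \
    " --load-balancer-arn $LB_ARN" \
    " --protocol HTTPS --port 443" \
    " --certificates CertificateArn=$CERT_ARN" \
    " --ssl-policy $SSL_POLICY" \
    " --default-actions Type=forward,TargetGroupArn=$TG_ARN" \
    "$(mtls_args)"
}

# Adds a second certificate to the listener's certificate list (chosen by SNI).
add_sni_cert_cmd() {
  printf '%s' "aws elbv2 add-listener-certificates --region $REGION" \
    " --listener-arn $1 --certificates CertificateArn=$SNI_CERT_ARN"
}

main() {
  if policy_allows_legacy_tls "$SSL_POLICY"; then
    echo "refusing $SSL_POLICY: it still negotiates TLS 1.0/1.1" >&2
    return 1
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$(create_listener_cmd)" "$(add_sni_cert_cmd '<listener-arn>')"
    return 0
  fi
  # Real run: capture the new listener ARN and use it for the SNI certificate.
  listener_arn=$(eval "$(create_listener_cmd) --query 'Listeners[0].ListenerArn' --output text")
  eval "$(add_sni_cert_cmd "$listener_arn")"
}

main
```

Run it once with the default `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` and your own ARNs. For the mTLS path the trust store must already exist (for example one created with `aws elbv2 create-trust-store`), and the certificates must be in ACM or IAM in the load balancer's region.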