

# Listeners for your Network Load Balancers

A *listener* is a process that checks for connection requests, using the protocol and port that you configure. Before you start using your Network Load Balancer, you must add at least one listener. If your load balancer has no listeners, it can't receive traffic from clients. The rule that you define for a listener determines how the load balancer routes requests to the targets that you register, such as EC2 instances.

**Topics**
+ [Listener configuration](#listener-configuration)
+ [Default actions](#default-actions)
+ [Listener attributes](#listener-attributes)
+ [Secure listeners](#secure-listeners)
+ [ALPN policies](#alpn-policies)
+ [Create a listener](create-listener.md)
+ [Server certificates](tls-listener-certificates.md)
+ [Security policies](describe-ssl-policies.md)
+ [Update a listener](listener-update-rules.md)
+ [Update idle timeout](update-idle-timeout.md)
+ [Update a TLS listener](listener-update-certificates.md)
+ [Delete a listener](delete-listener.md)

## Listener configuration


Listeners support the following protocols and ports:
+ **Protocols**: TCP, TLS, UDP, TCP_UDP, QUIC, TCP_QUIC
+ **Ports**: 1-65535

You can use a TLS listener to offload the work of encryption and decryption to your load balancer so that your applications can focus on their business logic. If the listener protocol is TLS, you must deploy at least one SSL server certificate on the listener. For more information, see [Server certificates](tls-listener-certificates.md).

If you must ensure that the targets decrypt TLS traffic instead of the load balancer, you can create a TCP listener on port 443 instead of creating a TLS listener. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.

You can use a QUIC listener to accept QUIC traffic. The Network Load Balancer acts as a pass-through load balancer in accordance with [RFC 9000](https://tools.ietf.org/html/rfc9000). Use a QUIC listener together with QUIC-enabled backends to support seamless connection migration for mobile devices.

To support both TCP and UDP on the same port, create a TCP_UDP listener. The target groups for a TCP_UDP listener must use the TCP_UDP protocol.

To support both TCP and QUIC on the same port, create a TCP_QUIC listener. The target groups for a TCP_QUIC listener must use the TCP_QUIC protocol.

A UDP listener for a dualstack load balancer requires IPv6 target groups.

WebSockets are supported only on TCP, TLS, TCP_UDP, and TCP_QUIC listeners.

QUIC traffic does not support version negotiation. QUIC v1 is the only supported QUIC version.

All network traffic sent to a configured listener is classified as intended traffic. Network traffic that does not match a configured listener is classified as unintended traffic. ICMP requests other than Type 3 are also considered unintended traffic. Network Load Balancers drop unintended traffic without forwarding it to any targets. TCP data packets sent to the port of a configured listener that are neither new connections nor part of an active TCP connection are rejected with a TCP reset (RST).

For more information, see [Request routing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#request-routing) in the *Elastic Load Balancing User Guide*.

## Default actions


When you create a listener, you specify a default action for routing requests. The default action forwards requests to the target groups that you specify.

**Distribute traffic to multiple target groups**  
If you specify multiple target groups for a default action, requests are distributed to these target groups based on their relative weights. You must specify a weight from 0 to 999 for each target group. A target group with a weight of 0 receives no traffic. After you add a target group or update the target group weights, new connections are routed based on the new target group weights. Existing connections are not affected and continue until they are closed as usual.

As an example, if you specify two target groups, each with a weight of 10, each target group receives half the requests. If you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the target group with a weight of 10.

A common use case is migrating traffic from one target group to another: you gradually increase the weight of the new target group while decreasing the weight of the original target group until it reaches 0. If you update the weight of a target group to 0, after a short period it receives no new connections, and its existing connections are closed.

**Sticky sessions and weighted target groups**  
Forward actions on listeners can specify whether to enable target group stickiness. When enabled, target group stickiness causes subsequent connections from the same source IP address to prefer the previously chosen target group.

**Considerations**
+ For TLS listeners, you can't add both TCP target groups and TLS target groups to the listener rule. All target groups must use the same protocol.
+ For TLS listeners, target group stickiness is not supported.
+ For dualstack load balancers, you can't add both IPv4 target groups and IPv6 target groups to the same default action. All target groups in the default action must use the same IP address type.
+ For listeners, if a forward action contains multiple target groups and any of them have stickiness enabled, then the forward action must also have target group stickiness enabled.
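The weight range and the considerations above lend themselves to an offline check before a listener is created or modified. The following Python is an added example and not AWS code: the `TargetGroup` and `ForwardAction` classes are assumed stand-ins for the API's forward-action structure, and the sample configurations are constructed. It also computes the expected traffic split from the relative weights, which generalizes the two-group arithmetic above to any number of groups.

```python
"""Offline validator for a Network Load Balancer forward (default) action,
applying the weight and consideration rules from this page. Added example,
not AWS code: the TargetGroup/ForwardAction data classes are assumed stand-ins
for the real API objects, and the sample configurations are constructed."""
from dataclasses import dataclass


@dataclass
class TargetGroup:
    name: str
    protocol: str          # TCP, TLS, UDP, TCP_UDP, QUIC or TCP_QUIC
    ip_type: str           # "ipv4" or "ipv6"
    weight: int            # 0-999; 0 means the group receives no traffic
    stickiness: bool = False


@dataclass
class ForwardAction:
    listener_protocol: str
    target_groups: list
    stickiness: bool = False      # action-level TargetGroupStickinessConfig.Enabled
    dualstack: bool = False       # load balancer IP address type is dualstack


def validate_forward_action(action: ForwardAction) -> list:
    """Return a list of rule violations (an empty list means the action is acceptable)."""
    findings = []
    tgs = action.target_groups
    if not tgs:
        return ["a default action must forward to at least one target group"]

    for tg in tgs:
        if not 0 <= tg.weight <= 999:
            findings.append(f"{tg.name}: weight {tg.weight} is outside the 0-999 range")

    # All target groups behind one action must share a protocol (no TCP + TLS mix).
    if len({tg.protocol for tg in tgs}) > 1:
        findings.append("all target groups in the action must use the same protocol")

    # TLS listeners do not support target group stickiness at all.
    if action.listener_protocol == "TLS" and (
        action.stickiness or any(tg.stickiness for tg in tgs)
    ):
        findings.append("TLS listeners do not support target group stickiness")

    # A dualstack load balancer cannot mix IPv4 and IPv6 target groups in one action.
    if action.dualstack and len({tg.ip_type for tg in tgs}) > 1:
        findings.append("dualstack: all target groups must use the same IP address type")

    # With several target groups, any per-group stickiness requires action-level stickiness.
    if len(tgs) > 1 and any(tg.stickiness for tg in tgs) and not action.stickiness:
        findings.append("forward action must enable stickiness when a target group has it enabled")

    return findings


def expected_shares(action: ForwardAction) -> dict:
    """Fraction of new connections each target group should receive, by relative weight."""
    total = sum(tg.weight for tg in action.target_groups)
    if total == 0:
        return {tg.name: 0.0 for tg in action.target_groups}
    return {tg.name: tg.weight / total for tg in action.target_groups}


if __name__ == "__main__":
    # Constructed blue/green migration step: old group at weight 10, new group at 20.
    action = ForwardAction("TCP", [
        TargetGroup("blue", "TCP", "ipv4", 10),
        TargetGroup("green", "TCP", "ipv4", 20),
    ])
    print(validate_forward_action(action))   # []
    print(expected_shares(action))           # green receives twice blue's share
```

A non-empty findings list is the signal to stop before creating or modifying the listener; the share calculation is the same relative-weight rule the page describes, so it can be used to sanity-check a migration schedule step by step.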

## Listener attributes


The following are the listener attributes for Network Load Balancers:

`tcp.idle_timeout.seconds`  
The TCP idle timeout value, in seconds. The valid range is 60-6000 seconds. The default is 350 seconds.

For more information, see [Update idle timeout](update-idle-timeout.md).

## Secure listeners


To use a TLS listener, you must deploy at least one server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then to decrypt requests from clients before sending them to the targets. Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it.

Elastic Load Balancing uses a TLS negotiation configuration, known as a security policy, to negotiate TLS connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. The first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.

Network Load Balancers do not support mutual TLS authentication (mTLS). For mTLS support, create a TCP listener instead of a TLS listener. The load balancer passes the request through as is, so you can implement mTLS on the target.

Network Load Balancers support TLS resumption using PSK for TLS 1.3, and session tickets for TLS 1.2 and older. Resumptions with session ID, or when multiple certificates are configured in the listener using SNI, are not supported. The 0-RTT data feature and early_data extension are not implemented.

For related demos, see [TLS Support on Network Load Balancer](https://exampleloadbalancer.com/nlbtls_demo.html) and [SNI Support on Network Load Balancer](https://exampleloadbalancer.com/nlbsni_demo.html).

## ALPN policies


Application-Layer Protocol Negotiation (ALPN) is a TLS extension that is sent on the initial TLS handshake hello messages. ALPN enables the application layer to negotiate which protocols should be used over a secure connection, such as HTTP/1 and HTTP/2.

When the client initiates an ALPN connection, the load balancer compares the client ALPN preference list with its ALPN policy. If the client supports a protocol from the ALPN policy, the load balancer establishes the connection based on the preference list of the ALPN policy. Otherwise, the load balancer does not use ALPN.

**Supported ALPN policies**  
The following are the supported ALPN policies:

`HTTP1Only`  
Negotiate only HTTP/1.*. The ALPN preference list is http/1.1, http/1.0.

`HTTP2Only`  
Negotiate only HTTP/2. The ALPN preference list is h2.

`HTTP2Optional`  
Prefer HTTP/1.* over HTTP/2 (which can be useful for HTTP/2 testing). The ALPN preference list is http/1.1, http/1.0, h2.

`HTTP2Preferred`  
Prefer HTTP/2 over HTTP/1.*. The ALPN preference list is h2, http/1.1, http/1.0.

`None`  
Do not negotiate ALPN. This is the default.
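To make the negotiation rule concrete, here is an added Python example (not AWS code) that decodes the ALPN extension body of a ClientHello using the RFC 7301 layout and then applies each policy's preference list exactly as tabulated above. The ClientHello bytes are constructed; the parser rejects malformed lengths instead of returning partial results, which is the behaviour you want from anything that handles handshake data.

```python
"""ALPN as the page describes it: parse the client's ALPN extension from a
ClientHello (RFC 7301 ProtocolNameList layout), then let the listener's policy
preference order decide. Added example, not AWS code; the policy table is the
one on this page, and the ClientHello extension bytes are constructed."""

# Preference lists exactly as listed on the page.
ALPN_POLICIES = {
    "HTTP1Only": ["http/1.1", "http/1.0"],
    "HTTP2Only": ["h2"],
    "HTTP2Optional": ["http/1.1", "http/1.0", "h2"],
    "HTTP2Preferred": ["h2", "http/1.1", "http/1.0"],
    "None": [],
}


def parse_alpn_extension(body: bytes) -> list:
    """Decode the extension_data of a ClientHello ALPN extension:
    uint16 list length, then repeated (uint8 name length, name).
    Malformed input raises ValueError rather than yielding partial results."""
    if len(body) < 2:
        raise ValueError("ALPN extension body shorter than its length field")
    list_len = int.from_bytes(body[:2], "big")
    if list_len == 0 or list_len != len(body) - 2:
        raise ValueError("ALPN list length does not match the body")
    names, pos = [], 2
    while pos < len(body):
        name_len = body[pos]
        pos += 1
        if name_len == 0 or pos + name_len > len(body):
            raise ValueError("bad ALPN protocol name length")
        names.append(body[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return names


def encode_alpn_extension(names: list) -> bytes:
    """Inverse of parse_alpn_extension, used here to build constructed samples."""
    payload = b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)
    return len(payload).to_bytes(2, "big") + payload


def negotiate_alpn(policy_name: str, client_protocols: list):
    """Return the protocol the listener would select, or None when ALPN is not
    used (policy None, or no overlap). The policy's order wins, not the client's."""
    offered = set(client_protocols)
    for proto in ALPN_POLICIES[policy_name]:
        if proto in offered:
            return proto
    return None


if __name__ == "__main__":
    # Constructed ClientHello ALPN extension body offering h2, then http/1.1.
    client_hello_alpn = b"\x00\x0c\x02h2\x08http/1.1"
    offered = parse_alpn_extension(client_hello_alpn)
    for policy in ALPN_POLICIES:
        print(f"{policy:15} -> {negotiate_alpn(policy, offered)}")
```

Note the `HTTP2Optional` case: the client lists h2 first, but the policy's order puts http/1.1 ahead, so http/1.1 is selected; that is the server-preference behaviour the text describes.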

**Enable ALPN Connections**  
You can enable ALPN connections when you create or modify a TLS listener. For more information, see [Add a listener](create-listener.md#add-listener) and [Update the ALPN policy](listener-update-certificates.md#update-alpn-policy).

# Create a listener for your Network Load Balancer

A listener is a process that checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.

## Prerequisites

+ You must specify a target group for the default action. For more information, see [Create a target group for your Network Load Balancer](create-target-group.md).
+ You must specify an SSL certificate for a TLS listener. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. For more information, see [Server certificates for your Network Load Balancer](tls-listener-certificates.md).
+ You can't use an IPv4 target group with a UDP listener for a `dualstack` load balancer.
+ QUIC and TCP_QUIC listeners are not allowed on `dualstack` load balancers or on load balancers with associated security groups.
+ Only one QUIC or TCP_QUIC listener is allowed on a Network Load Balancer at any given time.
+ QUIC and TCP_QUIC listeners are not allowed on a Network Load Balancer that has UDP or TCP_UDP listeners.

## Add a listener


You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see [Listener configuration](load-balancer-listeners.md#listener-configuration).

------
#### [ Console ]

**To add a listener**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of the load balancer to open its details page.

1. On the **Listeners** tab, choose **Add listener**.

1. For **Protocol**, choose **TCP**, **UDP**, **TCP_UDP**, **TLS**, **QUIC**, or **TCP_QUIC**. Keep the default port or type a different port.

1. For **Default action**, select a target group to forward traffic to.

   To add another target group, choose **Add target group** and update the weights as needed.

   If you don't have a target group that meets your needs, choose **Create target group** to create one now. For more information, see [Create a target group](create-target-group.md).

1. [TLS listeners] For **Security policy**, we recommend that you keep the default security policy.

1. [TLS listeners] For **Default SSL/TLS server certificate**, choose the default certificate. You can select the certificate from one of the following sources:
   + If you created or imported a certificate using AWS Certificate Manager, choose **From ACM**, then choose the certificate from **Certificate (from ACM)**.
   + If you imported a certificate using IAM, choose **From IAM**, and then choose the certificate from **Certificate (from IAM)**.
   + If you have a certificate, choose **Import certificate**. Choose either **Import to ACM** or **Import to IAM**. For **Certificate private key**, copy and paste the contents of the private key file (PEM-encoded). For **Certificate body**, copy and paste the contents of the public key certificate file (PEM-encoded). For **Certificate Chain**, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

1. [TLS listeners] For **ALPN policy**, choose a policy to enable ALPN or choose **None** to disable ALPN. For more information, see [ALPN policies](load-balancer-listeners.md#alpn-policies).

1. (Optional) To add tags, expand **Listener tags**. Choose **Add new tag** and enter the tag key and tag value.

1. Choose **Add**.

1. [TLS listeners] To add certificates to the optional certificate list, see [Add certificates to the certificate list](listener-update-certificates.md#add-certificates).

------
#### [ AWS CLI ]

**To create a target group**  
If you don't have a target group that you can use for the default action, use the [create-target-group](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-target-group.html) command to create one now. For examples, see [Create a target group](create-target-group.md).

**To add a TCP listener**  
Use the [create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command, specifying the TCP protocol.

```
aws elbv2 create-listener \
    --load-balancer-arn load-balancer-arn \
    --protocol TCP \
    --port 80 \
    --default-actions Type=forward,TargetGroupArn=target-group-arn
```

**To add a TCP listener with multiple target groups**  
Use the [create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command, specifying the TCP protocol, target groups, and weights.

```
aws elbv2 create-listener \
    --load-balancer-arn load-balancer-arn \
    --protocol TCP \
    --port 80 \
    --default-actions '[{
        "Type":"forward",
        "ForwardConfig":{
            "TargetGroups":[
                {"TargetGroupArn":"target-group-1-arn","Weight":10},
                {"TargetGroupArn":"target-group-2-arn","Weight":30}
            ]
        }
    }]'
```

**To add a TLS listener**  
Use the [create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command specifying the TLS protocol.

```
aws elbv2 create-listener \
    --load-balancer-arn load-balancer-arn \
    --protocol TLS \
    --port 443 \
    --certificates CertificateArn=certificate-arn \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-Res-2021-06 \
    --default-actions Type=forward,TargetGroupArn=target-group-arn
```

**To add a UDP listener**  
Use the [create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command specifying the UDP protocol.

```
aws elbv2 create-listener \
    --load-balancer-arn load-balancer-arn \
    --protocol UDP \
    --port 53 \
    --default-actions Type=forward,TargetGroupArn=target-group-arn
```

**To add a QUIC listener**  
Use the [create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command specifying the QUIC protocol.

```
aws elbv2 create-listener \
    --load-balancer-arn load-balancer-arn \
    --protocol QUIC \
    --port 443 \
    --default-actions Type=forward,TargetGroupArn=target-group-arn
```

------
#### [ CloudFormation ]

**To add a TCP listener**  
Define a resource of type [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) using the TCP protocol.

```
Resources:
  myTCPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

**To add a TCP listener with multiple target groups**  
Define a resource of type [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) using the TCP protocol.

```
Resources:
  myTCPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref myTargetGroup1
                Weight: 10
              - TargetGroupArn: !Ref myTargetGroup2
                Weight: 30
            TargetGroupStickinessConfig:
              Enabled: true
```

**To add a TLS listener**  
Define a resource of type [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) using the TLS protocol.

```
Resources:
  myTLSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TLS
      Port: 443
      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
      Certificates:
        - CertificateArn: "certificate-arn"
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

**To add a UDP listener**  
Define a resource of type [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) using the UDP protocol.

```
Resources:
  myUDPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: UDP
      Port: 53
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

**To add a QUIC listener**  
Define a resource of type [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) using the QUIC protocol.

```
Resources:
  myQUICListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: QUIC
      Port: 443
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

------

# Server certificates for your Network Load Balancer

When you create a secure listener for your Network Load Balancer, you must deploy at least one certificate on the load balancer. The load balancer requires X.509 certificates (server certificate). Certificates are a digital form of identification issued by a certificate authority (CA). A certificate contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.

When you create a certificate for use with your load balancer, you must specify a domain name. The domain name on the certificate must match the custom domain name record so that we can verify the TLS connection. If they do not match, the traffic is not encrypted.

You must specify a fully qualified domain name (FQDN) for your certificate, such as `www.example.com`, or an apex domain name such as `example.com`. You can also use an asterisk (`*`) as a wildcard to protect several site names in the same domain. When you request a wildcard certificate, the asterisk (`*`) must be in the leftmost position of the domain name and can protect only one subdomain level. For instance, `*.example.com` protects `corp.example.com` and `images.example.com`, but it cannot protect `test.login.example.com`. Also note that `*.example.com` protects only the subdomains of `example.com`; it does not protect the bare or apex domain (`example.com`). The wildcard name appears in the **Subject** field and in the **Subject Alternative Name** extension of the certificate. For more information about public certificates, see [Requesting a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html#request-public-console) in the *AWS Certificate Manager User Guide*.

We recommend that you create certificates for your load balancers using [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. For more information, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/).

Alternatively, you can use TLS tools to create a certificate signing request (CSR), then get the CSR signed by a CA to produce a certificate, then import the certificate into ACM or upload the certificate to AWS Identity and Access Management (IAM). For more information, see [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* or [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide*.

## Supported key algorithms

+ RSA 1024-bit
+ RSA 2048-bit
+ RSA 3072-bit
+ ECDSA 256-bit
+ ECDSA 384-bit
+ ECDSA 521-bit

## Default certificate


When you create a TLS listener, you must specify at least one certificate. This certificate is known as the *default certificate*. You can replace the default certificate after you create the TLS listener. For more information, see [Replace the default certificate](listener-update-certificates.md#replace-default-certificate).

If you specify additional certificates in a [certificate list](#sni-certificate-list), the default certificate is used only if a client connects without using the Server Name Indication (SNI) protocol to specify a hostname or if there are no matching certificates in the certificate list.

If you do not specify additional certificates but need to host multiple secure applications through a single load balancer, you can use a wildcard certificate or add a Subject Alternative Name (SAN) for each additional domain to your certificate.

## Certificate list


After you create a TLS listener, it has a default certificate and an empty certificate list. You can optionally add certificates to the certificate list for the listener. Using a certificate list enables the load balancer to support multiple domains on the same port and provide a different certificate for each domain. For more information, see [Add certificates to the certificate list](listener-update-certificates.md#add-certificates).

The load balancer uses a smart certificate selection algorithm with support for SNI. If the hostname provided by a client matches a single certificate in the certificate list, the load balancer selects this certificate. If a hostname provided by a client matches multiple certificates in the certificate list, the load balancer selects the best certificate that the client can support. Certificate selection is based on the following criteria in the following order:
+ Public key algorithm (prefer ECDSA over RSA)
+ Hashing algorithm (prefer SHA over MD5)
+ Key length (prefer the largest)
+ Validity period
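The wildcard rules from the introduction of this topic and the four-step selection order above can be exercised together. The following Python is an added example, not AWS code: the `Cert` data class and the sample certificates are constructed, and because the page does not say which direction "validity period" is ranked in, the example assumes a later expiry is preferred; the other three criteria follow the page literally.

```python
"""Certificate-list selection as this page describes it: match the SNI hostname
against each certificate's names using the page's wildcard rules, then rank the
matches by the four listed criteria. Added example, not AWS code: the Cert data
class and sample certificates are constructed, and "validity period" is assumed
to mean "prefer the later expiry" since the page does not specify a direction."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    label: str
    names: tuple       # Subject CN plus Subject Alternative Names
    key_algo: str      # "ECDSA" or "RSA"
    key_bits: int
    hash_algo: str     # e.g. "SHA256" or "MD5"
    not_after: date


def name_matches(cert_name: str, hostname: str) -> bool:
    """Hostname matching with the page's wildcard rules: '*' only as the whole
    leftmost label, covering exactly one label, and never the apex domain."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False   # "foo*.example.com" or "*.*.example.com" are not valid wildcards
    host_labels = hostname.split(".")
    return (len(host_labels) == len(cert_labels)
            and host_labels[0] != ""
            and host_labels[1:] == cert_labels[1:])


def select_certificate(cert_list, sni_hostname, default_cert):
    """Pick the certificate presented to the client. No SNI, or no certificate
    matching the SNI hostname, means the listener's default certificate is used."""
    if not sni_hostname:
        return default_cert
    matching = [c for c in cert_list
                if any(name_matches(n, sni_hostname) for n in c.names)]
    if not matching:
        return default_cert

    def rank(c):
        return (
            c.key_algo.upper() == "ECDSA",             # 1. prefer ECDSA over RSA
            c.hash_algo.upper().startswith("SHA"),     # 2. prefer SHA over MD5
            c.key_bits,                                # 3. prefer the largest key
            c.not_after,                               # 4. validity period (assumed: later expiry)
        )
    return max(matching, key=rank)


if __name__ == "__main__":
    # Constructed certificate list: two wildcards for *.example.com and the apex default.
    rsa_wild = Cert("rsa-wild", ("*.example.com",), "RSA", 2048, "SHA256", date(2027, 1, 1))
    ec_wild = Cert("ec-wild", ("*.example.com",), "ECDSA", 256, "SHA256", date(2026, 6, 1))
    apex = Cert("apex", ("example.com",), "RSA", 3072, "SHA256", date(2027, 1, 1))
    for host in ("corp.example.com", "test.login.example.com", "example.com", None):
        chosen = select_certificate([rsa_wild, ec_wild], host, default_cert=apex)
        print(f"SNI={host!r:28} -> {chosen.label}")
```

The ordering is implemented as a tuple key so that each criterion only breaks ties left by the previous one, matching "in the following order". Comparing the result against the hostname and certificate recorded in the access log entry is a quick way to confirm a listener is serving the certificate you expect.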

The load balancer access log entries indicate the hostname specified by the client and the certificate presented to the client. For more information, see [Access log entries](load-balancer-access-logs.md#access-log-entry-format).

## Certificate renewal


Each certificate comes with a validity period. You must ensure that you renew or replace each certificate for your load balancer before its validity period ends. This includes the default certificate and certificates in a certificate list. Renewing or replacing a certificate does not affect in-flight requests that were received by the load balancer node and are pending routing to a healthy target. After a certificate is renewed, new requests use the renewed certificate. After a certificate is replaced, new requests use the new certificate.

You can manage certificate renewal and replacement as follows:
+ Certificates provided by AWS Certificate Manager and deployed on your load balancer can be renewed automatically. ACM attempts to renew certificates before they expire. For more information, see [Managed renewal](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html) in the *AWS Certificate Manager User Guide*.
+ If you imported a certificate into ACM, you must monitor the expiration date of the certificate and renew it before it expires. For more information, see [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide*.
+ If you imported a certificate into IAM, you must create a new certificate, import the new certificate to ACM or IAM, add the new certificate to your load balancer, and remove the expired certificate from your load balancer.

# Security policies for your Network Load Balancer

When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see [Update the security policy](listener-update-certificates.md#update-security-policy).

**Considerations**
+ A TLS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you created the TLS listener:
  + **Console** – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`.
  + **Other methods** (for example, the AWS CLI, AWS CloudFormation, and the AWS CDK) – The default security policy is `ELBSecurityPolicy-2016-08`.
+ Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support the ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support SecP256r1MLKEM768, SecP384r1MLKEM1024 and X25519MLKEM768 algorithms. For more information, see [Post-quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/).
+ AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients capable of negotiating hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, thereby minimizing service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations.
+ You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer and examine the corresponding access log entries. For more information, see [Access logs](load-balancer-access-logs.md) and [Network Load Balancer Example Queries](https://docs.aws.amazon.com/athena/latest/ug/networkloadbalancer-classic-logs.html#query-nlb-example).
+ To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for access requests to your load balancer, enable access logging and examine the corresponding log entries. For more information, see [Access logs](load-balancer-access-logs.md).
+ You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [Elastic Load Balancing condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.
+ Network Load Balancers support the Extended Master Secret (EMS) extension for TLS 1.2.

**Backend Connections**

You can choose the security policy that is used for front-end connections, but not backend connections. The security policy for backend connections depends on the listener's security policy. If any of your listeners are using:
+ **FIPS post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
+ **FIPS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
+ **Post-quantum TLS policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
+ **TLS 1.3 policy** - Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06`
+ **All other TLS policies** - Backend connections use `ELBSecurityPolicy-2016-08`

You can describe the protocols and ciphers using the [describe-ssl-policies](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-ssl-policies.html) AWS CLI command, or refer to the tables below.

**Contents**
+ [TLS security policies](#tls-security-policies)
  + [Protocols by policy](#tls-protocols)
  + [Ciphers by policy](#tls-policy-ciphers)
  + [Policies by cipher](#tls-cipher-policies)
+ [FIPS security policies](#fips-security-policies)
  + [Protocols by policy](#fips-protocols)
  + [Ciphers by policy](#fips-policy-ciphers)
  + [Policies by cipher](#fips-cipher-policies)
+ [FS supported security policies](#fs-security-policies)
  + [Protocols by policy](#fs-protocols)
  + [Ciphers by policy](#fs-policy-ciphers)
  + [Policies by cipher](#fs-cipher-policies)

## TLS security policies


You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.

**Topics**
+ [Protocols by policy](#tls-protocols)
+ [Ciphers by policy](#tls-policy-ciphers)
+ [Policies by cipher](#tls-cipher-policies)

### Protocols by policy


The following table describes the protocols that each TLS security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No |
| ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes |
| ELBSecurityPolicy-2015-05 | No | Yes | Yes | Yes |

### Ciphers by policy


The following table describes the ciphers that each TLS security policy supports.


| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-2021-06, ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-2017-01 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-1-2017-01 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2016-08 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2015-05 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |

### Policies by cipher


The following table describes the TLS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite |
| --- | --- | --- |
| **OpenSSL** – `TLS_AES_128_GCM_SHA256`; **IANA** – `TLS_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL** – `TLS_AES_256_GCM_SHA384`; **IANA** – `TLS_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL** – `TLS_CHACHA20_POLY1305_SHA256`; **IANA** – `TLS_CHACHA20_POLY1305_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1303 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-GCM-SHA256`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – `ECDHE-RSA-AES128-GCM-SHA256`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA256`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA256`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-GCM-SHA384`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – `ECDHE-RSA-AES256-GCM-SHA384`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA384`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA384`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL** – `AES128-GCM-SHA256`; **IANA** – `TLS_RSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL** – `AES128-SHA256`; **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL** – `AES128-SHA`; **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL** – `AES256-GCM-SHA384`; **IANA** – `TLS_RSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL** – `AES256-SHA256`; **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL** – `AES256-SHA`; **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |

## FIPS security policies


The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the *AWS Cloud Security Compliance* page.

All FIPS policies use the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* site.

**Important**  
Policies `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` and `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` are provided for legacy compatibility only. Although they use FIPS cryptography from the FIPS 140 validated module, they enable TLS 1.1 and TLS 1.0 and may not conform to the latest NIST guidance for TLS configuration.

**Topics**
+ [Protocols by policy](#fips-protocols)
+ [Ciphers by policy](#fips-policy-ciphers)
+ [Policies by cipher](#fips-cipher-policies)

### Protocols by policy


The following table describes the protocols that each FIPS security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | Yes | Yes | Yes | Yes |

### Ciphers by policy


The following table describes the ciphers that each FIPS security policy supports.


| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) |

### Policies by cipher


The following table describes the FIPS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite |
| --- | --- | --- |
| **OpenSSL** – `TLS_AES_128_GCM_SHA256`; **IANA** – `TLS_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL** – `TLS_AES_256_GCM_SHA384`; **IANA** – `TLS_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-GCM-SHA256`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – `ECDHE-RSA-AES128-GCM-SHA256`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA256`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA256`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-GCM-SHA384`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – `ECDHE-RSA-AES256-GCM-SHA384`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA384`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA384`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA`; **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA`; **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL** – `AES128-GCM-SHA256`; **IANA** – `TLS_RSA_WITH_AES_128_GCM_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL** – `AES128-SHA256`; **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL** – `AES128-SHA`; **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL** – `AES256-GCM-SHA384`; **IANA** – `TLS_RSA_WITH_AES_256_GCM_SHA384` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL** – `AES256-SHA256`; **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA256` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL** – `AES256-SHA`; **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA` | [See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |

## FS supported security policies


FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key for each connection. This prevents the decryption of captured data, even if the secret long-term key is later compromised.

The policies in this section support FS, and "FS" is included in their names. However, these are not the only policies that support FS: policies that support only TLS 1.3 provide FS, and policies that support TLS 1.3 and TLS 1.2 and have only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.
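The rule above can be applied mechanically to the output of `aws elbv2 describe-ssl-policies`, which returns each policy with its `Name`, `SslProtocols` and `Ciphers`. The following Python is an added example, not code from the AWS documentation; the policy contents it contains are constructed for illustration, since this page does not reproduce the per-policy cipher lists. It generalizes the page's two rules slightly by treating forward secrecy as a property of every cipher a policy can negotiate (TLS 1.3 suites and ECDHE suites qualify, static-RSA suites such as AES128-GCM-SHA256 do not), which is also what makes the FS policies above FS even where they allow TLS 1.0 or 1.1.

```python
"""Audit ELB security policies for forward secrecy (added example, not AWS code).

Input shape follows `aws elbv2 describe-ssl-policies` output:
  {"SslPolicies": [{"Name": ..., "SslProtocols": [...],
                    "Ciphers": [{"Name": ..., "Priority": n}, ...]}]}
The policy contents below are constructed samples, not real AWS policies.
"""
import json


def cipher_provides_fs(name: str) -> bool:
    """True if the suite uses an ephemeral key exchange (TLS 1.3 suite or ECDHE).

    Accepts both OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). Static-RSA suites such as
    AES128-GCM-SHA256 / TLS_RSA_WITH_AES_128_GCM_SHA256 (suite 0x9c) do not qualify.
    """
    n = name.upper().replace("_", "-")
    if n.startswith("TLS-"):
        rest = n[len("TLS-"):]
        # IANA-style TLS 1.2 names always contain WITH; TLS 1.3 names never do.
        if "-WITH-" not in rest:
            return True  # e.g. TLS_AES_128_GCM_SHA256: always ephemeral
        return rest.startswith("ECDHE-")  # e.g. TLS_ECDHE_RSA_WITH_...
    return n.startswith("ECDHE-")  # OpenSSL-style TLS 1.2 name


def non_fs_ciphers(policy: dict) -> list:
    """Cipher names in a policy that would let a captured session be decrypted later."""
    return [c["Name"] for c in policy.get("Ciphers", []) if not cipher_provides_fs(c["Name"])]


def policy_provides_fs(policy: dict) -> bool:
    protocols = set(policy.get("SslProtocols", []))
    if protocols == {"TLSv1.3"}:
        return True  # TLS 1.3-only: every suite uses an ephemeral key exchange
    # Otherwise FS holds only if every negotiable cipher has an ephemeral key exchange.
    return bool(policy.get("Ciphers")) and not non_fs_ciphers(policy)


def audit_policies(describe_output: str) -> dict:
    """Map each policy name in describe-ssl-policies JSON to (provides_fs, offending ciphers)."""
    data = json.loads(describe_output)
    return {p["Name"]: (policy_provides_fs(p), non_fs_ciphers(p)) for p in data["SslPolicies"]}


# Constructed sample resembling describe-ssl-policies output (not real policy contents).
SAMPLE = json.dumps({"SslPolicies": [
    {"Name": "example-tls13-only", "SslProtocols": ["TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1}]},
    {"Name": "example-fs-1-2", "SslProtocols": ["TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 2}]},
    {"Name": "example-mixed", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_256_GCM_SHA384", "Priority": 1},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "AES128-GCM-SHA256", "Priority": 3}]},
]})

if __name__ == "__main__":
    for name, (fs, bad) in audit_policies(SAMPLE).items():
        detail = f" (non-FS ciphers: {', '.join(bad)})" if bad else ""
        print(f"{name}: {'FS' if fs else 'no FS'}{detail}")
```

To audit real policies, pipe `aws elbv2 describe-ssl-policies --output json` into `audit_policies`; a policy that reports any non-FS cipher is one where a recorded session could be decrypted if the server's private key were ever obtained.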

**Topics**
+ [Protocols by policy](#fs-protocols)
+ [Ciphers by policy](#fs-policy-ciphers)
+ [Policies by cipher](#fs-cipher-policies)

### Protocols by policy


The following table describes the protocols that each FS supported security policy supports.


| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No | 
| ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes | 

### Ciphers by policy


The following table describes the ciphers that each FS supported security policy supports.


| Security policy | Ciphers | 
| --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-1-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | 

### Policies by cipher


The following table describes the FS supported security policies that support each cipher.


| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL** – ECDHE-RSA-AES128-GCM-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA256 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA256 **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL** – ECDHE-ECDSA-AES128-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL** – ECDHE-RSA-AES128-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL** – ECDHE-RSA-AES256-GCM-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA384 **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA384 **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL** – ECDHE-ECDSA-AES256-SHA **IANA** – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL** – ECDHE-RSA-AES256-SHA **IANA** – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/network/describe-ssl-policies.html)  | c014 | 

# Update a listener for your Network Load Balancer

You can update the listener protocol, listener port or the target group which receives traffic from the forwarding action. The default action, also known as the default rule, forwards requests to the selected target group.

If you change the protocol from TCP, UDP, or QUIC to TLS, you must specify a security policy and server certificate. If you change the protocol from TLS to TCP, UDP, or QUIC, the security policy and server certificate are removed.

When the target group for the default action of a TCP, TLS, or QUIC listener is updated, new connections are routed to the newly configured target group. This has no effect on active connections that were created before the change: they remain associated with the target in the original target group for up to one hour if traffic is being sent, or until the idle-timeout period elapses if no traffic is sent, whichever occurs first. The `Connection termination on deregistration` setting is not applied when you update the listener, because it applies only when targets are deregistered.

Port updates for QUIC or TCP_QUIC listeners are not allowed. To update the port for listeners that handle QUIC traffic, the listener must be deleted and re-created with the new port.

------
#### [ Console ]

**To update a listener**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Choose the name of the load balancer to open its detail page.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. Choose **Actions**, **Edit listener**.

1. Update the values as needed.
   + (Optional) Change the **Protocol**.
   + (Optional) Change the **Port**.
   + (Optional) Choose different target groups for the **Default action**.
   + (Optional) To add another target group, choose **Add target group** and update the weights as needed.
   + (Optional) To remove a target group, choose **Remove**.

1. (Optional) Add, update, or remove tags as needed.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To update the default action**  
Use the following [modify-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html) command to change the target group.

```
aws elbv2 modify-listener \
    --listener-arn listener-arn \
    --default-actions Type=forward,TargetGroupArn=new-target-group-arn
```

The following example updates a listener with multiple target groups.

```
aws elbv2 modify-listener \
    --listener-arn listener-arn \
    --default-actions '[{
        "Type":"forward",
        "ForwardConfig":{
            "TargetGroups":[
                {"TargetGroupArn":"target-group-1-arn","Weight":10},
                {"TargetGroupArn":"target-group-2-arn","Weight":30}
            ]
        }
    }]'
```

**To add tags**  
Use the [add-tags](https://docs.aws.amazon.com/cli/latest/reference/elbv2/add-tags.html) command. The following example adds two tags.

```
aws elbv2 add-tags \
    --resource-arns listener-arn \
    --tags "Key=project,Value=lima" "Key=department,Value=digital-media"
```

**To remove tags**  
Use the [remove-tags](https://docs.aws.amazon.com/cli/latest/reference/elbv2/remove-tags.html) command. The following example removes the tags with the specified keys.

```
aws elbv2 remove-tags \
    --resource-arns listener-arn \
    --tag-keys project department
```

------
#### [ CloudFormation ]

**To update the default action**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource to include the new target group.

```
Resources:
  myTCPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref newTargetGroup
```

Alternatively, to distribute traffic between multiple target groups, define `DefaultActions` as follows.

```
DefaultActions:
  - Type: forward
    ForwardConfig:
      TargetGroups:
        - TargetGroupArn: !Ref TargetGroup1
          Weight: 10
        - TargetGroupArn: !Ref TargetGroup2
          Weight: 30
```

**To add tags**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource to include the Tags property.

```
Resources:
  myTCPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
      Tags: 
        - Key: 'project'
          Value: 'lima'
        - Key: 'department'
          Value: 'digital-media'
```

------

# Update the TCP idle timeout for your Network Load Balancer listener

For each TCP request made through a Network Load Balancer, the state of that connection is tracked. If no data is sent through the connection by either the client or target for longer than the idle timeout, the connection is closed.

**Considerations**
+ The default idle timeout value for TCP flows is 350 seconds.
+ The connection idle timeout for TLS listeners is 350 seconds and can't be modified.

------
#### [ Console ]

**To update the TCP idle timeout**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select the check box for the Network Load Balancer.

1. On the listeners tab, select the check box for the TCP listener and then choose **Actions**, **View listener details**.

1. On the listener details page, in the **Attributes** tab, select **Edit**. If the listener uses a protocol other than TCP, this tab is not present.

1. Enter a value for **TCP idle timeout** from 60-6000 seconds.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To update the TCP idle timeout**  
Use the [modify-listener-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener-attributes.html) command with the `tcp.idle_timeout.seconds` attribute.

```
aws elbv2 modify-listener-attributes \
    --listener-arn listener-arn \
    --attributes Key=tcp.idle_timeout.seconds,Value=500
```

The following is example output.

```
{
    "Attributes": [
        {
            "Key": "tcp.idle_timeout.seconds",
            "Value": "500"
        }
    ]
}
```

------
#### [ CloudFormation ]

**To update the TCP idle timeout**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource to include the `tcp.idle_timeout.seconds` listener attribute.

```
Resources:
  myTCPListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
      ListenerAttributes:
        - Key: "tcp.idle_timeout.seconds"
          Value: "500"
```

------

# Update a TLS listener for your Network Load Balancer

After you create a TLS listener, you can replace the default certificate, add or remove certificates from the certificate list, update the security policy, or update the ALPN policy.

**Topics**
+ [Replace the default certificate](#replace-default-certificate)
+ [Add certificates to the certificate list](#add-certificates)
+ [Remove certificates from the certificate list](#remove-certificates)
+ [Update the security policy](#update-security-policy)
+ [Update the ALPN policy](#update-alpn-policy)

## Replace the default certificate


You can replace the default certificate for your TLS listener as needed. For more information, see [Default certificate](tls-listener-certificates.md#default-certificate).

------
#### [ Console ]

**To replace the default certificate**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the load balancer.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. On the **Certificates** tab, choose **Change default**.

1. Within the **ACM and IAM certificates** table, select a new default certificate.

1. (Optional) By default, we select **Add previous default certificate to listener certificate list**. We recommend that you keep this option selected, unless you currently have no listener certificates for SNI and rely on TLS session resumption.

1. Choose **Save as default**.

------
#### [ AWS CLI ]

**To replace the default certificate**  
Use the [modify-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html) command.

```
aws elbv2 modify-listener \
    --listener-arn listener-arn \
    --certificates CertificateArn=new-default-certificate-arn
```

------
#### [ CloudFormation ]

**To replace the default certificate**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource with the new default certificate.

```
Resources:
  myTLSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TLS
      Port: 443
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
      Certificates:
        - CertificateArn: "new-default-certificate-arn"
```

------

## Add certificates to the certificate list


You can add certificates to the certificate list for your listener using the following procedure. When you first create a TLS listener, the certificate list is empty. You can add the default certificate to the certificate list to ensure that this certificate is used with the SNI protocol even if it is replaced as the default certificate. For more information, see [Certificate list](tls-listener-certificates.md#sni-certificate-list).

------
#### [ Console ]

**To add certificates to the certificate list**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Choose the name of the load balancer to open its detail page.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. Choose the **Certificates** tab.

1. To add the default certificate to the list, choose **Add default to list**.

1. To add nondefault certificates to the list, do the following:

   1. Choose **Add certificate**.

   1. To add certificates that are already managed by ACM or IAM, select the check boxes for the certificates and choose **Include as pending below**.

   1. To add a certificate that isn't managed by ACM or IAM, choose **Import certificate**, complete the form, and choose **Import**.

   1. Choose **Add pending certificates**.

------
#### [ AWS CLI ]

**To add certificates to the certificate list**  
Use the [add-listener-certificates](https://docs.aws.amazon.com/cli/latest/reference/elbv2/add-listener-certificates.html) command.

```
aws elbv2 add-listener-certificates \
    --listener-arn listener-arn \
    --certificates \
        CertificateArn=certificate-arn-1 \
        CertificateArn=certificate-arn-2 \
        CertificateArn=certificate-arn-3
```

------
#### [ CloudFormation ]

**To add certificates to the certificate list**  
Define a resource of type [AWS::ElasticLoadBalancingV2::ListenerCertificate](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listenercertificate.html).

```
Resources: 
  myCertificateList:
    Type: 'AWS::ElasticLoadBalancingV2::ListenerCertificate'
    Properties:
      ListenerArn: !Ref myTLSListener
      Certificates:
        - CertificateArn: "certificate-arn-1"
        - CertificateArn: "certificate-arn-2"
        - CertificateArn: "certificate-arn-3"

  myTLSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TLS
      Port: 443
      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
      Certificates:
        - CertificateArn: "certificate-arn-1"
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

------

## Remove certificates from the certificate list


You can remove certificates from the certificate list for a TLS listener using the following procedure. After you remove a certificate, the listener can no longer create connections using that certificate. To ensure that clients are not impacted, add a new certificate to the list and confirm that connections are working before you remove a certificate from the list.

To remove the default certificate for a TLS listener, see [Replace the default certificate](#replace-default-certificate).
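The safe order described above (add the replacement, confirm connections work, then remove the old certificate, and replace rather than remove a default certificate) can be encoded so that it is not left to memory during a rotation. The following Python is an added example, not AWS code; it consumes a list in the shape returned by `aws elbv2 describe-listener-certificates` (objects with `CertificateArn` and `IsDefault`) and emits the `elbv2` commands from this page in the correct order. All ARNs in it are constructed placeholders.

```python
"""Plan a no-gap certificate rotation on a TLS listener (added example, not AWS code).

`current` follows the shape of `aws elbv2 describe-listener-certificates` output:
a list of {"CertificateArn": ..., "IsDefault": bool}. ARNs are constructed placeholders.
"""


def plan_rotation(current: list, old_arn: str, new_arn: str) -> list:
    """Return ordered (action, certificate ARN) steps that replace old_arn with new_arn.

    Order follows the page's guidance: add the new certificate, confirm connections
    work with it, and only then remove the old one. A default certificate cannot be
    dropped with remove-listener-certificates, so it is first replaced as the default.
    """
    by_arn = {c["CertificateArn"]: c for c in current}
    if old_arn not in by_arn:
        raise ValueError(f"{old_arn} is not attached to the listener")
    if old_arn == new_arn:
        raise ValueError("old and new certificate are the same")

    steps = []
    if new_arn not in by_arn:
        steps.append(("add", new_arn))
    steps.append(("verify", new_arn))  # operator confirms clients negotiate the new cert
    if by_arn[old_arn].get("IsDefault"):
        steps.append(("set-default", new_arn))
    # Removal is always last; it applies only if old_arn is still on the certificate list.
    steps.append(("remove", old_arn))
    return steps


def to_commands(listener_arn: str, steps: list) -> list:
    """Render the steps as the elbv2 CLI invocations shown on this page."""
    templates = {
        "add": "aws elbv2 add-listener-certificates --listener-arn {l} --certificates CertificateArn={c}",
        "verify": "# confirm that clients are served {c} before continuing",
        "set-default": "aws elbv2 modify-listener --listener-arn {l} --certificates CertificateArn={c}",
        "remove": "aws elbv2 remove-listener-certificates --listener-arn {l} --certificates CertificateArn={c}",
    }
    return [templates[action].format(l=listener_arn, c=arn) for action, arn in steps]


# Constructed sample: one default certificate plus one SNI certificate on the listener.
CURRENT = [
    {"CertificateArn": "certificate-arn-default", "IsDefault": True},
    {"CertificateArn": "certificate-arn-sni", "IsDefault": False},
]

if __name__ == "__main__":
    plan = plan_rotation(CURRENT, "certificate-arn-sni", "certificate-arn-new")
    for line in to_commands("listener-arn", plan):
        print(line)
```

The `verify` step is deliberately a manual checkpoint: the planner never emits the removal before it, which is the property the page asks you to preserve so that clients are not impacted.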

------
#### [ Console ]

**To remove certificates from the certificate list**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Choose the name of the load balancer to open its detail page.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. On the **Certificates** tab, select the check boxes for the certificates and choose **Remove**.

1. When prompted for confirmation, enter **confirm** and choose **Remove**.

------
#### [ AWS CLI ]

**To remove certificates from the certificate list**  
Use the [remove-listener-certificates](https://docs.aws.amazon.com/cli/latest/reference/elbv2/remove-listener-certificates.html) command.

```
aws elbv2 remove-listener-certificates \
    --listener-arn listener-arn \
    --certificates CertificateArn=certificate-arn
```

------

## Update the security policy


When you create a TLS listener, you can select the security policy that meets your needs. When a new security policy is added, you can update your TLS listener to use the new security policy. Network Load Balancers do not support custom security policies. For more information, see [Security policies for your Network Load Balancer](describe-ssl-policies.md).

Updating the security policy can result in disruptions if the load balancer is handling a high volume of traffic. To decrease the possibility of disruptions when your load balancer is handling a high volume of traffic, create an additional load balancer to help handle the traffic or request an LCU reservation.

------
#### [ Console ]

**To update the security policy**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Choose the name of the load balancer to open its detail page.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. Choose **Actions**, **Edit listener**.

1. In the **Secure listener settings** section, under **Security policy**, choose a new security policy.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To update the security policy**  
Use the [modify-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html) command.

```
aws elbv2 modify-listener \
    --listener-arn listener-arn \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-Res-2021-06
```

------
#### [ CloudFormation ]

**To update the security policy**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource with the new security policy.

```
Resources:
  myTLSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TLS
      Port: 443
      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
      Certificates:
        - CertificateArn: "default-certificate-arn"
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

------

## Update the ALPN policy


You can update the ALPN policy for your TLS listener as needed. For more information, see [ALPN policies](load-balancer-listeners.md#alpn-policies).

------
#### [ Console ]

**To update the ALPN policy**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Choose the name of the load balancer to open its detail page.

1. On the **Listeners** tab, choose the text in the **Protocol:Port** column to open the detail page for the listener.

1. Choose **Actions**, **Edit listener**.

1. In the **Secure listener settings** section, for **ALPN policy**, choose a policy to enable ALPN or choose **None** to disable ALPN.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To update the ALPN policy**  
Use the [modify-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-listener.html) command.

```
aws elbv2 modify-listener \
    --listener-arn listener-arn \
    --alpn-policy HTTP2Preferred
```

------
#### [ CloudFormation ]

**To update the ALPN policy**  
Update the [AWS::ElasticLoadBalancingV2::Listener](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-listener.html) resource to include the ALPN policy.

```
Resources:
  myTLSListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      LoadBalancerArn: !Ref myLoadBalancer
      Protocol: TLS
      Port: 443
      SslPolicy: "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
      AlpnPolicy:
        - HTTP2Preferred
      Certificates:
        - CertificateArn: "certificate-arn"
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref myTargetGroup
```

------

# Delete a listener for your Network Load Balancer

Before you delete a listener, consider the impact on your application:
+ [TCP and TLS listeners] The load balancer immediately stops accepting new connections on the listener. Any TLS handshakes in progress might fail. Existing connections remain open until they naturally close or time out. In-flight requests on existing connections complete successfully.
+ [UDP and QUIC listeners] Any packets in transit might not reach their destination.

------
#### [ Console ]

**To delete a listener**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the check box for the load balancer.

1. On the **Listeners** tab, select the check box for the listener, and then choose **Actions**, **Delete listener**.

1. When prompted for confirmation, enter **confirm** and choose **Delete**.

------
#### [ AWS CLI ]

**To delete a listener**  
Use the [delete-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/delete-listener.html) command.

```
aws elbv2 delete-listener \
    --listener-arn listener-arn
```

------