Create and manage listeners


A listener checks for connection requests. You can create listeners for an Application Load Balancer (ALB) instance to forward client requests.

Select a listener protocol

Before you create a listener, select a listener protocol that suits your business needs. Application Load Balancer (ALB) supports three Layer 7 listener protocols: HTTP, HTTPS, and QUIC. The following table describes the use cases and configuration requirements of each protocol.

HTTP

  • Use cases: Applications that require content inspection, such as web applications and mobile casual games.

  • SSL certificate required: No

  • Supported backend protocols: HTTP, HTTPS

  • Features: Supports the WebSocket protocol by default.

HTTPS

  • Use cases: Applications that require encrypted data transmission. Establishes SSL/TLS encrypted sessions between the ALB instance and clients.

  • SSL certificate required: Yes (a server certificate is required; a CA certificate is also required for mutual authentication).

  • Supported backend protocols: HTTP, HTTPS, gRPC (requires HTTP/2 to be enabled)

  • Features: Supports HTTP/2, mutual authentication (with a CA certificate), TLS security policies, and QUIC upgrades. Supports the WebSocket Secure (WSS) protocol by default.

QUIC

  • Use cases: Scenarios with weak network signals or frequent switching between Wi-Fi and mobile networks. Effectively mitigates network and video stuttering, improves access efficiency for audio and video resources, and ensures secure data transmission.

  • SSL certificate required: Yes (a server certificate is required)

  • Supported backend protocols: HTTP

  • Features: Runs over UDP, establishes connections faster, and supports connection migration (connections stay alive during network switches). You can use it alone or together with an HTTPS listener.

Learn about the QUIC protocol

QUIC overview

QUIC, also known as the Quick UDP Internet Connections protocol, provides security equivalent to SSL and offers advantages such as multiplexing. It performs well in weak network conditions and can still provide a usable service even with significant packet loss and network latency. The QUIC protocol allows implementing different congestion control algorithms at the application layer without requiring support from the operating system or kernel. This makes it more flexible to modify compared to the traditional TCP protocol, making it suitable for services where TCP optimization has hit a bottleneck.

With the rapid growth of new services like short-form video and live streaming, media transmission now requires both high bandwidth and low latency. The QUIC protocol can effectively resolve network and video buffering issues, improve audio and video resource access, and ensure the security of data transmissions.

QUIC protocol types

ALB supports gQUIC and iQUIC. HTTP/3 is an application-layer protocol built on iQUIC. It relies on iQUIC for features such as multiplexing, congestion control, loss detection, and retransmission. HTTP/3 starts client connections faster, eliminates head-of-line blocking in multiplexed streams, and supports connection migration when the client IP address changes.

  • ALB supports gQUIC protocol versions Q46, Q43, and Q39, which correspond to Chrome browser versions 74 to 81.

  • ALB supports HTTP/3 protocol version h3, which corresponds to Chrome browser version 87 and later.

Use cases for QUIC listeners

  • Use a QUIC listener alone: All clients must support the HTTP/3 protocol.

  • Use a QUIC listener with an HTTPS listener: If some clients do not support HTTP/3, ALB negotiates the protocol with each client and prefers HTTP/3. If negotiation fails, ALB falls back to HTTPS or HTTP/2.

Prerequisites

Create a listener

You can create a listener in one of two ways:

  • Create Listener: A step-by-step wizard that supports custom advanced configurations.

  • Quick Create Listener: A simplified method where you only need to configure the listener protocol, listener port, and server group. For HTTPS and QUIC listeners, you must also configure a server certificate. For HTTPS listeners, you must also select a TLS security policy.

Console

Step 1: Configure Listener

  1. Go to the Instances page in the ALB console, click the ID of the target instance, and then click Create Listener on the Listener tab.

  2. In the Configure Listener wizard, configure the following settings and click Next.

    • Listener Protocol: Select HTTP, HTTPS, or QUIC.

    • Listener Port: Valid values are 1 to 65535. HTTP typically uses port 80, and HTTPS typically uses port 443.

      Within the same ALB instance, listeners with the same protocol cannot use the same port. Additionally, HTTP and HTTPS listeners cannot use the same port.

    • Listener Name: Enter a custom name for the listener.

    • Tags: Tag the listener with key-value pairs.

    • Advanced Settings: Click Modify to expand.

    • Enable HTTP/2: This option is supported only for HTTPS listeners.

    • Idle Connection Timeout Period: Valid values are 1 to 600 seconds. The default value is 15 seconds. After this period, ALB closes the connection. To request a higher maximum timeout, go to Quota Center.

      If the listener protocol is HTTP, the idle timeout does not apply to HTTP/2 requests.

    • Connection Request Timeout: Valid values are 1 to 600 seconds. The default value is 60 seconds. If the timeout is exceeded, ALB returns an HTTP 504 error. To request a higher maximum timeout, go to Quota Center.

    • Compression: When enabled, this feature compresses response content if its Content-Length exceeds 1024 bytes. This feature supports Brotli (all types) and Gzip (Level 4). If a client supports both, Brotli is prioritized.

      Supported Gzip types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

    • Retrieve Client IP: If enabled, ALB extracts the real client IP from the X-Forwarded-For header. This requires you to configure a trusted IP list:

      • 0.0.0.0/0: Obtains the leftmost address from the X-Forwarded-For header.

      • proxy1 IP;proxy2 IP;..: Reads the X-Forwarded-For values from right to left and takes the first value that is not in the list.

      If this feature is enabled, forwarding rules that use SourceIp matching and the QPS (Per Client IP) action will use the real client IP.

      This option is not supported by QUIC listeners.

      This feature is available only for Standard and WAF-enabled Edition instances. It is not supported by Basic Edition instances.

    • Add HTTP Header: Select the HTTP headers to add for retrieving information such as the client IP address, listener protocol, and listener port. For more information about each header, see HTTP headers.

    • QUIC Upgrade: This option applies when you use an HTTPS listener with a QUIC listener. In the Associated QUIC Listeners dropdown list, select a pre-existing QUIC listener. When this option is enabled, ALB advertises the HTTP/3 protocol to clients. Clients that support HTTP/3 use the QUIC listener, while those that do not automatically fall back to HTTPS.

      This option is supported only for HTTPS listeners.
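The Retrieve Client IP setting above decides which address SourceIp forwarding rules and the QPS (Per Client IP) action act on, so it is worth seeing what each trusted-IP list actually selects. The following is an added example, not ALB code: it models the two documented rules (0.0.0.0/0 takes the leftmost header value; an explicit proxy list takes the first value from the right that is not a trusted proxy). The function and variable names are this example's own, accepting CIDR blocks in the proxy list is an assumption, and the fallback to the connecting peer when every header value is trusted is an assumption the page does not spell out. All addresses are constructed documentation-range values.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional


def parse_trusted_list(spec: str):
    """Parse a trusted-IP list in the console's 'proxy1 IP;proxy2 IP;..' form.

    Single addresses become /32 (or /128) networks. Accepting CIDR blocks as
    entries is an assumption of this example, not a documented ALB behaviour.
    """
    return [ip_network(item.strip(), strict=False)
            for item in spec.split(";") if item.strip()]


def resolve_client_ip(xff_header: Optional[str], peer_ip: str, trusted_spec: str) -> str:
    """Return the address that the documented rules select as the real client IP.

    xff_header  : X-Forwarded-For value as received by the listener (may be None)
    peer_ip     : address of the hop that actually opened the connection to ALB
    trusted_spec: the console's trusted-IP list ('0.0.0.0/0' or 'a;b;c')
    """
    values: List[str] = [v.strip() for v in (xff_header or "").split(",") if v.strip()]
    trusted = parse_trusted_list(trusted_spec)

    # Rule 1 (0.0.0.0/0): take the leftmost header value. Any client can put
    # its own X-Forwarded-For on a request, so this value is client-controlled
    # and rate limits or SourceIp rules keyed on it can be evaded.
    if any(net.prefixlen == 0 for net in trusted):
        return values[0] if values else peer_ip  # empty-header fallback: assumption

    # Rule 2 (explicit proxy list): walk right to left; the first value that is
    # not a trusted proxy is the client. Anything further left was supplied
    # before the request reached a proxy we trust, so it is ignored.
    for value in reversed(values):
        try:
            addr = ip_address(value)
        except ValueError:
            # A token that is not an address cannot be a trusted proxy, so it is
            # the selected value; callers should validate it before keying on it.
            return value
        if not any(addr in net for net in trusted):
            return value

    # Every value came from a trusted proxy, or the header was absent: fall
    # back to the connecting peer (assumption; the page does not cover this).
    return peer_ip


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 -> trusted CDN node 198.51.100.9 -> ALB.
    # The client also injected a spoofed leftmost value of 192.0.2.1.
    header = "192.0.2.1, 203.0.113.7, 198.51.100.9"
    peer = "198.51.100.10"
    print("0.0.0.0/0        ->", resolve_client_ip(header, peer, "0.0.0.0/0"))
    print("198.51.100.0/24  ->", resolve_client_ip(header, peer, "198.51.100.0/24"))
```

With 0.0.0.0/0 the spoofed 192.0.2.1 is selected, whereas listing only the CDN's address range yields 203.0.113.7, the address the trusted proxy appended. Keep the trusted list limited to proxies that are known to append X-Forwarded-For in front of the ALB instance.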

Step 2: Configure SSL Certificate (for HTTPS and QUIC listeners)

Server certificate

  • Description: Proves the identity of the server and is validated by the client to ensure it is trusted. For more information, see What is an SSL certificate?

  • Required for one-way authentication: Yes

  • Required for mutual authentication: Yes

CA certificate

  • Description: The server uses the CA certificate to verify the signature of the client certificate. If verification fails, the connection is rejected.

  • Required for one-way authentication: No

  • Required for mutual authentication: Yes

  • A new certificate typically takes one to three minutes to take effect after it is applied.

  • QUIC listeners only require a server certificate and do not support mutual authentication.

  • If you need to support multiple domains or use multiple server certificates, you can add additional certificates to the listener.

  1. In the Configure SSL Certificate wizard, select a Server Certificate.

    If no server certificates are available for selection, click Create SSL Certificate to go to Certificate Management Service, where you can purchase or upload a server certificate.

  2. For HTTPS listeners only: Select a TLS Security Policy.

    The system provides multiple predefined policies. If you want to customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

  3. For HTTPS listeners only (optional): Turn on Enable Mutual Authentication, then select a CA certificate source and a CA certificate.

    • Set CA Certificate Source to Alibaba Cloud, and select a CA certificate from the Default CA Certificate dropdown list. If no CA certificates are available, click Purchase CA Certificate to create a new CA certificate.

    • Set CA Certificate Source to Third-party, and select a CA certificate from the Default CA Certificate dropdown list. If no CA certificates are available, click Upload Self-signed CA Certificate to upload a self-signed CA certificate by using the certificate repository.

    Mutual authentication is available only for Standard and WAF-enabled Edition instances. It is not supported by Basic Edition instances.

Step 3: Select server group

In the Select Server Group wizard, select a server group, review the backend server information, and then click Next.

Step 4: Configuration review

On the Configuration Review page, confirm the settings and click Submit.
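The wizard enforces the constraints from Steps 1 and 2 interactively, but listener definitions that are kept in code or reviewed before an API call benefit from the same checks up front. The following pre-flight validator is an added example, not ALB's own code or the CreateListener API: it encodes the documented rules (port range, HTTP/HTTPS port conflicts within one instance, certificate and TLS policy requirements, HTTP/2, mutual authentication and QUIC upgrade being HTTPS-only, Retrieve Client IP being unavailable on QUIC, and the default 1 to 600 second timeout range). The dataclass field names are this example's own, not API parameter names, and all IDs in the demo are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ListenerSpec:
    """A listener definition in this example's own field names (not API parameters)."""
    protocol: str                             # "HTTP", "HTTPS" or "QUIC"
    port: int
    server_group_id: str
    certificate_id: Optional[str] = None      # server certificate (HTTPS and QUIC)
    security_policy_id: Optional[str] = None  # TLS security policy (HTTPS)
    http2_enabled: bool = False
    idle_timeout: int = 15                    # seconds; default stated on the page
    request_timeout: int = 60                 # seconds; default stated on the page
    mutual_auth: bool = False
    ca_certificate_id: Optional[str] = None
    quic_upgrade_listener_id: Optional[str] = None
    retrieve_client_ip: bool = False


def validate_listener(spec: ListenerSpec,
                      existing: Iterable[Tuple[str, int]] = (),
                      max_timeout: int = 600) -> List[str]:
    """Return the documented rules the spec violates; an empty list means it passes.

    `existing` holds (protocol, port) pairs of listeners already on the same ALB
    instance. `max_timeout` is the default quota; raise it only if the
    alb_quota_max_idle_timeout / alb_quota_max_request_timeout quotas were raised.
    """
    errors: List[str] = []
    if spec.protocol not in ("HTTP", "HTTPS", "QUIC"):
        errors.append(f"unsupported listener protocol {spec.protocol!r}")
    if not 1 <= spec.port <= 65535:
        errors.append(f"listener port {spec.port} is outside 1-65535")
    if not spec.server_group_id:
        errors.append("a server group is required")

    # Same protocol on the same port is not allowed, and HTTP/HTTPS may not
    # share a port either; QUIC (UDP) may share a port with HTTPS.
    for proto, port in existing:
        same_protocol = proto == spec.protocol
        http_https_clash = {proto, spec.protocol} == {"HTTP", "HTTPS"}
        if port == spec.port and (same_protocol or http_https_clash):
            errors.append(f"port {port} is already used by a {proto} listener on this instance")

    if spec.protocol in ("HTTPS", "QUIC") and not spec.certificate_id:
        errors.append(f"{spec.protocol} listeners require a server certificate")
    if spec.protocol == "HTTPS" and not spec.security_policy_id:
        errors.append("HTTPS listeners require a TLS security policy")
    if spec.http2_enabled and spec.protocol != "HTTPS":
        errors.append("HTTP/2 can be enabled only on HTTPS listeners")

    for name, value in (("idle timeout", spec.idle_timeout),
                        ("request timeout", spec.request_timeout)):
        if not 1 <= value <= max_timeout:
            errors.append(f"{name} of {value}s is outside 1-{max_timeout}s")

    if spec.mutual_auth:
        if spec.protocol != "HTTPS":
            errors.append("mutual authentication is available only on HTTPS listeners")
        elif not spec.ca_certificate_id:
            errors.append("mutual authentication requires a CA certificate")
    if spec.quic_upgrade_listener_id and spec.protocol != "HTTPS":
        errors.append("QUIC upgrade can be configured only on an HTTPS listener")
    if spec.retrieve_client_ip and spec.protocol == "QUIC":
        errors.append("Retrieve Client IP is not supported on QUIC listeners")
    return errors


if __name__ == "__main__":
    # Constructed placeholders; an instance that already has an HTTP listener on port 80.
    already_present = [("HTTP", 80)]
    https = ListenerSpec("HTTPS", 443, "sgp-placeholder", certificate_id="cert-placeholder",
                         security_policy_id="policy-placeholder", http2_enabled=True)
    quic = ListenerSpec("QUIC", 443, "sgp-placeholder", http2_enabled=True,
                        retrieve_client_ip=True)  # missing certificate, two HTTPS-only options
    for candidate in (https, quic):
        print(candidate.protocol, validate_listener(candidate, already_present) or "OK")
```

Run the checks against the listeners already on the instance before calling CreateListener; the QUIC candidate above reports three violations, while the HTTPS one passes.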

Quick Create Listener

  1. Go to the Instances page in the ALB console, click the ID of the target instance, and then click Quick Create Listener on the Listener tab.

  2. In the Quick Create Listener dialog box, configure the following parameters and then click OK.

    • Listener Protocol: Select HTTP, HTTPS, or QUIC.

    • Listener Port: Valid values are 1 to 65535. HTTP typically uses port 80, and HTTPS typically uses port 443.

    • Server Certificate (for HTTPS and QUIC listeners): Select a server certificate. If no server certificates are available for selection, click Create SSL Certificate to go to Certificate Management Service, where you can purchase or upload a server certificate.

    • TLS Security Policy (for HTTPS listeners only): Select a TLS security policy. If you want to customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

    • Server Group: Select a backend server group type and backend servers.

API

Use the CreateListener operation to create a listener.

Modify a listener

You cannot modify the listener protocol or listener port after creating a listener. To change them, you must delete the listener and create a new one.

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to modify its basic information:

    • Click the listener ID or click View Details in the Actions column. On the Listener Details tab, click Modify Listener in the Basic Information section.

    • In the Actions column, choose More > Modify Listener.

  3. In the Modify Listener dialog box, modify the listener name or advanced settings, and then click Save.

API

Use the UpdateListenerAttribute operation to update the listener's configuration.

Start or stop a listener

After you start or stop a listener, it briefly enters the Configuring state. During this time, you cannot delete, edit, or change its server group.

Warning

Stopping a listener interrupts traffic. Proceed with caution.

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to start or stop it:

    • In the Actions column, choose More > Enable or Disable. In the dialog box that appears, click OK.

    • Click the listener ID, and then click Enable or Disable in the upper-right corner of the Listener Details tab.

API

Change the server group

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance.

  2. Click the Listener tab, find the target listener, and use one of the following methods to change the server group:

    • In the Actions column, choose More > Change Server Group (Default Forwarding Rule).

    • Click the listener ID. In the Server Group (Default Forwarding Rule) section of the Listener Details tab, click Change Server Group (Default Forwarding Rule).

  3. In the dialog box that appears, select the server group that you want to use, or click Create Server Group in the drop-down list to create a new server group and select it. Then, click Save.

API

Use the UpdateListenerAttribute operation to update the listener's configuration, which includes changing the server group.

Manage certificates

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance. On the Listener tab, find the target HTTPS or QUIC listener and click Manage Certificates in the Actions column.

  2. On the Certificates page, you can replace the server certificate, add or remove additional certificates, and more. For specific operations, see Manage certificates.

API

Modify TLS security policy (HTTPS listeners only)

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance. On the Listener tab, find the target HTTPS listener and click the listener ID to go to the Listener Details page.

  2. On the Listener Details tab, find the SSL Certificate section and click the edit icon to the right of TLS Security Policy.

  3. In the Modify TLS Security Policy dialog box that appears, select a TLS security policy and click Save.

    The system provides multiple predefined policies. If you want to customize the TLS protocol versions and cipher suites, click Create TLS Security Policy and then Create Custom Policy. For more information, see TLS security policies.

API

Call UpdateListenerAttribute to update the listener configuration, and use the SecurityPolicyId parameter to specify the TLS security policy.

Manage distributed tracing

Distributed tracing is supported only for Standard and WAF-enabled Edition ALB instances. For a detailed description and instructions on how to enable distributed tracing, see Analyze end-to-end requests by using ALB distributed tracing.

After you enable distributed tracing, fees are incurred for Managed Service for OpenTelemetry and Log Service.

  1. Go to the Instances page in the ALB console and click the ID of the target instance. On the Listener tab, find the target listener and click the listener ID.

  2. In the Tracing section of the Listener Details tab, perform the following operations as needed:

    • Enable distributed tracing: Turn on the Tracing switch. In the Enable Tracing dialog box, configure the parameters and click Save.

    • Edit distributed tracing: Click Edit Tracing Settings. In the dialog box, modify the Sampling Rate and click Save.

    • Disable distributed tracing: Turn off the Tracing switch. In the Disable Tracing dialog box, click OK.

    • View traces: Click View to the right of Trace Analysis to go to the Managed Service for OpenTelemetry console and view request data. For more information, see Trace analysis.

Delete a listener

Console

  1. Go to the Instances page in the ALB console and click the ID of the target instance. On the Listener tab, find the target listener and choose More > Delete in the Actions column.

  2. In the dialog box that appears, click OK.

API

Use the DeleteListener operation to delete a listener.

Billing

Listeners are not billed separately. However, their traffic and forwarding rule configurations affect LCU charges. For the billing rules of ALB instances, see ALB billing.

Quotas

alb_quota_loadbalancer_listeners_num_basic_edition

  • Description: The maximum number of listeners that you can add to a Basic Edition ALB instance

  • Default: 50

  • Maximum: 80

  • Adjustable: Yes

alb_quota_loadbalancer_listeners_num_standard_edition

  • Description: The maximum number of listeners that you can add to a Standard Edition ALB instance

  • Default: 50

  • Maximum: 100

alb_quota_loadbalancer_listeners_num_standardwithwaf_edition

  • Description: The maximum number of listeners that you can add to a WAF-enabled Edition ALB instance

  • Default: 50

  • Maximum: 100

alb_quota_max_idle_timeout

  • Description: The maximum idle timeout that you can configure for a listener

  • Default: 600 seconds

  • Maximum: 3,600 seconds

alb_quota_max_request_timeout

  • Description: The maximum request timeout that you can configure for a listener

  • Default: 600 seconds

  • Maximum: 3,600 seconds

Only upgraded ALB instances support raising the alb_quota_max_request_timeout and alb_quota_max_idle_timeout quotas to the maximum of 3,600 seconds. Instances that have not been upgraded support a maximum of 900 seconds.