Elastic Load Balancing
Developer Guide

Configure an HTTPS Listener for Your Load Balancer

If you have a load balancer, you can add a new listener that accepts HTTPS requests on port 443 for both the front-end and back-end connections.

For information about creating a new HTTPS listener, see Create an HTTPS Load Balancer.

Prerequisites

To enable HTTPS support for an HTTPS listener, you must deploy an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. If you do not have an SSL certificate, you can create one. For more information, see SSL Certificates for Elastic Load Balancing.

Add an HTTPS Listener Using the Console

You can add an HTTPS listener to an existing load balancer.

To add an HTTPS listener to your load balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under LOAD BALANCING, click Load Balancers.

  3. Select your load balancer.

  4. In the bottom pane, select the Listeners tab.

  5. Click Edit.

  6. In the Edit Listeners dialog box, click Add.

  7. In the Load Balancer Protocol column, select HTTPS (Secure HTTP). This updates the Load Balancer Port, Instance Protocol, and Instance Port columns. In the Instance Protocol column, select HTTPS (Secure HTTP). This also updates the Instance Port column.

  8. By default, Elastic Load Balancing selects the current predefined security policy, ELBSecurityPolicy-2015-05, for your HTTPS/SSL listener. This is the recommended setting. This policy uses server order preference (see Predefined SSL Security Policies) to negotiate SSL connections.

    In the Cipher column, click Change, and then do one of the following:

    • (Recommended) Ensure that Predefined Security Policy is selected and set to ELBSecurityPolicy-2015-05, and then click Save.

    • Click Predefined Security Policy, select a policy, and then click Save.

    • Click Custom and enable at least one protocol and one cipher. Under SSL Protocols, select one or more protocols to enable or disable. Under SSL Options, leave Server Order Preference selected, unless you do not want to use server order preference for SSL negotiation. Under SSL Ciphers, select one or more ciphers to enable or disable. Click Save.

      Tip

      The DSA and RSA ciphers are specific to the signing algorithm. If you already have an SSL certificate, you must enable the cipher that was used to create the certificate.

  9. If you already have a certificate deployed on your load balancer and want to continue using it, you can skip this step.

    In the SSL Certificate column, click Change, and then do one of the following:

    • If you have a certificate from AWS Certificate Manager, select Choose an existing certificate from AWS Certificate Manager (ACM), select the certificate from ACM Certificate, and then click Save.

      Note

      This option is available only in regions that support AWS Certificate Manager.

    • If you have already uploaded a certificate using IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM), select the certificate from Certificate Name, and then click Save.

    • If you have an SSL certificate to upload, select Upload a new SSL Certificate to AWS Identity and Access Management (IAM). Enter the name of the certificate. In Private Key, copy and paste the contents of the private key file (PEM-encoded). In Public Key Certificate, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

  10. (Optional) Click Add to add additional listeners.

  11. Click Save to add the listeners you just configured.

Add an HTTPS Listener Using the AWS CLI

You can add an HTTPS listener to an existing load balancer.

To add an HTTPS listener to your load balancer using the AWS CLI

  1. Get the Amazon Resource Name (ARN) of the SSL certificate. For example:

    ACM

    arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

    IAM

    arn:aws:iam::123456789012:server-certificate/my-server-certificate

  2. Use the following create-load-balancer-listeners command to add the listener to your load balancer:

    aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=ARN

  3. (Optional) You can use the following describe-load-balancers command to view the updated details of your load balancer:

    aws elb describe-load-balancers --load-balancer-name my-load-balancer

    The following is an example response:

    {
        "LoadBalancerDescriptions": [
            {
                ...
                "ListenerDescriptions": [
                    {
                        "Listener": {
                            "InstancePort": 443, 
                            "SSLCertificateId": "ARN", 
                            "LoadBalancerPort": 443, 
                            "Protocol": "HTTPS", 
                            "InstanceProtocol": "HTTPS"
                        }, 
                        "PolicyNames": [
                            "ELBSecurityPolicy-2015-05"
                        ]
                    }, 
                    {
                        "Listener": {
                            "InstancePort": 80, 
                            "LoadBalancerPort": 80, 
                            "Protocol": "HTTP", 
                            "InstanceProtocol": "HTTP"
                        }, 
                        "PolicyNames": []
                    }
                ], 
                ...
            }
        ]
    }
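The describe-load-balancers response above is the place to verify the result of steps 1 and 2 and of the security-policy choice in the console procedure. The following Python script is an added example, not part of this guide or of the AWS CLI: it reads that response shape and reports any HTTPS listener whose certificate id is not an ACM or IAM server-certificate ARN (the two forms shown in step 1), any HTTPS listener with no SSL negotiation policy or with a policy other than ELBSecurityPolicy-2015-05, any HTTPS listener whose back-end connection is plaintext, and any plaintext front-end listener. The embedded responses, the load balancer name, the account id and the certificate ARN are constructed placeholders.

```python
"""Audit ELB listener descriptions for HTTPS configuration problems.

Added example (not AWS code). Input is the JSON printed by
`aws elb describe-load-balancers`; the samples below are constructed.
"""
import json
import re

# Predefined policy this guide recommends for HTTPS/SSL listeners.
RECOMMENDED_POLICY = "ELBSecurityPolicy-2015-05"

# Certificate ARN shapes from step 1 of the CLI procedure.
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:server-certificate/[\w+=,.@-]+$")

# Constructed response mirroring the one shown in step 3 (placeholder
# account id and certificate id, not real resources).
SAMPLE_RESPONSE = json.dumps({
    "LoadBalancerDescriptions": [{
        "LoadBalancerName": "my-load-balancer",
        "ListenerDescriptions": [
            {"Listener": {"InstancePort": 443, "LoadBalancerPort": 443,
                          "Protocol": "HTTPS", "InstanceProtocol": "HTTPS",
                          "SSLCertificateId": "arn:aws:acm:us-east-1:123456789012:"
                                              "certificate/12345678-1234-1234-1234-123456789012"},
             "PolicyNames": ["ELBSecurityPolicy-2015-05"]},
            {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
                          "Protocol": "HTTP", "InstanceProtocol": "HTTP"},
             "PolicyNames": []},
        ],
    }]
})

# Constructed response for a listener saved with a placeholder certificate
# id, no negotiation policy, and a plaintext back-end connection.
UNSAFE_RESPONSE = json.dumps({
    "LoadBalancerDescriptions": [{
        "LoadBalancerName": "my-load-balancer",
        "ListenerDescriptions": [
            {"Listener": {"InstancePort": 80, "LoadBalancerPort": 443,
                          "Protocol": "HTTPS", "InstanceProtocol": "HTTP",
                          "SSLCertificateId": "ARN"},
             "PolicyNames": []},
        ],
    }]
})


def audit_listeners(response_json: str) -> list:
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    data = json.loads(response_json)
    for lb in data.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "<unnamed>")
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            tag = f"{name}:{listener['LoadBalancerPort']}"
            front = listener["Protocol"].upper()
            if front not in ("HTTPS", "SSL"):
                findings.append(f"{tag}: front-end listener is plaintext {front}")
                continue
            cert = listener.get("SSLCertificateId", "")
            if not (ACM_ARN.match(cert) or IAM_ARN.match(cert)):
                findings.append(f"{tag}: certificate id {cert!r} is not an ACM or IAM "
                                "server-certificate ARN")
            policies = desc.get("PolicyNames", [])
            if not policies:
                findings.append(f"{tag}: HTTPS listener has no SSL negotiation policy")
            elif RECOMMENDED_POLICY not in policies:
                findings.append(f"{tag}: uses {policies} instead of {RECOMMENDED_POLICY}; "
                                "review its enabled protocols and ciphers")
            back = listener["InstanceProtocol"].upper()
            if back not in ("HTTPS", "SSL"):
                findings.append(f"{tag}: back-end connection is plaintext {back}; "
                                "TLS is terminated at the load balancer")
    return findings


if __name__ == "__main__":
    for label, response in (("sample", SAMPLE_RESPONSE), ("unsafe", UNSAFE_RESPONSE)):
        print(label)
        for finding in audit_listeners(response) or ["  no findings"]:
            print(" ", finding)
```

To run it against a real load balancer, pipe the CLI output in and call `audit_listeners` on the text (for example `audit_listeners(sys.stdin.read())`); the plaintext port 80 listener in the page's own example is reported, which is expected if that listener is intentionally kept for redirects, and the HTTPS listener passes all four checks.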