Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Configure an HTTPS Listener for Your Load Balancer

If you have a load balancer, you can add a new listener that accepts HTTPS requests on port 443 for both the front-end and back-end connections.

For information about creating a new HTTPS listener, see Create an HTTPS Load Balancer.

Prerequisites

If you do not have an SSL certificate, you can create and upload it. For more information, see SSL Certificates for Elastic Load Balancing.

If you are using a certificate that has not been uploaded yet, ensure that it meets the criteria described in Upload the Signed Certificate. If your certificate does not meet the criteria, you might get an error when you upload it. Create a new SSL certificate and upload it.

Add an HTTPS Listener Using the Console

To enable HTTPS support for your listeners, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances.

To add an HTTPS listener to your load balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under NETWORK & SECURITY, click Load Balancers.

  3. Select your load balancer.

  4. In the bottom pane, select the Listeners tab.

  5. Click Edit.

  6. In the Edit Listeners dialog box, click Add.

  7. In the Load Balancer Protocol column, select HTTPS (Secure HTTP). This updates the Load Balancer Port, Instance Protocol, and Instance Port columns. In the Instance Protocol column, select HTTPS (Secure HTTP). This also updates the Instance Port column.

  8. By default, Elastic Load Balancing selects the current predefined security policy, ELBSecurityPolicy-2015-05, for your HTTPS/SSL listener. This is the recommended setting. This policy uses server order preference (see Predefined SSL Security Policies) to negotiate SSL connections.

    In the Cipher column, click Change, and then do one of the following:

    • (Recommended) Ensure that Predefined Security Policy is selected and set to ELBSecurityPolicy-2015-05, and then click Save.

    • Click Predefined Security Policy, select a policy, and then click Save.

    • Click Custom and enable at least one protocol and one cipher. Under SSL Protocols, select one or more protocols to enable or disable. Under SSL Options, leave Server Order Preference selected, unless you do not want to use server order preference for SSL negotiation. Under SSL Ciphers, select one or more ciphers to enable or disable. Click Save.

      Tip

      The DSA and RSA cipher suites are specific to the signing algorithm of the certificate's key. If you already have an SSL certificate, you must enable the cipher suites that match the key type that was used to create the certificate (for example, RSA cipher suites for an RSA certificate); otherwise clients cannot complete the TLS handshake with that certificate.

  9. If you already have a certificate installed on your load balancer and want to continue using it, you can skip this step.

    In the SSL Certificate column, click Change, and then do one of the following:

    • Select Choose from an existing SSL Certificate. Select your certificate from Certificate Name, and then click Save.

    • Select Upload a new SSL Certificate. Enter the name of the certificate. In Private Key, copy and paste the contents of the private key file (PEM-encoded). In Public Key Certificate, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

  10. (Optional) Click Add to add additional listeners.

  11. Click Save to add the listeners you just configured.

Add an HTTPS Listener Using the AWS CLI

To enable HTTPS support for your listeners, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances.

To add an HTTPS listener to your load balancer using the AWS CLI

  1. Get the Amazon Resource Name (ARN) of your SSL certificate. For example, arn:aws:iam::123456789012:server-certificate/my-server-certificate.

  2. Use the following create-load-balancer-listeners command to add the listener to your load balancer:

    aws elb create-load-balancer-listeners --load-balancer-name my-loadbalancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/my-server-certificate

  3. (Optional) You can use the following describe-load-balancers command to view the updated details of your load balancer:

    aws elb describe-load-balancers --load-balancer-name my-loadbalancer

    The following is an example response:

    {
        "LoadBalancerDescriptions": [
            {
                ...
                "ListenerDescriptions": [
                    {
                        "Listener": {
                            "InstancePort": 443, 
                            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", 
                            "LoadBalancerPort": 443, 
                            "Protocol": "HTTPS", 
                            "InstanceProtocol": "HTTPS"
                        }, 
                        "PolicyNames": [
                            "ELBSecurityPolicy-2015-05"
                        ]
                    }, 
                    {
                        "Listener": {
                            "InstancePort": 80, 
                            "LoadBalancerPort": 80, 
                            "Protocol": "HTTP", 
                            "InstanceProtocol": "HTTP"
                        }, 
                        "PolicyNames": []
                    }
                ], 
                ...
            }
        ]
    }
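Whether the listener was added through the console or with the AWS CLI, the describe-load-balancers response above is the place to confirm that it landed as intended: an HTTPS listener with a certificate ARN attached, the recommended predefined security policy in PolicyNames, and (for this page's configuration) HTTPS on the back-end connection as well. The following script is an added example, not part of the AWS documentation or the AWS CLI; it audits a describe-load-balancers response for those properties. The sample response embedded in it is constructed to mirror the example on this page, and the LoadBalancerName field and the findings it reports are this example's own conventions, not an AWS API.

```python
"""Audit the listeners in an ELB describe-load-balancers response (added example)."""
import json
import sys

# The predefined policy the page recommends for HTTPS/SSL listeners.
RECOMMENDED_POLICY = "ELBSecurityPolicy-2015-05"

# Constructed sample modelled on the describe-load-balancers output shown on this page.
# LoadBalancerName is assumed here so that findings can be attributed to a load balancer.
SAMPLE_RESPONSE = json.loads("""
{
  "LoadBalancerDescriptions": [
    {
      "LoadBalancerName": "my-loadbalancer",
      "ListenerDescriptions": [
        {
          "Listener": {
            "InstancePort": 443,
            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
            "LoadBalancerPort": 443,
            "Protocol": "HTTPS",
            "InstanceProtocol": "HTTPS"
          },
          "PolicyNames": ["ELBSecurityPolicy-2015-05"]
        },
        {
          "Listener": {
            "InstancePort": 80,
            "LoadBalancerPort": 80,
            "Protocol": "HTTP",
            "InstanceProtocol": "HTTP"
          },
          "PolicyNames": []
        }
      ]
    }
  ]
}
""")


def audit_listeners(response, recommended_policy=RECOMMENDED_POLICY):
    """Return a list of (load_balancer_name, finding) tuples.

    Findings raised:
      - an HTTPS/SSL listener with no SSL certificate ARN attached
      - an HTTPS/SSL listener whose PolicyNames does not include the recommended
        predefined policy (a custom policy shows up here under its generated name)
      - an HTTPS listener that forwards to the instances over plain HTTP, since this
        page configures HTTPS for the back-end connection as well
      - an HTTP listener on a load balancer that has no HTTPS/SSL listener at all
    """
    findings = []
    for lb in response.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "<unnamed>")
        descriptions = lb.get("ListenerDescriptions", [])
        has_tls = any(d["Listener"]["Protocol"] in ("HTTPS", "SSL") for d in descriptions)
        for desc in descriptions:
            listener = desc["Listener"]
            port = listener["LoadBalancerPort"]
            if listener["Protocol"] in ("HTTPS", "SSL"):
                if not listener.get("SSLCertificateId"):
                    findings.append((name, f"listener {port}: no SSL certificate attached"))
                policies = desc.get("PolicyNames", [])
                if recommended_policy not in policies:
                    findings.append((name, f"listener {port}: policies {policies} do not "
                                           f"include {recommended_policy}"))
                if listener["InstanceProtocol"] == "HTTP":
                    findings.append((name, f"listener {port}: TLS ends at the load balancer; "
                                           f"back-end connection is plain HTTP"))
            elif listener["Protocol"] == "HTTP" and not has_tls:
                findings.append((name, f"listener {port}: plain HTTP with no HTTPS listener "
                                       f"on this load balancer"))
    return findings


if __name__ == "__main__":
    # Pipe `aws elb describe-load-balancers ...` output in, or run on the sample.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_listeners(data)
    for lb_name, message in results:
        print(f"{lb_name}: {message}")
    if not results:
        print("no findings")
```

Run it as `aws elb describe-load-balancers --load-balancer-name my-loadbalancer | python audit_listeners.py`; with no input on stdin it audits the embedded sample, which produces no findings because the port 443 listener carries a certificate, the recommended policy, and an HTTPS back-end, and the port 80 listener is accompanied by that HTTPS listener.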