Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Add a Listener to Your Load Balancer

Elastic Load Balancing supports the load balancing of applications using HTTP, HTTPS (Secure HTTP), TCP, and SSL (Secure TCP) protocols. You can specify the protocols for the front-end connections (client to load balancer) and the back-end connections (load balancer to back-end instance) independently. You choose configurations for the front-end and the back-end connections when you create your load balancer. By default, your load balancer is set to use HTTP for both connections. The Elastic Load Balancing Listener Configurations Quick Reference table provides information on different configurations, along with the use case best suited for each configuration.

This section describes how to add a new listener on your existing load balancer using the AWS Management Console, the AWS command line interface (AWS CLI), or the Query API. In this example, you configure a new listener for your existing load balancer my-test-loadbalancer that accepts HTTPS requests on port 443 for both the front-end and back-end connections.

Using the AWS Management Console

To add a new listener to your load balancer

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the Amazon EC2 console Resources page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.

  3. On the Load Balancers page, select your load balancer.

  4. The bottom pane displays the details of your load balancer.

  5. Click the Listeners tab.

  6. In the Listeners pane, click Edit.

  7. In the Edit Listeners page, click Add.

  8. In the Load Balancer Protocol column, click the dialog box and select HTTPS (Secure HTTP) from the drop-down box. This populates the box in the Load Balancer Port column. In the Instance Protocol column, click the dialog box and select HTTPS from the drop-down box. The box in the Instance Port column gets populated.

  9. The Elastic Load Balancing service provides you with security policies that have predefined SSL negotiation configurations used for negotiating SSL connections between the client and the load balancer. You can select one of the predefined security policies, or Custom to create your own security policy.

    For more information about the Security Policies, see SSL Negotiation Configurations for Elastic Load Balancing. For information about the current configuration for all Security Policies, see SSL Security Policy Table.

    By default, Elastic Load Balancing pre-selects ELBSecurityPolicy-2014-01 for your HTTPS/SSL listener. This is the recommended setting. This policy uses server order preference (the order listed in the SSL Security Policy Table) to negotiate SSL connections.

    1. To specify a Security Policy, in the Cipher column, click Change.

    2. On the Select a Cipher page, select a Security Policy from the following options:

      To keep the recommended setting,

      • On the Select Cipher page, make sure that Predefined Security Policy is selected and the drop-down pane is showing ELBSecurityPolicy-2014-01. Click Save and then go to step 8.

      To select a policy from the predefined security policy list,

      1. On the Select a Cipher page, select Predefined Security Policy.

      2. In the security policy drop-down pane, select a policy.

      3. Click Save and then go to step 8.

      To create your own security policy,

      1. Select Custom.

      2. Under SSL Protocols, select one or more protocols to enable or disable.

      3. Under SSL Options, select Server Order Preference if you want to use the order listed in the SSL Security Policy Table for SSL negotiation.

      4. Under SSL Ciphers, select one or more ciphers to enable or disable.

        Note

        You must enable at least one protocol and one cipher for SSL negotiation to take place.

        The DSA and RSA ciphers are specific to the signing algorithm and are used to create the SSL certificate. If you already have your SSL certificate, make sure to enable the cipher that was used to create your certificate.

      5. Click Save.

  10. To enable HTTPS support for your listeners, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances.

    If you already have a certificate installed on your load balancer and want to continue using it, skip the following steps for installing a new one and go to step 13.

    If you do not have an SSL certificate, see SSL Certificate for Elastic Load Balancing for instructions on creating and uploading SSL certificates and then complete the following steps to install the certificate on your load balancer.

    To install an SSL server certificate, in the SSL Certificate column, click Change.

  11. To use a previously uploaded certificate

    1. On the Select Certificate page, in the Certificate Type: field, select Choose from an existing SSL Certificate.

    2. Click the Certificate Name: dialog box and select your certificate.

    3. Click Save and then go to step 13.

  12. To upload a signed certificate

    On the Select Certificate page, in the Certificate Type: field, select Upload a new SSL Certificate.

    Before you upload, check whether your certificate meets the criteria described in Upload the Signed Certificate.

    Note

    If your certificate does not meet the criteria, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using IAM. For instructions on creating and uploading the SSL certificate, see SSL Certificate for Elastic Load Balancing.

    If your certificate meets the criteria, step through the following instructions to continue uploading your SSL certificate.

    1. Enter the name of the certificate to upload.

    2. Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.

      Note

      The private key cannot be retrieved after you are finished uploading it.

    3. Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.

    4. Copy and paste the contents of the certificate chain file (PEM-encoded) in the Certificate Chain box.

      Note

      You can skip this step if you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

    Upload SSL Certificate

  13. In the Edit Listeners page, click Save to add the listener you just configured.

    Click Add to add additional listeners.

Using the AWS Command Line Interface

To enable HTTPS support for your listeners, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. If you do not have an SSL certificate, see SSL Certificate for Elastic Load Balancing for instructions on creating and uploading SSL certificates.

To add a new listener to your load balancer

  1. Get the Amazon Resource Name (ARN) of your SSL certificate.

  2. Enter the create-load-balancer-listeners command as in the following example.

    aws elb create-load-balancer-listeners --load-balancer-name my-test-loadbalancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=arn:aws:iam::55555555555:server-certificate/production/myservercert

  3. Enter the describe-load-balancers command as in the following example to view the updated details of your load balancer my-test-loadbalancer.

    aws elb describe-load-balancers --load-balancer-name my-test-loadbalancer

    Elastic Load Balancing responds with a list of updated configurations of your load balancer.

    {
        "LoadBalancerDescriptions": [
            {
                "Subnets": [], 
                "CanonicalHostedZoneNameID": "Z3DZXE0Q79N41H", 
                "CanonicalHostedZoneName": "my-test-loadbalancer-012345678.us-east-1.elb.amazonaws.com", 
                "ListenerDescriptions": [
                    {
                        "Listener": {
                            "InstancePort": 443, 
                            "SSLCertificateId": "arn:aws:iam::55555555555:server-certificate/production/myservercert", 
                            "LoadBalancerPort": 443, 
                            "Protocol": "HTTPS", 
                            "InstanceProtocol": "HTTPS"
                        }, 
                        "PolicyNames": [
                            "ELBSecurityPolicy-2014-01"
                        ]
                    }, 
                    {
                        "Listener": {
                            "InstancePort": 80, 
                            "LoadBalancerPort": 80, 
                            "Protocol": "HTTP", 
                            "InstanceProtocol": "HTTP"
                        }, 
                        "PolicyNames": []
                    }
                ], 
                "HealthCheck": {
                    "HealthyThreshold": 10, 
                    "Interval": 30, 
                    "Target": "HTTP:80/", 
                    "Timeout": 5, 
                    "UnhealthyThreshold": 2
                }, 
                "BackendServerDescriptions": [],
                "Instances": [], 
                "DNSName": "my-test-loadbalancer-012345678.us-east-1.elb.amazonaws.com", 
                "SecurityGroups": [], 
                "Policies": {
                    "LBCookieStickinessPolicies": [], 
                    "AppCookieStickinessPolicies": [], 
                    "OtherPolicies": [
                        "ELBSecurityPolicy-2014-01"
                    ]
                }, 
                "LoadBalancerName": "my-test-loadbalancer", 
                "CreatedTime": "2014-03-19T03:24:02.650Z", 
                "AvailabilityZones": [
                    "us-east-1a"
                ], 
                "Scheme": "internet-facing", 
                "SourceSecurityGroup": {
                    "OwnerAlias": "amazon-elb", 
                    "GroupName": "amazon-elb-sg"
                }
            }
        ]
    }
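The describe-load-balancers output above can be checked mechanically for listeners that leave either leg of the connection unencrypted. The following Python sketch is an added example, not part of the original guide or of any AWS tool; the finding labels and the third listener in the sample (port 8443) are constructed for illustration.

```python
import json

# Constructed sample: the two listeners from the describe-load-balancers
# output above, plus a hypothetical third (port 8443) that terminates SSL at
# the load balancer and forwards plaintext HTTP to the instances.
SAMPLE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "my-test-loadbalancer",
  "ListenerDescriptions": [
    {"Listener": {"InstancePort": 443, "LoadBalancerPort": 443,
        "SSLCertificateId": "arn:aws:iam::55555555555:server-certificate/production/myservercert",
        "Protocol": "HTTPS", "InstanceProtocol": "HTTPS"},
     "PolicyNames": ["ELBSecurityPolicy-2014-01"]},
    {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
        "Protocol": "HTTP", "InstanceProtocol": "HTTP"},
     "PolicyNames": []},
    {"Listener": {"InstancePort": 80, "LoadBalancerPort": 8443,
        "Protocol": "HTTPS", "InstanceProtocol": "HTTP"},
     "PolicyNames": []}
  ]}]}
""")

ENCRYPTED = {"HTTPS", "SSL"}  # the two encrypted protocols the guide lists


def audit_listeners(description):
    """Return sorted (load balancer, front-end port, finding) tuples."""
    findings = []
    for lb in description.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "?")
        for entry in lb.get("ListenerDescriptions", []):
            lsn = entry.get("Listener", {})
            port = lsn.get("LoadBalancerPort")
            if str(lsn.get("Protocol", "")).upper() not in ENCRYPTED:
                findings.append((name, port, "plaintext-front-end"))
            else:
                # An HTTPS/SSL listener needs a certificate. Only an empty
                # PolicyNames list is flagged; a non-empty list still needs
                # a manual look, since other policy types appear there too.
                if not lsn.get("SSLCertificateId"):
                    findings.append((name, port, "no-certificate"))
                if not entry.get("PolicyNames"):
                    findings.append((name, port, "no-security-policy"))
            if str(lsn.get("InstanceProtocol", "")).upper() not in ENCRYPTED:
                findings.append((name, port, "plaintext-back-end"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(*finding)
```

To check a real load balancer, save the describe-load-balancers output to a file and pass the parsed JSON to audit_listeners in place of SAMPLE.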

Using the Query API

To enable HTTPS support for your listeners, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. Elastic Load Balancing uses AWS Identity and Access Management (IAM) to upload your certificate to your load balancer. If you do not have an SSL certificate, see SSL Certificate for Elastic Load Balancing for instructions on creating and uploading SSL certificates.

To add a new listener to your load balancer

  1. Get the Amazon Resource Name (ARN) of your SSL certificate.

  2. Call the CreateLoadBalancerListeners action with the following parameters:

    • Listener

      • Protocol = HTTPS

      • InstanceProtocol = HTTPS

      • InstancePort = 443

      • LoadBalancerPort = 443

      • SSLCertificateId = arn:aws:iam::55555555555:server-certificate/production/myservercert

    • LoadBalancerName = my-test-loadbalancer

  3. Call the DescribeLoadBalancers action with the following parameter to view the updated configuration information of your load balancer.

    • LoadBalancerName = my-test-loadbalancer

    The operation returns a list of updated configurations of your load balancer.
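On the wire, the nested parameters in step 2 are flattened into `Listeners.member.N.Field` request parameters. The following Python sketch is an added example, not code from the original guide; it builds the sorted, percent-encoded query string for the CreateLoadBalancerListeners call and assumes request signing is handled separately.

```python
from urllib.parse import quote

API_VERSION = "2012-06-01"  # API version named in the guide's title


def flatten(prefix, value, out):
    """Flatten nested dicts and lists into Query API parameter names."""
    if isinstance(value, dict):
        for key, item in value.items():
            flatten(f"{prefix}.{key}" if prefix else key, item, out)
    elif isinstance(value, (list, tuple)):
        # List members are numbered from 1: Listeners.member.1, .member.2, ...
        for index, item in enumerate(value, start=1):
            flatten(f"{prefix}.member.{index}", item, out)
    else:
        out[prefix] = str(value)
    return out


def canonical_query(action, params):
    """Return the query string sorted by name and RFC 3986 percent-encoded."""
    flat = flatten("", params, {"Action": action, "Version": API_VERSION})

    def enc(text):
        # Everything except unreserved characters is encoded, so the ':' and
        # '/' in the certificate ARN become %3A and %2F.
        return quote(text, safe="-_.~")

    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(flat.items()))


# Parameter values from step 2 of the procedure above.
REQUEST = {
    "LoadBalancerName": "my-test-loadbalancer",
    "Listeners": [{
        "Protocol": "HTTPS",
        "InstanceProtocol": "HTTPS",
        "InstancePort": 443,
        "LoadBalancerPort": 443,
        "SSLCertificateId":
            "arn:aws:iam::55555555555:server-certificate/production/myservercert",
    }],
}

if __name__ == "__main__":
    print(canonical_query("CreateLoadBalancerListeners", REQUEST))
```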