Create an HTTPS listener for your Application Load Balancer
A listener is a process that checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.
To create an HTTPS listener, you must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer.
If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.
Application Load Balancers do not support mutual TLS authentication (mTLS). For mTLS support, create a TCP listener using a Network Load Balancer or a Classic Load Balancer and implement mTLS on the target.
Application Load Balancers do not support ED25519 keys.
The information on this page helps you create an HTTPS listener for your load balancer. To add an HTTP listener to your load balancer, see Create an HTTP listener for your Application Load Balancer.
Contents
SSL certificates
The load balancer requires X.509 certificates (SSL/TLS server certificates). Certificates are a digital form of identification issued by a certificate authority (CA). A certificate contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.
When you create a certificate for use with your load balancer, you must specify a domain name. The domain name on the certificate must match the custom domain name record so that we can verify the TLS connection. If they do not match, the traffic is not encrypted.
You must specify a fully qualified domain name (FQDN) for your certificate, such as
www.example.com
or an apex domain name such as example.com
.
You can also use an asterisk (*) as a wild card to protect several site names in the
same domain. When you request a wild-card certificate, the asterisk (*) must be in the
leftmost position of the domain name and can protect only one subdomain level. For
instance, *.example.com
protects corp.example.com
, and
images.example.com
, but it cannot protect test.login.example.com
.
Also note that *.example.com
protects only the subdomains of
example.com
, it does not protect the bare or apex domain (example.com
).
The wild-card name appears in the Subject field and in the
Subject Alternative Name extension of the certificate. For more
information about public certificates, see Requesting a public certificate in the AWS Certificate Manager User Guide.
We recommend that you create certificates for your load balancer using AWS Certificate Manager (ACM)
Alternatively, you can use SSL/TLS tools to create a certificate signing request (CSR), then get the CSR signed by a CA to produce a certificate, then import the certificate into ACM or upload the certificate to AWS Identity and Access Management (IAM). For more information about importing certificates into ACM, see Importing certificates in the AWS Certificate Manager User Guide. For more information about uploading certificates to IAM, see Working with server certificates in the IAM User Guide.
Default certificate
When you create an HTTPS listener, you must specify exactly one certificate. This certificate is known as the default certificate. You can replace the default certificate after you create the HTTPS listener. For more information, see Replace the default certificate.
If you specify additional certificates in a certificate list, the default certificate is used only if a client connects without using the Server Name Indication (SNI) protocol to specify a hostname or if there are no matching certificates in the certificate list.
If you do not specify additional certificates but need to host multiple secure applications through a single load balancer, you can use a wildcard certificate or add a Subject Alternative Name (SAN) for each additional domain to your certificate.
Certificate list
After you create an HTTPS listener, it has a default certificate and an empty certificate list. You can optionally add certificates to the certificate list for the listener. Using a certificate list enables the load balancer to support multiple domains on the same port and provide a different certificate for each domain. For more information, see Add certificates to the certificate list.
The load balancer uses a smart certificate selection algorithm with support for SNI. If the hostname provided by a client matches a single certificate in the certificate list, the load balancer selects this certificate. If a hostname provided by a client matches multiple certificates in the certificate list, the load balancer selects the best certificate that the client can support. Certificate selection is based on the following criteria in the following order:
-
Public key algorithm (prefer ECDSA over RSA)
-
Hashing algorithm (prefer SHA over MD5)
-
Key length (prefer the largest)
-
Validity period
The load balancer access log entries indicate the hostname specified by the client and the certificate presented to the client. For more information, see Access log entries.
Certificate renewal
Each certificate comes with a validity period. You must ensure that you renew or replace each certificate for your load balancer before its validity period ends. This includes the default certificate and certificates in a certificate list. Renewing or replacing a certificate does not affect in-flight requests that were received by the load balancer node and are pending routing to a healthy target. After a certificate is renewed, new requests use the renewed certificate. After a certificate is replaced, new requests use the new certificate.
You can manage certificate renewal and replacement as follows:
-
Certificates provided by AWS Certificate Manager and deployed on your load balancer can be renewed automatically. ACM attempts to renew certificates before they expire. For more information, see Managed renewal in the AWS Certificate Manager User Guide.
-
If you imported a certificate into ACM, you must monitor the expiration date of the certificate and renew it before it expires. For more information, see Importing certificates in the AWS Certificate Manager User Guide.
-
If you imported a certificate into IAM, you must create a new certificate, import the new certificate to ACM or IAM, add the new certificate to your load balancer, and remove the expired certificate from your load balancer.
Security policies
Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
Application Load Balancers support SSL renegotiation for target connections only.
When you create an HTTPS listener, you must select a security policy. You can update the security policy as needed. For more information, see Update the security policy.
You can choose the security policy that is used for front-end connections. For
backend connections, if your HTTPS listener is using a TLS 1.3 security policy, the
ELBSecurityPolicy-TLS13-1-0-2021-06
security policy is used.
Otherwise, the ELBSecurityPolicy-2016-08
security policy is used for
backend connections. Application Load Balancers do not support custom security policies.
Note
TLS 1.3 policies for Application Load Balancers are only supported in the new EC2 experience. When using the old EC2 experience, TLS 1.3 policies are not available for selection.
Elastic Load Balancing provides the following security policies for Application Load Balancers:
-
ELBSecurityPolicy-TLS13-1-2-2021-06
* -
ELBSecurityPolicy-TLS13-1-2-Res-2021-06
-
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
-
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
-
ELBSecurityPolicy-TLS13-1-1-2021-06
-
ELBSecurityPolicy-TLS13-1-0-2021-06
-
ELBSecurityPolicy-TLS13-1-3-2021-06
-
ELBSecurityPolicy-FS-1-2-Res-2020-10
-
ELBSecurityPolicy-FS-1-2-Res-2019-08
-
ELBSecurityPolicy-FS-1-2-2019-08
-
ELBSecurityPolicy-FS-1-1-2019-08
-
ELBSecurityPolicy-FS-2018-06
-
ELBSecurityPolicy-TLS-1-2-Ext-2018-06
-
ELBSecurityPolicy-TLS-1-2-2017-01
-
ELBSecurityPolicy-TLS-1-1-2017-01
-
ELBSecurityPolicy-2016-08
** -
ELBSecurityPolicy-TLS-1-0-2015-04
-
ELBSecurityPolicy-2015-05
(identical toELBSecurityPolicy-2016-08
)
*For HTTPS listeners, we recommend the ELBSecurityPolicy-TLS13-1-2-2021-06
security policy. This is the default policy for HTTPS listeners created using the AWS Management Console.
This security policy includes TLS 1.3, which is optimized for
security and performance, and backward compatible with TLS 1.2.
**The ELBSecurityPolicy-2016-08
policy is the default security policy
for listeners created using the AWS CLI.
If you require Forward Secrecy (FS) use one of the following polices:
-
Any
ELBSecurityPolicy-FS
policy -
ELBSecurityPolicy-TLS13-1-2-2021-06
-
ELBSecurityPolicy-TLS13-1-3-2021-06
-
ELBSecurityPolicy-TLS13-1-2-Res-2021-06
You can use one of the ELBSecurityPolicy-TLS
policies to meet compliance and security standards that require disabling certain
TLS protocol versions, or to support legacy clients that require deprecated ciphers.
Only a small percentage of internet clients require TLS version 1.0. To view the TLS
protocol version for requests to your load balancer, enable access logging for your
load balancer and examine the access logs. For more information, see Access Logs.
TLS 1.3 security policies
The following table describes the recommended policy
(ELBSecurityPolicy-TLS13-1-2-2021-06
) and the other TLS 1.3 policies.
The ELBSecurityPolicy-
prefix has been removed from policy names in
the heading row so that they fit.
Security policies |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
---|---|---|---|---|---|---|---|
TLS Protocols | |||||||
Protocol-TLSv1 |
✓ | ||||||
Protocol-TLSv1.1 |
✓ | ✓ | |||||
Protocol-TLSv1.2 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Protocol-TLSv1.3 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
TLS Ciphers | |||||||
TLS-AES-128-GCM-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
TLS-AES-256-GCM-SHA384 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
TLS-CHACHA20-POLY1305-SHA256 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-ECDSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ||
ECDHE-RSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ||
ECDHE-ECDSA-AES128-SHA |
✓ | ✓ | ✓ | ||||
ECDHE-RSA-AES128-SHA |
✓ | ✓ | ✓ | ||||
ECDHE-ECDSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-ECDSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ||
ECDHE-RSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ||
ECDHE-RSA-AES256-SHA |
✓ | ✓ | ✓ | ||||
ECDHE-ECDSA-AES256-SHA |
✓ | ✓ | ✓ | ||||
AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | |||
AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | |||
AES128-SHA |
✓ | ✓ | ✓ | ||||
AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | |||
AES256-SHA256 |
✓ | ✓ | ✓ | ✓ | |||
AES256-SHA |
✓ | ✓ | ✓ |
To view the configuration of a security policy for your load balancer using
the AWS CLI, use the describe-ssl-policies command. The default policy in the AWS CLI is
ELBSecurityPolicy-2016-08
. To upgrade to a TLS 1.3 security
policy using the AWS CLI, use the ssl-policy
parameter with the
create-listener
and modify-listener
commands.
FS supported policies
The following table describes the default policy,
ELBSecurityPolicy-2016-08
(default in the AWS CLI) and the
ELBSecurityPolicy-FS
policies. The
ELBSecurityPolicy-
has been removed from policy names in the
heading row so that they fit.
Security policies |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
---|---|---|---|---|---|---|
TLS Protocols | ||||||
Protocol-TLSv1 |
✓ | ✓ | ||||
Protocol-TLSv1.1 |
✓ | ✓ | ✓ | |||
Protocol-TLSv1.2 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
TLS Ciphers | ||||||
ECDHE-ECDSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-ECDSA-AES128-SHA |
✓ | ✓ | ✓ | ✓ | ||
ECDHE-RSA-AES128-SHA |
✓ | ✓ | ✓ | ✓ | ||
ECDHE-ECDSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES256-SHA |
✓ | ✓ | ✓ | ✓ | ||
ECDHE-ECDSA-AES256-SHA |
✓ | ✓ | ✓ | ✓ | ||
AES128-GCM-SHA256 |
✓ | |||||
AES128-SHA256 |
✓ | |||||
AES128-SHA |
✓ | |||||
AES256-GCM-SHA384 |
✓ | |||||
AES256-SHA256 |
✓ | |||||
AES256-SHA |
✓ |
TLS security policies
The following table describes the default policy,
ELBSecurityPolicy-2016-08
(default in the AWS CLI) and the
ELBSecurityPolicy-TLS
policies. The
ELBSecurityPolicy-
has been removed from policy names in the
heading row so that they fit.
Security policies |
![]() |
![]() |
![]() |
![]() |
![]() |
---|---|---|---|---|---|
TLS Protocols | |||||
Protocol-TLSv1 |
✓ | ✓ | |||
Protocol-TLSv1.1 |
✓ | ✓ | ✓ | ||
Protocol-TLSv1.2 |
✓ | ✓ | ✓ | ✓ | ✓ |
TLS Ciphers | |||||
ECDHE-ECDSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA |
✓ | ✓ | ✓ | ✓ | |
ECDHE-RSA-AES128-SHA |
✓ | ✓ | ✓ | ✓ | |
ECDHE-ECDSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-SHA |
✓ | ✓ | ✓ | ✓ | |
ECDHE-ECDSA-AES256-SHA |
✓ | ✓ | ✓ | ✓ | |
AES128-GCM-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
AES128-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
AES128-SHA |
✓ | ✓ | ✓ | ✓ | |
AES256-GCM-SHA384 |
✓ | ✓ | ✓ | ✓ | ✓ |
AES256-SHA256 |
✓ | ✓ | ✓ | ✓ | ✓ |
AES256-SHA |
✓ | ✓ | ✓ | ✓ | |
DES-CBC3-SHA |
✓ |
* Do not use this policy unless you must support a legacy client that requires the DES-CBC3-SHA cipher, which is a weak cipher.
To view the configuration of a security policy for Application Load Balancers using the AWS CLI, use the describe-ssl-policies command.
Add an HTTPS listener
You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration.
Prerequisites
-
To create an HTTPS listener, you must specify a certificate and a security policy. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. The load balancer uses the security policy when negotiating SSL connections with the clients.
-
To add a forward action to the default listener rule, you must specify an available target group. For more information, see Create a target group.
-
You can specify the same target group in multiple listeners, but these listeners must belong to the same load balancer. To use a target group with a load balancer, you must verify that it is not used by a listener for any other load balancer.
To add an HTTPS listener using the console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
On the navigation pane, choose Load Balancers.
-
Select the load balancer.
-
On the Listeners tab, choose Add listener.
-
For Protocol : Port, choose HTTPS and keep the default port or enter a different port.
-
(Optional) To authenticate users, for Default actions, choose Add action, Authenticate and provide the requested information. For more information, see Authenticate users using an Application Load Balancer.
-
For Default actions, do one of the following:
-
Choose Forward and choose a target group.
-
Choose Redirect and provide the URL and status code. For more information, see Redirect actions.
-
Choose Return fixed response and provide a response code, optional identity provider, and optional response body. For more information, see Fixed-response actions.
-
-
For Security policy, we recommend that you keep the console recommended security policy.
-
For Default SSL/TLS certificate, do one of the following:
-
If you created or imported a certificate using AWS Certificate Manager, choose From ACM and choose the certificate.
-
If you uploaded a certificate using IAM, choose From IAM and choose the certificate.
-
-
Choose Add.
-
(Optional) To define additional listener rules that forward requests based on a path pattern or a hostname, see Add a rule.
-
(Optional) To add a certificate list for use with the SNI protocol, see Add certificates to the certificate list.
To add an HTTPS listener using the AWS CLI
Use the create-listener command to create the listener and default rule, and the create-rule command to define additional listener rules.
Update an HTTPS listener
After you create an HTTPS listener, you can replace the default certificate, update the certificate list, or replace the security policy. For more information, see Update an HTTPS listener for your Application Load Balancer.