Create an HTTPS listener for your Application Load Balancer

A listener checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.

To create an HTTPS listener, you must deploy at least one SSL server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then decrypt requests from clients before sending them to the targets. You must also specify a security policy, which is used to negotiate secure connections between clients and the load balancer.

If you need to pass encrypted traffic to targets without the load balancer decrypting it, you can create a Network Load Balancer or Classic Load Balancer with a TCP listener on port 443. With a TCP listener, the load balancer passes encrypted traffic through to the targets without decrypting it.

The information on this page helps you create an HTTPS listener for your load balancer. To add an HTTP listener to your load balancer, see Create an HTTP listener for your Application Load Balancer.

Prerequisites

To create an HTTPS listener, you must specify a certificate and a security policy. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. The load balancer uses the security policy when negotiating SSL connections with the clients.

Application Load Balancers do not support ED25519 keys.
To add a forward action to the default listener rule, you must specify an available target group. For more information, see Create a target group for your Application Load Balancer.
You can specify the same target group in multiple listeners, but these listeners must belong to the same load balancer. To use a target group with a load balancer, you must verify that it is not used by a listener for any other load balancer.

Add an HTTPS listener

You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration.

To add an HTTPS listener using the console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, choose Load Balancers.
Select the load balancer.
On the Listeners and rules tab, choose Add listener.
For Protocol : Port, choose HTTPS and keep the default port or enter a different port.
(Optional) To enable authentication, under Authentication select Use OpenID or Amazon Cognito, and provide the requested information. For more information, see Authenticate users using an Application Load Balancer.
For Default actions, do one of the following:
- Forward to target groups – Choose one or more target groups to forward traffic to. To add target groups choose Add target group. If using more than one target group, select a weight for each target group and review the associated percentage. You must enable group-level stickiness on a rule, if you’ve enabled stickiness on one or more of the target groups.
- Redirect to URL – Specify the URL that client requests will be redirected to. This can be done by entering each part separately on the URI parts tab, or by entering the full address on the Full URL tab. For Status code you can configure redirects as either temporary (HTTP 302) or permanent (HTTP 301) based on your needs.
- Return fixed response – Specify the Response code that will be returned to dropped client requests. Additionally, you can specify the Content type and Response body, but they're not required.
For Security policy, we recommend that you always use the latest predefined security policy.
For Default SSL/TLS certificate, the following options are available:
- If you created or imported a certificate using AWS Certificate Manager, select From ACM, then select the certificate from Select a certificate.
- If you imported a certificate using IAM, select From IAM, and then select your certificate from Select a certificate.
- If you have a certificate to import but ACM is not available in your Region, select Import, then select To IAM. Type the name of the certificate in the Certificate name field. In Certificate private key, copy and paste the contents of the private key file (PEM-encoded). In Certificate body, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
(Optional) To enable mutual authentication, under Client certificate handling enable Mutual authentication (mTLS).

When enabled, the default mutual TLS mode is passthrough.

If you select Verify with Trust Store:
- By default, connections with expired client certificates are rejected. To change this behavior expand Advanced mTLS settings, then under Client certificate expiration select Allow expired client certificates.
- Under Trust Store choose an existing trust store, or choose New trust store.
  - If you chose New trust store, provide a Trust store name, the S3 URI Certificate Authority location, and optionally an S3 URI Certificate revocation list location.
- (Optional) Choose if you want to enable Advertise TrustStore CA subject names.
Choose Save.

To add an HTTPS listener using the AWS CLI

Use the create-listener command to create the listener and default rule, and the create-rule command to define additional listener rules.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security policies

Update listener rules