Configure an HTTPS listener for your Classic Load Balancer
A listener is a process that checks for connection requests. It
is configured with a protocol and a port for front-end (client to load balancer)
connections and a protocol and a port for back-end (load balancer to instance)
connections. For information about the ports, protocols, and listener configurations
supported by Elastic Load Balancing, see Listeners for your Classic Load Balancer.
If you have a load balancer with a listener that accepts HTTP requests on port 80, you
can add a listener that accepts HTTPS requests on port 443. If you specify that the
HTTPS listener sends requests to the instances on port 80, the load balancer terminates
the SSL requests and communication from the load balancer to the instances is not
encrypted. If the HTTPS listener sends requests to the instances on port 443,
communication from the load balancer to the instances is encrypted.
If your load balancer uses an encrypted connection to communicate with instances, you
can optionally enable authentication of the instances. This ensures that the load
balancer communicates with an instance only if its public key matches the key that you
specified to the load balancer for this purpose.
For information about creating a new HTTPS listener, see Create a Classic Load Balancer with an HTTPS
listener.
Prerequisites
To enable HTTPS support for an HTTPS listener, you must deploy an SSL server
certificate on your load balancer. The load balancer uses the certificate to
terminate and then decrypt requests before sending them to the instances. If you do
not have an SSL certificate, you can create one. For more information, see SSL/TLS certificates for Classic Load Balancers.
Add an HTTPS listener using the console
You can add an HTTPS listener to an existing load balancer.
New EC2 experience

To add an HTTPS listener to your load balancer

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under Load Balancing, choose Load Balancers.
3. Choose the name of the load balancer to open its detail page.
4. On the Listeners tab, choose Manage listeners.
5. On the Manage listeners page, in the Listeners section, choose Add listener.
6. For Listener protocol, select HTTPS. By default, the Instance protocol is HTTP. If you want to set up back-end instance authentication, change Instance protocol to HTTPS.
7. For Security policy, the recommended default ELBSecurityPolicy-2016-08 is selected. We recommend that you always use the latest predefined security policy. If you need to use a different predefined security policy or create a custom policy, see Update the SSL Negotiation Configuration.
8. For Default SSL cert, choose Edit, and then do one of the following:
   - If you created or imported a certificate using AWS Certificate Manager, choose From ACM, select the certificate from the list, and then choose Save changes. This option is available only in Regions that support AWS Certificate Manager.
   - If you imported a certificate using IAM, choose From IAM, select the certificate from the list, and then choose Save changes.
   - If you have an SSL certificate to import to ACM, select Import and To ACM. In Certificate private key, copy and paste the contents of the PEM-encoded private key file. In Certificate body, copy and paste the contents of the PEM-encoded public key certificate file. In Certificate chain - optional, copy and paste the contents of the PEM-encoded certificate chain file, unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
   - If you have an SSL certificate to import but ACM is not supported in this Region, select Import and To IAM. In Certificate name, type the name of the certificate. In Certificate private key, copy and paste the contents of the PEM-encoded private key file. In Certificate body, copy and paste the contents of the PEM-encoded public key certificate file. In Certificate chain - optional, copy and paste the contents of the PEM-encoded certificate chain file, unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
9. Choose Save changes.
10. For Cookie stickiness, the default is Disabled. To change this, choose Edit. If you choose Generated by load balancer, an Expiration period must be specified. If you choose Generated by application, a Cookie name must be specified. After making your selection, choose Save changes.
11. (Optional) Choose Add listener to add additional listeners.
12. Choose Save changes to add the listeners you just configured.
13. (Optional) To set up back-end instance authentication for an existing load balancer, you must use the AWS CLI or an API, as this task is not supported using the console. For more information, see Configure Back-end Instance Authentication.
Old EC2 experience

To add an HTTPS listener to your load balancer

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under Load Balancing, choose Load Balancers.
3. Select your load balancer.
4. On the Listeners tab, choose Edit.
5. On the Edit listeners page, choose Add.
6. For Load Balancer Protocol, select HTTPS (Secure HTTP). This updates Load Balancer Port, Instance Protocol, and Instance Port. By default, the instance protocol is HTTP. If you want to set up back-end instance authentication, change the instance protocol to HTTPS (Secure HTTP). This also updates the instance port.
7. For Cipher, choose Change. Verify that Predefined Security Policy is selected and set to ELBSecurityPolicy-2016-08. We recommend that you always use the latest predefined security policy. If you need to use a different predefined security policy or create a custom policy, see Update the SSL Negotiation Configuration.
8. If you already have a certificate deployed on your load balancer and want to continue using it, you can skip this step. For SSL Certificate, choose Change, and then do one of the following:
   - If you created or imported a certificate using AWS Certificate Manager, select Choose an existing certificate from AWS Certificate Manager (ACM), select the certificate from Certificate, and then choose Save. This option is available only in Regions that support AWS Certificate Manager.
   - If you imported a certificate using IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM), select the certificate from Certificate, and then choose Save.
   - If you have an SSL certificate to import but ACM is not supported in this Region, select Upload a new SSL Certificate to AWS Identity and Access Management (IAM). Type the name of the certificate. In Private Key, copy and paste the contents of the private key file (PEM-encoded). In Public Key Certificate, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
9. (Optional) Choose Add to add additional listeners.
10. Choose Save to add the listeners you just configured.
11. (Optional) To set up back-end instance authentication for an existing load balancer, you must use the AWS CLI or an API, as this task is not supported using the console. For more information, see Configure Back-end Instance Authentication.
Add an HTTPS listener using the AWS CLI
You can add an HTTPS listener to an existing load balancer.
To add an HTTPS listener to your load balancer using the AWS CLI

1. Get the Amazon Resource Name (ARN) of the SSL certificate. For example:
   ACM: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
   IAM: arn:aws:iam::123456789012:server-certificate/my-server-certificate
2. Use the following create-load-balancer-listeners command to add a listener to your load balancer that accepts HTTPS requests on port 443 and sends the requests to the instances on port 80 using HTTP:
   aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN
   If you want to set up back-end instance authentication, use the following command to add a listener that accepts HTTPS requests on port 443 and sends the requests to the instances on port 443 using HTTPS:
   aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=ARN
3. (Optional) You can use the following describe-load-balancers command to view the updated details of your load balancer:
   aws elb describe-load-balancers --load-balancer-name my-load-balancer
   The following is an example response:
   {
     "LoadBalancerDescriptions": [
       {
         ...
         "ListenerDescriptions": [
           {
             "Listener": {
               "InstancePort": 80,
               "SSLCertificateId": "ARN",
               "LoadBalancerPort": 443,
               "Protocol": "HTTPS",
               "InstanceProtocol": "HTTP"
             },
             "PolicyNames": [
               "ELBSecurityPolicy-2016-08"
             ]
           },
           {
             "Listener": {
               "InstancePort": 80,
               "LoadBalancerPort": 80,
               "Protocol": "HTTP",
               "InstanceProtocol": "HTTP"
             },
             "PolicyNames": []
           }
         ],
         ...
       }
     ]
   }
4. (Optional) Your HTTPS listener was created using the default security policy. If you want to specify a different predefined security policy or a custom security policy, use the create-load-balancer-policy and set-load-balancer-policies-of-listener commands. For more information, see Update the SSL negotiation configuration using the AWS CLI.
5. (Optional) To set up back-end instance authentication, use the set-load-balancer-policies-for-backend-server command. For more information, see Configure Back-end Instance Authentication.
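The describe-load-balancers response above is what you would audit to confirm that a listener actually ends up with the protection this page describes: an HTTPS front end, an encrypted back end, a back-end authentication policy on that instance port, and the recommended security policy. The following is an added example (not AWS code) that checks those four points over a constructed response; the load balancer name, the policy name in the test and the literal "ARN" are placeholders, and BackendServerDescriptions is the field the API uses to report per-port back-end policies.

```python
import json

# Constructed sample modelled on the describe-load-balancers response shape on
# this page; "ARN" and the names are placeholders, not real resources.
SAMPLE_RESPONSE = json.dumps({
    "LoadBalancerDescriptions": [{
        "LoadBalancerName": "my-load-balancer",
        "ListenerDescriptions": [
            {"Listener": {"InstancePort": 80, "SSLCertificateId": "ARN",
                          "LoadBalancerPort": 443, "Protocol": "HTTPS",
                          "InstanceProtocol": "HTTP"},
             "PolicyNames": ["ELBSecurityPolicy-2016-08"]},
            {"Listener": {"InstancePort": 443, "SSLCertificateId": "ARN",
                          "LoadBalancerPort": 8443, "Protocol": "HTTPS",
                          "InstanceProtocol": "HTTPS"},
             "PolicyNames": ["ELBSecurityPolicy-2016-08"]},
            {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
                          "Protocol": "HTTP", "InstanceProtocol": "HTTP"},
             "PolicyNames": []},
        ],
        # Back-end authentication policies are attached per instance port.
        "BackendServerDescriptions": [],
    }]
})

RECOMMENDED_POLICY = "ELBSecurityPolicy-2016-08"


def audit_listeners(response_json, recommended=RECOMMENDED_POLICY):
    """Return (load balancer name, front-end port, finding) tuples."""
    findings = []
    for lb in json.loads(response_json)["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        # Instance ports that have a back-end server authentication policy.
        auth_ports = {b["InstancePort"] for b in lb.get("BackendServerDescriptions", [])
                      if b.get("PolicyNames")}
        for desc in lb["ListenerDescriptions"]:
            lst, port = desc["Listener"], desc["Listener"]["LoadBalancerPort"]
            if lst["Protocol"] not in ("HTTPS", "SSL"):
                findings.append((name, port, "front-end listener is not TLS"))
                continue
            if lst["InstanceProtocol"] not in ("HTTPS", "SSL"):
                findings.append((name, port, "TLS terminated; back-end traffic unencrypted"))
            elif lst["InstancePort"] not in auth_ports:
                findings.append((name, port, "encrypted back-end without instance authentication"))
            if recommended not in desc["PolicyNames"]:
                findings.append((name, port, "security policy is not the recommended one"))
    return findings
```

Pipe the real command output in with `json.load(sys.stdin)` in place of the constructed sample; the sample yields three findings, one per listener.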