Create a listener for your Network Load Balancer
A listener is a process that checks for connection requests. You define a listener
when you create your load balancer, and you can add listeners to your load balancer at
any time.
Prerequisites
Add a listener
You configure a listener with a protocol and a port for connections from clients
to the load balancer, and a target group for the default listener rule. For more
information, see Listener configuration.
- Console
To add a listener
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Load Balancers.
- Select the name of the load balancer to open its details page.
- On the Listeners tab, choose Add listener.
- For Protocol, choose TCP, UDP, TCP_UDP, or TLS. Keep the default port or type a different port.
- For Default action, choose an available target group. If you don't have a target group that meets your needs, choose Create target group to create one now. For more information, see Create a target group.
- [TLS listeners] For Security policy, we recommend that you keep the default security policy.
- [TLS listeners] For Default SSL/TLS server certificate, choose the default certificate. You can select the certificate from one of the following sources:
  - If you created or imported a certificate using AWS Certificate Manager, choose From ACM, then choose the certificate from Certificate (from ACM).
  - If you imported a certificate using IAM, choose From IAM, and then choose the certificate from Certificate (from IAM).
  - If you have a certificate, choose Import certificate. Choose either Import to ACM or Import to IAM. For Certificate private key, copy and paste the contents of the private key file (PEM-encoded). For Certificate body, copy and paste the contents of the public key certificate file (PEM-encoded). For Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.
- [TLS listeners] For ALPN policy, choose a policy to enable ALPN or choose None to disable ALPN. For more information, see ALPN policies.
- Choose Add.
- [TLS listeners] To add certificates to the optional certificate list, see Add certificates to the certificate list.
- AWS CLI
To create a target group
If you don't have a target group that you can use for the default action,
use the create-target-group command to create one now. For
examples, see Create a target group.
To add a TCP listener
Use the create-listener command, specifying the TCP protocol.
    aws elbv2 create-listener \
        --load-balancer-arn load-balancer-arn \
        --protocol TCP \
        --port 80 \
        --default-actions Type=forward,TargetGroupArn=target-group-arn
To add a TLS listener
Use the create-listener command specifying the TLS protocol.
    aws elbv2 create-listener \
        --load-balancer-arn load-balancer-arn \
        --protocol TLS \
        --port 443 \
        --certificates CertificateArn=certificate-arn \
        --ssl-policy ELBSecurityPolicy-TLS13-1-2-Res-2021-06 \
        --default-actions Type=forward,TargetGroupArn=target-group-arn
To add a UDP listener
Use the create-listener command specifying the UDP protocol.
    aws elbv2 create-listener \
        --load-balancer-arn load-balancer-arn \
        --protocol UDP \
        --port 53 \
        --default-actions Type=forward,TargetGroupArn=target-group-arn
- CloudFormation
To add a TCP listener
Define a resource of type AWS::ElasticLoadBalancingV2::Listener using the
TCP protocol.
    Resources:
      myTCPListener:
        Type: 'AWS::ElasticLoadBalancingV2::Listener'
        Properties:
          LoadBalancerArn: !Ref myLoadBalancer
          Protocol: TCP
          Port: 80
          DefaultActions:
            - Type: forward
              TargetGroupArn: !Ref myTargetGroup
To add a TLS listener
Define a resource of type AWS::ElasticLoadBalancingV2::Listener using the
TLS protocol.
    Resources:
      myTLSListener:
        Type: 'AWS::ElasticLoadBalancingV2::Listener'
        Properties:
          LoadBalancerArn: !Ref myLoadBalancer
          Protocol: TLS
          Port: 443
          SslPolicy: "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
          Certificates:
            - CertificateArn: "certificate-arn"
          DefaultActions:
            - Type: forward
              TargetGroupArn: !Ref myTargetGroup
To add a UDP listener
Define a resource of type AWS::ElasticLoadBalancingV2::Listener using the
UDP protocol.
    Resources:
      myUDPListener:
        Type: 'AWS::ElasticLoadBalancingV2::Listener'
        Properties:
          LoadBalancerArn: !Ref myLoadBalancer
          Protocol: UDP
          Port: 53
          DefaultActions:
            - Type: forward
              TargetGroupArn: !Ref myTargetGroup
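The following check is an added example, not part of the AWS documentation. It reviews listeners after they are created by reading JSON shaped like the output of aws elbv2 describe-listeners, flagging TLS listeners whose security policy is outside an approved set or that have no certificate, and listing listeners that do not terminate TLS at the load balancer. The approved set, the sample input, its placeholder ARNs and the policy name EXAMPLE-UNAPPROVED-POLICY are assumptions made for the example.

```python
import json

# Assumption: the only approved policy is the one used in this page's examples.
APPROVED_TLS_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-Res-2021-06"}

# Constructed sample shaped like `aws elbv2 describe-listeners` output;
# ARNs are shortened placeholders and the second SslPolicy name is made up.
SAMPLE = json.loads("""
{"Listeners": [
  {"ListenerArn": "listener-arn-1", "Protocol": "TLS", "Port": 443,
   "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
   "Certificates": [{"CertificateArn": "certificate-arn"}]},
  {"ListenerArn": "listener-arn-2", "Protocol": "TLS", "Port": 8443,
   "SslPolicy": "EXAMPLE-UNAPPROVED-POLICY",
   "Certificates": [{"CertificateArn": "certificate-arn"}]},
  {"ListenerArn": "listener-arn-3", "Protocol": "TCP", "Port": 80},
  {"ListenerArn": "listener-arn-4", "Protocol": "UDP", "Port": 53},
  {"ListenerArn": "listener-arn-5", "Protocol": "TLS", "Port": 9443}
]}
""")


def audit_listeners(doc, approved=APPROVED_TLS_POLICIES):
    """Return (listener_arn, port, finding) tuples for listeners to review."""
    findings = []
    for lst in doc.get("Listeners", []):
        arn, port = lst.get("ListenerArn", "?"), lst.get("Port")
        proto = lst.get("Protocol")
        if proto == "TLS":
            policy = lst.get("SslPolicy")
            if policy not in approved:
                findings.append((arn, port, f"unapproved-ssl-policy:{policy}"))
            if not lst.get("Certificates"):
                findings.append((arn, port, "tls-without-certificate"))
        elif proto in ("TCP", "UDP", "TCP_UDP"):
            # Not terminated at the load balancer; any encryption is between
            # client and target, so record the listener for review.
            findings.append((arn, port, f"no-tls-termination:{proto}"))
        else:
            findings.append((arn, port, f"unexpected-protocol:{proto}"))
    return findings


if __name__ == "__main__":
    for arn, port, finding in audit_listeners(SAMPLE):
        print(f"{arn}\tport {port}\t{finding}")
```

To run it against a real load balancer, save the describe-listeners output to a file, load it with json.load, and pass the result to audit_listeners in place of SAMPLE.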