Certificate

Scenarios

A certificate is required when the load balancer uses the HTTPS protocol. You can upload a certificate and bind it to the listener to provide HTTPS services.

Create a Certificate

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Network, click Elastic Load Balancing.
  4. In the navigation pane, choose Certificates.
  5. Click Create Certificate. In the Create Certificate dialog box, configure the following parameters.
    • Load Balancer Type: Select Enhanced or Classic.
    • Certificate Name
    • Certificate Type
      • Server certificate: A server certificate is used for SSL handshake negotiations when an HTTPS listener is added. Both the certificate content and private key are required.
      • CA certificate: This type of certificate is issued by a CA and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.
    • Description
    • Domain Name: If the certificate is an SNI certificate, a domain name must be specified.
    • Certificate Content: The content must be in PEM format.
    • Private Key
      This must be an unencrypted private key, in the following format:
      -----BEGIN PRIVATE KEY-----
      [key]
      -----END PRIVATE KEY-----
      NOTE:
      • A certificate can be bound only to one load balancer type. Ensure that you have selected the correct type.
      • If a certificate chain is used, configure the content and private keys of all certificates in sequence, starting from the sub-certificate and ending with the root certificate, and make sure that the certificate content and the private keys are configured in the same sequence.

        For example, if you have three certificates (sub-certificate, intermediate certificate, and root certificate), the correct configuration sequence is sub-certificate > intermediate certificate > root certificate.

  6. Click OK.
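As an added pre-upload check (this is example code, not part of this guide and not the product's own validation), the following Python script applies the two rules above to a PEM bundle before it is pasted into the dialog: the private key must be a single unencrypted "-----BEGIN PRIVATE KEY-----" block, and the certificate content must be ordered sub-certificate > intermediate certificate > root certificate. Chain order is verified by reading each certificate's issuer and subject names straight from the DER and checking that every issuer equals the next certificate's subject. The PEM splitting and the minimal DER walk are the example's own code; the sample chain is built by a tiny unsigned encoder (fake_cert) that is constructed for this example and produces stand-ins carrying only the name fields the check reads, not real certificates.

```python
import base64
import re

# One PEM block; the \1 back-reference makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        blocks.append((m.group(1), der))
    return blocks

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Split the value of a SEQUENCE into its [(tag, value)] elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _tlv(seq_value, pos)
        out.append((tag, val))
    return out

def cert_names(der):
    """Return the DER-encoded (issuer, subject) Names of an X.509 certificate.
    Nothing else (signature, validity, key) is examined."""
    _, cert, _ = _tlv(der)                             # Certificate
    _, tbs, _ = _tlv(cert)                             # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                  # issuer, subject

def check_bundle(cert_pem, key_pem):
    """Return a list of problems; an empty list means the upload follows the
    rules above: one unencrypted PKCS#8 key, chain ordered leaf > intermediate > root."""
    problems = []
    keys = [label for label, _ in parse_pem(key_pem)]
    if keys != ["PRIVATE KEY"]:
        problems.append("private key must be one unencrypted "
                        "'-----BEGIN PRIVATE KEY-----' block, got %r" % keys)
    certs = [der for label, der in parse_pem(cert_pem) if label == "CERTIFICATE"]
    if not certs:
        return problems + ["no CERTIFICATE block in certificate content"]
    names = [cert_names(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:             # issuer(i) must equal subject(i+1)
            problems.append("certificate %d is not issued by certificate %d; "
                            "chain is out of order" % (i, i + 1))
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed; root certificate missing")
    return problems

# --- Constructed sample data: a tiny DER encoder builds UNSIGNED stand-ins that
# carry only the fields cert_names() reads. They are not real certificates.
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                            + _der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                    # version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
           + _name(subject_cn)
           + _der(0x30, b""))                                                 # SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

LEAF = fake_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
KEY_PEM = to_pem("PRIVATE KEY", b"\x30\x00")       # placeholder key bytes, constructed

if __name__ == "__main__":
    ordered = "".join(to_pem("CERTIFICATE", c) for c in (LEAF, INTERMEDIATE, ROOT))
    reversed_chain = "".join(to_pem("CERTIFICATE", c) for c in (ROOT, INTERMEDIATE, LEAF))
    print("ordered:", check_bundle(ordered, KEY_PEM) or "ok")
    print("reversed:", check_bundle(reversed_chain, KEY_PEM))
```

With real files, read the certificate bundle and the key file into strings and pass them to check_bundle. The check stops deliberately at chain order and key format, which are the two things the dialog cannot tell you about until the listener fails; signature and validity verification are left to the platform.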

Delete a Certificate

Only certificates that are not in use can be deleted.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Network, click Elastic Load Balancing.
  4. In the navigation pane, choose Certificates.
  5. Locate the target certificate and click Delete in the Operation column.
  6. In the Delete Certificate dialog box, click Yes.

Modify a Certificate

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Network, click Elastic Load Balancing.
  4. On the displayed page, click Certificates.
  5. In the navigation pane, choose Certificates.
  6. Locate the target certificate and click Modify in the Operation column.
  7. In the Modify Certificate dialog box, modify the certificate information.
  8. Click OK.

Bind a Certificate

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Network, click Elastic Load Balancing.
  4. Locate the target load balancer and click its name.
  5. Under Listeners, click Add Listener.
  6. In the Add Listener dialog box, configure the parameters.
    • Table 1 describes the parameters for binding a certificate to a classic load balancer. When Frontend Protocol is set to HTTPS, a certificate must be bound to the listener.
    • Table 2, Table 3, and Table 4 describe the parameters for binding a certificate to an enhanced load balancer. After configuring all required parameters, click Finish. When Frontend Protocol is set to HTTPS (Termination), a server certificate must be bound to the listener.
      Table 1 Parameters for adding a listener to a classic load balancer

      Name
        Description: Specifies the listener name.
        Example value: listener-ssgu

      Frontend Protocol/Port
        Description: Specifies the protocol and port the load balancer uses to receive requests from the client and forward the requests to backend servers. The port numbers range from 1 to 65535.
          Public network load balancers support the following protocols:
          • HTTP: load balancing at Layer 7
          • TCP: load balancing at Layer 4
          • HTTPS: encrypted load balancing at Layer 7
          • UDP: load balancing at Layer 4
          • SSL: encrypted load balancing at Layer 4
          Private network load balancers support the following protocols:
          • HTTP: load balancing at Layer 7
          • TCP: load balancing at Layer 4
          • HTTPS: encrypted load balancing at Layer 7
        Example value: TCP/80, UDP/80, HTTP/80, HTTPS/443, SSL/443

      Backend Protocol/Port
        Description: Specifies the protocol and port used by backend servers to receive requests. The port numbers range from 1 to 65535.
          • TCP: Layer 4 load balancing. When Frontend Protocol is set to SSL, Backend Protocol is TCP by default.
          • UDP: Layer 4 load balancing. When Frontend Protocol is set to UDP, Backend Protocol is UDP by default.
        Example value: TCP/22

      Load Balancing Algorithm
        Description: Specifies the algorithm the load balancer uses to distribute traffic.
          • Round robin: New connection requests are distributed sequentially across all ECSs so that the request workload is evenly shared.
          • Least connections: New connection requests are forwarded to the ECS that is processing the fewest connections at that time.
          • Source IP hash: The source IP address of the request is fed into a hash algorithm, and the resulting hash is used to identify an ECS in the static fragment table.
          NOTE: As access traffic changes, choose the most appropriate algorithm to improve load balancing.
        Example value: Round robin

      Default Certificate
        Description: Specifies the certificate used by an HTTPS load balancer. You can select an existing certificate or create one. For how to create a certificate, see Certificate. This parameter is available only when HTTPS is used as the frontend protocol.
        Example value: N/A

      Enable SNI
        Description: Specifies whether to enable the Server Name Indication (SNI) function when Frontend Protocol is set to HTTPS.
          SNI is an extension to Transport Layer Security (TLS) for servers that use multiple domain names and certificates. It allows the client to send the domain name it wants to reach as part of the SSL handshake request. On receiving the request, the load balancer looks up the certificate for that domain name and returns it to the client. If no matching certificate is found, the load balancer returns the default certificate.
        Example value: N/A

      SNI Certificate
        Description: Specifies the certificate associated with the domain name when Frontend Protocol is set to HTTPS. You can select an existing certificate or create one.
        Example value: N/A

      SSL Protocol
        Description: Specifies the encryption protocol used by an HTTPS load balancer. This parameter enables the selected protocol versions. The following options are supported:
          • TLSv1.2
          • TLSv1.2 TLSv1.1 TLSv1
          This parameter is available only when HTTPS is used as the frontend protocol.
        Example value: TLSv1.2

      SSL Cipher
        Description: Specifies the cipher suite used by an HTTPS load balancer. The following options are available:
          • Default Cipher
          • Extended Cipher
          • Strict Cipher
          This parameter is available only when HTTPS is used as the frontend protocol. Extended Cipher is the only available choice when SSL Protocol is set to TLSv1.2 TLSv1.1 TLSv1.
        Example value: Default Cipher

      Sticky Session
        Description: Specifies whether to enable the sticky session feature. After this feature is enabled, all requests from a client during one session are sent to the same backend server.
          NOTE: This feature is supported only when Load Balancing Algorithm is set to Round robin.
        Example value: N/A

      Stickiness Duration (min)
        Description: Specifies the duration, in minutes, for which sticky sessions are maintained. The value ranges from 1 to 1440.
        Example value: 5

      Description
        Description: Provides supplementary information about the listener.
        Example value: N/A

      Health Check Protocol/Port
        Description: Specifies the protocol and port used for performing health checks on ECSs. The port numbers range from 1 to 65535.
          NOTE: When UDP is used for health checks, the security group rules of backend ECSs must allow access using Internet Control Message Protocol (ICMP).
        Example value: HTTP/80

      Interval (s)
        Description: Specifies the maximum number of seconds between health checks. The value ranges from 1 to 5.
        Example value: 5

      Timeout (s)
        Description: Specifies the maximum number of seconds to wait for the result of a health check. The value ranges from 1 to 50.
        Example value: 10

      Healthy Threshold
        Description: Specifies the number of consecutive successful health checks required for a backend ECS to be considered healthy. The value ranges from 1 to 10.
        Example value: 3

      Unhealthy Threshold
        Description: Specifies the number of consecutive failed health checks required for a backend ECS to be considered unhealthy. The value ranges from 1 to 10.
        Example value: 3

      Check Path
        Description: Specifies the health check URL. This parameter is available only when Health Check Protocol is set to HTTP. The value can contain 1 to 80 characters.
          NOTE: The following characters are allowed in the path: -/.%?#&=
        Example value: /test.html

      Table 2 Parameters for configuring the listener

      Name
        Description: Specifies the listener name.
        Example value: listener-pnqy

      Frontend Protocol/Port
        Description: Specifies the protocol and port the load balancer uses to receive requests from the client and forward the requests to backend servers. The port numbers range from 1 to 65535, and the following protocols are supported:
          • HTTP
          • TCP
          • HTTPS (Termination)
          • UDP
        Example value: HTTP/80

      Redirect
        Description: Redirects requests to an HTTPS listener when HTTP is used as the frontend protocol. If you have both HTTPS and HTTP listeners, you can use this feature to redirect requests from the HTTP listener to the HTTPS listener to ensure security.
        Example value: N/A

      Redirected To
        Description: Specifies the HTTPS listener to which requests are redirected. Select an HTTPS listener.
        Example value: N/A

      Server Certificate
        Description: Specifies the server certificate used for the SSL handshake when Frontend Protocol is set to HTTPS (Termination).
        Example value: N/A

      Enable SNI
        Description: Specifies whether to enable the Server Name Indication (SNI) function when Frontend Protocol is set to HTTPS (Termination).
          SNI is an extension to Transport Layer Security (TLS) for servers that use multiple domain names and certificates. It allows the client to send the domain name it wants to reach as part of the SSL handshake request. On receiving the request, the load balancer looks up the certificate for that domain name and returns it to the client. If no matching certificate is found, the load balancer returns the default certificate.
        Example value: N/A

      SNI Certificate
        Description: Specifies the certificate associated with the domain name when Frontend Protocol is set to HTTPS (Termination) and SNI is enabled. You can select an existing certificate or create one.
        Example value: N/A

      Advanced Settings
        Description: Provides some advanced features. Two options are available: Default and Custom.
        Example value: Default

      Mutual Authentication
        Description: Specifies whether to enable mutual authentication between the server and client. To enable mutual authentication, both a server certificate and a CA certificate are required. This feature can be enabled when HTTPS (Termination) is selected for Frontend Protocol.
        Example value: N/A

      CA Certificate
        Description: Specifies the certificate the server uses to authenticate the client. This parameter is mandatory when Frontend Protocol is set to HTTPS (Termination) and mutual authentication is enabled.
        Example value: N/A

      Description
        Description: Provides supplementary information about the listener.
        Example value: N/A

      Tag
        Description: Adds tags to the listener. Each tag is a key-value pair, and the tag key is unique.
        Example value: 11/11

      Table 3 Parameters for adding a backend server group

      Backend Server Group
        Description: Specifies a group of servers with the same features.
          • Select Create new if you want to create a backend server group.
          • Select Use existing if you want to use an existing backend server group.
        Example value: Create new

      Name
        Description: Specifies the backend server group name.
        Example value: server_group-sq4v

      Backend Protocol
        Description: Specifies the protocol used by backend servers to receive requests.
        Example value: HTTP

      Load Balancing Algorithm
        Description: Specifies the algorithm the load balancer uses to distribute traffic.
          • Weighted round robin: Connection requests are forwarded to different servers based on their weights, which indicate server processing performance. Backend servers with higher weights receive proportionately more requests, whereas equal-weighted servers receive the same number.
          • Weighted least connections: In addition to the weight assigned to each server, the number of connections being processed by each backend server is also considered. Connection requests are forwarded to the server with the lowest connections-to-weight ratio.
          • Source IP hash: The source IP address of the request is fed into a hash algorithm, and the resulting hash is used to identify an ECS in the static fragment table.
          NOTE: As access traffic changes, choose the most appropriate algorithm to improve load balancing.
        Example value: Weighted round robin

      Sticky Session
        Description: Specifies whether to enable sticky sessions. After this feature is enabled, all requests from a client during one session are sent to the same backend server.
          NOTE: For HTTP and HTTPS listeners, enabling or disabling sticky sessions may cause a few seconds of service interruption.
        Example value: N/A

      Sticky Session Type
        Description: Specifies the sticky session type. The following options are available:
          • Source IP address: The hash of the source IP address of the request is used to identify a server in the static fragment table.
          • HTTP cookie: The load balancer generates a cookie after receiving a request from a client. All subsequent requests carrying the cookie are distributed to the same backend server for processing.
          • App cookie: This method relies on backend applications. All requests carrying the cookie generated by a backend application are distributed to the same backend server.
          NOTE: Source IP address is the only choice available when TCP is used as the frontend protocol. If HTTP or HTTPS (Termination) is selected as the frontend protocol, the sticky session type can be HTTP cookie or App cookie. Choose an appropriate sticky session type to better distribute access traffic and improve load balancing.
        Example value: Source IP address

      Cookie Name
        Description: Specifies the cookie name. When App cookie is selected, you need to enter a cookie name.
        Example value: cookieName-qsps

      Description
        Description: Provides supplementary information about the backend server group.
        Example value: N/A

      Table 4 Parameters for configuring a health check

      Enable Health Check
        Description: Specifies whether to enable health checks.
        Example value: N/A

      Protocol
        Description: Specifies the health check protocol. You can use either TCP or HTTP. Once you have selected a protocol, you cannot change it. If the frontend protocol is UDP, the health check protocol is UDP by default.
        Example value: HTTP

      Domain Name
        Description: Specifies the domain name in the health check request. The domain name can consist of digits, letters, hyphens (-), and periods (.), and must start with a digit or letter. The field is left blank by default and is available only when the health check protocol is HTTP.
        Example value: www.elb.com

      Port
        Description: Specifies the health check port. The port numbers range from 1 to 65535.
          NOTE: If no health check port is specified, the port of each backend server is used. If a port is specified, it is used for health checks.
        Example value: 80

      Advanced Settings
        Description: Provides some advanced features. Two options are available: Default and Custom.
        Example value: Default

      Interval (s)
        Description: Specifies the maximum number of seconds between health checks. The value ranges from 1 to 50.
        Example value: 5

      Timeout (s)
        Description: Specifies the maximum number of seconds to wait for the result of a health check. The value ranges from 1 to 50.
        Example value: 10

      Check Path
        Description: Specifies the health check URL. This parameter is valid when Protocol is set to HTTP. The value can contain 1 to 80 characters.
        Example value: /index.html

      Maximum Retries
        Description: Specifies the maximum number of retries for the health check. The value ranges from 1 to 10.
        Example value: 3

  7. Click OK.
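The Enable SNI and SNI Certificate rows in Table 1 and Table 2 describe how an HTTPS listener picks a certificate: by the domain name the client sends in the handshake, with the default certificate as the fallback. The following Python example, added here and not the load balancer's own code, models that selection and makes the consequence of the fallback visible: a hostname with no matching SNI certificate is still answered, but with a certificate that does not carry its name, so a validating client rejects it. Wildcard matching on a single leftmost label is this example's assumption; the guide only states that the match is by domain name. The certificate ids and domain names are constructed placeholders.

```python
def hostname_matches(pattern, host):
    """True when host is exactly pattern, or pattern is a single-label wildcard
    ('*.example.net' covers 'api.example.net' but neither 'example.net' nor
    'a.b.example.net'). Comparison ignores case and a trailing dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def select_certificate(sni_hostname, sni_certs, default_cert):
    """Model the listener's choice. Returns (certificate_id, hostname_covered).

    sni_certs:    {domain name configured on an SNI certificate: certificate id}
    default_cert: (domain name on the default certificate, certificate id)

    hostname_covered is False when the listener fell back to the default
    certificate and that certificate does not carry the requested name: the
    TLS handshake still completes, but a validating client rejects the name.
    A client that sends no SNI always receives the default certificate.
    """
    if sni_hostname:
        host = sni_hostname.lower().rstrip(".")
        if host in sni_certs:                       # exact domain first
            return sni_certs[host], True
        for domain, cert_id in sni_certs.items():   # then wildcard entries
            if hostname_matches(domain, host):
                return cert_id, True
    default_domain, default_id = default_cert
    covered = bool(sni_hostname) and hostname_matches(default_domain, sni_hostname)
    return default_id, covered


def uncovered_hostnames(hostnames, sni_certs, default_cert):
    """The operator's check: which of the hostnames this listener is meant to
    serve would be answered with a certificate that is not valid for them."""
    return [h for h in hostnames
            if not select_certificate(h, sni_certs, default_cert)[1]]


if __name__ == "__main__":
    # Constructed listener configuration (domain names and ids are placeholders).
    sni = {"www.example.com": "cert-www", "*.example.net": "cert-wild"}
    default = ("example.org", "cert-default")
    for host in ("www.example.com", "api.example.net", "a.b.example.net",
                 "shop.example.com", None):
        print(host, "->", select_certificate(host, sni, default))
    print("uncovered:", uncovered_hostnames(
        ["www.example.com", "shop.example.com"], sni, default))
```

Run uncovered_hostnames with the full list of names the listener is expected to serve before binding certificates; every name it returns needs its own SNI certificate, or the default certificate must be one that includes that name.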
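The Load Balancing Algorithm rows in Table 1 and Table 3 describe round robin, (weighted) least connections and source IP hash in a sentence each. The following Python simulation, added as an example and not the load balancer's implementation, runs the three policies over the same constructed request stream so their behaviour can be compared: weighted round robin and weighted least connections both give server a (weight 2) twice the requests of server b (weight 1), and source IP hash keeps one client on one server. SHA-256 over the client IP, the 1024-slot table and the first-server tie-break are assumptions of this example, not documented behaviour.

```python
import hashlib
import itertools


class Backend:
    """A backend server (ECS) with its configured weight and a live count of
    the connections it is currently handling."""
    def __init__(self, name, weight=1):
        self.name, self.weight, self.connections = name, weight, 0


class WeightedRoundRobin:
    """Hand requests out in a fixed cycle in which each server appears as many
    times as its weight, so weight 2 receives twice the share of weight 1."""
    def __init__(self, backends):
        self._cycle = itertools.cycle([b for b in backends for _ in range(b.weight)])

    def pick(self, client_ip=None):
        return next(self._cycle)


class WeightedLeastConnections:
    """Send each request to the server with the lowest connections-to-weight
    ratio; ties go to the first server in the list (an assumption here)."""
    def __init__(self, backends):
        self.backends = backends

    def pick(self, client_ip=None):
        return min(self.backends, key=lambda b: b.connections / b.weight)


class SourceIpHash:
    """Hash the client source IP and use the hash to index a static table of
    backends, so the same client keeps landing on the same server. The hash
    function (SHA-256) and the table size are this example's assumptions."""
    def __init__(self, backends, slots=1024):
        self.table = [backends[i % len(backends)] for i in range(slots)]

    def pick(self, client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.table[int.from_bytes(digest[:4], "big") % len(self.table)]


def simulate(balancer, client_ips):
    """Dispatch one request per client IP (connections are never released, so
    least-connections keeps rebalancing) and return requests served per server."""
    counts = {}
    for ip in client_ips:
        backend = balancer.pick(ip)
        backend.connections += 1
        counts[backend.name] = counts.get(backend.name, 0) + 1
    return counts


def run_demo(algorithm, client_ips):
    """Fresh backends a (weight 2) and b (weight 1), run under the given policy."""
    backends = [Backend("a", 2), Backend("b", 1)]
    return simulate(algorithm(backends), client_ips)


if __name__ == "__main__":
    # Constructed request stream: six distinct clients, then one repeating client.
    clients = ["10.0.0.%d" % i for i in range(1, 7)]
    for policy in (WeightedRoundRobin, WeightedLeastConnections, SourceIpHash):
        print(policy.__name__, run_demo(policy, clients))
    print("SourceIpHash, one client:", run_demo(SourceIpHash, ["10.0.0.1"] * 6))
```

The simulation also shows why the Sticky Session note in Table 1 ties stickiness to round robin: source IP hash is already sticky by construction, while least connections moves a client between servers as the counts change.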