Using a Quick UDP Internet Connections (QUIC) listener to support the HTTP/3 protocol improves network communication. You can use this solution in unstable network environments, such as mobile networks. It also handles high latency well, which makes it a good fit for scenarios such as online gaming and streaming services.
How it works
The UDP-based QUIC protocol is the core of HTTP/3. QUIC provides benefits such as multiplexing, a zero round-trip time (0-RTT) handshake, an efficient congestion control algorithm, and seamless integration. HTTP/3 significantly reduces data retransmission and network latency, improving network communication compared to HTTP/2, which runs Transport Layer Security (TLS) over Transmission Control Protocol (TCP). For more information about QUIC, see the official QUIC documentation.
You can use a QUIC listener separately or associate it with an HTTPS listener. The following list describes the differences:
Use only a QUIC listener: After you create a QUIC listener, the Application Load Balancer (ALB) instance can be accessed by clients using HTTP/3. However, earlier HTTP protocols such as HTTP/2 are not supported.
Use a QUIC listener together with an HTTPS listener: Using a QUIC listener with an HTTPS listener ensures compatibility with different HTTP protocols, such as HTTP/1.1 and HTTP/2. The following figure shows how this mode works. QUIC and HTTPS listeners listen on the same port and use the same forwarding rule. The ALB instance uses the QUIC listener to distribute client access requests to the backend server by default. If the client does not support HTTP/3, the HTTPS listener is used to forward the request.
Configure a QUIC listener
Use a QUIC listener together with an HTTPS listener
Prerequisites
An SSL certificate is configured. For more information, see Configure HTTPS certificates for encrypted communication.
A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Step 1: Create a QUIC listener in AlbConfig
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Create a QUIC listener and add the quicConfig field to the HTTPS listener:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    certificates:
    - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
      IsDefault: true
    quicConfig:
      quicListenerId: "" # Currently empty, will be filled in the next step
      quicUpgradeEnabled: false # Set to false
  - port: 443
    protocol: QUIC # QUIC Listener
    certificates:
    - CertificateId: 756****-cn-hangzhou # Same as HTTPS certificate
      IsDefault: true
Important: The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.
Step 2: Add annotations to the Ingress
Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.
Run the following command to modify the Ingress:
kubectl edit ingress <INGRESS_NAME> # Replace <INGRESS_NAME> with the name of the Ingress
Add the following content to the annotations field of the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]' # Make Ingress suitable for both QUIC and HTTPS listeners
spec:
  #...
Step 3: Associate the listener
Log on to the ALB console.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, find the listener with Listener Protocol/Port specified as QUIC:443 and obtain its ID.
Fill in the QUIC listener ID in the AlbConfig.
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Fill in the QUIC listener ID in the quicListenerId field of the HTTPS listener and change the value of the quicUpgradeEnabled field to true:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    certificates:
    - CertificateId: 756****-cn-hangzhou
      IsDefault: true
    quicConfig:
      quicListenerId: lsn-tnz740dr8p5h65**** # Specific QUIC listener ID.
      quicUpgradeEnabled: true # Change to true
  - port: 443
    protocol: QUIC # QUIC Listener
    certificates:
    - CertificateId: 756****-cn-hangzhou
      IsDefault: true
Check whether the HTTPS listener is associated with the QUIC listener.
Log on to the ALB console.
On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Listener tab. In the listener list, click the name of the HTTPS listener to view the associated QUIC listener on the Listener Details tab.
Step 4: Verify the result
Use HTTP/3 to access the service through ALB Ingress to check whether the configuration takes effect.
Run the following command to view Ingress information.
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Copy the values under HOSTS and ADDRESS for later use.
Run the following commands to use HTTP/3 and traditional HTTPS to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note: Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.

curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
If the following output is returned, the two listeners are associated and compatible with different HTTP protocols:
old
old
(Optional) Step 5: Disassociate the HTTPS listener from the QUIC listener
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Clear the quicListenerId field and change the value of the quicUpgradeEnabled field to false, then save and exit:

# The above content is omitted.
  - port: 443
    protocol: HTTPS
    quicConfig:
      quicListenerId: "" # Clear the QUIC listener ID.
      quicUpgradeEnabled: false # Change to false
    requestTimeout: 0
# The following content is omitted.
Use only a QUIC listener
Prerequisites
An AlbConfig is created. For more information, see Create an ALB Ingress.
A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Step 1: Create a QUIC listener in AlbConfig
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Create a QUIC listener:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: QUIC # QUIC Listener
    certificates:
    - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
      IsDefault: true
Important: The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.
Step 2: Create required resources
Create a file named https-quickstart.yaml, copy the following content to the file, and save it.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: https-ingressclass
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb # Change to the name of the AlbConfig resource
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
spec:
  ingressClassName: https-ingressclass
  rules:
  - host: demo.alb.ingress.top # Replace demo.alb.ingress.top with the domain name associated with the certificate
    http:
      paths:
      - backend:
          service:
            name: https-svc
            port:
              number: 443
        path: /
        pathType: Prefix
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: https-deploy
  template:
    metadata:
      labels:
        app: https-deploy
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
        imagePullPolicy: IfNotPresent
        name: https-deploy
        ports:
        - containerPort: 80
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: https-svc
spec:
  ports:
  - name: port1
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    app: https-deploy
  sessionAffinity: None
  type: ClusterIP
Run the following command to create resources:
kubectl apply -f https-quickstart.yaml
Step 3: Add annotations to the Ingress
Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.
Run the following command to modify the Ingress:
kubectl edit ingress https-ingress
Add the following content to the annotations field of the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443}]' # Make Ingress suitable for the QUIC listener
spec:
  #...
Step 4: Verify the result
Run the following command to view Ingress information.
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Copy the values under HOSTS and ADDRESS for later use.
Run the following command to use HTTP/3 to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note: Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.

curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
If the following output is returned, the QUIC listener is configured:
old
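A pre-apply consistency check covering both procedures above (an added example, not part of this documentation or of the ALB Ingress controller; the sample objects are constructed to mirror the page's YAML, and the certificate and listener IDs are the page's masked placeholders). It verifies that every protocol/port in the listen-ports annotation has a listener in the AlbConfig, and that an HTTPS listener with quicUpgradeEnabled: true names a QUIC listener ID and has a QUIC listener on the same port serving the same certificate, so the upgrade never presents clients a different identity.

```python
import json
LISTEN_PORTS = "alb.ingress.kubernetes.io/listen-ports"

def listen_ports(ingress):
    """Parse the listen-ports annotation into (protocol, port) pairs."""
    raw = ingress["metadata"]["annotations"][LISTEN_PORTS]
    return [(proto, port) for entry in json.loads(raw) for proto, port in entry.items()]

def cert_ids(listener):
    return {c["CertificateId"] for c in listener.get("certificates", [])}

def check(albconfig, ingress):
    """Return a list of problems; an empty list means AlbConfig and Ingress agree."""
    problems = []
    by_key = {(l["protocol"], l["port"]): l for l in albconfig["spec"]["listeners"]}
    # Every protocol/port the Ingress opts into must exist as a listener.
    for proto, port in listen_ports(ingress):
        if (proto, port) not in by_key:
            problems.append(f"Ingress lists {proto}:{port} but the AlbConfig has no such listener")
    # An HTTPS listener that upgrades to QUIC needs a complete, matching QUIC peer.
    for (proto, port), l in by_key.items():
        qc = l.get("quicConfig") or {}
        if proto != "HTTPS" or not qc.get("quicUpgradeEnabled"):
            continue
        if not qc.get("quicListenerId"):
            problems.append(f"HTTPS:{port} has quicUpgradeEnabled but an empty quicListenerId")
        quic = by_key.get(("QUIC", port))
        if quic is None:
            problems.append(f"HTTPS:{port} upgrades to QUIC but no QUIC listener exists on port {port}")
        elif cert_ids(quic) != cert_ids(l):
            problems.append(f"QUIC:{port} and HTTPS:{port} serve different certificates")
    return problems

# Constructed samples that mirror the YAML on this page (masked placeholder IDs).
CERT = [{"CertificateId": "756****-cn-hangzhou", "IsDefault": True}]
HTTPS_LISTENER = {"port": 443, "protocol": "HTTPS", "certificates": CERT,
                  "quicConfig": {"quicListenerId": "lsn-tnz740dr8p5h65****",
                                 "quicUpgradeEnabled": True}}
QUIC_LISTENER = {"port": 443, "protocol": "QUIC", "certificates": CERT}
ALB_BOTH = {"spec": {"listeners": [HTTPS_LISTENER, QUIC_LISTENER]}}
ALB_QUIC_ONLY = {"spec": {"listeners": [QUIC_LISTENER]}}

def ingress_with(annotation):
    return {"metadata": {"annotations": {LISTEN_PORTS: annotation}}}

if __name__ == "__main__":
    print(check(ALB_BOTH, ingress_with('[{"QUIC": 443},{"HTTPS": 443}]')))      # []
    print(check(ALB_QUIC_ONLY, ingress_with('[{"QUIC": 443}]')))                 # []
    print(check(ALB_QUIC_ONLY, ingress_with('[{"QUIC": 443},{"HTTPS": 443}]')))  # one problem
```

Run it against the rendered objects (for example from kubectl get albconfig/ingress -o json) before kubectl apply; a non-empty result means the listener pair is in the half-configured state of Step 1 or the annotation and listeners have drifted apart.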
References
If your web service is vulnerable to intrusions or requires higher security, you can use WAF-enabled ALB instances. For more information, see Use WAF-enabled ALB instances to protect applications.
For more information about listener configurations, see Use AlbConfigs to configure ALB listeners.