
Container Service for Kubernetes: Use a QUIC listener to support the HTTP/3 protocol to improve network communication

Last Updated: Aug 22, 2024

Using a Quick UDP Internet Connections (QUIC) listener to support the HTTP/3 protocol improves network communication. You can use this solution in unstable network environments, such as mobile networks. It also handles high latency well and is an excellent choice for scenarios such as online gaming and streaming services.

How it works

The UDP-based QUIC protocol is the core of HTTP/3. QUIC provides benefits such as multiplexing, a zero round-trip time (0-RTT) handshake, an efficient congestion control algorithm, and seamless integration. Compared to HTTP/2, which uses Transport Layer Security (TLS) and Transmission Control Protocol (TCP), HTTP/3 significantly reduces data retransmission and network latency. For more information about QUIC, see the official QUIC documentation.

You can use a QUIC listener separately or associate it with an HTTPS listener. The following list describes the differences:

  • Use only a QUIC listener: After you create a QUIC listener, the Application Load Balancer (ALB) instance can be accessed by clients using HTTP/3. However, earlier HTTP protocols such as HTTP/2 are not supported.

  • Use a QUIC listener together with an HTTPS listener: Using a QUIC listener with an HTTPS listener ensures compatibility with different HTTP protocols, such as HTTP/1.1 and HTTP/2. The following figure shows how this mode works. QUIC and HTTPS listeners listen on the same port and use the same forwarding rule. The ALB instance uses the QUIC listener to distribute client access requests to the backend server by default. If the client does not support HTTP/3, the HTTPS listener is used to forward the request.

    image

Configure a QUIC listener

Use a QUIC listener together with an HTTPS listener

Prerequisites

Step 1: Create a QUIC listener in AlbConfig

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Create a QUIC listener and add the quicConfig field in the HTTPS listener.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: #...
    spec:
      config:
        #...
      listeners:
        - port: 443
          protocol: HTTPS
          certificates:
          - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
            IsDefault: true
          quicConfig:
            quicListenerId: "" # Currently empty, will be filled in the next step
            quicUpgradeEnabled: false # Set to false
        - port: 443
          protocol: QUIC # QUIC Listener
          certificates:
          - CertificateId: 756****-cn-hangzhou # Same as HTTPS certificate
            IsDefault: true

    Important

    The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.

Step 2: Add annotations to the Ingress

Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.

  1. Run the following command to modify the Ingress:

    kubectl edit ingress <INGRESS_NAME> # Replace <INGRESS_NAME> with the name of the Ingress

  2. Add the following content to the annotations field of the Ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: #...
      annotations:
        alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]' # Make Ingress suitable for both QUIC and HTTPS listeners
    spec:
      #...

Step 3: Associate the listener

  1. Log on to the ALB console.

  2. On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, find the listener with Listener Protocol/Port specified as QUIC:443 and obtain its ID.

  3. Fill in the QUIC listener ID in the AlbConfig.

    1. Run the following command to modify the AlbConfig:

      kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

    2. Fill in the QUIC listener ID in the quicListenerId field of the HTTPS listener and change the value of the quicUpgradeEnabled field to true.

      apiVersion: alibabacloud.com/v1
      kind: AlbConfig
      metadata:
        name: #...
      spec:
        config:
          #...
        listeners:
          - port: 443
            protocol: HTTPS
            certificates:
            - CertificateId: 756****-cn-hangzhou
              IsDefault: true 
            quicConfig: 
              quicListenerId: lsn-tnz740dr8p5h65**** # Specific QUIC listener ID.
              quicUpgradeEnabled: true # Change to true
          - port: 443
            protocol: QUIC # QUIC Listener
            certificates:
            - CertificateId: 756****-cn-hangzhou
              IsDefault: true

  4. Check whether the HTTPS listener is associated with the QUIC listener.

    1. Log on to the ALB console.

    2. On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Listener tab. In the listener list, click the name of the HTTPS listener to view the associated QUIC listener on the Listener Details tab.
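
Steps 1 and 3 (and Step 5) change quicListenerId and quicUpgradeEnabled together, so an HTTPS listener with one set and not the other is a half-applied edit. The following check is an added example, not part of the original documentation; the function names and the `|`-separated line format are this example's own, and it reads only the AlbConfig fields shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the product documentation). Function names and the
# "|"-separated line format are assumptions of this example.

# Print one "port|protocol|quicListenerId|quicUpgradeEnabled" line per listener.
dump_listeners() {  # $1 = AlbConfig name
  kubectl get albconfig "$1" -o jsonpath='{range .spec.listeners[*]}{.port}{"|"}{.protocol}{"|"}{.quicConfig.quicListenerId}{"|"}{.quicConfig.quicUpgradeEnabled}{"\n"}{end}'
}

# Read those lines on stdin. Exit status 1 if an HTTPS listener is in a state
# the procedure never produces; a pending association is reported but allowed.
lint_listeners() {
  awk -F'|' '
    $2 == "QUIC"  { quic[$1] = 1 }
    $2 == "HTTPS" { https[$1] = 1; id[$1] = $3; up[$1] = $4 }
    END {
      bad = 0
      for (p in https) {
        if (up[p] == "true" && id[p] == "") {
          print "port " p ": quicUpgradeEnabled is true but quicListenerId is empty"; bad = 1
        }
        if (up[p] == "true" && !(p in quic)) {
          print "port " p ": quicUpgradeEnabled is true but no QUIC listener on this port"; bad = 1
        }
        if (up[p] != "true" && id[p] != "") {
          print "port " p ": quicListenerId is set but quicUpgradeEnabled is not true"; bad = 1
        }
        if (up[p] != "true" && id[p] == "" && (p in quic)) {
          print "port " p ": QUIC listener present, association pending (Step 3)"
        }
      }
      exit bad
    }'
}

# Usage against a cluster:  dump_listeners <ALBCONFIG_NAME> | lint_listeners
# Constructed sample of the state after Step 1 (placeholder values):
sample_after_step1='443|HTTPS||false
443|QUIC||'
```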

Step 4: Verify the result

Use HTTP/3 to access the service through ALB Ingress to check whether the configuration takes effect.

  1. Run the following command to view Ingress information.

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Copy the values under HOSTS and ADDRESS for later use.

  2. Run the following commands to use HTTP/3 and traditional HTTPS to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.

    Note

    Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.

    curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
    curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com

    If the following output is returned, the two listeners are associated and compatible with different HTTP protocols:

    old
    old
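
Both commands above print the same body, so the output alone does not show which protocol served each request, and curl's `--http3` may fall back to an earlier HTTP version. The following added example (not part of the original documentation) reports the negotiated version with curl's `%{http_version}` write-out variable and uses `--http3-only` so that a fallback counts as a failure; the function names and the HOST_NAME and ALB_ADDR variables are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the product documentation); function names are its own.
# HOST_NAME and ALB_ADDR are the HOSTS and ADDRESS values from `kubectl get ingress`.

# True if the given `curl --version` text lists HTTP3 among its features.
curl_has_http3() {
  printf '%s\n' "$1" | grep '^Features:' | grep -qw 'HTTP3'
}

# One request; prints "<status> <negotiated version>", for example "200 3".
# --connect-to routes the connection to the ALB address while the URL keeps the
# certificate host name, so SNI and certificate validation stay on (no -k).
probe() {  # $1 = curl protocol flag, $2 = host name, $3 = ALB address
  curl "$1" -sS -o /dev/null --max-time 10 --connect-to "$2:443:$3:443" \
       -w '%{http_code} %{http_version}' "https://$2/" 2>/dev/null
}

# Compare a probe result with what the listener under test should negotiate.
verdict() {  # $1 = probe output, $2 = "3" (QUIC) or "tcp" (HTTP/1.1 or HTTP/2)
  code=${1%% *}; version=${1##* }
  case "$code" in ''|000) echo "FAIL: no response"; return 1 ;; esac
  case "$2:$version" in
    3:3|tcp:2|tcp:1.1) echo "OK: HTTP/$version, status $code" ;;
    3:*) echo "FAIL: wanted HTTP/3, got HTTP/$version"; return 1 ;;
    *)   echo "FAIL: wanted HTTP/1.1 or HTTP/2, got HTTP/$version"; return 1 ;;
  esac
}

check_listeners() {  # $1 = host name, $2 = ALB address
  curl_has_http3 "$(curl --version)" || { echo "FAIL: curl lacks HTTP/3"; return 2; }
  rc=0
  verdict "$(probe --http3-only "$1" "$2")" 3 || rc=1   # QUIC listener, no fallback
  verdict "$(probe --http2 "$1" "$2")" tcp || rc=1      # HTTPS listener
  return "$rc"
}

# Runs only when both values are supplied in the environment.
if [ -n "${HOST_NAME:-}" ] && [ -n "${ALB_ADDR:-}" ]; then
  check_listeners "$HOST_NAME" "$ALB_ADDR"
fi
```

If the certificate is not issued by a CA in curl's trust store, pass the issuing CA with `--cacert` in `probe` instead of disabling validation with `-k`.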

(Optional) Step 5: Disassociate the HTTPS listener from the QUIC listener

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Clear the quicListenerId field and change the value of the quicUpgradeEnabled field to false, then save and exit.

    # The above content is omitted.
        port: 443
        protocol: HTTPS
        quicConfig:
          quicListenerId: "" # Clear the QUIC listener ID.
          quicUpgradeEnabled: false # Change to false
        requestTimeout: 0
    # The following content is omitted.

Use only a QUIC listener

Prerequisites

Step 1: Create a QUIC listener in AlbConfig

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

  2. Create a QUIC listener.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: #...
    spec:
      config:
        #...
      listeners:
        - port: 443
          protocol: QUIC # QUIC Listener
          certificates:
          - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
            IsDefault: true

    Important

    The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.

Step 2: Create required resources

  1. Create a file named https-quickstart.yaml, copy the following content to the file, and save it.

    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: https-ingressclass
    spec:
      controller: ingress.k8s.alibabacloud/alb
      parameters:
        apiGroup: alibabacloud.com
        kind: AlbConfig
        name: alb # Change to the name of the AlbConfig resource
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: https-ingress
    spec:
      ingressClassName: https-ingressclass
      rules:
      - host: demo.alb.ingress.top # Replace demo.alb.ingress.top with the domain name associated with the certificate
        http:
          paths:
          - backend:
              service:
                name: https-svc
                port:
                  number: 443
            path: /
            pathType: Prefix
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: https-deploy
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: https-deploy
      template:
        metadata:
          labels:
            app: https-deploy
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
              imagePullPolicy: IfNotPresent
              name: https-deploy
              ports:
                - containerPort: 80
                  protocol: TCP
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: https-svc
    spec:
      ports:
        - name: port1
          port: 443
          protocol: TCP
          targetPort: 80
      selector:
        app: https-deploy
      sessionAffinity: None
      type: ClusterIP

  2. Run the following command to create resources:

    kubectl apply -f https-quickstart.yaml

Step 3: Add annotations to the Ingress

Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.

  1. Run the following command to modify the Ingress:

    kubectl edit ingress https-ingress

  2. Add the following content to the annotations field of the Ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: #...
      annotations:
        alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443}]' # Make Ingress suitable for the QUIC listener
    spec:
      #...

Step 4: Verify the result

  1. Run the following command to view Ingress information.

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Copy the values under HOSTS and ADDRESS for later use.

  2. Run the following command to use HTTP/3 to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.

    Note

    Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.

    curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com

    If the following output is returned, the QUIC listener is configured:

    old
