Use a QUIC listener to support HTTP/3 protocol to improve network communication - Container Service for Kubernetes

Using a Quick UDP Internet Connections (QUIC) listener to support the HTTP/3 protocol improves network communication. You can use this solution in unstable network environments, such as mobile networks. It can also handle high-latency and is an excellent choice for scenarios such as online gaming and streaming services.

How it works

The UDP-based QUIC protocol is the core of HTTP/3. QUIC provides benefits such as multiplexing, zero round trip-time (0-RTT) handshake, efficient congestion control algorithm, and seamless integration. HTTP/3 significantly reduces data retransmission and network latency, improving network communication compared to HTTP/2, which uses Transport Layer Security (TLS) and Transmission Control Protocol (TCP). For more information about QUIC, see official QUIC documentation.

You can use a QUIC listener separately or associate it with an HTTPS listener. The following list describes the differences:

Use only a QUIC listener: After you create a QUIC listener, the Application Load Balancer (ALB) instance can be accessed by clients using HTTP/3. However, earlier HTTP protocols such as HTTP/2 are not supported.
Use a QUIC listener together with an HTTPS listener: Using a QUIC listener with an HTTPS listener ensures compatibility with different HTTP protocols, such as HTTP/1.1 and HTTP/2. The following figure shows how this mode works. QUIC and HTTPS listeners listen on the same port and use the same forwarding rule. The ALB instance uses the QUIC listener to distribute client access requests to the backend server by default. If the client does not support HTTP/3, the HTTPS listener is used to forward the request.

Configure a QUIC listener

Use a QUIC listener together with an HTTPS listener

Prerequisites

An SSL certificate is configured. For more information, see Configure HTTPS certificates for encrypted communication.
A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Step 1: Create a QUIC listener in AlbConfig

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Create a QUIC listener and add the quicConfig field in the HTTPS listener.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: HTTPS
      certificates:
      - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
        IsDefault: true
      quicConfig:
        quicListenerId: "" # Currently empty, will be filled in the next step
        quicUpgradeEnabled: false # Set to false
    - port: 443
      protocol: QUIC # QUIC Listener
      certificates:
      - CertificateId: 756****-cn-hangzhou # Same as HTTPS certificate
        IsDefault: true

Important

The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.

Step 2: Add annotations to the Ingress

Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.

Run the following command to modify the Ingress:

kubectl edit ingress <INGRESS_NAME> # Replace <INGRESS_NAME> with the name of the Ingress

Add the following content to the annotations field of the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443},{"HTTPS": 443}]' # Make Ingress suitable for both QUIC and HTTPS listeners
spec:
  #...

Step 3: Associate the listener

Log on to the ALB console.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, find the listener with Listener Protocol/Port specified as QUIC:443 and obtain its ID.

Fill in the QUIC listener ID in the AlbConfig.

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Fill in the QUIC listener ID in the quicListenerId field of the HTTPS listener and change the value of the quicUpgradeEnabled field to true.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: HTTPS
      certificates:
      - CertificateId: 756****-cn-hangzhou
        IsDefault: true 
      quicConfig: 
        quicListenerId: lsn-tnz740dr8p5h65**** # Specific QUIC listener ID.
        quicUpgradeEnabled: true # Change to true
    - port: 443
      protocol: QUIC # QUIC Listener
      certificates:
      - CertificateId: 756****-cn-hangzhou
        IsDefault: true

Check whether the HTTPS listener is associated with the QUIC listener.
1. Log on to the ALB console.
2. On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Listener tab. In the listener list, click the name of the HTTPS listener name to view the associated QUIC listener on the Listener Details tab.

Step 4: Verify the result

Use HTTP/3 to access the service through ALB Ingress to check whether the configuration takes effect.

Run the following command to view Ingress information.

kubectl get ingress

Expected output:

NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

Copy the values under HOSTS and ADDRESS for later use.

Run the following commands to use HTTP/3 and traditional HTTPS to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note
Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.
```
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
```
If the following output is returned, the two listeners are associated and compatible with different HTTP protocols:
```
old
old
```

(Optional) Step 5: Disassociate the HTTPS listener from the QUIC listener

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Clear the quicListenerId field and change the value of the quicUpgradeEnabled field to false, then save and exit.

# The above content is omitted.
    port: 443
    protocol: HTTPS
    quicConfig:
      quicListenerId: "" # Clear the QUIC listener ID.
      quicUpgradeEnabled: false # Change to false
    requestTimeout: 0
# The following content is omitted.

Use only a QUIC listener

Prerequisites

An AlbConfig is created. For more information, see Create an ALB Ingress.
A kubectl client is connected to your cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Step 1: Create a QUIC listener in AlbConfig

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Create a QUIC listener.
```
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
    - port: 443
      protocol: QUIC # QUIC Listener
      certificates:
      - CertificateId: 756****-cn-hangzhou # Certificate's CertIdentifier
        IsDefault: true 
```
Important
The preceding example uses an AlbConfig to specify the certificate configuration method. You can also use automatic certificate discovery and certificates stored as Secrets in a QUIC listener. For more information, see Configure HTTPS certificates for encrypted communication.

Step 2: Create required resources

Create a file named https-quickstart.yaml, copy the following content to the file, and save it.

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: https-ingressclass
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb # Change to the name of the AlbConfig resource
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
spec:
  ingressClassName: https-ingressclass
  rules:
  - host: demo.alb.ingress.top # Replace demo.alb.ingress.top with the domain name associated with the certificate
    http:
      paths:
      - backend:
          service:
            name: https-svc
            port:
              number: 443
        path: /
        pathType: Prefix
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: https-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: https-deploy
  template:
    metadata:
      labels:
        app: https-deploy
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
          imagePullPolicy: IfNotPresent
          name: https-deploy
          ports:
            - containerPort: 80
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: https-svc
spec:
  ports:
    - name: port1
      port: 443
      protocol: TCP
      targetPort: 80
  selector:
    app: https-deploy
  sessionAffinity: None
  type: ClusterIP

Run the following command to create resources:
```
kubectl apply -f https-quickstart.yaml
```

Step 3: Add annotations to the Ingress

Add annotations to the Ingress to apply the Ingress configuration to multiple listeners.

Run the following command to modify the Ingress:
```
kubectl edit ingress https-ingress
```

Add the following content to the annotations field of the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #...
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"QUIC": 443}]' # Make Ingress suitable for the QUIC listener
spec:
  #...

Step 4: Verify the result

Run the following command to view Ingress information.

kubectl get ingress

Expected output:

NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

Copy the values under HOSTS and ADDRESS for later use.

Run the following commands to use HTTP/3 and traditional HTTPS to access the service. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
Note
Some versions of curl do not use HTTP/3 by default. Make sure that your curl uses HTTP/3.
```
curl --http3 -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com
```
If the following output is returned, the QUIC listener is configured:
```
old
```

References

If your web service is vulnerable to intrusions or requires higher security, you can use WAF-enabled ALB instances. For more information, see Use WAF-enabled ALB instances to protect applications.
For more information about listener configurations, see Use AlbConfigs to configure ALB listeners.