If you use a Layer 4 load balancer and want to use SSL encryption to secure traffic, you can configure an SSL certificate on each backend server. However, this method is inefficient. Instead, you can use the SSL offloading feature of Network Load Balancer (NLB). You deploy an NLB instance as the ingress for traffic and configure an SSL certificate on it. The NLB instance then decrypts the encrypted client traffic and distributes plaintext traffic to the backend servers. This improves the efficiency of backend services, simplifies the configuration of backend servers, and keeps the client-facing connection secure.
Prerequisites
An NLB instance is created. For more information, see Create and manage an NLB instance.
An NLB backend server group is created. For more information, see Create and manage a server group.
Important: The backend protocol of the server group must be TCP.
You cannot associate listeners that use SSL over TCP with server groups for which client IP preservation is enabled. Make sure that the feature is disabled for the server group.
ECS01 and ECS02 are added to the backend server group, and services are deployed on ECS01 and ECS02.
Step 1: Prepare a server certificate
You can purchase a server certificate from Alibaba Cloud, or purchase a server certificate from another service provider and upload the certificate.
In this example, the server certificate is purchased from Alibaba Cloud.
For more information about how to purchase a server certificate, see Purchase an SSL certificate.
For more information about how to upload a certificate, see Upload an SSL certificate.
Make sure that the domain name that you want to associate with an SSL certificate is registered and has an Internet Content Provider (ICP) number. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.
Step 2: Configure a listener that uses SSL over TCP
Log on to the NLB console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where the NLB instance is deployed.
On the Instances page, find the NLB instance, and click Create Listener in the Actions column.
In the Configure Listener step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter           Description
Listener Protocol   Select TCPSSL.
Listener Port       In this example, 443 is used.
In the Configure SSL Certificate step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter             Description
Server Certificate    Select the server certificate obtained in Step 1.
TLS Security Policy   Select a security policy based on your business requirements. If you select a later version, make sure that the security policy is compatible with your clients.
In the Select Server Group step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter      Description
Server Group   Select the server group that you created.
In the Configuration Review step, check whether the parameters are correctly set and click Submit.
Step 3: Create a CNAME record
Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed.
Select the NLB instance for which you want to create a DNS record and copy the domain name of the NLB instance.
To create a CNAME record, perform the following steps:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter the domain name of your host and click OK.
Important: Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, click Add DNS Record.
In the Add DNS Record panel, configure the following parameters and click OK.
Parameter            Description
Record Type          Select CNAME from the drop-down list.
Hostname             Enter the prefix of your domain name.
DNS Request Source   Select Default.
Record Value         Enter the CNAME, which is the domain name of the NLB instance that you copied.
TTL                  Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.
Step 4: Test network connectivity
Enter the domain name associated with your NLB instance in the browser and refresh the page multiple times. The requests are sent over HTTPS, forwarded to the backend service, and distributed between the ECS instances.
To avoid browser cache issues, we recommend that you use a browser in private browsing mode to access the domain name when you test the capabilities of a Layer 4 Server Load Balancer (SLB) instance.
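The following script is an added example, not part of the original page, that checks the same three things from a client: that the CNAME from Step 3 points at the NLB domain name, that the TCPSSL listener from Step 2 presents a certificate that verifies and that the TLS Security Policy rejects a protocol version you expect it to exclude, and that repeated requests are spread across more than one backend. DOMAIN and NLB_DOMAIN are placeholders to replace with your own values, and the distribution check assumes each backend returns an identifying line (for example its hostname) in the response body.

```shell
#!/bin/sh
# Added example (not from the original page). Placeholders: set DOMAIN and
# NLB_DOMAIN to your host name and the NLB instance domain name you copied.
DOMAIN="${DOMAIN:-www.example.com}"
NLB_DOMAIN="${NLB_DOMAIN:-nlb-placeholder.example.com}"
PORT="${PORT:-443}"
REQUESTS="${REQUESTS:-10}"

# Normalize a DNS name so dig output (trailing dot, mixed case) compares cleanly.
normalize_name() { printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'; }

# Step 3 check: the host's CNAME must resolve to the NLB instance domain name.
check_cname() {
  target="$(dig +short CNAME "$1" | head -n 1)"
  [ "$(normalize_name "$target")" = "$(normalize_name "$2")" ]
}

# Step 2 check: the TLS handshake must succeed and the chain must verify,
# so clients will not see certificate warnings.
check_tls() {
  printf '' | openssl s_client -connect "$1:$PORT" -servername "$1" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Policy check: a handshake forced to an old version (e.g. -tls1) should FAIL
# when the TLS Security Policy excludes it. Returns 0 when it is rejected.
check_version_rejected() {
  ! printf '' | openssl s_client -connect "$1:$PORT" -servername "$1" "$2" 2>/dev/null \
    | grep -q 'Verify return code'
}

# Step 4 check: count distinct backend identifiers seen, one response per line.
count_backends() { sort -u | wc -l | tr -d ' '; }

# Fetch the page REQUESTS times (no cache) and count which backends answered.
backends_seen() {
  i=0
  while [ "$i" -lt "$REQUESTS" ]; do
    curl -s -H 'Cache-Control: no-cache' "https://$1/"
    i=$((i + 1))
  done | count_backends
}

# Run the live checks only when RUN_CHECKS is set, so sourcing is side-effect free.
if [ -n "${RUN_CHECKS:-}" ]; then
  check_cname "$DOMAIN" "$NLB_DOMAIN" && echo "CNAME ok" || echo "CNAME mismatch"
  check_tls "$DOMAIN" && echo "TLS ok" || echo "TLS verify failed"
  check_version_rejected "$DOMAIN" -tls1 && echo "TLS1.0 rejected" || echo "TLS1.0 accepted"
  echo "backends seen: $(backends_seen "$DOMAIN") (expect 2 for ECS01 and ECS02)"
fi
```

Run it with RUN_CHECKS=1 DOMAIN=your.host NLB_DOMAIN=your-nlb-domain sh script.sh; a backend count of 1 means traffic is not being distributed or the identifying line is missing.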
References
If you need to use a third-party server certificate, see Upload and share an SSL certificate.
For more information about how to add a listener that uses SSL over TCP, see Add a listener that uses SSL over TCP.
If you want to implement mutual authentication to meet higher security requirements, refer to Use NLB to enable SSL offloading over TCP (mutual authentication).