Step 1: Configure a target group
Configuring a target group allows you to register targets such as EC2 instances. The target group that you configure in this step is used as the target group in the listener rule when you configure your load balancer. For more information, see Target groups for your Network Load Balancers (p. 37).
To configure your target group
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Load Balancing, choose Target Groups.
3. Choose Create target group.
4. In the Basic configuration section, set the following parameters:
a. For Choose a target type, select Instance to register targets by instance ID, IP addresses to register targets by IP address, or Application Load Balancer to register an Application Load Balancer as a target.
b. For Target group name, enter a name for the target group.
c. For Protocol, choose a protocol as follows:
• If the listener protocol is TCP, choose TCP or TCP_UDP.
• If the listener protocol is TLS, choose TCP or TLS.
• If the listener protocol is UDP, choose UDP or TCP_UDP.
• If the listener protocol is TCP_UDP, choose TCP_UDP.
d. (Optional) For Port, modify the default value as needed.
e. For VPC, select a virtual private cloud (VPC) with the targets that you want to include in your target group.
f. For Protocol version, select HTTP1 when the request protocol is HTTP/1.1 or HTTP/2; select HTTP2, when the request protocol is HTTP/2 or gRPC; and select gRPC, when the request protocol is gRPC.
5. In the Health checks section, modify the default settings as needed. For Advanced health check settings, choose the health check port, count, timeout, interval, and specify success codes. If health checks consecutively exceed the Unhealthy threshold count, the load balancer takes the target out of service. If health checks consecutively exceed the Healthy threshold count, the load balancer puts the target back in service. For more information, see Health checks for your target groups (p. 48).
6. (Optional) Add one or more tags as follows:
a. Expand the Tags section.
b. Choose Add tag.
c. Enter the tag Key and tag Value. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.
7. Choose Next.
Step 2: Register targets
You can register EC2 instances, IP addresses, or an Application Load Balancer with your target group. This is an optional step to create a load balancer. However, you must register your targets to ensure that your load balancer can route traffic to them.
1. In the Register targets page, add one or more targets as follows:
• If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.
• If the target type is IP addresses, select the network, enter the IP address and ports, and then choose Include as pending below.
• If the target type is Application Load Balancer, select an Application Load Balancer.
2. Choose Create target group.
Step 3: Configure a load balancer and a listener
To create a Network Load Balancer, you must first provide basic configuration information for your load balancer, such as a name, scheme, and IP address type. Then provide information about your network, and one or more listeners. A listener is a process that checks for connection requests. It is configured with a protocol and a port for connections from clients to the load balancer. For more information about supported protocols and ports, see Listener configuration (p. 21).
To configure your load balancer and listener
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Load Balancing, choose Load Balancers.
3. Choose Create Load Balancer.
4. Under Network Load Balancer, choose Create.
5. Basic configuration
a. For Load balancer name, enter a name for your load balancer. For example, my-nlb. The name of your Network Load Balancer must be unique within your set of Application Load Balancers and Network Load Balancers for the Region. It can have a maximum of 32 characters, and contain only alphanumeric characters and hyphens. It must not begin or end with a hyphen, and it must not begin with internal-.
b. For Scheme, choose Internet-facing or Internal. An internet-facing load balancer routes requests from clients to targets over the internet. An internal load balancer routes requests to targets using private IP addresses.
c. For IP address type, choose IPv4 or Dualstack. Use IPv4 if your clients use IPv4 addresses to communicate with the load balancer. Use Dualstack if your clients use both IPv4 and IPv6 addresses to communicate with the load balancer.
6. Network and security
a. For VPC, select the VPC that you used for your EC2 instances. If you selected Internet-facing for Scheme, only VPCs with an internet gateway are available for selection.
b. For Mappings, select one or more Availability Zones and corresponding subnets. Enabling multiple Availability Zones increases the fault tolerance of your applications. For internet-facing load balancers, you can select an Elastic IP address for each Availability Zone. This provides your load balancer with static IP addresses. Alternatively, for an internal load balancer, you can assign a private IP address from the IPv4 range of each subnet instead of letting AWS assign one for you.
7. Listeners and routing
a. For Listeners, the default is a listener that accepts TCP traffic on port 80. You can keep the default listener settings, modify the protocol, or modify the port.
b. For Default action, select a target group to forward traffic. If you don't have a default target group, go back to Step 2 to configure a target group. Choose Add listener to add another listener.
c. For Secure listener settings (available only for secure listeners), choose a Security policy that meets your requirements.
d. For ALPN policy, choose a policy to enable ALPN or choose None to disable ALPN.
e. For Default SSL certificate, choose From ACM (recommended) and select a certificate. If you don't have a certificate that is available to choose, you can import a certificate into ACM, or use ACM to provision one for you. For more information, see Issuing and Managing Certificates in the ACM User Guide.
8. Tag and create
a. (Optional) Add a tag to categorize your load balancer. Tag keys must be unique for each load balancer. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.
b. Review your configuration, and choose Create load balancer. A few default attributes are applied to your load balancer during creation. You can view and edit them after creating the load balancer. For more information, see Load balancer attributes (p. 10).
Step 4: Test the load balancer
After creating your load balancer, you can verify that your EC2 instances have passed the initial health check and then test that the load balancer is sending traffic to your EC2 instances. To delete the load balancer, see Delete a Network Load Balancer (p. 19).
To test the load balancer
1. After the load balancer is created, choose Close.
2. In the left navigation pane, under Load Balancing, choose Target Groups.
3. Select the newly created target group.
4. Choose Targets and verify that your instances are ready. If the status of an instance is initial, it's probably because the instance is still in the process of being registered, or it has not passed the minimum number of health checks to be considered healthy. After the status of at least one instance is healthy, you can test your load balancer. For more information, see Target health status (p. 50).
5. In the navigation pane, under Load Balancing, choose Load Balancers.
6. Select the newly created load balancer.
7. Choose Description and copy the DNS name of the load balancer (for example, my-load-balancer-1234567890abcdef.elb.us-east-2.amazonaws.com). Paste the DNS name into the address field of an internet-connected web browser. If everything is working, the browser displays the default page of your server.
IP address types for your Network Load Balancer
You can configure your Network Load Balancer so that clients can communicate with the load balancer using IPv4 addresses only, or using both IPv4 and IPv6 addresses (dualstack). The load balancer communicates with targets based on the IP address type of the target group. For more information, see IP address type (p. 11).
Dualstack requirements
• You can set the IP address type when you create the load balancer and update it at any time. Note that an existing internal Network Load Balancer can't be updated to dualstack mode. You must recreate the Network Load Balancer and configure it as dualstack.
• The virtual private cloud (VPC) and subnets that you specify for the load balancer must have associated IPv6 CIDR blocks. For more information, see IPv6 addresses in the Amazon EC2 User Guide.
• The load balancer must have only TCP and TLS listeners.
• The route tables for the load balancer subnets must route IPv6 traffic.
• The network ACLs for the load balancer subnets must allow IPv6 traffic.
To set the IP address type at creation
Configure settings as described in Create a load balancer (p. 15).
To update the IP address type using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under Load Balancing, choose Load Balancers.
3. Select the load balancer.
4. Choose Actions, Edit IP address type.
5. For IP address type, choose ipv4 to support IPv4 addresses only or dualstack to support both IPv4 and IPv6 addresses.
6. Choose Save.
To update the IP address type using the AWS CLI
Use the set-ip-address-type command.
Tags for your Network Load Balancer
Tags help you to categorize your load balancers in different ways, for example, by purpose, owner, or environment.
You can add multiple tags to each load balancer. If you add a tag with a key that is already associated with the load balancer, it updates the value of that tag.
When you are finished with a tag, you can remove it from your load balancer.
Restrictions
• Maximum number of tags per resource—50
• Maximum key length—127 Unicode characters
• Maximum value length—255 Unicode characters
• Tag keys and values are case-sensitive. Allowed characters are letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @. Do not use leading or trailing spaces.
• Do not use the aws: prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
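The load balancer naming rules from Step 3 and the tag restrictions listed above are the kind of input a deployment script should reject before it ever calls the API. The following is an added example, not code from this guide or from AWS: the function names are its own, and `existing_names` stands in for the names of the Application and Network Load Balancers already in the Region, which the guide says a new name must not collide with but which this offline code cannot look up.

```python
import re
from typing import Dict, Iterable, List

# Load balancer name rules from "Step 3: Configure a load balancer and a listener".
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,32}")
RESERVED_NAME_PREFIX = "internal-"

# Tag restrictions from "Tags for your Network Load Balancer".
MAX_TAGS = 50
MAX_KEY_LEN = 127
MAX_VALUE_LEN = 255
TAG_SPECIALS = set("+-=._:/@")
RESERVED_TAG_PREFIX = "aws:"


def validate_lb_name(name: str, existing_names: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for a Network Load Balancer name (empty = valid).

    existing_names: names of the ALBs/NLBs already in the Region. The caller
    supplies these; this example has no AWS access (assumption of the example).
    """
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name must be 1-32 characters, alphanumeric or hyphen only")
    if name.startswith("-") or name.endswith("-"):
        problems.append("name must not begin or end with a hyphen")
    if name.startswith(RESERVED_NAME_PREFIX):
        problems.append(f"name must not begin with '{RESERVED_NAME_PREFIX}'")
    if name in set(existing_names):
        problems.append("name is already used by a load balancer in this Region")
    return problems


def _tag_text_ok(text: str) -> bool:
    """Letters and digits in any UTF-8 script, spaces, and the allowed
    specials only, with no leading or trailing spaces."""
    if text != text.strip():
        return False
    return all(ch.isalnum() or ch == " " or ch in TAG_SPECIALS for ch in text)


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Return the rule violations for a tag set (empty = valid).

    Keys are compared case-sensitively, so 'Env' and 'env' are two tags.
    """
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    for key, value in tags.items():
        if len(key) > MAX_KEY_LEN:
            problems.append(f"key {key[:20]!r}... exceeds {MAX_KEY_LEN} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value for {key!r} exceeds {MAX_VALUE_LEN} characters")
        # The guide reserves the 'aws:' prefix. Rejecting it case-insensitively is
        # a conservative choice of this example, not a rule stated on the page.
        if key.lower().startswith(RESERVED_TAG_PREFIX) or value.lower().startswith(RESERVED_TAG_PREFIX):
            problems.append(f"tag {key!r} uses the reserved '{RESERVED_TAG_PREFIX}' prefix")
        if not _tag_text_ok(key):
            problems.append(f"key {key!r} has disallowed characters or leading/trailing spaces")
        if not _tag_text_ok(value):
            problems.append(f"value for {key!r} has disallowed characters or leading/trailing spaces")
    return problems


if __name__ == "__main__":
    print(validate_lb_name("internal-api"))
    print(validate_tags({"Owner": "team@example.com", " env": "prod"}))
```

Run the checks on the planned name and tag map and refuse to proceed if either list is non-empty; a failed API call after a partially applied change is harder to clean up than a rejected plan.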
To update the tags for a load balancer using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select the load balancer.
4. Choose Tags, Add/Edit Tags, and then do one or more of the following:
a. To update a tag, edit the values of Key and Value.
b. To add a new tag, choose Create Tag. For Key and Value, enter values. Allowed characters are letters, spaces, numbers (in UTF-8), and the following special characters: + - = . _ : / @. Do not use leading or trailing spaces. Tag values are case-sensitive.
c. To delete a tag, choose the delete icon (X) next to the tag.
5. When you have finished updating tags, choose Save.
To update the tags for a load balancer using the AWS CLI
Use the add-tags and remove-tags commands.
Delete a Network Load Balancer
As soon as your load balancer becomes available, you are billed for each hour or partial hour that you keep it running. When you no longer need the load balancer, you can delete it. As soon as the load balancer is deleted, you stop incurring charges for it.
You can't delete a load balancer if deletion protection is enabled. For more information, see Deletion protection (p. 13).
You can't delete a load balancer if it is in use by another service. For example, if the load balancer is associated with a VPC endpoint service, you must delete the endpoint service configuration before you can delete the associated load balancer.
Delete a load balancer
Deleting a load balancer also deletes its listeners. Deleting a load balancer does not affect its registered targets. For example, your EC2 instances continue to run and are still registered to their target groups. To delete your target groups, see Delete a target group (p. 62).
To delete a load balancer using the console
1. If you have a CNAME record for your domain that points to your load balancer, point it to a new location and wait for the DNS change to take effect before deleting your load balancer.
2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
3. In the navigation pane, under LOAD BALANCING, choose Load Balancers.
4. Select the load balancer.
5. Choose Actions, Delete.
6. When prompted for confirmation, choose Yes, Delete.
To delete a load balancer using the AWS CLI
Use the delete-load-balancer command.
Listeners for your Network Load Balancers
Before you start using your Network Load Balancer, you must add one or more listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to the targets in one or more target groups.
For more information, see Request routing in the Elastic Load Balancing User Guide.
Contents
• Listener configuration (p. 21)
• Listener rules (p. 21)
• Create a listener for your Network Load Balancer (p. 22)
• TLS listeners for your Network Load Balancer (p. 22)
• Update a listener for your Network Load Balancer (p. 33)
• Update a TLS listener for your Network Load Balancer (p. 33)
• Delete a listener for your Network Load Balancer (p. 36)
Listener configuration
Listeners support the following protocols and ports:
• Protocols: TCP, TLS, UDP, TCP_UDP
• Ports: 1-65535
You can use a TLS listener to offload the work of encryption and decryption to your load balancer so that your applications can focus on their business logic. If the listener protocol is TLS, you must deploy exactly one SSL server certificate on the listener. For more information, see TLS listeners for your Network Load Balancer (p. 22).
To support both TCP and UDP on the same port, create a TCP_UDP listener. The target groups for a TCP_UDP listener must use the TCP_UDP protocol.
For dualstack Network Load Balancers, only TCP and TLS protocols are supported.
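The protocol rules above (which target group protocols each listener protocol may forward to, the TCP_UDP requirement, the TCP/TLS-only restriction for dualstack load balancers, the 1-65535 port range, and the single default certificate on a TLS listener) can be checked against a planned configuration before it is applied. The following is an added example, not code from this guide or from AWS; it assumes each listener is described by a plain dict with the keys `protocol`, `port`, `target_group_protocol` and, for TLS, `default_certificate`, which are this example's own field names rather than API parameters.

```python
from typing import Dict, List, Tuple

LISTENER_PROTOCOLS = {"TCP", "TLS", "UDP", "TCP_UDP"}

# Target group protocols permitted for each listener protocol, as listed in
# "Step 1: Configure a target group" and "Listener configuration".
ALLOWED_TARGET_PROTOCOLS = {
    "TCP": {"TCP", "TCP_UDP"},
    "TLS": {"TCP", "TLS"},
    "UDP": {"UDP", "TCP_UDP"},
    "TCP_UDP": {"TCP_UDP"},
}


def check_listener(listener: dict, ip_address_type: str = "ipv4") -> List[str]:
    """Return the rule violations for one planned listener (empty = valid).

    ip_address_type is "ipv4" or "dualstack", matching the console values.
    """
    problems = []
    proto = listener.get("protocol")
    port = listener.get("port")
    tg_proto = listener.get("target_group_protocol")

    if proto not in LISTENER_PROTOCOLS:
        return [f"unsupported listener protocol {proto!r}"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} is outside 1-65535")
    if tg_proto not in ALLOWED_TARGET_PROTOCOLS[proto]:
        problems.append(f"{proto} listener cannot forward to a {tg_proto} target group")
    if ip_address_type == "dualstack" and proto not in ("TCP", "TLS"):
        problems.append(f"dualstack load balancer supports only TCP and TLS listeners, not {proto}")
    # A TLS listener terminates TLS at the load balancer and needs exactly one
    # default server certificate (an SNI certificate list is additional).
    if proto == "TLS" and not listener.get("default_certificate"):
        problems.append("TLS listener must have a default server certificate")
    return problems


def check_listeners(listeners: List[dict], ip_address_type: str = "ipv4") -> Dict[Tuple[str, int], List[str]]:
    """Return {(protocol, port): problems} for every listener that fails a rule."""
    report = {}
    for listener in listeners:
        problems = check_listener(listener, ip_address_type)
        if problems:
            report[(listener.get("protocol"), listener.get("port"))] = problems
    return report


if __name__ == "__main__":
    # Constructed sample plan: a dualstack load balancer with a UDP listener,
    # which the guide says is not supported.
    plan = [
        {"protocol": "TLS", "port": 443, "target_group_protocol": "TCP",
         "default_certificate": "arn:PLACEHOLDER"},
        {"protocol": "UDP", "port": 53, "target_group_protocol": "UDP"},
    ]
    print(check_listeners(plan, "dualstack"))
```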
You can use WebSockets with your listeners.
All network traffic sent to a configured listener is classified as intended traffic. Network traffic that does not match a configured listener is classified as unintended traffic. ICMP requests other than Type 3 are also considered unintended traffic. Network Load Balancers drop unintended traffic without forwarding it to any targets. TCP data packets sent to the port of a configured listener that are neither new connections nor part of an active TCP connection are rejected with a TCP reset (RST).
Listener rules
When you create a listener, you specify a rule for routing requests. This rule forwards requests to the specified target group. To update this rule, see Update a listener for your Network Load Balancer (p. 33).
Create a listener for your Network Load Balancer
A listener is a process that checks for connection requests. You define a listener when you create your load balancer, and you can add listeners to your load balancer at any time.
Prerequisites
• You must specify a target group for the listener rule. For more information, see Create a target group for your Network Load Balancer (p. 46).
• You must specify an SSL certificate for a TLS listener. The load balancer uses the certificate to terminate the connection and decrypt requests from clients before routing them to targets. For more information, see Server certificates (p. 23).
Add a listener
You configure a listener with a protocol and a port for connections from clients to the load balancer, and a target group for the default listener rule. For more information, see Listener configuration (p. 21).
To add a listener using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select the load balancer and choose Listeners.
4. Choose Add listener.
5. For Protocol : port, choose TCP, UDP, TCP_UDP, or TLS. Keep the default port or type a different port. For dualstack Network Load Balancers, only TCP and TLS protocols are supported.
6. [TLS listeners] For ALPN policy, choose a policy to enable ALPN or choose None to disable ALPN.
For more information, see ALPN policies (p. 32).
7. For Default actions, choose Add action, Forward to and then choose an available target group.
8. [TLS listeners] For Security policy, we recommend that you keep the default security policy.
9. [TLS listeners] For Default SSL certificate, do one of the following:
• If you created or imported a certificate using AWS Certificate Manager, choose From ACM and choose the certificate.
• If you uploaded a certificate using IAM, choose From IAM and choose the certificate.
10. Choose Save.
11. [TLS listeners] To add an optional certificate list for use with the SNI protocol, see Add certificates to the certificate list (p. 34).
To add a listener using the AWS CLI
Use the create-listener command to create the listener.
TLS listeners for your Network Load Balancer
To use a TLS listener, you must deploy at least one server certificate on your load balancer. The load balancer uses a server certificate to terminate the front-end connection and then to decrypt requests from clients before sending them to the targets.
Elastic Load Balancing uses a TLS negotiation configuration, known as a security policy, to negotiate TLS connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. The first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
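The negotiation rule described above, that the first cipher on the server's list which the client also offers is the one selected, is what makes the choice of security policy matter: the load balancer's preference order, not the client's, decides which cipher protects the connection, and a client that offers none of the policy's ciphers cannot connect at all. The following is an added example, not code from this guide or from Elastic Load Balancing; the two policies are constructed sample cipher lists rather than real ELB security policies, and `negotiate` is this example's own function.

```python
from typing import List, Optional


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection: walk the server's list in order and return
    the first cipher the client also offered; None means no common cipher and
    the handshake fails."""
    offered = set(client_offer)          # client order is deliberately ignored
    for cipher in server_prefs:
        if cipher in offered:
            return cipher
    return None


# Constructed sample policies (illustrative cipher names, not real ELB policies).
# STRICT keeps only AEAD suites; LEGACY appends older suites for old clients.
STRICT_POLICY = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
LEGACY_POLICY = STRICT_POLICY + ["AES128-SHA", "DES-CBC3-SHA"]


def describe(policy: List[str], client_offer: List[str]) -> str:
    """Human-readable outcome of one handshake attempt, for the demo below."""
    chosen = negotiate(policy, client_offer)
    return f"selected {chosen}" if chosen else "handshake fails: no common cipher"


if __name__ == "__main__":
    # A client that lists a weak cipher first still gets the server's choice.
    weak_first = ["AES128-SHA", "TLS_AES_128_GCM_SHA256"]
    print("strict / weak-first client:", describe(STRICT_POLICY, weak_first))
    # A client that only supports legacy suites is refused by the strict policy
    # but accepted, on a weak cipher, by the legacy policy.
    legacy_only = ["DES-CBC3-SHA", "AES128-SHA"]
    print("strict / legacy-only client:", describe(STRICT_POLICY, legacy_only))
    print("legacy / legacy-only client:", describe(LEGACY_POLICY, legacy_only))
```

When choosing between keeping the default policy and a more permissive one, the second and third cases are the trade-off: the permissive policy admits older clients, but every one of them ends up on the weakest cipher it happens to share with the server.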
Network Load Balancers do not support TLS renegotiation.
To create a TLS listener, see Add a listener (p. 22). For related demos, see TLS Support on Network Load Balancer and SNI Support on Network Load Balancer.
Server certificates
The load balancer requires X.509 certificates (server certificates). Certificates are a digital form of identification issued by a certificate authority (CA). A certificate contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.
When you create a certificate for use with your load balancer, you must specify a domain name.
We recommend that you create certificates for your load balancers using AWS Certificate Manager (ACM).
ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer.
For more information, see the AWS Certificate Manager User Guide.
Alternatively, you can use TLS tools to create a certificate signing request (CSR), then get the CSR signed by a CA to produce a certificate, then import the certificate into ACM or upload the certificate to AWS