Create an HTTPS listener for your Application Load Balancer

To add an HTTPS listener

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. On the navigation pane, choose Load Balancers.

3. Select the load balancer.

4. On the Listeners and rules tab, choose Add listener.

5. For Protocol, choose HTTPS. Keep the default port or enter a different port.

6. (Optional) To add an authentication rule, select Authenticate users chose an identity provider, and provide the required information. For more information, see Authenticate users using an Application Load Balancer.

7. For Routing action, select one of the following routing actions and provide the required information:

   • Forward to target groups – Choose a target group. To add another target group, choose Add target group, choose a target group, review the relative percentages, and update the weights as needed. You must enable group-level stickiness if you enabled stickiness on any of the target groups.

     If you don't have a target group that meets your needs, choose Create target group to create one now. For more information, see Create a target group.

   • Redirect to URL – Enter the URL by entering each part separately on the URI parts tab, or by entering the full address on the Full URL tab. For Status code, select either temporary (HTTP 302) or permanent (HTTP 301) based on your needs.

   • Return fixed response – Enter the Response code to return for dropped client requests. Optionally, you can specify the Content type and a Response body.

8. For Security policy, we select the recommended security policy. You can select a different security policy as needed.

9. For Default SSL/TLS certificate, choose the default certificate. We also add the default certificate to the SNI list. You can select a certificate using one of the following options:

   • From ACM – Choose a certificate from Certificate (from ACM), which displays the certificates available from Amazon Certificate Manager.

   • From IAM – Choose a certificate from Certificate (from IAM), which displays the certificates that you imported to Amazon Identity and Access Management.

   • Import certificate – Choose a destination for your certificate; either Import to ACM or Import to IAM. For Certificate private key, copy and paste the contents of the private key file (PEM-encoded). For Certificate body, copy and paste the contents of the public key certificate file (PEM-encoded). For Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

10. (Optional) To enable mutual authentication, under Client certificate handling, enable Mutual authentication (mTLS).

    The default mode is passthrough. If you select Verify with trust store:

    • By default, connections with expired client certificates are rejected. To change this behavior expand Advanced mTLS settings, then under Client certificate expiration select Allow expired client certificates.

    • For Trust store, choose an existing trust store, or choose New trust store and provide the required information.

11. (Optional) To add tags, expand Listener tags. Choose Add new tag and enter the tag key and tag value.

12. Choose Add listener.