The aws:lb/listener:Listener resource, part of the Pulumi AWS provider, defines how a load balancer accepts and routes incoming connections: its protocol, port, TLS configuration, and default actions. This guide focuses on four capabilities: HTTPS and TLS termination, traffic distribution across target groups, authentication integration, and HTTP-to-HTTPS redirection.
Listeners attach to existing load balancers and route to target groups. HTTPS and TLS listeners require certificates from ACM or IAM. The examples are intentionally small. Combine them with your own load balancers, target groups, and certificates.
Route HTTPS traffic to a target group
Most deployments accept HTTPS traffic on port 443 and forward requests to backend instances in a target group.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.LoadBalancer("front_end", {});
const frontEndTargetGroup = new aws.lb.TargetGroup("front_end", {});
const frontEndListener = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEnd.arn,
port: 443,
protocol: "HTTPS",
sslPolicy: "ELBSecurityPolicy-2016-08",
certificateArn: "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
defaultActions: [{
type: "forward",
targetGroupArn: frontEndTargetGroup.arn,
}],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.LoadBalancer("front_end")
front_end_target_group = aws.lb.TargetGroup("front_end")
front_end_listener = aws.lb.Listener("front_end",
load_balancer_arn=front_end.arn,
port=443,
protocol="HTTPS",
ssl_policy="ELBSecurityPolicy-2016-08",
certificate_arn="arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
default_actions=[{
"type": "forward",
"target_group_arn": front_end_target_group.arn,
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
frontEnd, err := lb.NewLoadBalancer(ctx, "front_end", nil)
if err != nil {
return err
}
frontEndTargetGroup, err := lb.NewTargetGroup(ctx, "front_end", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: frontEnd.Arn,
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
SslPolicy: pulumi.String("ELBSecurityPolicy-2016-08"),
CertificateArn: pulumi.String("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("forward"),
TargetGroupArn: frontEndTargetGroup.Arn,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.LoadBalancer("front_end");
var frontEndTargetGroup = new Aws.LB.TargetGroup("front_end");
var frontEndListener = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEnd.Arn,
Port = 443,
Protocol = "HTTPS",
SslPolicy = "ELBSecurityPolicy-2016-08",
CertificateArn = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "forward",
TargetGroupArn = frontEndTargetGroup.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.TargetGroup;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new LoadBalancer("frontEnd");
var frontEndTargetGroup = new TargetGroup("frontEndTargetGroup");
var frontEndListener = new Listener("frontEndListener", ListenerArgs.builder()
.loadBalancerArn(frontEnd.arn())
.port(443)
.protocol("HTTPS")
.sslPolicy("ELBSecurityPolicy-2016-08")
.certificateArn("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4")
.defaultActions(ListenerDefaultActionArgs.builder()
.type("forward")
.targetGroupArn(frontEndTargetGroup.arn())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:LoadBalancer
name: front_end
frontEndTargetGroup:
type: aws:lb:TargetGroup
name: front_end
frontEndListener:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEnd.arn}
port: '443'
protocol: HTTPS
sslPolicy: ELBSecurityPolicy-2016-08
certificateArn: arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4
defaultActions:
- type: forward
targetGroupArn: ${frontEndTargetGroup.arn}
The listener terminates TLS using the specified certificate, then forwards decrypted requests to the target group. The protocol property sets HTTPS for client connections; sslPolicy controls which TLS versions and ciphers are allowed. The defaultActions array defines what happens to requests that don’t match any listener rules.
Split traffic across target groups with weights
Blue-green deployments and canary releases route traffic to multiple target groups with configurable weight distribution.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.LoadBalancer("front_end", {});
const frontEndBlue = new aws.lb.TargetGroup("front_end_blue", {});
const frontEndGreen = new aws.lb.TargetGroup("front_end_green", {});
const frontEndListener = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEnd.arn,
port: 443,
protocol: "HTTPS",
sslPolicy: "ELBSecurityPolicy-2016-08",
certificateArn: "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
defaultActions: [{
type: "forward",
forward: {
targetGroups: [
{
arn: frontEndBlue.arn,
weight: 100,
},
{
arn: frontEndGreen.arn,
weight: 0,
},
],
},
}],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.LoadBalancer("front_end")
front_end_blue = aws.lb.TargetGroup("front_end_blue")
front_end_green = aws.lb.TargetGroup("front_end_green")
front_end_listener = aws.lb.Listener("front_end",
load_balancer_arn=front_end.arn,
port=443,
protocol="HTTPS",
ssl_policy="ELBSecurityPolicy-2016-08",
certificate_arn="arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
default_actions=[{
"type": "forward",
"forward": {
"target_groups": [
{
"arn": front_end_blue.arn,
"weight": 100,
},
{
"arn": front_end_green.arn,
"weight": 0,
},
],
},
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
frontEnd, err := lb.NewLoadBalancer(ctx, "front_end", nil)
if err != nil {
return err
}
frontEndBlue, err := lb.NewTargetGroup(ctx, "front_end_blue", nil)
if err != nil {
return err
}
frontEndGreen, err := lb.NewTargetGroup(ctx, "front_end_green", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: frontEnd.Arn,
Port: pulumi.Int(443),
Protocol: pulumi.String("HTTPS"),
SslPolicy: pulumi.String("ELBSecurityPolicy-2016-08"),
CertificateArn: pulumi.String("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("forward"),
Forward: &lb.ListenerDefaultActionForwardArgs{
TargetGroups: lb.ListenerDefaultActionForwardTargetGroupArray{
&lb.ListenerDefaultActionForwardTargetGroupArgs{
Arn: frontEndBlue.Arn,
Weight: pulumi.Int(100),
},
&lb.ListenerDefaultActionForwardTargetGroupArgs{
Arn: frontEndGreen.Arn,
Weight: pulumi.Int(0),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.LoadBalancer("front_end");
var frontEndBlue = new Aws.LB.TargetGroup("front_end_blue");
var frontEndGreen = new Aws.LB.TargetGroup("front_end_green");
var frontEndListener = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEnd.Arn,
Port = 443,
Protocol = "HTTPS",
SslPolicy = "ELBSecurityPolicy-2016-08",
CertificateArn = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "forward",
Forward = new Aws.LB.Inputs.ListenerDefaultActionForwardArgs
{
TargetGroups = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionForwardTargetGroupArgs
{
Arn = frontEndBlue.Arn,
Weight = 100,
},
new Aws.LB.Inputs.ListenerDefaultActionForwardTargetGroupArgs
{
Arn = frontEndGreen.Arn,
Weight = 0,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.TargetGroup;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionForwardArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new LoadBalancer("frontEnd");
var frontEndBlue = new TargetGroup("frontEndBlue");
var frontEndGreen = new TargetGroup("frontEndGreen");
var frontEndListener = new Listener("frontEndListener", ListenerArgs.builder()
.loadBalancerArn(frontEnd.arn())
.port(443)
.protocol("HTTPS")
.sslPolicy("ELBSecurityPolicy-2016-08")
.certificateArn("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4")
.defaultActions(ListenerDefaultActionArgs.builder()
.type("forward")
.forward(ListenerDefaultActionForwardArgs.builder()
.targetGroups(
ListenerDefaultActionForwardTargetGroupArgs.builder()
.arn(frontEndBlue.arn())
.weight(100)
.build(),
ListenerDefaultActionForwardTargetGroupArgs.builder()
.arn(frontEndGreen.arn())
.weight(0)
.build())
.build())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:LoadBalancer
name: front_end
frontEndBlue:
type: aws:lb:TargetGroup
name: front_end_blue
frontEndGreen:
type: aws:lb:TargetGroup
name: front_end_green
frontEndListener:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEnd.arn}
port: '443'
protocol: HTTPS
sslPolicy: ELBSecurityPolicy-2016-08
certificateArn: arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4
defaultActions:
- type: forward
forward:
targetGroups:
- arn: ${frontEndBlue.arn}
weight: 100
- arn: ${frontEndGreen.arn}
weight: 0
The forward block replaces the simple targetGroupArn with a targetGroups array. Each target group gets a weight; here, 100% goes to blue and 0% to green. Adjust weights to gradually shift traffic during deployments.
Configure TLS termination for Network Load Balancers
Network Load Balancers handle TCP and TLS traffic with different protocol requirements than Application Load Balancers.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEndAwsLb.arn,
port: 443,
protocol: "TLS",
sslPolicy: "ELBSecurityPolicy-2016-08",
certificateArn: "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
alpnPolicy: "HTTP2Preferred",
defaultActions: [{
type: "forward",
targetGroupArn: frontEndAwsLbTargetGroup.arn,
}],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.Listener("front_end",
load_balancer_arn=front_end_aws_lb["arn"],
port=443,
protocol="TLS",
ssl_policy="ELBSecurityPolicy-2016-08",
certificate_arn="arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
alpn_policy="HTTP2Preferred",
default_actions=[{
"type": "forward",
"target_group_arn": front_end_aws_lb_target_group["arn"],
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: pulumi.Any(frontEndAwsLb.Arn),
Port: pulumi.Int(443),
Protocol: pulumi.String("TLS"),
SslPolicy: pulumi.String("ELBSecurityPolicy-2016-08"),
CertificateArn: pulumi.String("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"),
AlpnPolicy: pulumi.String("HTTP2Preferred"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("forward"),
TargetGroupArn: pulumi.Any(frontEndAwsLbTargetGroup.Arn),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEndAwsLb.Arn,
Port = 443,
Protocol = "TLS",
SslPolicy = "ELBSecurityPolicy-2016-08",
CertificateArn = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4",
AlpnPolicy = "HTTP2Preferred",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "forward",
TargetGroupArn = frontEndAwsLbTargetGroup.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new Listener("frontEnd", ListenerArgs.builder()
.loadBalancerArn(frontEndAwsLb.arn())
.port(443)
.protocol("TLS")
.sslPolicy("ELBSecurityPolicy-2016-08")
.certificateArn("arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4")
.alpnPolicy("HTTP2Preferred")
.defaultActions(ListenerDefaultActionArgs.builder()
.type("forward")
.targetGroupArn(frontEndAwsLbTargetGroup.arn())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEndAwsLb.arn}
port: '443'
protocol: TLS
sslPolicy: ELBSecurityPolicy-2016-08
certificateArn: arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4
alpnPolicy: HTTP2Preferred
defaultActions:
- type: forward
targetGroupArn: ${frontEndAwsLbTargetGroup.arn}
For NLB listeners, set protocol to TLS instead of HTTPS. The alpnPolicy property controls Application-Layer Protocol Negotiation, allowing clients and servers to negotiate HTTP/2 or HTTP/1.1 over the TLS connection.
Redirect HTTP requests to HTTPS
Security policies often require redirecting all HTTP traffic to HTTPS to enforce encrypted connections.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.LoadBalancer("front_end", {});
const frontEndListener = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEnd.arn,
port: 80,
protocol: "HTTP",
defaultActions: [{
type: "redirect",
redirect: {
port: "443",
protocol: "HTTPS",
statusCode: "HTTP_301",
},
}],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.LoadBalancer("front_end")
front_end_listener = aws.lb.Listener("front_end",
load_balancer_arn=front_end.arn,
port=80,
protocol="HTTP",
default_actions=[{
"type": "redirect",
"redirect": {
"port": "443",
"protocol": "HTTPS",
"status_code": "HTTP_301",
},
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
frontEnd, err := lb.NewLoadBalancer(ctx, "front_end", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: frontEnd.Arn,
Port: pulumi.Int(80),
Protocol: pulumi.String("HTTP"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("redirect"),
Redirect: &lb.ListenerDefaultActionRedirectArgs{
Port: pulumi.String("443"),
Protocol: pulumi.String("HTTPS"),
StatusCode: pulumi.String("HTTP_301"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.LoadBalancer("front_end");
var frontEndListener = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEnd.Arn,
Port = 80,
Protocol = "HTTP",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "redirect",
Redirect = new Aws.LB.Inputs.ListenerDefaultActionRedirectArgs
{
Port = "443",
Protocol = "HTTPS",
StatusCode = "HTTP_301",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionRedirectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new LoadBalancer("frontEnd");
var frontEndListener = new Listener("frontEndListener", ListenerArgs.builder()
.loadBalancerArn(frontEnd.arn())
.port(80)
.protocol("HTTP")
.defaultActions(ListenerDefaultActionArgs.builder()
.type("redirect")
.redirect(ListenerDefaultActionRedirectArgs.builder()
.port("443")
.protocol("HTTPS")
.statusCode("HTTP_301")
.build())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:LoadBalancer
name: front_end
frontEndListener:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEnd.arn}
port: '80'
protocol: HTTP
defaultActions:
- type: redirect
redirect:
port: '443'
protocol: HTTPS
statusCode: HTTP_301
The redirect action sends clients to a different URL. Here, it changes the protocol to HTTPS and port to 443, using a 301 permanent redirect. The listener accepts HTTP on port 80 but doesn’t forward to any target group.
Authenticate users with Cognito before forwarding
Applications that need user authentication can delegate to Cognito User Pools, allowing the load balancer to verify identity before routing requests.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.LoadBalancer("front_end", {});
const frontEndTargetGroup = new aws.lb.TargetGroup("front_end", {});
const pool = new aws.cognito.UserPool("pool", {});
const client = new aws.cognito.UserPoolClient("client", {});
const domain = new aws.cognito.UserPoolDomain("domain", {});
const frontEndListener = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEnd.arn,
port: 80,
protocol: "HTTP",
defaultActions: [
{
type: "authenticate-cognito",
authenticateCognito: {
userPoolArn: pool.arn,
userPoolClientId: client.id,
userPoolDomain: domain.domain,
},
},
{
type: "forward",
targetGroupArn: frontEndTargetGroup.arn,
},
],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.LoadBalancer("front_end")
front_end_target_group = aws.lb.TargetGroup("front_end")
pool = aws.cognito.UserPool("pool")
client = aws.cognito.UserPoolClient("client")
domain = aws.cognito.UserPoolDomain("domain")
front_end_listener = aws.lb.Listener("front_end",
load_balancer_arn=front_end.arn,
port=80,
protocol="HTTP",
default_actions=[
{
"type": "authenticate-cognito",
"authenticate_cognito": {
"user_pool_arn": pool.arn,
"user_pool_client_id": client.id,
"user_pool_domain": domain.domain,
},
},
{
"type": "forward",
"target_group_arn": front_end_target_group.arn,
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cognito"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
frontEnd, err := lb.NewLoadBalancer(ctx, "front_end", nil)
if err != nil {
return err
}
frontEndTargetGroup, err := lb.NewTargetGroup(ctx, "front_end", nil)
if err != nil {
return err
}
pool, err := cognito.NewUserPool(ctx, "pool", nil)
if err != nil {
return err
}
client, err := cognito.NewUserPoolClient(ctx, "client", nil)
if err != nil {
return err
}
domain, err := cognito.NewUserPoolDomain(ctx, "domain", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: frontEnd.Arn,
Port: pulumi.Int(80),
Protocol: pulumi.String("HTTP"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("authenticate-cognito"),
AuthenticateCognito: &lb.ListenerDefaultActionAuthenticateCognitoArgs{
UserPoolArn: pool.Arn,
UserPoolClientId: client.ID(),
UserPoolDomain: domain.Domain,
},
},
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("forward"),
TargetGroupArn: frontEndTargetGroup.Arn,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.LoadBalancer("front_end");
var frontEndTargetGroup = new Aws.LB.TargetGroup("front_end");
var pool = new Aws.Cognito.UserPool("pool");
var client = new Aws.Cognito.UserPoolClient("client");
var domain = new Aws.Cognito.UserPoolDomain("domain");
var frontEndListener = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEnd.Arn,
Port = 80,
Protocol = "HTTP",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "authenticate-cognito",
AuthenticateCognito = new Aws.LB.Inputs.ListenerDefaultActionAuthenticateCognitoArgs
{
UserPoolArn = pool.Arn,
UserPoolClientId = client.Id,
UserPoolDomain = domain.Domain,
},
},
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "forward",
TargetGroupArn = frontEndTargetGroup.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.TargetGroup;
import com.pulumi.aws.cognito.UserPool;
import com.pulumi.aws.cognito.UserPoolClient;
import com.pulumi.aws.cognito.UserPoolDomain;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionAuthenticateCognitoArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new LoadBalancer("frontEnd");
var frontEndTargetGroup = new TargetGroup("frontEndTargetGroup");
var pool = new UserPool("pool");
var client = new UserPoolClient("client");
var domain = new UserPoolDomain("domain");
var frontEndListener = new Listener("frontEndListener", ListenerArgs.builder()
.loadBalancerArn(frontEnd.arn())
.port(80)
.protocol("HTTP")
.defaultActions(
ListenerDefaultActionArgs.builder()
.type("authenticate-cognito")
.authenticateCognito(ListenerDefaultActionAuthenticateCognitoArgs.builder()
.userPoolArn(pool.arn())
.userPoolClientId(client.id())
.userPoolDomain(domain.domain())
.build())
.build(),
ListenerDefaultActionArgs.builder()
.type("forward")
.targetGroupArn(frontEndTargetGroup.arn())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:LoadBalancer
name: front_end
frontEndTargetGroup:
type: aws:lb:TargetGroup
name: front_end
pool:
type: aws:cognito:UserPool
client:
type: aws:cognito:UserPoolClient
domain:
type: aws:cognito:UserPoolDomain
frontEndListener:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEnd.arn}
port: '80'
protocol: HTTP
defaultActions:
- type: authenticate-cognito
authenticateCognito:
userPoolArn: ${pool.arn}
userPoolClientId: ${client.id}
userPoolDomain: ${domain.domain}
- type: forward
targetGroupArn: ${frontEndTargetGroup.arn}
The authenticateCognito action runs before the forward action. The load balancer redirects unauthenticated users to Cognito’s hosted UI, validates the returned tokens, and only then forwards requests to the target group. The application receives user claims in HTTP headers.
Authenticate with external OIDC providers
Organizations using identity providers like Okta or Auth0 can integrate authentication at the load balancer layer using OpenID Connect.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const frontEnd = new aws.lb.LoadBalancer("front_end", {});
const frontEndTargetGroup = new aws.lb.TargetGroup("front_end", {});
const frontEndListener = new aws.lb.Listener("front_end", {
loadBalancerArn: frontEnd.arn,
port: 80,
protocol: "HTTP",
defaultActions: [
{
type: "authenticate-oidc",
authenticateOidc: {
authorizationEndpoint: "https://example.com/authorization_endpoint",
clientId: "client_id",
clientSecret: "client_secret",
issuer: "https://example.com",
tokenEndpoint: "https://example.com/token_endpoint",
userInfoEndpoint: "https://example.com/user_info_endpoint",
},
},
{
type: "forward",
targetGroupArn: frontEndTargetGroup.arn,
},
],
});
import pulumi
import pulumi_aws as aws
front_end = aws.lb.LoadBalancer("front_end")
front_end_target_group = aws.lb.TargetGroup("front_end")
front_end_listener = aws.lb.Listener("front_end",
load_balancer_arn=front_end.arn,
port=80,
protocol="HTTP",
default_actions=[
{
"type": "authenticate-oidc",
"authenticate_oidc": {
"authorization_endpoint": "https://example.com/authorization_endpoint",
"client_id": "client_id",
"client_secret": "client_secret",
"issuer": "https://example.com",
"token_endpoint": "https://example.com/token_endpoint",
"user_info_endpoint": "https://example.com/user_info_endpoint",
},
},
{
"type": "forward",
"target_group_arn": front_end_target_group.arn,
},
])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
frontEnd, err := lb.NewLoadBalancer(ctx, "front_end", nil)
if err != nil {
return err
}
frontEndTargetGroup, err := lb.NewTargetGroup(ctx, "front_end", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "front_end", &lb.ListenerArgs{
LoadBalancerArn: frontEnd.Arn,
Port: pulumi.Int(80),
Protocol: pulumi.String("HTTP"),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("authenticate-oidc"),
AuthenticateOidc: &lb.ListenerDefaultActionAuthenticateOidcArgs{
AuthorizationEndpoint: pulumi.String("https://example.com/authorization_endpoint"),
ClientId: pulumi.String("client_id"),
ClientSecret: pulumi.String("client_secret"),
Issuer: pulumi.String("https://example.com"),
TokenEndpoint: pulumi.String("https://example.com/token_endpoint"),
UserInfoEndpoint: pulumi.String("https://example.com/user_info_endpoint"),
},
},
&lb.ListenerDefaultActionArgs{
Type: pulumi.String("forward"),
TargetGroupArn: frontEndTargetGroup.Arn,
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var frontEnd = new Aws.LB.LoadBalancer("front_end");
var frontEndTargetGroup = new Aws.LB.TargetGroup("front_end");
var frontEndListener = new Aws.LB.Listener("front_end", new()
{
LoadBalancerArn = frontEnd.Arn,
Port = 80,
Protocol = "HTTP",
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "authenticate-oidc",
AuthenticateOidc = new Aws.LB.Inputs.ListenerDefaultActionAuthenticateOidcArgs
{
AuthorizationEndpoint = "https://example.com/authorization_endpoint",
ClientId = "client_id",
ClientSecret = "client_secret",
Issuer = "https://example.com",
TokenEndpoint = "https://example.com/token_endpoint",
UserInfoEndpoint = "https://example.com/user_info_endpoint",
},
},
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
Type = "forward",
TargetGroupArn = frontEndTargetGroup.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.TargetGroup;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionAuthenticateOidcArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var frontEnd = new LoadBalancer("frontEnd");
var frontEndTargetGroup = new TargetGroup("frontEndTargetGroup");
var frontEndListener = new Listener("frontEndListener", ListenerArgs.builder()
.loadBalancerArn(frontEnd.arn())
.port(80)
.protocol("HTTP")
.defaultActions(
ListenerDefaultActionArgs.builder()
.type("authenticate-oidc")
.authenticateOidc(ListenerDefaultActionAuthenticateOidcArgs.builder()
.authorizationEndpoint("https://example.com/authorization_endpoint")
.clientId("client_id")
.clientSecret("client_secret")
.issuer("https://example.com")
.tokenEndpoint("https://example.com/token_endpoint")
.userInfoEndpoint("https://example.com/user_info_endpoint")
.build())
.build(),
ListenerDefaultActionArgs.builder()
.type("forward")
.targetGroupArn(frontEndTargetGroup.arn())
.build())
.build());
}
}
resources:
frontEnd:
type: aws:lb:LoadBalancer
name: front_end
frontEndTargetGroup:
type: aws:lb:TargetGroup
name: front_end
frontEndListener:
type: aws:lb:Listener
name: front_end
properties:
loadBalancerArn: ${frontEnd.arn}
port: '80'
protocol: HTTP
defaultActions:
- type: authenticate-oidc
authenticateOidc:
authorizationEndpoint: https://example.com/authorization_endpoint
clientId: client_id
clientSecret: client_secret
issuer: https://example.com
tokenEndpoint: https://example.com/token_endpoint
userInfoEndpoint: https://example.com/user_info_endpoint
- type: forward
targetGroupArn: ${frontEndTargetGroup.arn}
The authenticateOidc action works like Cognito authentication but connects to any OIDC-compliant provider. You specify the authorization, token, and user info endpoints along with client credentials. The load balancer handles the OAuth flow and passes identity claims to your application.
Require client certificates with mutual TLS
High-security applications can require clients to present valid certificates, establishing two-way TLS authentication.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lb.LoadBalancer("example", {loadBalancerType: "application"});
const exampleTargetGroup = new aws.lb.TargetGroup("example", {});
const exampleListener = new aws.lb.Listener("example", {
loadBalancerArn: example.id,
defaultActions: [{
targetGroupArn: exampleTargetGroup.id,
type: "forward",
}],
mutualAuthentication: {
mode: "verify",
trustStoreArn: "...",
},
});
import pulumi
import pulumi_aws as aws
example = aws.lb.LoadBalancer("example", load_balancer_type="application")
example_target_group = aws.lb.TargetGroup("example")
example_listener = aws.lb.Listener("example",
load_balancer_arn=example.id,
default_actions=[{
"target_group_arn": example_target_group.id,
"type": "forward",
}],
mutual_authentication={
"mode": "verify",
"trust_store_arn": "...",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lb"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := lb.NewLoadBalancer(ctx, "example", &lb.LoadBalancerArgs{
LoadBalancerType: pulumi.String("application"),
})
if err != nil {
return err
}
exampleTargetGroup, err := lb.NewTargetGroup(ctx, "example", nil)
if err != nil {
return err
}
_, err = lb.NewListener(ctx, "example", &lb.ListenerArgs{
LoadBalancerArn: example.ID(),
DefaultActions: lb.ListenerDefaultActionArray{
&lb.ListenerDefaultActionArgs{
TargetGroupArn: exampleTargetGroup.ID(),
Type: pulumi.String("forward"),
},
},
MutualAuthentication: &lb.ListenerMutualAuthenticationArgs{
Mode: pulumi.String("verify"),
TrustStoreArn: pulumi.String("..."),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LB.LoadBalancer("example", new()
{
LoadBalancerType = "application",
});
var exampleTargetGroup = new Aws.LB.TargetGroup("example");
var exampleListener = new Aws.LB.Listener("example", new()
{
LoadBalancerArn = example.Id,
DefaultActions = new[]
{
new Aws.LB.Inputs.ListenerDefaultActionArgs
{
TargetGroupArn = exampleTargetGroup.Id,
Type = "forward",
},
},
MutualAuthentication = new Aws.LB.Inputs.ListenerMutualAuthenticationArgs
{
Mode = "verify",
TrustStoreArn = "...",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lb.LoadBalancer;
import com.pulumi.aws.lb.LoadBalancerArgs;
import com.pulumi.aws.lb.TargetGroup;
import com.pulumi.aws.lb.Listener;
import com.pulumi.aws.lb.ListenerArgs;
import com.pulumi.aws.lb.inputs.ListenerDefaultActionArgs;
import com.pulumi.aws.lb.inputs.ListenerMutualAuthenticationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new LoadBalancer("example", LoadBalancerArgs.builder()
.loadBalancerType("application")
.build());
var exampleTargetGroup = new TargetGroup("exampleTargetGroup");
var exampleListener = new Listener("exampleListener", ListenerArgs.builder()
.loadBalancerArn(example.id())
.defaultActions(ListenerDefaultActionArgs.builder()
.targetGroupArn(exampleTargetGroup.id())
.type("forward")
.build())
.mutualAuthentication(ListenerMutualAuthenticationArgs.builder()
.mode("verify")
.trustStoreArn("...")
.build())
.build());
}
}
resources:
example:
type: aws:lb:LoadBalancer
properties:
loadBalancerType: application
exampleTargetGroup:
type: aws:lb:TargetGroup
name: example
exampleListener:
type: aws:lb:Listener
name: example
properties:
loadBalancerArn: ${example.id}
defaultActions:
- targetGroupArn: ${exampleTargetGroup.id}
type: forward
mutualAuthentication:
mode: verify
trustStoreArn: '...'
The mutualAuthentication block enables mTLS by setting mode to “verify” and referencing a trust store containing allowed client certificate authorities. The load balancer rejects connections from clients without valid certificates.
Beyond these examples
These snippets focus on specific listener-level features: traffic routing and weighted distribution, authentication (Cognito, OIDC, mutual TLS), and protocol handling (HTTP, HTTPS, TLS). They’re intentionally minimal rather than full load balancing configurations.
The examples reference pre-existing infrastructure such as load balancers (Application, Network, Gateway), target groups with registered targets, TLS certificates and trust stores, and Cognito User Pools or OIDC providers. They focus on configuring the listener rather than provisioning everything around it.
To keep things focused, common listener patterns are omitted, including:
- Listener rules for path-based or host-based routing
- Fixed-response and JWT validation actions
- HTTP header manipulation (routing* properties)
- CORS configuration (Access-Control-* headers)
- TCP idle timeout tuning (tcpIdleTimeoutSeconds)
These omissions are intentional: the goal is to illustrate how each listener feature is wired, not provide drop-in load balancing modules. See the Load Balancer Listener resource reference for all available configuration options.
Let's configure AWS Load Balancer Listeners
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Protocol & SSL/TLS Configuration
What protocols can I use for my listener?
For Application Load Balancers, use
HTTP or HTTPS (default: HTTP). For Network Load Balancers, use TCP, TLS, UDP, TCP_UDP, QUIC, or TCP_QUIC. Gateway Load Balancers don’t specify a protocol on the listener. Note that UDP and TCP_UDP aren’t valid if dual-stack mode is enabled, and QUIC and TCP_QUIC aren’t valid if security groups are configured or dual-stack mode is enabled.How do I configure SSL/TLS for my listener?
Set
protocol to HTTPS or TLS, provide a certificateArn (required for HTTPS), and optionally specify an sslPolicy (defaults to ELBSecurityPolicy-2016-08). For additional certificates, use the aws.lb.ListenerCertificate resource.What's the difference between aws.alb.Listener and aws.lb.Listener?
They’re identical resources with different names.
aws.alb.Listener is an alias for aws.lb.Listener.Can I configure ALPN for TLS listeners?
Yes, set
alpnPolicy when protocol is TLS. Valid values are HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None.Actions & Routing
What action types can I configure for my listener?
You can use
forward (to target groups), redirect (HTTP to HTTPS), fixed-response (static content), authenticate-cognito, authenticate-oidc, and jwt-validation actions in the defaultActions array.How do I redirect HTTP traffic to HTTPS?
Use a
redirect action with port: "443", protocol: "HTTPS", and statusCode: "HTTP_301" in your defaultActions.Can I forward traffic to multiple target groups with different weights?
Yes, use a
forward action with a forward block containing a targetGroups array. Each target group specifies an arn and weight (e.g., 100 for blue, 0 for green during deployment).How do I add authentication before forwarding requests?
Chain multiple actions in
defaultActions: first an authenticate-cognito or authenticate-oidc action, then a forward action. The listener executes actions in order.Can I return a static response without a backend?
Yes, use a
fixed-response action with contentType, messageBody, and statusCode properties.Load Balancer Type Differences
Can I customize HTTP headers on my listener?
Yes, but only for
HTTP or HTTPS protocols on Application Load Balancers. Use the routingHttpRequest* properties to modify request headers (like X-Amzn-Mtls-Clientcert) and routingHttpResponse* properties for response headers (like CORS headers, security headers). Not supported for Network Load Balancers or Gateway Load Balancers.How do I configure a Gateway Load Balancer listener?
Gateway Load Balancer listeners don’t specify a
port or protocol property. Configure only the loadBalancerArn and defaultActions (typically forwarding to a target group using GENEVE protocol).What properties can't I change after creating a listener?
The
loadBalancerArn is immutable and cannot be changed after creation.Advanced Features
How do I enable mutual TLS authentication?
Configure the
mutualAuthentication block with mode: "verify" and a trustStoreArn pointing to your trust store.Can I adjust the TCP idle timeout?
Yes, but only for
TCP protocol on Network Load Balancers or Gateway Load Balancers (not Application Load Balancers). Set tcpIdleTimeoutSeconds between 60 and 6000 seconds (default: 350).Why does my listener show 'Default' in the AWS Console instead of my tag name?
When you specify a
Name key in the tags map, the AWS Console displays that value in the Name Tag column of the Listener Rules table. Without a Name key, it shows Default.Using a different cloud?
Explore networking guides for other cloud providers: