
Overview

A listener defines a protocol and port combination on which a load balancer accepts inbound connections. A single load balancer supports multiple listeners simultaneously — e.g., an HTTP listener on port 80 and an HTTPS listener on port 443 can share the same load balancer VIP. Each listener routes traffic to its own default pool.

Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
  • API credentials sourced (source admin-openrc.sh)

Supported Protocols

| Protocol | Port | Use Case |
|---|---|---|
| HTTP | Typically 80 | Unencrypted web application traffic |
| TERMINATED_HTTPS | Typically 443 | TLS offloaded at the load balancer; backend receives plain HTTP |
| HTTPS | Typically 443 | TLS passthrough; load balancer does not decrypt traffic |
| TCP | Any | Any TCP service — databases, custom protocols |
| UDP | Any | UDP-based services — DNS, game servers |
| SCTP | Any | SCTP-based telecommunications traffic |

Add a Listener

Open listener creation

Navigate to Project → Network → Load Balancers, select your load balancer, and click the Listeners tab. Click Create Listener.

Configure the listener

| Field | Description |
|---|---|
| Name | Display name (e.g., listener-https) |
| Protocol | Select from supported protocols above |
| Protocol Port | Port on which the listener accepts connections |
| Connection Limit | Maximum concurrent connections (-1 for unlimited) |
| Default TLS Container | For TERMINATED_HTTPS — select the certificate from Xloud Key Manager |

Associate a pool

After creating the listener, associate it with a backend pool. Select an existing pool or create a new one from the Pools tab.
Listener is ACTIVE and routing to the associated pool.

TLS Termination (TERMINATED_HTTPS)

TLS termination offloads certificate processing to the load balancer, which forwards plain HTTP to backend members. This reduces CPU overhead on application servers; traffic between the load balancer and the members is not encrypted.

Store certificate in Key Manager

Store your TLS certificate and private key in Xloud Key Management:
Create secret container with certificate and key
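# Certificate: base64-encode the PEM file and declare the payload encoding
openstack secret store \
  --name tls-cert \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 < cert.pem)"

# Private key: same encoding, stored as an opaque binary secret
openstack secret store \
  --name tls-key \
  --payload-content-type "application/octet-stream" \
  --payload-content-encoding base64 \
  --payload "$(base64 < key.pem)"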

openstack secret container create \
  --name prod-tls-container \
  --type certificate \
  --secret "certificate=$(openstack secret list --name tls-cert -c 'Secret href' -f value)" \
  --secret "private_key=$(openstack secret list --name tls-key -c 'Secret href' -f value)"

Create listener with certificate container

Create TERMINATED_HTTPS listener
CONTAINER_REF=$(openstack secret container show prod-tls-container -c container_ref -f value)

openstack loadbalancer listener create \
  --name listener-https \
  --protocol TERMINATED_HTTPS \
  --protocol-port 443 \
  --default-tls-container-ref "$CONTAINER_REF" \
  prod-web-lb
Listener is ACTIVE and accepting encrypted connections on port 443.
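
A pre-flight check for the cert.pem and key.pem used in the steps above: it verifies that the key matches the certificate, that the key is not passphrase-protected (the container created above carries no passphrase secret), and that the certificate is not close to expiry. This is an added example, not part of the Xloud documentation; the function name check_tls_pair and the 30-day default margin are assumptions, and it requires the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example: validate a certificate/key pair before storing it in Key Manager.
# check_tls_pair is a hypothetical helper name, not an Xloud or OpenStack command.
#
# Usage: check_tls_pair <cert.pem> <key.pem> [min_days_valid]
# Returns 0 if the pair is usable; otherwise prints a reason to stderr and returns:
#   2 file unreadable, 3 bad certificate, 4 bad/encrypted key,
#   5 key does not match certificate, 6 certificate expires too soon
check_tls_pair() {
  local cert="$1" key="$2" min_days="${3:-30}"   # 30 days is an assumed default
  local cert_pub key_pub

  # Both files must exist and be readable.
  [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 2; }
  [ -r "$key" ]  || { echo "cannot read private key: $key" >&2; return 2; }

  # Extract the public key embedded in the certificate; fails if the
  # file is not a PEM X.509 certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "not a PEM X.509 certificate: $cert" >&2; return 3; }

  # Derive the public key from the private key. The empty -passin makes an
  # encrypted key fail immediately instead of prompting for a passphrase.
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) \
    || { echo "unreadable or passphrase-protected key: $key" >&2; return 4; }

  # The two public keys must be identical for the pair to belong together.
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 5; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "certificate expires within ${min_days} days" >&2; return 6; }

  return 0
}
```

Run it as check_tls_pair cert.pem key.pem and store the secrets only if it returns 0.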

Manage Listeners

openstack loadbalancer listener list \
  --loadbalancer prod-web-lb

Next Steps

Pools

Configure backend pools and member management for each listener.

Health Monitors

Set up health checks for pools backing your listeners.

Floating IP Assignment

Expose the load balancer VIP publicly after configuring listeners.

Troubleshooting

Resolve TLS handshake failures and protocol-specific issues.