Application Load Balancer — redirect HTTP to HTTPS

What you’ll learn
After you attach an ACM certificate to an HTTPS listener on your Application Load Balancer, the load balancer still accepts plain HTTP on port 80 unless you close or redirect it. This guide edits the HTTP listener default rule so browsers receive a redirect to HTTPS instead of the load balancer serving duplicate content on two schemes.
Complete the ACM walkthrough first if you have not yet validated DNS and enabled port 443.
Prerequisites
- An AWS account with access to EC2 (load balancers) and Route 53.
- An internet-facing Application Load Balancer already associated with your hosted zone (or ready to receive DNS).
- A public ACM certificate on an HTTPS listener on port 443 that forwards to your target group (see ACM on ALB).
- An HTTP listener on port 80 you can edit (this becomes the redirect entry point).
Configure the HTTP listener redirect
In the EC2 console, open Load Balancers, select your ALB, then the Listeners and rules tab.
Select the HTTP:80 listener.

Under Rules, open the default rule (or the catch-all you use for plain HTTP). Choose Actions → Edit rule (wording may read Edit depending on console version).

Change the default action from Forward to target group to Redirect to URL. Set Protocol to HTTPS, Port to 443, and choose an appropriate HTTP status (commonly 301 permanent once you are sure). Use placeholders for host, path, and query so the redirect mirrors the incoming request.

In the redirect URL fields, prefer #{host} for the host, #{path} for the path, and #{query} for the query string (per current ALB documentation) instead of typing a single marketing domain.

Save changes. Wait for the listener state to return to active before testing.
Security groups for the load balancer
Clients must reach the ALB on both TCP 80 (for the redirect response) and TCP 443 (for the TLS site). In the EC2 console, open the security groups attached to the load balancer (shown on the ALB Description tab) and confirm inbound rules allow the required CIDR ranges—often 0.0.0.0/0 for public sites, tightened later with WAF or IP allow lists.
- Open EC2 → Load Balancers, select your ALB, and copy the security group IDs from the Description tab.
- Open EC2 → Security Groups, select each ALB security group, and under Inbound rules ensure HTTP (80) and HTTPS (443) are permitted from the sources you intend.
Test the redirect
- Open a browser or use curl -I http://your-domain.example.
- Confirm you receive a 301 or 302 with a Location: header pointing at https:// on the same host and path. Load the HTTPS URL and verify the certificate is valid for your hostname.
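The check described in the test steps, as an added example that is not part of the original guide: it compares a redirect response with the request that produced it and reports a wrong status, a non-HTTPS target, or a host, path, or query that was not mirrored. The function names and the sample responses are constructed for illustration; your-domain.example is the guide's placeholder.

```python
"""Check that an HTTP->HTTPS redirect mirrors the incoming request (added example)."""
import http.client
from urllib.parse import urlsplit


def check_redirect(request_url, status, location):
    """Return a list of problems; an empty list means the redirect is correct."""
    problems = []
    if status not in (301, 302):
        problems.append(f"expected 301 or 302, got {status}")
    if not location:
        return problems + ["no Location header"]
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, not 'https'")
    if (loc.hostname or "") != (req.hostname or ""):
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if loc.port not in (None, 443):  # an explicit :443 in Location is accepted
        problems.append(f"unexpected port {loc.port}")
    if (loc.path or "/") != (req.path or "/"):
        problems.append(f"path changed: {req.path!r} -> {loc.path!r}")
    if loc.query != req.query:
        problems.append(f"query changed: {req.query!r} -> {loc.query!r}")
    return problems


def fetch_redirect(request_url, timeout=5):
    """Send one HEAD request over plain HTTP without following the redirect."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real load balancer).
SAMPLES = [
    ("http://www.your-domain.example/docs/a?x=1", 301,
     "https://www.your-domain.example:443/docs/a?x=1"),  # host, path, query mirrored
    ("http://www.your-domain.example/docs/a?x=1", 301,
     "https://your-domain.example/"),                    # hardcoded bare domain
    ("http://your-domain.example/", 200, None),          # port 80 still serving content
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, "->", check_redirect(url, status, location) or "OK")
```

To test a live listener, pass the result of fetch_redirect(url) to check_redirect for each hostname behind the load balancer, using a URL that has a path and a query string.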

Key takeaways
Move the HTTP:80 default action to a redirect toward HTTPS:443 once TLS is healthy.
Use ALB placeholders for host, path, and query so every hostname upgrades correctly.
Keep ALB security groups aligned with 80 and 443 while you rely on redirects and TLS.
Frequently asked questions
http:// will fail instead of being upgraded. Keeping port 80 with a redirect is the usual pattern for public sites.
Next: Route 53 DNS
Publish alias or CNAME records so clients reach your load balancer on both apex and www hostnames.
Prefer preserving the incoming host with placeholders such as #{host} in redirect rules instead of hardcoding a bare domain, so apex and subdomains continue to work as you add more hostnames behind the same load balancer.
