Scope of encryption when running ECS on Nitro instances

If I have an ECS cluster running a single service with an ALB in front of that service, am I right in thinking that if the whole cluster is running on Nitro instances, the section of network between the ALB and an instance within a target group would NOT be encrypted?

The Nitro encryption only works between instances in the cluster and not between the ALB to an instance? Multiple services in a cluster would need to be using e.g. Service discovery and going point to point between themselves rather than via an ALB in order to benefit from the network level Nitro encryption?

2 Answers

Answering my own question here... From the following doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html

See the "Encryption between instances" section.

"The instances are in the same VPC or peered VPCs, and the traffic does not pass through a virtual network device or service, such as a load balancer or a transit gateway."

answered 2 years ago

Hello,

See below from the documentation:

Using Nitro instances:

By default, traffic is automatically encrypted between the following Nitro instance types: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n. Traffic isn't encrypted when it's routed through a transit gateway, load balancer, or similar intermediary.

The same link talks about what are some of the ways to achieve encryption in transit for various scenarios.

AWS
EXPERT
answered 2 years ago
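As an added example (not part of the question or either answer), here is a small Python model of the documented conditions both answers quote: a hop counts as Nitro-encrypted only when both ends are supported instance types in the same or a peered VPC and the hop does not terminate at a load balancer or transit gateway; otherwise protection depends on the application protocol (HTTPS target group or not). The instance-family list is hard-coded from the quote above as an assumption, and the ECS/ALB topology is constructed.

```python
"""Classify each hop of an ECS + ALB topology by how it is protected in transit,
applying the conditions quoted from the AWS documentation in the answers above."""
from dataclasses import dataclass

# Instance families the quoted documentation lists as encrypting traffic by default.
# Hard-coding is an assumption for this offline example; in a real audit, read
# NetworkInfo.EncryptionInTransitSupported from EC2 DescribeInstanceTypes instead.
NITRO_ENCRYPTING_FAMILIES = {"c5n", "g4", "i3en", "m5dn", "m5n", "p3dn", "r5dn", "r5n"}

@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str                # "instance", "alb", "tgw" or "external"
    vpc: str = ""
    instance_type: str = ""  # e.g. "c5n.large"; empty for non-instance endpoints

def nitro_capable(ep: Endpoint) -> bool:
    """True if the endpoint is an EC2 instance of a listed family ("g4" covers g4dn/g4ad)."""
    family = ep.instance_type.split(".")[0].lower()
    return ep.kind == "instance" and (family in NITRO_ENCRYPTING_FAMILIES or family.startswith("g4"))

def nitro_encrypts(src: Endpoint, dst: Endpoint, peered: frozenset) -> bool:
    """Documented conditions: both sides are supported Nitro instances, in the same or a
    peered VPC, and the hop is instance-to-instance (an ALB/TGW endpoint never qualifies)."""
    same_or_peered = src.vpc == dst.vpc or frozenset((src.vpc, dst.vpc)) in peered
    return nitro_capable(src) and nitro_capable(dst) and same_or_peered

def classify_hop(src: Endpoint, dst: Endpoint, protocol: str, peered=frozenset()) -> str:
    """Return 'nitro' (network layer), 'tls' (application layer) or 'plaintext'."""
    if nitro_encrypts(src, dst, peered):
        return "nitro"
    if protocol.upper() in {"HTTPS", "TLS"}:   # e.g. an HTTPS target group
        return "tls"
    return "plaintext"

def audit_path(hops, peered=frozenset()):
    """hops: iterable of (src, dst, protocol). Returns [(src.name, dst.name, protection)]."""
    return [(s.name, d.name, classify_hop(s, d, p, peered)) for s, d, p in hops]

# Constructed topology: client -> ALB -> task A (HTTP target group), then
# task A -> task B directly via service discovery, everything in one VPC.
CLIENT = Endpoint("client", "external")
ALB = Endpoint("alb", "alb", "vpc-1")
TASK_A = Endpoint("task-a", "instance", "vpc-1", "c5n.large")
TASK_B = Endpoint("task-b", "instance", "vpc-1", "m5n.xlarge")
EXAMPLE_HOPS = [(CLIENT, ALB, "HTTPS"), (ALB, TASK_A, "HTTP"), (TASK_A, TASK_B, "HTTP")]

if __name__ == "__main__":
    for src, dst, protection in audit_path(EXAMPLE_HOPS):
        print(f"{src:>7} -> {dst:<7} {protection}")
```

The ALB-to-task hop over an HTTP target group is the one that comes out as plaintext; switching that target group to HTTPS is what changes its classification, not the instance type.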
