End to end SSL NLB


If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on the NLB? Is it possible to pass the traffic through as-is to EC2 and have EC2 do the decryption? If so, what would be the listener protocol? Is that TCP or TLS? I believe the target group port should be TLS.

Below are the lines from the documentation: "Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

nishan
asked 10 months ago, 1229 views
1 Answer

If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on NLB?

No, it is not mandatory; TLS can be terminated on the backend directly.

Is it possible to pass through the traffic as-is to ec2 and ec2 do the decryption?

Yes

If so, what would be the listener protocol? Is that TCP or TLS? I believe the target group port should be TLS.

TCP-443 as mentioned here:

"Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

You would configure the target group protocol as TLS if you are terminating the SSL on the load balancer (also called SSL offloading or two-way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend).

AWS
EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
EXPERT
reviewed 10 months ago
  • I didn't understand the last paragraph.

    "You would configure Target group protocol as TLS if you are terminating the SSL on the load balancer" If I am already terminating the SSL at the NLB, why would I need a TLS protocol on the target group?

    "two way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend" Why would anyone go for two-way SSL instead of a single point of end-to-end encryption at EC2? If one is opting for this two-way SSL, do we need to add additional certificates on the NLB to match the SSL certificates on EC2?

  • Both options are valid, end-to-end SSL as well as two-way SSL. If you configure two-way SSL you can use self-signed certificates on the backend. See the answer from Toni_S here: https://repost.aws/questions/QUIo7PWvZ3T6aFYCByhZ5f0A/load-certificate-on-alb-and-ec2
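The two NLB shapes discussed in the answer and the comment thread, written out as Terraform resources. This is an added example, not code from the original thread or from AWS; `var.vpc_id`, `var.subnet_ids`, `var.certificate_arn`, the resource names and the second listener port are assumptions. Option 1 is the TCP:443 passthrough the answer recommends when TLS is terminated on EC2; option 2 is the TLS listener plus TLS target group the follow-up comment asks about, where the client-facing certificate sits on the NLB and a second TLS session runs from the NLB to the instance.

```hcl
# Added example (not from the original post or from AWS documentation):
# the two NLB configurations discussed above, as Terraform resources.
# Assumed inputs: var.vpc_id, var.subnet_ids and var.certificate_arn
# (an ACM certificate for the client-facing hostname). Names are made up.

resource "aws_lb" "nlb" {
  name               = "example-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

# --- Option 1: TLS passthrough (end-to-end TLS, terminated on EC2) ---
# TCP listener on 443 forwarding to a TCP target group on 443. The NLB
# never decrypts, so it needs no certificate; the client's TLS session is
# negotiated directly with the certificate installed on the instance.
resource "aws_lb_target_group" "passthrough" {
  name        = "tls-passthrough"
  port        = 443
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "passthrough" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.passthrough.arn
  }
}

# --- Option 2: terminate on the NLB and re-encrypt to the backend ---
# TLS listener (the certificate lives on the NLB) forwarding to a TLS
# target group, which opens a second TLS session to the instance. The
# documented rule that a TLS target group needs a TLS listener applies here.
# The client only ever sees the ACM certificate; the backend certificate
# can be self-signed, as the comment above notes.
resource "aws_lb_target_group" "reencrypt" {
  name        = "tls-reencrypt"
  port        = 443
  protocol    = "TLS"
  target_type = "instance"
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "reencrypt" {
  load_balancer_arn = aws_lb.nlb.arn
  # Assumed: a second port so both options can coexist on one NLB in this demo.
  port              = 8443
  protocol          = "TLS"
  certificate_arn   = var.certificate_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.reencrypt.arn
  }
}
```

The constraint quoted in the question (a TLS target group is accepted only behind a TLS listener) is why option 1 uses TCP on both sides: the load balancer is a pure L4 relay and has nothing to present a certificate with. In option 2 the NLB does not validate the target's certificate, which is what makes a self-signed backend certificate work, but it also means the NLB-to-instance hop is encrypted without the backend being authenticated; the trust boundary for that hop is the VPC, not the certificate.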
