End to end SSL NLB


If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on NLB? Is it possible to pass the traffic through as-is to EC2 and have EC2 do the decryption? If so, what would be the listener protocol: TCP or TLS? I believe the target group port should be TLS.

Below are the lines from documentation: "Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

nishan
asked 10 months ago, 1230 views
1 answer

If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on NLB?

No, it is not mandatory. TLS can be terminated on the backend directly.

Is it possible to pass through the traffic as-is to ec2 and ec2 do the decryption?

Yes

If so, what would be the listener protocol. Is that TCP or TLS? I believe target group port should be TLS.

TCP-443 as mentioned here:

"Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

You would configure the target group protocol as TLS if you are terminating the SSL on the load balancer (also called SSL offloading, or two-way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend).

AWS
EXPERT
answered 10 months ago
EXPERT
verified 10 months ago
  • I didn't understand the last para.

    "You would configure Target group protocol as TLS if you are terminating the SSL on the load balancer" If I am already terminating the SSL at NLB, why would I need a TLS protocol on target group?

    "two way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend" Why would anyone go for two-way SSL instead of a single point of end-to-end encryption at EC2? If one is opting for this two-way SSL, do we need to add additional certificates on NLB to match SSL certificates on EC2?

  • Both the options are valid, end-to-end SSL as well as two-way SSL. If you configure two-way SSL you can use self-signed certificates on the backend. See the answer from Toni_S here: https://repost.aws/questions/QUIo7PWvZ3T6aFYCByhZ5f0A/load-certificate-on-alb-and-ec2
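The two patterns discussed in the answer and the comments, written out as Terraform as an added example (not code from the thread or from AWS). It assumes an existing NLB, a VPC id and an ACM certificate passed in as placeholder variables; the two listeners both bind port 443, so apply only one of them to a given NLB.

```hcl
# Added example: TLS passthrough vs. TLS termination on an NLB.
# vpc_id, nlb_arn and acm_cert_arn are placeholders supplied by the caller.
variable "vpc_id"       { type = string }
variable "nlb_arn"      { type = string }   # existing network load balancer
variable "acm_cert_arn" { type = string }   # only needed for Pattern 2

# --- Pattern 1: TLS passthrough (end-to-end, the NLB never decrypts) ---
# A TCP:443 listener needs no certificate on the NLB. The target group is
# also TCP, so the encrypted bytes are forwarded as-is and EC2 terminates TLS.
resource "aws_lb_target_group" "passthrough" {
  name     = "tcp-443-passthrough"
  port     = 443
  protocol = "TCP"
  vpc_id   = var.vpc_id
}

resource "aws_lb_listener" "passthrough" {
  load_balancer_arn = var.nlb_arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.passthrough.arn
  }
}

# --- Pattern 2: TLS termination plus re-encryption ("two way SSL") ---
# The TLS listener requires a certificate on the NLB. A TLS target group opens
# a second TLS session from the NLB to the target; the NLB does not validate
# the target's certificate, which is why a self-signed backend cert works.
resource "aws_lb_target_group" "reencrypt" {
  name     = "tls-443-reencrypt"
  port     = 443
  protocol = "TLS"   # valid only behind a TLS listener, as the docs state
  vpc_id   = var.vpc_id
}

resource "aws_lb_listener" "terminate" {
  load_balancer_arn = var.nlb_arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = var.acm_cert_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.reencrypt.arn
  }
}
```

With Pattern 1 the client certificate check, cipher policy and key protection all live on the EC2 instances, since the NLB sees only opaque TCP; with Pattern 2 the ssl_policy on the listener is what governs the client-facing TLS version and ciphers.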
