default encryption between ALB and target groups.

0

As per the AWS documentation, all traffic within the AWS cloud is encrypted, which suggests that the traffic from the load balancer to an EC2 target should be encrypted as well.

I understand there is an option to enable end-to-end encryption with self-signed certs, but I am trying to understand if my above assumption is accurate.

If it is an accurate assumption, what would be the use case to enable encryption between ALB and EC2, except for compliance reasons or to avoid eavesdropping within the AWS cloud, etc.?

2 Answers
1

If strict encryption of communication is required by PCI SSC requirements, etc., the communication between ALB and EC2 may also be HTTPS.

EXPERT
answered a year ago
1

The link you posted does say this, but it is physical-layer encryption (layer 1) and not layer 7 (TLS). Therefore, although there are native mechanisms for authentication etc. (see the highlighted paragraph; note that it says authentication and not encryption), it is recommended to use self-signed certs to encrypt the traffic between ELB and targets if you are looking to achieve end-to-end encryption.

All network traffic between AWS data centers is transparently encrypted at the physical layer

Please see this link which has specific recommendations for the customers: Data protection in Elastic Load Balancing

Also, the below paragraph:

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (1).

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

AWS
EXPERT
answered a year ago
EXPERT
verified 5 months ago
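As an added, offline check that follows from the answers above (example code, not part of this thread or of any AWS tooling): a script that reads the JSON shape produced by `aws elbv2 describe-target-groups` and lists target groups whose load-balancer-to-target protocol is not HTTPS (or TLS, for NLB target groups), i.e. where the hop from the load balancer to the targets is not TLS-encrypted at layer 7. It also notes HTTPS target groups whose health checks still use plain HTTP, since that means a plaintext port is open on the target. The sample data is constructed and the ARNs are placeholders. As the answer points out, the ALB does not validate target certificates, so this check confirms encryption in transit to the targets, not the targets' identity.

```python
"""Audit ALB/NLB target groups for unencrypted listener-to-target traffic.

Added example, not from the original re:Post thread and not AWS code.
Input is the JSON returned by `aws elbv2 describe-target-groups`; a
constructed sample is embedded so the script runs offline.
"""
import json

# Target-group protocols under which the load balancer speaks TLS to targets.
# HTTPS is used by ALB target groups, TLS by NLB target groups.
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}

# Constructed sample modelled on describe-target-groups output.
# Region, account and resource IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_TARGET_GROUPS = json.dumps({
    "TargetGroups": [
        {
            "TargetGroupName": "web-plain",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web-plain/PLACEHOLDER",
            "Protocol": "HTTP",
            "Port": 80,
            "HealthCheckProtocol": "HTTP",
            "TargetType": "instance",
        },
        {
            "TargetGroupName": "web-tls",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web-tls/PLACEHOLDER",
            "Protocol": "HTTPS",
            "Port": 443,
            "HealthCheckProtocol": "HTTPS",
            "TargetType": "instance",
        },
        {
            "TargetGroupName": "web-mixed",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web-mixed/PLACEHOLDER",
            "Protocol": "HTTPS",
            "Port": 443,
            "HealthCheckProtocol": "HTTP",  # health checks hit a plaintext port
            "TargetType": "ip",
        },
        {
            # Lambda target groups carry no Protocol/Port; nothing to audit.
            "TargetGroupName": "fn-lambda",
            "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/fn-lambda/PLACEHOLDER",
            "TargetType": "lambda",
        },
    ]
})


def audit_target_groups(describe_output: str) -> list:
    """Return one finding per target group whose target-side traffic is not TLS.

    Each finding is a dict with the target group name, a severity and a
    short description. Target groups with no Protocol (Lambda) are skipped.
    """
    findings = []
    for tg in json.loads(describe_output).get("TargetGroups", []):
        name = tg.get("TargetGroupName", "<unnamed>")
        protocol = tg.get("Protocol")
        if protocol is None:
            continue  # Lambda target type: the load balancer invokes the function directly
        if protocol not in ENCRYPTED_PROTOCOLS:
            findings.append({
                "name": name,
                "severity": "high",
                "issue": f"target protocol {protocol}: load balancer to target "
                         f"traffic is plaintext at layer 7 (physical-layer "
                         f"encryption only)",
            })
            continue
        health_check = tg.get("HealthCheckProtocol")
        if health_check is not None and health_check not in ENCRYPTED_PROTOCOLS:
            findings.append({
                "name": name,
                "severity": "low",
                "issue": f"targets use {protocol} but health checks use "
                         f"{health_check}; confirm the plaintext port is intended",
            })
    return findings


if __name__ == "__main__":
    # Replace the sample with: aws elbv2 describe-target-groups --output json
    for finding in audit_target_groups(SAMPLE_DESCRIBE_TARGET_GROUPS):
        print(f"[{finding['severity']}] {finding['name']}: {finding['issue']}")
```

Run it against live output by piping `aws elbv2 describe-target-groups --output json` into the function instead of the embedded sample. A clean result means every target group uses HTTPS or TLS toward its targets; it says nothing about certificate validity, which the ALB does not check.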
