NLB sticky sessions and SSL encryption

When you are using TLS encryption ( that requires at least 1 certificate ) between the LB and the targets for SSL offloading, it is not possible to have stickiness. If it is mandatory to have all network traffic encrypted then TCP listener on port 443 would help. Due to architectural restrictions in AWS NLB, it's not possible to enable stickiness and TLS listener at the same time . You can move TLS encryption back in the chain, onto the app servers directly. The traffic can then be passed through the NLB as TCP traffic and not TLS traffic, and session stickiness is enabled on the NLB directly, this way you are not compromising the end-to-end encryption in the environment. So the summary solution would be:

• Enabling TCP listener on port 443 between NLB and the target groups
• Enabling sticky sessions on AWS NLB
• Enabling TLS encryption on the blackened servers ( App servers )