Traffic between ALB and backend EC2 Instance needs to be encrypted

0

Hi. Currently we have an ALB fronting our backend Amazon Linux 2 EC2 instances. The traffic between the client and the ALB is encrypted using an SSL certificate which is applied on the ALB. The ALB is configured to off-load SSL, i.e. the ALB decrypts the data before it is forwarded to the backend instances (https --> http).

We have a requirement to encrypt the traffic between the ALB and the backend EC2 instances. I understand generating self-signed certificates on EC2 can be a good starting point. But the trivial issue is that whenever the application stack is installed/updated, it provisions a new EC2 instance with a different local DNS name/IP address. Hence, we are not sure if a self-signed certificate generated with CN, say, 'a' for EC2 instance 1 can work when a new EC2 instance is provisioned with name 'b' whenever the stack is installed/updated.

We feel a Network LB may help us address the requirement, but we are using path-based routing, which is only supported by ALB. Hence, please help with the steps to be followed to accomplish the requirement.

HemalM
Asked 10 months ago, 739 views
2 answers
5
Accepted answer

The load balancer establishes connections with the target using certificates that are installed on the target. It doesn't validate those certificates.

Refer to the Routing Configuration section of this AWS documentation.

        If a target group is configured with the HTTPS protocol or uses HTTPS health checks, the TLS connections to the targets use the security settings from the ELBSecurityPolicy-2016-08 policy. The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid.

As long as you have a self-signed certificate, you should be good.

To your other point, yes, a Network LB can help you address the requirement, but ALB has a lot of benefits over NLB, so you should keep using ALB with self-signed certificates on EC2.

AWS EXPERT
answered 10 months ago
1

When mod_ssl is installed with the following command, a self-signed certificate is also set up with it.
It is possible to use HTTPS with that certificate even if the IP address etc. changes.

sudo yum install mod_ssl
EXPERT
answered 10 months ago
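Both answers above boil down to the same procedure: put any self-signed certificate on each instance, serve it on 443, and point an HTTPS target group at it. The script below is an added example (not code from the thread, from AWS, or from the mod_ssl package) that does this end to end on an Amazon Linux 2 style host: it generates a fresh certificate whose CN is simply whatever the instance is called at boot, writes an httpd/mod_ssl vhost for it, and shows the AWS CLI calls for the HTTPS target group. The certificate file names, the idea of replacing mod_ssl's default `/etc/httpd/conf.d/ssl.conf`, the `/health.txt` health-check path and the target group name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: per-instance self-signed TLS for an
# ALB HTTPS target group. Run from user-data so every newly provisioned instance
# gets its own certificate; the ALB does not validate it, so the CN never has to
# match a DNS name that survives a redeploy.
set -eu

# Generate a 10-year self-signed RSA certificate whose CN is the current hostname.
# Because the ALB does not check the certificate, a changed hostname or IP on the
# next instance is harmless: that instance just generates its own certificate.
gen_self_signed_cert() {
    dir="$1"; cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" \
        -keyout "$dir/alb-backend.key" -out "$dir/alb-backend.crt" 2>/dev/null
    chmod 600 "$dir/alb-backend.key"
}

# Print the CN of a PEM certificate (used to confirm what was generated).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Emit an httpd vhost that terminates TLS on 443 with that certificate and serves a
# static health-check file. Intended to replace mod_ssl's default ssl.conf (assumption).
# TLS 1.2 only: that is what the ALB's ELBSecurityPolicy-2016-08 negotiates anyway.
write_httpd_ssl_conf() {
    out="$1"; crt="$2"; key="$3"
    cat > "$out" <<EOF
Listen 443 https
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# ALB side: an HTTPS target group with an HTTPS health check, then register the
# instance. Needs AWS credentials and real ids, so it is not called in the offline
# run below; the path-based listener rules stay exactly as they are today.
create_https_target_group() {
    vpc_id="$1"; instance_id="$2"
    tg_arn=$(aws elbv2 create-target-group --name alb-backend-https \
        --protocol HTTPS --port 443 --vpc-id "$vpc_id" \
        --health-check-protocol HTTPS --health-check-path /health.txt \
        --query 'TargetGroups[0].TargetGroupArn' --output text)
    aws elbv2 register-targets --target-group-arn "$tg_arn" --targets "Id=$instance_id"
    echo "$tg_arn"
}

# Offline demo: generate into a temp dir. On the instance you would use
# /etc/pki/tls/certs, /etc/pki/tls/private, /etc/httpd/conf.d/ssl.conf and
# then create /var/www/html/health.txt and run: systemctl restart httpd
demo_dir=$(mktemp -d)
gen_self_signed_cert "$demo_dir" "$(hostname 2>/dev/null || echo backend)"
write_httpd_ssl_conf "$demo_dir/ssl.conf" "$demo_dir/alb-backend.crt" "$demo_dir/alb-backend.key"
echo "generated certificate with CN=$(cert_cn "$demo_dir/alb-backend.crt") in $demo_dir"
```

Two checks are still on you even though the ALB skips certificate validation: the instance security group must allow 443 from the ALB's security group (the old port 80 rule can then go), and the health check must be switched to HTTPS as above, otherwise the target goes unhealthy as soon as port 80 stops answering. Note also that the quoted documentation's "not at risk of man-in-the-middle" claim rests on the VPC boundary, not on the certificate; the self-signed certificate gives you encryption in transit, not authentication of the backend.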
