default encryption between ALB and target groups.

0

As per the AWS documentation, all traffic within the AWS cloud is encrypted, which suggests the traffic from the load balancer to an EC2 target should be encrypted as well.

I understand there is an option to enable end-to-end encryption with self-signed certs, but I am trying to understand if my above assumption is accurate.

If it is an accurate assumption, what would be the use case to enable encryption between ALB and EC2, except for compliance reasons or to avoid eavesdropping within the AWS cloud, etc.?

2 answers
1

If strict encryption of communication is required by PCI SSC requirements, etc., the communication between ALB and EC2 may also be HTTPS.

Expert
Answered a year ago
1

The link you posted does say this, but it is physical-layer encryption (layer 1), not layer 7 (TLS). Therefore, although there are native mechanisms for authentication etc. (see the highlighted paragraph; note that it says authentication and not encryption), it is recommended to use self-signed certs to encrypt the traffic between the ELB and targets if you are looking to achieve end-to-end encryption.

All network traffic between AWS data centers is transparently encrypted at the physical layer

Please see this link which has specific recommendations for the customers: Data protection in Elastic Load Balancing

Also, the below paragraph:

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid [1].

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

AWS
Expert
Answered a year ago
Expert
Reviewed 5 months ago
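The quoted paragraph describes a specific TLS client behaviour: the ALB encrypts to the target but never validates the target's certificate, which is why a self-signed or expired certificate works. The following is an added example (not code from the thread or from the AWS documentation) that reproduces that behaviour locally: it generates a throwaway self-signed certificate with the `openssl` command-line tool (assumed to be installed), runs a small TLS server on 127.0.0.1 standing in for the EC2 target, and connects twice, once the way the ALB does (encrypt, `CERT_NONE`) and once with ordinary validation. The ALB-style connection succeeds on a negotiated TLS cipher; the validating one is refused, which is exactly the gap the answer points at: the hop is encrypted, but the target's identity is not checked by the certificate.

```python
"""Local simulation of ALB-to-target TLS: encrypted, but the target cert is not validated.

Added example, not code from the AWS documentation or the re:Post answers.
Assumes the `openssl` CLI is on PATH; all names and ports here are local and hypothetical.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory, cn="target.internal", days=30):
    """Write key.pem/cert.pem to `directory` using the openssl CLI (assumed installed)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", str(days), "-subj", f"/CN={cn}"],
        check=True, capture_output=True,
    )
    return cert, key


def serve_target(cert, key, listener, connections):
    """Stand in for the EC2 target: present the self-signed cert, echo back what arrives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    for _ in range(connections):
        conn, _addr = listener.accept()
        conn.settimeout(5)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(1024))
        except (ssl.SSLError, OSError):
            pass  # a validating client aborts the handshake; the target just moves on
        finally:
            conn.close()


def connect_like_alb(host, port, payload=b"hello from alb"):
    """Encrypt but do not validate the peer certificate: the ALB's behaviour toward targets."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return {"ok": True, "tls_version": tls.version(),
                    "cipher": tls.cipher()[0], "echo": tls.recv(1024)}


def connect_with_validation(host, port):
    """A normal TLS client (system CA store, hostname check); refuses the self-signed cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "tls_version": tls.version()}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def run_demo():
    """Generate the cert, run the target, try both clients; return both outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed_cert(workdir)
        listener = socket.socket()
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(("127.0.0.1", 0))  # ephemeral port, local only
        listener.listen(2)
        listener.settimeout(10)
        port = listener.getsockname()[1]
        target = threading.Thread(target=serve_target, args=(cert, key, listener, 2), daemon=True)
        target.start()
        alb_like = connect_like_alb("127.0.0.1", port)
        validating = connect_with_validation("127.0.0.1", port)
        target.join(10)
        listener.close()
    return {"alb_like": alb_like, "validating": validating}


if __name__ == "__main__":
    print(run_demo())
```

The practical reading of the result: the "alb_like" entry shows a real TLS version and cipher, so the bytes on the wire are encrypted even though the certificate is self-signed, while the "validating" entry fails with a certificate verification error. That is why the AWS text can say self-signed or expired certificates are acceptable on targets, and also why the target's certificate is not what stops a spoofed target; the page attributes that protection to packet-level authentication inside the VPC, not to TLS.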
