Encrypted traffic from network load-balancer to Application load-balancer via Newwork firewall

Question

Hi there,

I'm trying to replace my ha-proxy functionality by the AWS native services and my plan is use : 
```
NLB ---|Network Firewall (NFW)|--->ALB (with WAF)---> appVPC endpoint
```  
I know NLB now can offload TLS but can it send it (the unencrypted traffic) to an ALB for the NFW to do the traffic inspection? The new `alb-type` target-group needs to be used for the NLB to forward the traffic to an ALB and looks like a `TLS` listener cannot be used for that? Otherwise I think I have to use two ALBs, like this:
```
NLB ---> ALB1(+WAF)---|Network Firewall (NFW)|--->ALB2---> appVPC endpoint
```
which I'm trying to avoid. Is it possible to achieve my goal with a single ALB?

-S

Answer

You are correct - TLS listeners on Network Load Balancers cannot forward to ALB-type target groups

Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

Also you probably know this but adding here:

Q: Can AWS Network Firewall inspect encrypted traffic?

AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.

Encrypted traffic from network load-balancer to Application load-balancer via Newwork firewall

Conteúdo relevante