Traffic between ALB and backend EC2 Instance needs to be encrypted


Hi, currently we have an ALB fronting our backend Amazon Linux 2 EC2 instances. The traffic between the client and the ALB is encrypted using an SSL certificate which is applied on the ALB. The ALB is configured to off-load SSL, i.e. the ALB decrypts the data before it is forwarded to the backend instances (https-->http). We have a requirement to encrypt the traffic between the ALB and the backend EC2 instances. I understand generating self-signed certificates on EC2 can be a good starting point. But the trivial issue is that whenever the application stack is installed/updated, it provisions a new EC2 instance with a different local DNS name/IP address. Hence, we are not sure if a self-signed certificate generated with CN, say, 'a' for EC2 instance 1 can work when a new EC2 instance is provisioned with name 'b' whenever the stack is installed/updated. We feel a Network LB may help us address the requirement, but we are using path-based routing, which is only supported by ALB. Hence, please help with the steps to be followed to accomplish the requirement.

HemalM
asked 9 months ago, 700 views
2 Answers
Accepted Answer

The load balancer establishes the connection with the target using certificates that are installed on the target. It doesn't validate those certificates.

Refer to the Routing Configuration section of this AWS documentation:

        If a target group is configured with the HTTPS protocol or uses HTTPS health checks, the TLS connections to the targets use the security settings from the ELBSecurityPolicy-2016-08 policy. The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid.

As long as you have a self-signed certificate, you should be good.

To your other point, yes, a Network LB can help you address the requirement, but ALB has a lot of benefits over NLB, so you should keep using ALB with self-signed certificates on EC2.

AWS EXPERT, answered 9 months ago

When mod_ssl is installed with the following command, a self-signed certificate is also set up with it.
It is possible to use https with that certificate even if the IP address etc. is changed.

sudo yum install mod_ssl
EXPERT, answered 9 months ago
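The steps the two answers describe, as an added example that is not code from either answer or from AWS: a bootstrap script for an Amazon Linux 2 target that generates a per-instance self-signed certificate at boot (so the CN matches whatever private DNS name the newly provisioned instance gets), writes a minimal mod_ssl config that uses it, and creates the HTTPS target group the ALB's path-based rules can forward to. The certificate paths, the target-group name `alb-https-targets`, the `/health` path and the `ALB_TARGET_*` environment variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the re:Post answers): make an Amazon Linux 2 instance
# an HTTPS target for an ALB. Paths, target-group name, /health path and the
# ALB_TARGET_* variables are assumptions chosen for illustration.
set -eu

# Generate a private key and a self-signed certificate whose CN and SAN are this
# instance's own hostname. Run at boot (user data) so every newly provisioned
# instance gets a cert for its own private DNS name; the ALB does not validate
# target certificates, so even a mismatch would not break forwarding. A config
# file is used instead of -addext so it also works with the OpenSSL 1.0.2 that
# Amazon Linux 2 ships.
gen_self_signed_cert() {
  crt="$1"; key="$2"; host="${3:-$(hostname -f)}"
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = ${host}
[v3]
subjectAltName = DNS:${host}
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$cfg" -keyout "$key" -out "$crt" 2>/dev/null
  rm -f "$cfg"
  chmod 600 "$key"
}

# Print the subject of a certificate (used to confirm the CN after generation).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Write a minimal mod_ssl vhost, replacing the package default ssl.conf.
# TLS 1.0/1.1 are disabled on the target; the ALB still negotiates TLS 1.2
# with targets under ELBSecurityPolicy-2016-08, so the ALB -> target hop works.
write_httpd_ssl_conf() {
  conf="$1"; crt="$2"; key="$3"
  cat >"$conf" <<EOF
Listen 443 https
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile ${crt}
    SSLCertificateKeyFile ${key}
</VirtualHost>
EOF
}

# Create the HTTPS target group (port 443, HTTPS health checks) that the ALB's
# path-based listener rules forward to. Needs the AWS CLI and credentials, so it
# is only invoked below when a VPC id is supplied.
create_https_target_group() {
  name="$1"; vpc="$2"
  aws elbv2 create-target-group \
    --name "$name" --protocol HTTPS --port 443 --target-type instance \
    --vpc-id "$vpc" --health-check-protocol HTTPS --health-check-path /health \
    --query 'TargetGroups[0].TargetGroupArn' --output text
}

# Instance bootstrap, e.g. from EC2 user data: ALB_TARGET_INSTALL=1 ./alb-target.sh
if [ "${ALB_TARGET_INSTALL:-0}" = 1 ]; then
  yum install -y httpd mod_ssl
  CRT=/etc/pki/tls/certs/alb-target.crt
  KEY=/etc/pki/tls/private/alb-target.key
  gen_self_signed_cert "$CRT" "$KEY"
  write_httpd_ssl_conf /etc/httpd/conf.d/ssl.conf "$CRT" "$KEY"
  apachectl configtest
  systemctl enable httpd
  systemctl restart httpd
fi

# One-off from an admin workstation: ALB_TARGET_VPC_ID=vpc-xxxx ./alb-target.sh
if [ -n "${ALB_TARGET_VPC_ID:-}" ]; then
  create_https_target_group alb-https-targets "$ALB_TARGET_VPC_ID"
fi
```

The certificate is regenerated on every new instance, which is exactly why the changing DNS name in the question does not matter: no fixed CN has to survive a redeploy. Keep in mind what the quoted documentation says about the trust model. The ALB encrypts the hop but does not authenticate the target by its certificate; the only thing stopping a rogue target is that the ALB reaches it inside the VPC, which is why the target group, the instance security group (allow 443 only from the ALB's security group) and the health check protocol should all be set to HTTPS together rather than leaving an HTTP fallback.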
