Off-loading and re-encrypting traffic on Application Load Balancer?

Hello,

Short answer is yes, you can enable encryption between Load balancer and EC2 instances. Take a note of the statement I highlight from AWS documentation in the second paragraph, you don't need to worry about someone intercepting traffic between load balancer and EC2 instances.

Encryption in transit:

HTTPS and TLS traffic from clients terminates at the ELB, where the ELB performs the work of encrypting and decrypting the traffic instead of requiring each EC2 instance to handle TLS termination. For end-to-end encryption, you can use self-signed certificates generated on the EC2 instances to encrypt traffic between the ELB and EC2 instances. (1).

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (2).

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html

[2] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

Additional resources on this topic:

Self-signed certificates can also be used for backend HTTPS between a load balancer and EC2 instances.

Reference: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html

How can I use the same SSL certificate for my Amazon EC2 instance and load balancer?