Should I enable an SSL connection between my load balancer and my EC2 instance?

1

I've stumbled upon this AWS tutorial that explains how to create an HTTPS connection between your EC2 instance and your load balancer. Without an SSL certificate, all the communication between the EC2 instance and the load balancer could potentially be intercepted by an Amazon employee with admin privileges. But I don't think the chance of that ever happening is very high.

So my question is: should I enable an SSL connection between my load balancer and my EC2 instance? I would like to hear some people's opinion on this. Do most large companies use encryption for the communication between the load balancer and EC2?

Thank you

asked 2 years ago · 6806 views
4 Answers
2
Accepted Answer

Hello,

Short answer is yes, you can enable encryption between the load balancer and EC2 instances. Take note of the statement I highlight from the AWS documentation in the second paragraph: you don't need to worry about someone intercepting traffic between the load balancer and EC2 instances.

Encryption in transit:

HTTPS and TLS traffic from clients terminates at the ELB, where the ELB performs the work of encrypting and decrypting the traffic instead of requiring each EC2 instance to handle TLS termination. For end-to-end encryption, you can use self-signed certificates generated on the EC2 instances to encrypt traffic between the ELB and EC2 instances. (1).

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (2).

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html

[2] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

AWS EXPERT
answered 2 years ago
  • "Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level..." OK, but could the content of the packets that are passed between the load balancer and the EC2 instance still be read by an Amazon employee if I don't encrypt the data with self-signed certificates? Do you think it's necessary to encrypt the data between the load balancer and EC2 instance?

  • Hello, AWS does not access any of the data/content, read the Data privacy FAQ: https://aws.amazon.com/compliance/data-privacy-faq/. That being said, it is always advisable to do encryption where supported, so while it is not necessary for any specific functionality it is always better to do encryption in transit with TLS. Hope that clarifies all the doubts. Thank you.
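The end-to-end setup the accepted answer describes, as an added example that is not code from this thread or from AWS: a self-signed certificate generated on the EC2 target, an nginx server block that serves it on port 443, and the aws CLI call that creates a target group with protocol HTTPS. It also shows the point from the quoted documentation in runnable form: a strict client rejects the self-signed certificate against the system trust store and accepts it only when it is explicitly trusted, while the ALB skips that validation for target connections. Assumed: OpenSSL 1.1.1 or newer on PATH; the host name web-1.internal, the path /etc/nginx/tls and the target-group and VPC names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS. Assumptions: OpenSSL
# 1.1.1+ is installed; web-1.internal, /etc/nginx/tls, web-tg and AWS_VPC_ID are
# placeholders for your own host name, paths and account.
set -eu

# Generate a self-signed RSA cert + key for HOST into DIR, valid for DAYS (default 365).
# The ALB does not validate it, but a SAN keeps it usable by strict clients that do.
make_self_signed_cert() {
  dir="$1"; host="$2"; days="${3:-365}"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -days "$days" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
  chmod 600 "$dir/server.key"   # the private key never has to leave the instance
}

# Subject of a certificate, e.g. CN=web-1.internal (handles old and new openssl output).
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Strict validation, i.e. what a client that checks certificates does. Exit 0 only if
# CERT chains to the trust anchors in CAFILE (or the system store when CAFILE is empty).
# A self-signed cert fails against the system store and passes only when it is
# explicitly trusted; this is the check the ALB skips for target connections.
strict_verify() {
  cert="$1"; cafile="${2:-}"
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
  else
    openssl verify "$cert" >/dev/null 2>&1
  fi
}

# Exit 0 if CERT stays valid for at least DAYS more days. The ALB keeps talking to a
# target with an expired cert, so nothing else will warn you; put this in monitoring.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# nginx server block that serves the cert on 443; the ALB health check hits /healthz.
nginx_tls_server_block() {
  certdir="$1"; host="$2"
  cat <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     $certdir/server.crt;
    ssl_certificate_key $certdir/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location /healthz { return 200 'ok'; }
}
EOF
}

# Target group whose protocol is HTTPS, so the ALB opens TLS to port 443 on each target.
# Only invoked when AWS_VPC_ID is set; needs aws CLI credentials.
create_https_target_group() {
  aws elbv2 create-target-group --name "$1" --protocol HTTPS --port 443 \
    --vpc-id "$2" --target-type instance \
    --health-check-protocol HTTPS --health-check-path /healthz
}

# Demo run on a temporary directory.
tmp=$(mktemp -d)
make_self_signed_cert "$tmp" web-1.internal
echo "subject: $(cert_subject "$tmp/server.crt")"
if strict_verify "$tmp/server.crt"; then
  echo "system store: trusted"
else
  echo "system store: NOT trusted (expected for a self-signed cert)"
fi
if strict_verify "$tmp/server.crt" "$tmp/server.crt"; then
  echo "pinned as its own trust anchor: trusted"
fi
if cert_valid_for_days "$tmp/server.crt" 30; then
  echo "valid for at least 30 more days"
fi
nginx_tls_server_block /etc/nginx/tls web-1.internal
if [ -n "${AWS_VPC_ID:-}" ]; then
  create_https_target_group web-tg "$AWS_VPC_ID"
fi
```

Run it on the instance, copy the generated files into the directory the nginx block points at, and register the instance in the HTTPS target group. Because the load balancer never checks the certificate, the only practical consequence of letting it expire is that your own monitoring stops matching reality, which is why the expiry check is kept even though the ALB would not care.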

1

Hi, the tutorial context is different. If your web server is behind an ALB and everyone is accessing it publicly via the ALB, then ACM at the ALB level for SSL is required; however, if some developers or any other third-party associate access your website privately with DNS mapping to your server's private IP, then you need to install SSL at the server level. The tutorial you referred to helps on how you can use any purchased SSL certificate both at the server level and the ALB level. You can use an encrypted EBS volume for your server with a customer managed KMS key to keep data protected.

sourav
answered 2 years ago
  • "however if some developers or any other 3 party associate who access your website privately with dns mapping to your server's private IP then you need to install ssl at server level." What do you mean by connecting to the website privately with DNS mapping? I intend to place all EC2 instances behind a load balancer. In that case the only way to communicate with the EC2 instance is through the load balancer, right?

1

Along with the other posts here, keep in mind that many organizations have various privacy and data governance policies in place, along with other industry compliance and regulatory controls. Even if a risk assessment deems not having encrypted traffic from the LB->EC2 targets a high risk, there may be other policy, compliance, and governance aspects at play that will require this end-to-end encryption of this data in transit anyway.

Also, having the TLS termination (LB->EC2) on the EC2 hosts can add a bit of processing overhead. It's typically very minor in my experience, but it's something to keep in mind depending on the workload and scale of things you're working with. You may need to horizontally scale out a few extra EC2 instances to account for the utilization bump, or even consider a different instance family (Ex. M class -> C class) for more CPU-biased capabilities. It all depends, you'd need to monitor and see how it affects your workload and traffic patterns and adapt if needed.

answered 2 years ago
0

Also, you could offload your SSL to CloudHSM (SSL acceleration):

  • Supported by NGINX, Apache web servers and IIS for Windows Server
  • Extra security: the SSL private key never leaves the HSM device

Take a look at this documentation for more details: https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-overview.html

answered a year ago
