Hello,
Short answer is yes, you can enable encryption between the load balancer and EC2 instances. Take note of the statement I highlight from the AWS documentation in the second paragraph: you don't need to worry about someone intercepting traffic between the load balancer and EC2 instances.
Encryption in transit:
HTTPS and TLS traffic from clients terminates at the ELB, where the ELB performs the work of encrypting and decrypting the traffic instead of requiring each EC2 instance to handle TLS termination. For end-to-end encryption, you can use self-signed certificates generated on the EC2 instances to encrypt traffic between the ELB and EC2 instances. (1).
The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (2).
Reference:
[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
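The quoted documentation describes the setup but not the mechanics, so here is an added worked example (not from the answer above, AWS's documentation, or any AWS sample) of what end-to-end encryption between an ALB and an EC2 target looks like on the target side: a self-signed certificate generated on the instance, an nginx server block that terminates TLS on 443 with a health-check path, and the AWS CLI call that switches the target group to HTTPS. It assumes nginx and openssl are available on the instance and that the AWS CLI is configured; `backend.internal`, `/health`, the `8080` upstream port and `vpc-PLACEHOLDER` are placeholders, and the CLI command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the re:Post answer or the AWS docs): target-side setup for
# end-to-end TLS between an ALB and an EC2 instance using a self-signed certificate.
# Assumptions: nginx and openssl on the instance, AWS CLI configured; hostname,
# ports and the VPC id are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT_DIR="$WORKDIR/tls"
NGINX_CONF="$WORKDIR/backend-tls.conf"

# 1. Generate a self-signed certificate and key on the target. The ALB does not
#    validate target certificates (self-signed or expired is accepted), so the CN
#    is informational; what matters is that the bytes on the wire are encrypted.
make_self_signed_cert() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=backend.internal" \
        -keyout "$CERT_DIR/backend.key" -out "$CERT_DIR/backend.crt" 2>/dev/null
    # The private key stays on the instance; keep it readable by the web server only.
    chmod 600 "$CERT_DIR/backend.key"
}

# 2. nginx server block: TLS on 443, a cheap /health endpoint for the ALB health check,
#    and the application reached only over loopback (placeholder port 8080).
write_nginx_tls_conf() {
    cat > "$NGINX_CONF" <<EOF
server {
    listen 443 ssl;
    server_name backend.internal;
    ssl_certificate     $CERT_DIR/backend.crt;
    ssl_certificate_key $CERT_DIR/backend.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location /health { add_header Content-Type text/plain; return 200 'ok'; }
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# 3. The AWS CLI call that makes the ALB speak HTTPS to the targets: protocol and
#    health check both on HTTPS/443. Printed, not executed, so this runs offline.
print_target_group_commands() {
    cat <<'EOF'
aws elbv2 create-target-group --name backend-https --protocol HTTPS --port 443 \
    --vpc-id vpc-PLACEHOLDER --health-check-protocol HTTPS --health-check-path /health
EOF
}

# 4. Local verification on the instance: confirm which certificate nginx will present.
#    (To check the live listener from the instance itself, a practitioner would run
#    `openssl s_client -connect 127.0.0.1:443 -servername backend.internal </dev/null`.)
cert_subject() {
    openssl x509 -in "$CERT_DIR/backend.crt" -noout -subject
}

# Usage when run directly on the instance:
#   make_self_signed_cert && write_nginx_tls_conf && cert_subject && print_target_group_commands
```

The design point worth noticing is the one the quoted documentation makes: because the ALB does not validate the target certificate, this setup gives you confidentiality on the LB-to-instance hop but not authentication of the target by certificate; the isolation of the VPC is what prevents spoofing there. The `/health` location exists because the ALB health check must also succeed over HTTPS once the target group protocol is switched, a step that is easy to forget and that takes every target out of service when missed.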
Hi, the tutorial context is different. If your web server is behind an ALB and everyone accesses it publicly via the ALB, then ACM at the ALB level for SSL is required; however, if some developers or any other third-party associate access your website privately with DNS mapping to your server's private IP, then you need to install SSL at the server level. The tutorial you referred to helps on how you can use any purchased SSL both at the server level and the ALB level. You can use an encrypted EBS volume for your server with a customer-managed KMS key to keep data protected.
"however if some developers or any other 3 party associate who access your website privately with dns mapping to your server's private IP then you need to install ssl at server level." What do you mean by connecting to the website privately with DNS mapping? I intend to place all EC2 instances behind a load balancer. In that case the only way to communicate with the EC2 instance is through the load balancer, right?
Along with the other posts here, keep in mind many organizations have various privacy and data governance policies in place, along with other industry compliance and regulatory controls. Even if a risk assessment deems not having encrypted traffic from the LB->EC2 targets a high-risk, there may be other policy, compliance, and governance aspects at play that will require this end-to-end encryption of this data-in-transit anyways.
Also, having the TLS termination (LB->EC2) on the EC2 hosts can add a bit of processing overhead. It's typically very minor in my experience, but it's something to keep in mind depending on the workload and scale of things you're working with. You may need to horizontally scale out a few extra EC2 instances to account for the utilization bump, or even consider a different instance family (e.g. M class -> C class) for more CPU-biased capabilities. It all depends; you'd need to monitor and see how it affects your workload and traffic patterns and adapt if needed.
Also, you could offload your SSL to CloudHSM (SSL Acceleration):
- Supported by Nginx, Apache web servers and IIS for Windows Server
- Extra security: the SSL private key never leaves the HSM device
Take a look at this documentation for more details! https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-overview.html
"Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level..." OK, but could the content of the packets that are passed between the load balancer and the EC2 instance still be read by an Amazon employee if I don't encrypt the data with self-signed certificates? Do you think it's necessary to encrypt the data between the load balancer and the EC2 instance?
Hello, AWS does not access any of the data/content; read the Data privacy FAQ: https://aws.amazon.com/compliance/data-privacy-faq/. That being said, it is always advisable to do encryption where supported, so while it is not necessary for any specific functionality, it is always better to do encryption in transit with TLS. Hope that clarifies all the doubts. Thank you.