End to end SSL NLB


If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on NLB? Is it possible to pass through the traffic as-is to EC2 and have EC2 do the decryption? If so, what would the listener protocol be? Is that TCP or TLS? I believe the target group protocol should be TLS.

Below are the lines from documentation: "Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

nishan, asked 10 months ago, 1133 views

1 Answer

If we need end-to-end encryption involving NLB, is it mandatory to have a certificate installed on NLB?

No, it is not mandatory. TLS can be terminated on the backend directly.

Is it possible to pass through the traffic as-is to EC2 and have EC2 do the decryption?

Yes

If so, what would the listener protocol be? Is that TCP or TLS? I believe the target group protocol should be TLS.

TCP-443 as mentioned here:

"Note that if you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. The load balancer passes the request to the target as is, without decrypting it."

However, the documentation at https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-target-group.html states that a target group protocol of TLS is acceptable only if the listener protocol is TLS.

You would configure the target group protocol as TLS if you are terminating the SSL on the load balancer (also called SSL offloading or two-way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend).

AWS, EXPERT, answered 10 months ago
  • I didn't understand the last paragraph.

    "You would configure Target group protocol as TLS if you are terminating the SSL on the load balancer" If I am already terminating the SSL at NLB, why would I need a TLS protocol on target group?

    "two way SSL, i.e. Client -> LB is SSL and then another SSL session from LB -> backend" Why would anyone go for two-way SSL instead of a single point of end-to-end encryption at EC2? If one is opting for this two-way SSL, do we need to add additional certificates on NLB to match the SSL certificates on EC2?

  • Both options are valid: end-to-end SSL as well as two-way SSL. If you configure two-way SSL you can use self-signed certificates on the backend. See the answer from Toni_S here: https://repost.aws/questions/QUIo7PWvZ3T6aFYCByhZ5f0A/load-certificate-on-alb-and-ec2
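The two configurations the thread compares, written out as Terraform. This is an added example and is not code from the re:Post thread or from AWS; it assumes the input variables vpc_id, subnet_ids, instance_ids and acm_certificate_arn are defined in your configuration and that the instances serve a /health path over HTTPS (an assumed path). Option 1 is the TCP-443 passthrough the answer points to: no certificate on the NLB, and the target group protocol is TCP because a TLS target group is only allowed behind a TLS listener. Option 2 is the TLS listener plus TLS target group form the target-group documentation describes: the NLB terminates with an ACM certificate and opens a second TLS session to the instance. The two options are shown on separate load balancers because one NLB cannot have two listeners on port 443.

```hcl
# Added example, not from the thread or from AWS. Assumed inputs:
variable "vpc_id"              { type = string }
variable "subnet_ids"          { type = list(string) }
variable "instance_ids"        { type = list(string) }
variable "acm_certificate_arn" { type = string }   # used only by option 2

# ---- Option 1: TLS passthrough (TCP listener on 443 -> TCP target group) ----
# The NLB forwards the encrypted bytes unchanged; the EC2 instances terminate
# TLS with their own certificates. Nothing on the NLB holds a private key.
resource "aws_lb" "passthrough" {
  name               = "nlb-tls-passthrough"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "passthrough" {
  name        = "tg-tls-passthrough"
  port        = 443
  protocol    = "TCP"        # not TLS: a TLS target group requires a TLS listener
  vpc_id      = var.vpc_id
  target_type = "instance"

  # An HTTPS health check exercises the instance's own TLS endpoint, so a target
  # with a broken or expired certificate is taken out of service, which a plain
  # TCP port check would not catch.
  health_check {
    protocol = "HTTPS"
    port     = "traffic-port"
    path     = "/health"     # assumed health endpoint on the instances
  }
}

resource "aws_lb_listener" "passthrough" {
  load_balancer_arn = aws_lb.passthrough.arn
  port              = 443
  protocol          = "TCP"  # no certificate_arn or ssl_policy: nothing is decrypted here

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.passthrough.arn
  }
}

resource "aws_lb_target_group_attachment" "passthrough" {
  for_each         = toset(var.instance_ids)
  target_group_arn = aws_lb_target_group.passthrough.arn
  target_id        = each.value
  port             = 443
}

# ---- Option 2: terminate on the NLB, re-encrypt to the backend ----
# (TLS listener with an ACM certificate -> TLS target group). Clients verify the
# ACM certificate; the NLB then starts a new TLS session to each instance. The
# NLB does not validate the backend certificate, so a self-signed certificate on
# the instance works, but it also means that hop is encrypted, not authenticated.
resource "aws_lb" "reencrypt" {
  name               = "nlb-tls-reencrypt"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "reencrypt" {
  name        = "tg-tls-reencrypt"
  port        = 443
  protocol    = "TLS"        # allowed here because the listener below is TLS
  vpc_id      = var.vpc_id
  target_type = "instance"
}

resource "aws_lb_listener" "reencrypt" {
  load_balancer_arn = aws_lb.reencrypt.arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = var.acm_certificate_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"  # TLS 1.2/1.3-only policy

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.reencrypt.arn
  }
}

resource "aws_lb_target_group_attachment" "reencrypt" {
  for_each         = toset(var.instance_ids)
  target_group_arn = aws_lb_target_group.reencrypt.arn
  target_id        = each.value
  port             = 443
}
```

The trade-off the comments ask about follows from the two blocks: with passthrough, certificate rotation, cipher policy and any TLS logging live entirely on the instances, and the NLB can only health-check what the instances expose; with termination plus re-encryption, the ACM certificate on the listener is the one clients validate and the backend certificate only has to exist, since the NLB does not check it.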
