By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Scope of encryption when running ECS on Nitro instances

1

If I have an ECS cluster running a single service with an ALB in front of that service, am I right in thinking that if the whole cluster is running on Nitro instances, the section of network between the ALB and an instance within a target group would NOT be encrypted?

The Nitro encryption only works between instances in the cluster and not between the ALB to an instance? Multiple services in a cluster would need to be using e.g. Service discovery and going point to point between themselves rather than via an ALB in order to benefit from the network level Nitro encryption?

Topics
ComputeContainersNetworking & Content Delivery
Tags
Amazon EC2Amazon Elastic Container ServiceElastic Load BalancingEncryption
Language
English
AWS-User-3540559
asked 2 years ago629 views
2 Answers
0

Answering my own question here....From the following doc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html

See "Encryption between instances" section..

"The instances are in the same VPC or peered VPCs, and the traffic does not pass through a virtual network device or service, such as a load balancer or a transit gateway."

AWS-User-3540559
answered 2 years ago
0

Hello,

See below from the documentation

Using Nitro instances:

By default, traffic is automatically encrypted between the following Nitro instance types: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n. Traffic isn't encrypted when it's routed through a transit gateway, load balancer, or similar intermediary.

The same link talks about what are some of the ways to achieve encryption in transit for various scenarios.

profile pictureAWS
EXPERT
Tushar_J
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content