Default encryption between ALB and target groups

0

As per the AWS documentation, all traffic within the AWS cloud is encrypted, which suggests that the traffic from the load balancer to an EC2 target should be encrypted as well.

I understand there is an option to enable end-to-end encryption with self-signed certs, but I am trying to understand if my above assumption is accurate.

If it is an accurate assumption, what would be the use case for enabling encryption between the ALB and EC2, except for compliance reasons, to avoid eavesdropping within the AWS cloud, etc.?

2 Answers
1

If strict encryption of communication is required by PCI SSC requirements, etc., the communication between the ALB and EC2 may also be HTTPS.

EXPERT
answered a year ago
1

The link you posted does say this, but it is physical-layer encryption (layer 1) and not layer 7 (TLS). Therefore, although there are native mechanisms for authentication etc. (see the highlighted paragraph; note that it says authentication and not encryption), it is recommended to use self-signed certs to encrypt the traffic between the ELB and the targets if you are looking to achieve end-to-end encryption.

All network traffic between AWS data centers is transparently encrypted at the physical layer

Please see this link which has specific recommendations for the customers: Data protection in Elastic Load Balancing

Also, the below paragraph:

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (1).

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

AWS
EXPERT
answered a year ago
EXPERT
reviewed 4 months ago
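As an added example (not part of either answer above, and not AWS's own sample code), the following Terraform configuration shows the weak setting beside the corrected one: a target group that forwards to EC2 over plaintext HTTP, and one that forwards over HTTPS so the ALB-to-target hop is TLS-encrypted as well. The VPC ID, subnet IDs, security group IDs, ACM certificate ARN, instance ID and health-check path are placeholder variables, not values from the original page.

```hcl
# Added example; all variable values are assumptions supplied by the reader.
variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "alb_security_group_ids" { type = list(string) }
variable "acm_certificate_arn" { type = string } # cert for the client-facing listener
variable "instance_id" { type = string }          # EC2 target running an HTTPS listener on 443

# Weak setting: TLS is terminated at the ALB, and the hop to the target is
# plaintext HTTP. Only the physical-layer encryption mentioned in the answer
# above protects this traffic.
resource "aws_lb_target_group" "plaintext" {
  name     = "app-http"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}

# Corrected setting: the target group speaks HTTPS to the instances, so the
# ALB-to-target hop is TLS-encrypted. The ALB does not validate the target's
# certificate, so a self-signed certificate on the instance is sufficient.
# The health check must also use HTTPS, or the target is marked unhealthy.
resource "aws_lb_target_group" "encrypted" {
  name     = "app-https"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/healthz" # assumed path on the application
    matcher  = "200"
  }
}

resource "aws_lb" "app" {
  name               = "app-alb"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
  security_groups    = var.alb_security_group_ids
}

# Client-facing listener: terminates TLS with an ACM certificate and forwards
# to the HTTPS target group, giving end-to-end encryption client -> ALB -> EC2.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.encrypted.arn
  }
}

# Register the instance on port 443; it must present a certificate of its own
# (self-signed is acceptable here, since the ALB does not validate it).
resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.encrypted.arn
  target_id        = var.instance_id
  port             = 443
}
```

The `plaintext` target group is included only for contrast; in a real deployment you would keep just the `encrypted` one and restrict the instance's security group to port 443 from the ALB's security group. Because the ALB skips certificate validation, the target-side certificate here provides confidentiality on the wire but not PKI-based authentication of the target; as the quoted documentation notes, AWS relies on packet-level authentication inside the VPC for that.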
