Encrypted traffic from network load-balancer to Application load-balancer via Newwork firewall
Hi there,
I'm trying to replace my ha-proxy functionality by the AWS native services and my plan is use :
NLB ---|Network Firewall (NFW)|--->ALB (with WAF)---> appVPC endpoint
I know NLB now can offload TLS but can it send it (the unencrypted traffic) to an ALB for the NFW to do the traffic inspection? The new alb-type target-group needs to be used for the NLB to forward the traffic to an ALB and looks like a TLS listener cannot be used for that? Otherwise I think I have to use two ALBs, like this:
NLB ---> ALB1(+WAF)---|Network Firewall (NFW)|--->ALB2---> appVPC endpoint
which I'm trying to avoid. Is it possible to achieve my goal with a single ALB?
-S
- 最新
- 投票最多
- 评论最多
You are correct - TLS listeners on Network Load Balancers cannot forward to ALB-type target groups
Also you probably know this but adding here:
Q: Can AWS Network Firewall inspect encrypted traffic?
AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前
thanks @Tushar_J for getting back to me. That's exactly the reason I'm off-loading TLS either on NLB (ref. 1st connection-flow) or on the ALB1 (ref. 2nd connection-flow). So, you are saying I have no other way to avoid using 2x ALBs in my scenario - 1st one for TLS off-loading and 2nd for route the traffic to the appropriate VPC endpoints, if I also want NFW to do DPI?
I would suggest going through this blog to see which design pattern suites your needs: https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/