By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Off-loading and re-encrypting traffic on Application Load Balancer?

0

I have an Application Load Balancer (ALB), which TLS-offloads the HTTPS traffic (e.g. https://example.com), coming for the internet. After that, I need re-encrypt the traffic with our private-CA (e.g. https://example.org.local), before forwarding to the next hop, which is the VPC endpoints for the applications. Is it possible to do on an ALB? If not, what other option I have, using the AWS native services, to achieve this goal?

-S

1 Answer
0

Hello,

Short answer is yes, you can enable encryption between Load balancer and EC2 instances. Take a note of the statement I highlight from AWS documentation in the second paragraph, you don't need to worry about someone intercepting traffic between load balancer and EC2 instances.

Encryption in transit:

HTTPS and TLS traffic from clients terminates at the ELB, where the ELB performs the work of encrypting and decrypting the traffic instead of requiring each EC2 instance to handle TLS termination. For end-to-end encryption, you can use self-signed certificates generated on the EC2 instances to encrypt traffic between the ELB and EC2 instances. (1).

The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid (2).

Reference:

[1] https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html

[2] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

Additional resources on this topic:

Self-signed certificates can also be used for backend HTTPS between a load balancer and EC2 instances.

Reference: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html

How can I use the same SSL certificate for my Amazon EC2 instance and load balancer?

profile pictureAWS
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions