Scope of encryption when running ECS on Nitro instances


If I have an ECS cluster running a single service with an ALB in front of that service, am I right in thinking that if the whole cluster is running on Nitro instances, the section of network between the ALB and an instance within a target group would NOT be encrypted?

The Nitro encryption only works between instances in the cluster and not between the ALB and an instance? Multiple services in a cluster would need to be using e.g. service discovery and going point to point between themselves rather than via an ALB in order to benefit from the network-level Nitro encryption?

2 Answers

Answering my own question here. From the following doc:

See the "Encryption between instances" section.

"The instances are in the same VPC or peered VPCs, and the traffic does not pass through a virtual network device or service, such as a load balancer or a transit gateway."

answered 2 years ago


See below from the documentation

Using Nitro instances:

By default, traffic is automatically encrypted between the following Nitro instance types: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n. Traffic isn't encrypted when it's routed through a transit gateway, load balancer, or similar intermediary.

The same link talks about some of the ways to achieve encryption in transit for various scenarios.

answered 2 years ago
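Both answers quote the same rule: Nitro inter-instance encryption applies only when both endpoints are listed instance types, in the same or a peered VPC, with no load balancer, transit gateway or similar device on the path. As an added illustration (not code from either answer, nor from AWS), the following Python applies that rule to a small constructed ECS topology and labels each segment as covered by Nitro encryption, covered by application-layer TLS (an HTTPS target group), or cleartext. The instance family list is the one quoted above; matching families by prefix (so g4dn.* counts as G4), ignoring families added since the answers were written, and the sample topology itself are assumptions of this example.

```python
"""Classify each network segment of a small ECS deployment as Nitro-encrypted,
TLS-encrypted, or cleartext, applying the rule quoted in the answers above.

Added illustration only; not code from the original post or from AWS.
Assumptions: the qualifying families are exactly the ones quoted on this page
(newer families are not considered), matched by prefix so g4dn.* counts as G4.
"""
from dataclasses import dataclass
from typing import Union

# Families the page quotes as encrypting traffic between each other.
NITRO_ENCRYPTING_FAMILIES = ("c5n", "g4", "i3en", "m5dn", "m5n", "p3dn", "r5dn", "r5n")


@dataclass(frozen=True)
class Instance:
    name: str
    instance_type: str  # e.g. "m5n.large"
    vpc: str


@dataclass(frozen=True)
class Intermediary:
    """A virtual network device or service on the path: ALB, transit gateway, ..."""
    name: str
    kind: str


Node = Union[Instance, Intermediary]


@dataclass(frozen=True)
class Segment:
    src: Node
    dst: Node
    tls: bool = False  # application-layer TLS on this segment (e.g. HTTPS target group)


def family_qualifies(instance_type: str) -> bool:
    """True if the type's family is one of the quoted families (prefix match, assumption)."""
    family = instance_type.split(".")[0].lower()
    return any(family.startswith(f) for f in NITRO_ENCRYPTING_FAMILIES)


def nitro_encrypted(seg: Segment, peered_vpcs: frozenset = frozenset()) -> bool:
    """True only when every documented condition holds for this segment."""
    if not (isinstance(seg.src, Instance) and isinstance(seg.dst, Instance)):
        return False  # an ALB/TGW on either end: traffic passes through a virtual network device
    if not (family_qualifies(seg.src.instance_type) and family_qualifies(seg.dst.instance_type)):
        return False
    if seg.src.vpc == seg.dst.vpc:
        return True
    return frozenset({seg.src.vpc, seg.dst.vpc}) in peered_vpcs  # peered VPCs still qualify


def classify(seg: Segment, peered_vpcs: frozenset = frozenset()) -> str:
    if seg.tls:
        return "tls"       # encrypted at the application layer regardless of instance type
    if nitro_encrypted(seg, peered_vpcs):
        return "nitro"     # encrypted by the Nitro hardware, nothing to configure
    return "cleartext"     # neither mechanism applies: this hop is unencrypted


def audit(segments, peered_vpcs: frozenset = frozenset()) -> dict:
    """Map 'src->dst' to its classification for every segment."""
    return {f"{s.src.name}->{s.dst.name}": classify(s, peered_vpcs) for s in segments}


def example_topology():
    """Constructed sample (assumption): one ALB, m5n hosts in vpc-a, a c5 host,
    a peered vpc-b, and a vpc-c reached only through a transit gateway."""
    alb = Intermediary("alb", "load_balancer")
    tgw = Intermediary("tgw", "transit_gateway")
    web1 = Instance("web1", "m5n.large", "vpc-a")
    web2 = Instance("web2", "m5n.large", "vpc-a")
    legacy = Instance("legacy", "c5.large", "vpc-a")
    peer = Instance("peer", "c5n.large", "vpc-b")
    remote = Instance("remote", "r5n.large", "vpc-c")
    peered = frozenset({frozenset({"vpc-a", "vpc-b"})})
    segments = [
        Segment(alb, web1),                         # HTTP target group: the case in the question
        Segment(alb, web2, tls=True),               # HTTPS target group
        Segment(web1, web2),                        # service discovery, point to point
        Segment(web1, legacy),                      # one end is not a listed family
        Segment(web1, peer),                        # peered VPC, both ends listed
        Segment(web1, tgw), Segment(tgw, remote),   # crosses a transit gateway
    ]
    return segments, peered


if __name__ == "__main__":
    segs, peered = example_topology()
    for hop, status in audit(segs, peered).items():
        print(f"{hop:15} {status}")
```

Only the `alb->web2` segment, which uses an HTTPS target group, is encrypted on the load balancer side; the question's ALB-to-HTTP-target segment comes out as cleartext, while the point-to-point task-to-task segment between listed instance types in the same (or a peered) VPC is covered by Nitro without any configuration.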

