By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Encrypted traffic from network load-balancer to Application load-balancer via Newwork firewall

0

Hi there,

I'm trying to replace my ha-proxy functionality by the AWS native services and my plan is use :

NLB ---|Network Firewall (NFW)|--->ALB (with WAF)---> appVPC endpoint

I know NLB now can offload TLS but can it send it (the unencrypted traffic) to an ALB for the NFW to do the traffic inspection? The new alb-type target-group needs to be used for the NLB to forward the traffic to an ALB and looks like a TLS listener cannot be used for that? Otherwise I think I have to use two ALBs, like this:

NLB ---> ALB1(+WAF)---|Network Firewall (NFW)|--->ALB2---> appVPC endpoint

which I'm trying to avoid. Is it possible to achieve my goal with a single ALB?

-S

1 Answer
0

You are correct - TLS listeners on Network Load Balancers cannot forward to ALB-type target groups

Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

Also you probably know this but adding here:

Q: Can AWS Network Firewall inspect encrypted traffic?

AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.

profile pictureAWS
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions