1 Answer
You are correct - TLS listeners on Network Load Balancers cannot forward to ALB-type target groups.
Also, you probably know this, but adding it here:
Q: Can AWS Network Firewall inspect encrypted traffic?
AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.
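As an added audit check (not code from this thread or from AWS), the script below scans data shaped like the ELBv2 describe_listeners / describe_target_groups responses and flags the combination ruled out above: an NLB TLS listener forwarding to a target group of type "alb". The ARNs and dicts are constructed sample data; swap in real boto3 output to run it against an account.

```python
"""Flag NLB TLS listeners that forward to ALB-type target groups.

Input dicts mirror the shape of ELBv2 describe_listeners and
describe_target_groups responses; the samples below are constructed so
the check runs offline.
"""

# Constructed sample ARNs (111122223333 is a documentation account ID).
TG_ALB = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/tg-alb/aaaa"
TG_IP = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/tg-ip/bbbb"
LSN_443 = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/nlb-1/cccc/1111"
LSN_8443 = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/nlb-1/cccc/2222"

SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": TG_ALB, "TargetType": "alb", "Protocol": "TCP"},
    {"TargetGroupArn": TG_IP, "TargetType": "ip", "Protocol": "TCP"},
]
SAMPLE_LISTENERS = [
    # TLS listener -> ALB-type target group: the unsupported combination.
    {"ListenerArn": LSN_443, "Protocol": "TLS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG_ALB}]},
    # TLS listener -> IP target group (TLS terminated on the NLB): supported.
    {"ListenerArn": LSN_8443, "Protocol": "TLS", "Port": 8443,
     "DefaultActions": [{"Type": "forward",
                         "ForwardConfig": {"TargetGroups": [{"TargetGroupArn": TG_IP}]}}]},
]


def forwarded_target_groups(listener):
    """Collect every target group ARN a listener's forward actions reference,
    whether given directly or inside a ForwardConfig."""
    arns = []
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "forward":
            continue
        if "TargetGroupArn" in action:
            arns.append(action["TargetGroupArn"])
        for tg in action.get("ForwardConfig", {}).get("TargetGroups", []):
            arns.append(tg["TargetGroupArn"])
    return arns


def find_unsupported_tls_to_alb(listeners, target_groups):
    """Return (listener_arn, target_group_arn) pairs where a TLS listener
    forwards to a target group whose TargetType is 'alb'."""
    tg_type = {tg["TargetGroupArn"]: tg["TargetType"] for tg in target_groups}
    findings = []
    for listener in listeners:
        if listener.get("Protocol") != "TLS":
            continue
        for arn in forwarded_target_groups(listener):
            if tg_type.get(arn) == "alb":
                findings.append((listener["ListenerArn"], arn))
    return findings


if __name__ == "__main__":
    for lsn, tg in find_unsupported_tls_to_alb(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS):
        print(f"unsupported: TLS listener {lsn} -> ALB target group {tg}")
```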
Thanks @Tushar_J for getting back to me. That's exactly the reason I'm off-loading TLS either on the NLB (ref. 1st connection flow) or on the ALB1 (ref. 2nd connection flow). So, you are saying I have no other way to avoid using 2x ALBs in my scenario - the 1st one for TLS off-loading and the 2nd for routing the traffic to the appropriate VPC endpoints, if I also want NFW to do DPI?
I would suggest going through this blog to see which design pattern suits your needs: https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/