
Architecture: client <-- TLS --> AWS Network Load Balancer port:443 <-- TLS --> backend server port:443

In the above architecture, TLS is terminated at the network load balancer (NLB).

  1. Is TLS termination possible without decrypting packets?
  2. If TLS is terminated on NLB, is there a new handshake between AWS NLB and the backend server?

Note that the backend server has its own SSL certificate, different from the one on the NLB.

aaryan

1 Answer

TL;DR

  1. No
  2. Yes

NLB indeed has to decrypt the packets first and then re-encrypt before they are sent to the backend. And yes it does a new handshake with the server. NLB is kind of cheating because it spoofs the IP to look like it's the client talking to the backend directly. NLB looks transparent to the backend server.

However since you seem to be using HTTPS (guessing from port 443) you should use Application Load Balancer (ALB), not Network Load Balancer (NLB). NLB is meant for non-HTTP/non-HTTPS traffic, e.g. for DNS, SMTP, etc.

Hope that helps :)

MLu
  • Actually I was trying this so that the packet doesn't get decrypted anywhere while the client and backend server communicate. I wanted to use NLB as a router only. This is for PCI compliance. Any idea how this can be done? – aaryan Mar 13 '20 at 14:39
  • @aaryan in that case don’t terminate TLS on the NLB and pass it through to the backend. It will have to have a valid SSL certificate of course (you can’t use ACM cert). – MLu Mar 13 '20 at 19:46
  • @aaryan on the other hand I believe that **ALB is PCI compliant** and you can use it to terminate TLS, provided that the path to the backend is also encrypted. Which it is in your case. We use ALB in PCI deployments and auditors have no problem with that. – MLu Mar 13 '20 at 19:50
  • ALB sounds good then. There is a slightly interesting problem here though: what if the backend server is owned by a 3rd party, so I can't install their certificates on my ALB? In that case, even if traffic passes to the client successfully, certificate validation fails, as the domain name for which the certificate was issued does not match the ALB's domain name. – aaryan Mar 13 '20 at 20:39
  • NLBs are not just meant for non-HTTP/non-HTTPS traffic. API Gateway private integrations only work with NLBs, which expose HTTP/HTTPS resources within an Amazon VPC for access by clients outside of the VPC. https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html – Krzysztof Czelusniak Sep 22 '21 at 00:40
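The two NLB configurations discussed in this thread side by side: the TLS-terminating listener from the question (NLB decrypts, then re-handshakes with the backend) and the TCP passthrough listener MLu recommends in the comments (NLB never holds plaintext). This is an added Terraform example, not from the original post or from AWS; the ARNs, VPC id and target group names are placeholders, and the two listeners are alternatives, since one NLB cannot have both on port 443.

```hcl
# Added example (not from the original post). Placeholder values throughout.
locals {
  nlb_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/net/NAME/ID" # placeholder
  vpc_id  = "vpc-PLACEHOLDER"
}

# Option A: TLS terminated on the NLB (the architecture in the question).
# The NLB decrypts with its own ACM certificate and then opens a second,
# separate TLS handshake to the backend (protocol "TLS" on the target group),
# so plaintext briefly exists inside the load balancer.
resource "aws_lb_target_group" "backend_tls" {
  name        = "backend-tls"
  port        = 443
  protocol    = "TLS"
  vpc_id      = local.vpc_id
  target_type = "instance"
}

resource "aws_lb_listener" "terminate" {
  load_balancer_arn = local.nlb_arn
  port              = 443
  protocol          = "TLS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_tls.arn
  }
}

# Option B: TCP passthrough (what the comments suggest for "no decryption
# anywhere"). No certificate on the NLB: the encrypted byte stream is relayed
# untouched, the handshake is end to end between client and backend, and the
# backend's certificate must be valid for the name the client connects to.
resource "aws_lb_target_group" "backend_tcp" {
  name               = "backend-tcp"
  port               = 443
  protocol           = "TCP"
  vpc_id             = local.vpc_id
  target_type        = "instance"
  preserve_client_ip = "true" # backend sees the real client IP, no X-Forwarded-For possible
}

resource "aws_lb_listener" "passthrough" {
  load_balancer_arn = local.nlb_arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_tcp.arn
  }
}
```

A quick way to tell which option is in effect from outside is to compare the certificate presented on the NLB's hostname with the one installed on the backend: with passthrough they are the same certificate, with termination the NLB's ACM certificate is shown instead.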