Behind the scene of a https web request at server side in Cloud

Question

I have read few posts about behind the scene of processing a web request which is a popular interview question too for SREs/DevOps. There are a lot of good explanation pages about the general flow of that : DNS resolution -> tcp connection -> SSL Connection -> HTTPS request -> Load Balancer -> Firewall ->webserver and from there request goes back.

But I could not find answer for some doubts behind the scene at server side specially for cloud. Like, what happens when request reaches to global load balancer ? Does it terminate the SSL there or it goes to internal load balancer (if configured ) and terminates there ? From there the request to particular VM is un-secure, where there are other vendors also hosting there VMs and internal Load balancer. Is the request protected via some ACLs/firewall or some internal VPC mechanism ?

I understand that we can re-encrypt or forward the encrypted traffic to webserver for better security but high resource cost. But what happens when we are not doing that ? I feel there would still be some other security mechanism used to avoid easy access.

Thanks in advance.

Answer 1

To long for a comment:

Interview questions like that are not science exams in school, with only a single correct answer and you shouldn’t expect to “pass” by just parroting answers found on random internet platforms. And usually you don’t “fail” for missing something that you have neither interest nor familiarity with (unless it is specific job requirement).

My colleague makes his own keyboards and would have been thrilled if you started your chain of events with the electric signals that are generated by a key press on your keyboard. I couldn’t care less.

If you were interviewing with me your answer is good enough to not be disqualified immediately (but then I don’t know enough either about for example the DNSSEC spec to immediately challenge you at the very first link in the chain of events you describe) but I would be triggered by your remark: ”encrypted traffic for better security but high resource cost” as that is said frequently and I personally have my doubts on the veracity of that claim.

With regards to security design and security trade-offs, the measures you want to design are a response to actual and perceived threats determined in a risk analysis and their cost-benefit ratio.
Those risks are not a universal truth (although some are very common), they differ from company to company, and often risks change based on measures already implemented.
In real life you will see common design patterns implemented differently based on different circumstances. How to implement load balancing and where to terminate TLS, is one of those things too. As a parting thought: ”Do you still need HTTPS when you’re using IPSEC?”