If I have an ALB in my infrastructure with ECS target groups downstream, will SSL/TLS always be terminated at the ALB?

If so, are my only options ELB/NLB to preserve the SSL/TLS context?

1 Answer

ALB always terminates https, but can create a new https session to your target servers if you set them up with certificates. Information here. Note that you can't use AWS Certificate Manager for servers, you need third party certificates.

If you want TLS terminated on the servers themselves, your best option is to use an NLB. ELBs are generally not used these days unless you have a very good reason; they're first gen.

Tim
  • A new session would satisfy my requirements. How do I create a new https session to my target group? – RustyShackleford Feb 14 '22 at 18:17
  • Answer edited. You set up your servers with https certificates and make sure the target group is set to use https – Tim Feb 14 '22 at 21:10
  • Why can't you use AWS cert manager? – RustyShackleford Feb 14 '22 at 23:12
  • It seems that the cert is not validated in the ALB, so it wouldn't be as secure as end to end mTLS. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration – RustyShackleford Feb 14 '22 at 23:17
  • I can never remember if self signed certs are ok, looks like they are. You can't use AWS Certificate Manager because it's not possible to export a private key to put on your instance. – Tim Feb 14 '22 at 23:26
  • Couldn't the server just do `acm:exportcertificate`, and that would return an exported file containing the certificate, the certificate chain, and the encrypted private key? @Tim – RustyShackleford Feb 15 '22 at 15:28
  • Seems like you can export cert/ca/private key from private CA, not public – RustyShackleford Feb 15 '22 at 16:09
  • Exactly, and a private CA costs about $600 per month from memory. For my personal servers I use Let's Encrypt certificates with certbot. Commercially I tend to use self signed certs unless there's a good reason to use Let's Encrypt / commercial / something else. – Tim Feb 15 '22 at 17:23
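The two setups discussed above (ALB terminating TLS and then re-encrypting to an HTTPS target group, versus an NLB passing TCP straight through so the containers terminate TLS) written out as Terraform. This is an added example, not code from the question or the answer; the resource names, the `/healthz` path and every variable value (VPC, subnets, cluster, task definition, ACM certificate ARN) are placeholders. As the comments note, the ALB does not validate the certificate presented by the target, so a self-signed certificate in the container works but this is not end-to-end mTLS; and because a public ACM certificate cannot be exported, the ACM certificate is only used on the ALB listener, never inside the task.

```hcl
# Added example (not from the original post): ALB terminate-and-re-encrypt
# vs. NLB TCP passthrough in front of an ECS service. All IDs are placeholders.

variable "vpc_id"       { type = string }
variable "subnet_ids"   { type = list(string) }
variable "acm_cert_arn" { type = string }   # public ACM cert; usable on the ALB only
variable "cluster_arn"  { type = string }
variable "task_def_arn" { type = string }

# --- Option 1: ALB terminates TLS, then opens a new TLS session to each target ---

resource "aws_lb" "app" {
  name               = "app-alb"
  load_balancer_type = "application"
  subnets            = var.subnet_ids
}

# Target group protocol HTTPS is what makes the ALB re-encrypt. The container
# must listen with TLS on 443 itself; a self-signed cert is accepted because the
# ALB does not validate the target's certificate (see the AWS docs linked above).
resource "aws_lb_target_group" "app_https" {
  name        = "app-tg-https"
  vpc_id      = var.vpc_id
  target_type = "ip"          # awsvpc networking for ECS/Fargate tasks
  protocol    = "HTTPS"
  port        = 443

  health_check {
    protocol = "HTTPS"
    path     = "/healthz"     # placeholder health endpoint
  }
}

resource "aws_lb_listener" "app_https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_cert_arn   # client-facing cert lives on the ALB

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_https.arn
  }
}

# --- Option 2: NLB passes TCP through; the container sees the client's TLS handshake ---

resource "aws_lb" "net" {
  name               = "app-nlb"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "app_tcp" {
  name        = "app-tg-tcp"
  vpc_id      = var.vpc_id
  target_type = "ip"
  protocol    = "TCP"
  port        = 443
}

resource "aws_lb_listener" "net_tcp" {
  load_balancer_arn = aws_lb.net.arn
  port              = 443
  protocol          = "TCP"    # no certificate here: TLS is terminated in the container

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app_tcp.arn
  }
}

# The ECS service registers its tasks into whichever target group you pick.
resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = var.cluster_arn
  task_definition = var.task_def_arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets = var.subnet_ids
  }

  load_balancer {
    # swap for aws_lb_target_group.app_tcp.arn to use the NLB passthrough path
    target_group_arn = aws_lb_target_group.app_https.arn
    container_name   = "app"   # placeholder container name from the task definition
    container_port   = 443
  }
}
```

The only line that changes the behaviour the question asks about is `protocol = "HTTPS"` on the ALB target group: with `"HTTP"` the ALB would forward plaintext inside the VPC, with `"HTTPS"` it opens a fresh TLS session per target. With the NLB, the listener and target group are both `TCP`, so the container's own certificate is what the client validates and there is no second hop to reason about.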