
I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end-to-end SSL/HTTPS encryption for my application.

It seems to me the simplest way to ensure that traffic is encrypted the entire way between clients and the web servers is to terminate the HTTPS connection on the web servers.

My first question: Is it possible to pass HTTPS traffic through an AWS Application Load Balancer to the web servers behind the load balancer in this manner?

From what I've gathered from the AWS documentation, it is possible to pass traffic through in this manner with a Classic Load Balancer (via TCP pass through). However, the Application Load Balancer looks like it wants to terminate the HTTPS connection itself, and then do one of the following:

  • send traffic to the web servers unencrypted, which I can't do for compliance reasons
  • create a new HTTPS connection to the web servers, which seems like extra work load

My second question: is that understanding of the documentation correct?

John R
  • I haven't tried this with AWS, but I use HaProxy for my production servers to pass through SSL/HTTPS to Nginx. – Lance Badger Feb 03 '17 at 15:31
  • I am not sure if `send traffic to the web servers unencrypted` is what is happening. I would start with https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/ or http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html Hope this helps – Muqeet Khan Feb 03 '17 at 16:06
  • @MuqeetKhan that is exactly what is happening if you terminate SSL at the load balancer and don't have an SSL certificate installed on the web server. If there is no SSL certificate on the web server how could the traffic between the load balancer and the server possibly be encrypted? – Mark B Feb 03 '17 at 16:08
  • @John R can you please share that how you have achieved that – Arbab Nazar Feb 20 '18 at 19:48
  • @ArbabNazar to the best of my recollection (this was a year ago and I'm at a different job now) I did this using a Classic Load Balancer with a TCP pass through. Then you terminate the HTTPS connection on the web servers that lie behind the load balancer. I did not use an Application Load Balancer. – John R Feb 22 '18 at 02:40
  • See https://stackoverflow.com/questions/54997493/elb-to-backend-server-using-https-with-self-signed-certificate/55274301#55274301 – Charles L. Mar 21 '19 at 05:32
  • https://avinetworks.com/glossary/ssl-passthrough/ – Pedro Gabriel Lima Aug 06 '20 at 00:26

1 Answer


Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.

If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.

I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.

Mark B
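The answer's requirement is that the ALB both terminates the client's TLS and re-encrypts to a target group whose protocol is HTTPS. As an added example (not code from the question or from Mark B's answer), the check below walks listener and target-group descriptions in the shape of the `aws elbv2 describe-listeners` / `describe-target-groups` output, built here from constructed sample data with placeholder ARNs, and reports every HTTPS listener whose default forward action lands on a plain-HTTP target group, which is the "send traffic to the web servers unencrypted" hop the question needs to rule out. It looks at default actions only, not additional listener rules.

```python
from typing import Dict, List

# Constructed sample data in the shape of `aws elbv2 describe-listeners` and
# `aws elbv2 describe-target-groups` output; the ARNs are placeholders.
LISTENERS: List[Dict] = [
    {"ListenerArn": "arn:EXAMPLE:listener/web/443", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:EXAMPLE:targetgroup/web-http"}]},
    {"ListenerArn": "arn:EXAMPLE:listener/api/443", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "ForwardConfig": {"TargetGroups": [
         {"TargetGroupArn": "arn:EXAMPLE:targetgroup/api-https", "Weight": 1}]}}]},
    {"ListenerArn": "arn:EXAMPLE:listener/web/80", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
]
TARGET_GROUPS: List[Dict] = [
    {"TargetGroupArn": "arn:EXAMPLE:targetgroup/web-http", "Protocol": "HTTP", "Port": 80},
    {"TargetGroupArn": "arn:EXAMPLE:targetgroup/api-https", "Protocol": "HTTPS", "Port": 443},
]


def forwarded_target_groups(action: Dict) -> List[str]:
    """Target group ARNs a forward action can send a request to, covering both
    the single-target form and the weighted ForwardConfig form."""
    if action.get("Type") != "forward":
        return []  # redirect / fixed-response actions never reach a backend
    if "ForwardConfig" in action:
        return [t["TargetGroupArn"] for t in action["ForwardConfig"]["TargetGroups"]]
    return [action["TargetGroupArn"]]


def plaintext_backend_hops(listeners: List[Dict], target_groups: List[Dict]) -> List[Dict]:
    """One finding per HTTPS listener -> target group pair where the ALB
    decrypts the client's TLS and then forwards over plain HTTP, i.e. the
    hop that breaks end-to-end encryption. A forward to an unknown target
    group is reported too, since its protocol cannot be verified."""
    tg_by_arn = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings = []
    for lst in listeners:
        if lst["Protocol"] != "HTTPS":
            continue
        for action in lst["DefaultActions"]:
            for tg_arn in forwarded_target_groups(action):
                tg = tg_by_arn.get(tg_arn)
                if tg is None or tg["Protocol"] != "HTTPS":
                    findings.append({"listener": lst["ListenerArn"], "target_group": tg_arn,
                                     "backend_protocol": tg["Protocol"] if tg else "unknown"})
    return findings


if __name__ == "__main__":
    for f in plaintext_backend_hops(LISTENERS, TARGET_GROUPS):
        print(f"{f['listener']} forwards decrypted traffic to {f['target_group']} "
              f"over {f['backend_protocol']}")
```

A target group protocol of HTTPS is the only thing this check can confirm; as the thread notes, the ALB does not validate the backend certificate, so a self-signed certificate on the web servers is accepted and nothing here can vouch for it.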
  • Yes, I need end-to-end encryption for compliance reasons. – John R Feb 03 '17 at 15:59
  • AWS have since released the Network Load Balancer which is TCP through the load balancer up to the instance/group/ip so you can use nginx or whatever with SSL on the instance and should be a bit quicker too =) – pauricthelodger Feb 22 '18 at 16:28
  • This article also suggests NLBs for this purpose. https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/ – Elijah Lynn May 14 '19 at 00:18
  • NLBs are a poor substitute for ALBs though, no warmup, no sticky sessions, slower rolling deploy times, restrictive health check settings, excessive health checks issued... – Adrian Baker Jul 27 '19 at 02:56
  • @AdrianBaker I agree and would add to your list no path based routing, and no SSL redirect support at the load balancer. I would only choose NLB over ALB for non-HTTP traffic. – Mark B Jul 27 '19 at 13:32
  • Is using a cloud computing service outside of AWS a compelling reason to go through the hassle of setting it up? ALB has some amazing features that other cloud providers' load balancers don't have, so I can vaguely imagine a use case of e.g. wanting to leverage those features to go from AWS ALB --> DigitalOcean k8s. – samstav Aug 23 '19 at 02:32
  • @samstav I believe ALB will only work with EC2, ECS and Lambda targets. NLB will work with IP address targets, so that would be a reason to use NLB, however running a load balancer in a different data center from your servers is going to introduce a lot of latency. I would try to stick with DigitalOcean load balancers if I was using DO servers. – Mark B Aug 23 '19 at 12:22
  • "you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers".. Is there any documentation on how to achieve this? All my searches lead me to end-to-end encryption using classic load balancer but not ALB – Vishal Oct 17 '21 at 10:38
  • @Vishal there's no difference in the method of doing this for classic load balancer or other load balancers. Installing an SSL certificate on your server is the same regardless of the type of load balancer. – Mark B Oct 17 '21 at 13:43
  • Thanks @Mark B. Probably I wasn't clear in my question. I was referring to something like the backend authentication using self signed certificate using classic LB as shown here https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#config-backend-auth where the LB will communicate with server only if the cert matches. I wanted to know how to do similar stuff with ALB – Vishal Oct 17 '21 at 13:54
  • @Vishal that feature is only available on classic load balancers at this time. ALBs and NLBs do not support validation of backend certificates currently. – Mark B Oct 17 '21 at 13:57