
I have a secure web API in the AWS cloud and I'm trying to figure out the best way to put it behind a load balancer without compromising security.

Right now, all communications are conventionally encrypted end-to-end. The API server has a Let's Encrypt certificate, which is used to treat all messages exchanged with clients. Unless the encryption is broken, nobody besides the server and its clients can view the raw contents of messages.

If I start using a load balancer and allow multiple instances of my server to run concurrently, I'll have to give up on LE and use centralized certificate management (e.g. ACM). AWS conveniently supports linking ACM-generated certificates to load balancer HTTPS listeners. This is especially useful for automatic renewal. However, the load balancer would then remove the encryption layer, and all communications with the instances of my server would be decrypted from that point on.

I'm not too comfortable having my raw data traveling in a public cloud. Still, I'd welcome a second opinion on this.

My question therefore is: Is it considered secure to have the load balancer strip the HTTPS encryption layer and forward all traffic as HTTP to internal server instances?

Since I can guess the answer, I would appreciate any suggestions on how to deploy load balancing securely.

Petr Mánek
  • The answer comes down to whether the AWS networking infrastructure creates an actual _private_ network, and strangers on the Internet can't answer this for you. Amazon certainly says yes, but that may just mean that a vulnerability hasn't been found yet. – kdgregory Aug 12 '18 at 11:47
  • The phrase "public cloud" isn't an entirely fair description of the VPC network environment. What is the nature of the threat you are concerned about? If the answer to that question seems entirely too obvious, then you might be operating under some incorrect assumptions about the underlying network. – Michael - sqlbot Aug 12 '18 at 15:03
  • My question follows from the basic assumption that any network infrastructure should be considered insecure unless specific steps are taken to secure it. In this scenario, the most likely threat I can imagine is having a third party intercept or exploit (by e.g. MITM attack) unprotected communication between the load balancer and server instances in the target group. – Petr Mánek Aug 12 '18 at 15:19
  • Are you planning on using an application or classic ELB? – kenlukas Aug 13 '18 at 01:34
  • If you are concerned about end-to-end encryption, use Layer 4 listeners on your load balancer. – John Hanley Aug 13 '18 at 05:10
  • @kenlukas Application Load Balancer – Petr Mánek Aug 13 '18 at 09:20
  • @PetrMánek In my case, I had an ALB and Docker containers registered under a TargetGroup of the ALB (with ECS). The ALB was kind of sending traffic to containers over HTTP. We had to change containers to listen over HTTPS later. It was kind of hard to bring up containers with hard-coded certs, and later I changed the docker entrypoint to download certs at run-time from ACM and initialize. – Imran Aug 13 '18 at 17:48

1 Answer


I consider it secure because each AWS VPC is isolated from another.

The traffic of one VPC cannot be captured in another VPC. Of course whether AWS VPC technology is secure remains to be seen as others have said.

Also check out the documentation from EBS about secure end-to-end encryption. It says that:

Terminating secure connections at the load balancer and using HTTP on the backend may be sufficient for your application. Network traffic between AWS resources cannot be listened to by instances that are not part of the connection, even if they are running under the same account.

sihaya
  • Wow, that article is exactly what I needed. It even gives advice as to when one would want to use full E2E encryption: regulatory requirements. – carlin.scott Nov 30 '21 at 20:09