
AWS NLB supports TLS termination https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/

NLB being a Layer 4 load balancer, I would expect it to work in a passthrough mode, directing the incoming packets to one of the backends without much state maintenance (except for flow tracking).

Are there any details available on how AWS implements TLS termination in NLB?

Is it possible to do it with open source tooling (like IPVS or HAProxy), or does AWS have some secret sauce here?

Manohar

2 Answers


The TLS termination itself is just what it says it is. TLS is a generic streaming protocol, just like TCP one level up, so you can unwrap it at the LB in a generic way. The magic is that they keep the IPs intact, probably with very fancy routing magic, but it seems unlikely AWS will tell you how they did it.

coderanger
  • If I had to guess, something to do with IP_TRANSPARENT and SO_ORIGINAL_DST. Like here: https://blog.cloudflare.com/how-we-built-spectrum/ – CppNoob Jul 17 '22 at 08:36

In my SO question here, I have an example of how to terminate a TCP session in HAProxy and pass the unencrypted traffic to a backend.

In short, you need to use ssl on the frontend bind line, and both the frontend and backend configurations need tcp mode. Here is an example of terminating on port 443 and forwarding to port 4567.

frontend tcp-proxy
  bind :443 ssl crt combined-cert-key.pem   # terminate TLS here; the PEM holds cert + key
  mode tcp
  default_backend bk_default

backend bk_default
  mode tcp                                  # forward the decrypted byte stream as plain TCP
  server server1 1.2.3.4:4567
John