AWS Network Load Balancer – Does It Decrypt Packets in TLS Termination Mode?

amazon-web-servicesnlb

Architecture:
client <– TLS –> AWS Network Load Balancer port:443 <– TLS –> backend server port:443

In the above architecture, TLS is terminated at the network load balancer (NLB).

Is TLS termination possible without decrypting packets?
If TLS is terminated on NLB, is there a new handshake between AWS NLB and the backend server?

Note that Backend server have its own SSL certificate different from one on the NLB.

Best Answer

TL;DR

NLB indeed has to decrypt the packets first and then re-encrypt before they are sent to the backend. And yes it does a new handshake with the server. NLB is kind of cheating because it spoofs the IP to look like it's the client talking to the backend directly. NLB looks transparent to the backend server.

However since you seem to be using HTTPS (guessing from port 443) you should use Application Load Balancer (ALB), not Network Load Balancer (NLB). NLB is meant for non-HTTP/non-HTTPS traffic, e.g. for DNS, SMTP, etc.

Hope that helps :)

Related Solutions

Nginx – Full end to end encryption with AWS Elastic Load Balancer, Nginx and SSL

Does having and unencrypted connection between the load balancer and nginx pose a security risk?

If talking about credit card data and stuff like this: Yes.

If the answer to 1 is yes, how would I setup nginx to allow the secure connections from the load balancer? Would this involve setting up an ssl certificate on each nginx server?

The nginx config is / would be fairly standard, nothing fancy.
Yes, you would need a ssl certificate on each machine running nginx. You could use one cert for this, you don't need necessarily multiple. Besides: Using Lets Encrypt it's now fairly easy and automated possible to get certs, free of charge.
If you send sensitive data between the ELB and your machines, make sure this / these link(s) is encrypted as well. How to do this is explained in the docs.

What would the nginx config look like if it needs to be different than a standard ssl setup where nginx is not behind a load balancer?

There isn't a major difference, as far as I know. If you need the client IP for whatever reason, put these lines into your nginx config:
```
real_ip_header X-Forwarded-For;
set_real_ip_from ${ip-of-your-elb}/${netmask-of-your-elb};
```

Bonus: Set up your "own ELB", using the great HAProxy for example. Going this way, you could take care of the encryption between the ELB and the backend machines yourself, using whatever seems / is appropriate: https, ssh tunnels, a VPN, ...

How to configure AWS load balancer to forward to external IP address

AWS Application Load Balancer’s Target Group can have either EC2 instance or IP address targets. In your case you need to use the IP address targets.

Here are the instructions: Application Load Balancing to IP Address

These addresses can be in the same VPC as the ALB, a peer VPC in the same region, on an EC2 instance connected to a VPC by way of ClassicLink, or on on-premises resources at the other end of a VPN connection or AWS Direct Connect connection.

Best Answer

Related Solutions

Nginx – Full end to end encryption with AWS Elastic Load Balancer, Nginx and SSL

How to configure AWS load balancer to forward to external IP address

Related Topic