Ref: https://learn.cantrill.io/courses/1820301/lectures/41301447

• Summary:
• Contents:

AWS ELB - Paradigms for Handling SSL

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1500-HA_and_SCALING/00_LEARNINGAIDS/ELBListners.png

• ELBs can handle SSL-secure connections in 3 different ways (each has pros & cons):
  1. SSL Bridging (Default for ALBs)
  2. SSL Pass-through (NLBs)
  3. SSL Offload (ALBs)

ALB - SSL Bridging

• 🔧 Different SSL connections for client↔ALB and ALB↔backend
  • Connections decrypted/interrupted at ALB before proceeding to target
  • HTTPS listener → ALB paradigm (Default paradigm for ALBs)
• ALB requires SSL cert, performs crypto operations
  • 👍 L7 awareness → ALB can understand HTTP(S) & take actions
  • 👎 AWS has some level of access to the SSL cert → not a good fit for tight security environments where SSL certs should not be stored in the ELB
• Backend instances require SSL certs of their own, perform crypto operations
  • 👍 Whole communication uses HTTPS, increased security due to encryption
  • 👎 Instances spend compute in crypto ops
    • Significant & noticeable latency & costs overhead in high volume communications
  • 👎 Providing SSL certs to each instance is extra admin overhead
    • Noticeable when there's lots of instances

NLB - SSL Pass-through

• 🔧 One single & uninterrupted SSL connection between client↔backend
  • NLB passes client connection directly to target
  • TCP listener → NLB paradigm
• NLB does NOT need SSL cert, no decryption/encryption done
  • 👎 No L7 awareness → can't take actions based on HTTP(S)
  • 👍 AWS never sees the cert that you use → good fit for tight security environments
    • Can even use AWS CloudHSM appliance to store SSL cert more securely
• Backend instances require SSL certs of their own, perform crypto operations
  • 👍 Whole communication uses HTTPS, increased security due to encryption
  • 👎 Instances spend compute in crypto ops
    • Significant & noticeable latency & costs overhead in high volume communications
  • 👎 Providing SSL certs to each instance is extra admin overhead
    • Noticeable when there's lots of instances

ALB - SSL Offload

• 🔧 Encrypted client↔ALB connection + UNENCRYPTED ALB↔backend connection
  • Data travels encrypted over public internet, but in plaintext over AWS network
  • HTTPS listener → ALB paradigm (NOT default)
• ALB requires SSL cert, performs crypto operations
  • 👍 L7 awareness → ALB can understand HTTP(S) & take actions
  • 👎 AWS has some level of access to the SSL cert → not a good fit for tight security environments where SSL certs should not be stored in the ELB
• Backend instances do NOT need SSL certs, no decryption/encryption done
  • 👎 Least secure paradigm, as connection travels in plaintext over AWS NW
  • 👍 Instances don't perform crypto ops, can be smaller and/or more efficient
    • Lower latency and costs in high volume communications
  • 👍 Much less per-instance admin overhead than SSL Bridging (no SSL cert required)

ELB Paradigm for SSL - Summary Table