
Architecture: client <-- TLS --> AWS Network Load Balancer port:443 <-- TLS --> backend server port:443

In the above architecture, TLS is terminated at the network load balancer (NLB).

  1. Is TLS termination possible without decrypting packets?
  2. If TLS is terminated on NLB, is there a new handshake between AWS NLB and the backend server?

Note that the backend server has its own SSL certificate, different from the one on the NLB.

1 Answer


TL;DR

  1. No
  2. Yes

NLB indeed has to decrypt the packets first and then re-encrypt before they are sent to the backend. And yes it does a new handshake with the server. NLB is kind of cheating because it spoofs the IP to look like it's the client talking to the backend directly. NLB looks transparent to the backend server.

However since you seem to be using HTTPS (guessing from port 443) you should use Application Load Balancer (ALB), not Network Load Balancer (NLB). NLB is meant for non-HTTP/non-HTTPS traffic, e.g. for DNS, SMTP, etc.

Hope that helps :)

  • Actually I was trying this so that the packet doesn't get decrypted anywhere while the client and backend server communicate. I wanted to use NLB as a router only. This is for PCI compliance. Any idea how this can be done? Commented Mar 13, 2020 at 14:39
  • @aaryan in that case don’t terminate TLS on the NLB and pass it through to the backend. It will have to have a valid SSL certificate of course (you can’t use ACM cert). Commented Mar 13, 2020 at 19:46
  • @aaryan on the other hand I believe that ALB is PCI compliant and you can use it to terminate TLS, provided that the path to the backend is also encrypted. Which it is in your case. We use ALB in PCI deployments and auditors have no problem with that. Commented Mar 13, 2020 at 19:50
  • ALB sounds good then. There is a slightly interesting problem here though: what if the backend server is owned by a 3rd party, so I can't install their certificates on my ALB? In that case, even if traffic passes to the client successfully, certificate validation fails, as the domain name for which the certificate was issued does not match the ALB's domain name. Commented Mar 13, 2020 at 20:39
  • NLBs are not just meant for non-HTTP/non-HTTPS traffic. API Gateway private integrations only work with NLBs, which expose HTTP/HTTPS resources within an Amazon VPC for access by clients outside of the VPC. docs.aws.amazon.com/apigateway/latest/developerguide/… Commented Sep 22, 2021 at 0:40
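The two NLB configurations discussed above (termination with re-encryption, and plain TCP passthrough) side by side in Terraform, as an added example that is not from the question, the answer or any AWS documentation; the ARNs, VPC id and names are placeholders.

```hcl
# Mode A: the NLB terminates TLS with its own (ACM) certificate and opens a
# second TLS session to each backend. The client's session ends at the NLB,
# so plaintext exists inside the NLB, and the backend sees a fresh handshake.
resource "aws_lb_target_group" "backend_tls" {
  name     = "backend-tls"
  port     = 443
  protocol = "TLS"   # re-encrypt NLB -> backend; the backend's own cert is used here
  vpc_id   = "vpc-PLACEHOLDER"
}

resource "aws_lb_listener" "nlb_terminate" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/net/PLACEHOLDER"
  port              = 443
  protocol          = "TLS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_tls.arn
  }
}

# Mode B: TCP passthrough. No certificate is attached to the listener, the NLB
# never holds a private key and forwards the TLS records unchanged, so the
# client completes its handshake directly against the backend's certificate
# (which therefore must be valid for the name the client connects to).
resource "aws_lb_target_group" "backend_tcp" {
  name     = "backend-tcp"
  port     = 443
  protocol = "TCP"
  vpc_id   = "vpc-PLACEHOLDER"
}

resource "aws_lb_listener" "nlb_passthrough" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/net/PLACEHOLDER"
  port              = 443
  protocol          = "TCP"   # no certificate_arn: there is nothing to terminate
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_tcp.arn
  }
}
```

In Mode A the NLB does not validate the backend's certificate on the second hop, so the NLB-to-backend leg relies on network controls (security groups, private subnets) rather than on certificate trust.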
