
Application Load Balancer ELBv2 SSL pass through


Introduction

Application Load Balancers, part of the Elastic Load Balancing (ELB) service provided by AWS, are crucial in distributing incoming application traffic across multiple targets, such as EC2 instances, containers, and IP addresses. While the default configuration terminates SSL connections at the load balancer, sometimes it's necessary to use SSL pass-through to ensure that end-to-end encryption is maintained for specific use cases, such as when backend servers require direct access to the encrypted traffic.

Understanding SSL Pass-Through

SSL Termination vs. SSL Pass-Through

  • SSL Termination occurs at the load balancer. The SSL/TLS handshake is completed by the load balancer, and traffic to the backend targets is in plain HTTP.
  • SSL Pass-Through allows encrypted traffic to pass through the load balancer without decrypting it. The SSL handshake and termination happen at the backend servers.

Use Cases for SSL Pass-Through

  • End-to-End Encryption: Ensures that the traffic remains encrypted until it reaches the backend servers, providing an additional security layer.
  • Client Certificate Authentication: When backend servers need to authenticate the client certificates for access control.
  • Regulatory Compliance: Certain compliance requirements may necessitate maintaining encryption across all network hops.

How It Works with ALB (ELBv2)

Application Load Balancers primarily operate in Layer 7 (the application layer of the OSI model), handling complex routing decisions based on HTTP/HTTPS traffic. However, for SSL pass-through, you'd typically consider using a Network Load Balancer (NLB) instead, as it operates at Layer 4 (transport layer) and is better suited for this purpose. Nevertheless, understanding the configuration in an ALB context is key.

Configuration Steps

Here’s a typical approach:

  1. Set Up Your ALB: Create an Application Load Balancer in your AWS account. In typical SSL termination, you'd upload your SSL certificates to the ALB. However, for SSL pass-through, this step is unnecessary.
  2. Backend Server Configuration: Ensure that your backend servers are configured to handle SSL termination. The servers must have the necessary SSL certificates installed and configured properly.
  3. Listener Configuration: Set up a listener for the ALB to forward the encrypted traffic. Point this listener to your backend targets that understand how to decrypt the traffic.
  4. Network ACLs and Security Groups: Adjust ACLs and security groups to allow SSL traffic from the load balancer to the backend servers.

Example Scenario

Imagine a web service that requires stringent end-to-end encryption for sensitive data. Using an ALB, configure a listener on port 443 (HTTPS) without SSL termination at the load balancer. The encrypted data passes to the backend EC2 instances, which have valid SSL certificates installed and configured to terminate the SSL traffic.
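For the configuration steps and the scenario above, the question a practitioner wants answered is whether a given ELBv2 listener actually hands the client's own TLS session to the backend or quietly terminates it. The following audit script is an added example, not code from the original article or from AWS; it assumes hand-constructed listener records in the shape of describe-listeners output (Protocol, Port, Certificates) plus the owning load balancer's Type and the target group protocol, with placeholder certificate ARNs, so it runs offline without boto3.

```python
from dataclasses import dataclass, field

PASS_THROUGH = "pass-through"  # client's TLS session reaches the target intact
TERMINATED = "terminated"      # load balancer holds the key and sees plaintext
PLAINTEXT = "plaintext"        # no TLS on the client-facing hop at all

@dataclass
class Listener:
    lb_name: str
    lb_type: str          # "application" (ALB) or "network" (NLB)
    protocol: str         # ALB: HTTP/HTTPS; NLB: TCP/TLS
    port: int
    target_protocol: str  # protocol of the target group it forwards to
    certificates: list = field(default_factory=list)  # certificate ARNs

def classify(lst: Listener) -> str:
    """How the client-facing hop handles TLS, judged from the listener alone."""
    proto = lst.protocol.upper()
    if lst.lb_type == "application":
        # An ALB is a layer-7 proxy: an HTTPS listener always completes the
        # handshake itself, so an ALB has no true pass-through mode.
        return TERMINATED if proto == "HTTPS" else PLAINTEXT
    if lst.lb_type == "network":
        # TLS listener: the NLB decrypts; TCP listener: layer-4 forwarding
        return TERMINATED if proto == "TLS" else PASS_THROUGH
    raise ValueError(f"unknown load balancer type {lst.lb_type!r}")

def audit(listeners) -> list:
    """(lb_name, port, finding) for each listener that is not end-to-end."""
    findings = []
    for lst in listeners:
        mode = classify(lst)
        if mode == PASS_THROUGH:
            continue
        if mode == PLAINTEXT:
            why = "no TLS between client and load balancer"
        elif lst.target_protocol.upper() in ("HTTPS", "TLS"):
            why = "LB decrypts, then re-encrypts to targets"  # hop-by-hop only
        else:
            why = "LB decrypts, forwards plaintext to targets"
        findings.append((lst.lb_name, lst.port, why))
    return findings

# Constructed sample, not real account data; certificate ARNs are placeholders.
SAMPLE = [
    Listener("web-alb", "application", "HTTPS", 443, "HTTP", ["arn:PLACEHOLDER"]),
    Listener("api-alb", "application", "HTTPS", 443, "HTTPS", ["arn:PLACEHOLDER"]),
    Listener("mtls-nlb", "network", "TCP", 443, "TCP"),
    Listener("legacy-nlb", "network", "TLS", 443, "TCP", ["arn:PLACEHOLDER"]),
]
```

Only the NLB with a TCP listener on 443 satisfies the end-to-end requirement of the scenario; the two ALB listeners and the NLB TLS listener all decrypt at the load balancer.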

Key Considerations

  • Performance Impact: Performing SSL decryption at the backend can increase CPU usage on target instances as opposed to offloading this work to the load balancer.
  • Certificate Management: Certificates must be managed on the backend rather than the load balancer, leading to potentially increased operational overhead.
  • Compatibility with AWS Services: ALB SSL pass-through might not directly support all AWS integrations (e.g., X-Forwarded-* headers commonly used for gathering client info may require termination at the load balancer).

Limitations and Challenges

  • Complexity: SSL pass-through requires a deeper understanding of security implications and backend configurations.
  • Logging and Monitoring: Since SSL termination occurs at the servers, logging and monitoring tools on the load balancer have no access to the decrypted traffic, which may hinder some forms of application analysis.

Comparison Table

Feature                    | SSL Termination at ALB     | SSL Pass-Through
---------------------------|----------------------------|-----------------------------------
SSL Decryption Load        | Offloaded to the ALB       | Handled by backend servers
End-to-End Encryption      | No                         | Yes
Client Certificate Support | Limited                    | Yes
Performance                | Potentially more efficient | More resource-intensive on backend
Configuration Complexity   | Relatively simple          | More involved

Conclusion

While the Application Load Balancer is a powerful tool within AWS's suite, SSL pass-through shifts some responsibilities to the backend servers. This method ensures that businesses meet their encryption and compliance needs, albeit with an increased need for monitoring and configuring backend resources effectively. As with all architectural decisions, understanding the trade-offs and aligning them with business needs and technical expertise is crucial.

By maintaining encryption across all hops, organizations achieve a higher level of protection for sensitive data in transit, albeit at a potential cost in performance and configuration complexity.
