Application Load Balancer ELBv2 SSL pass through
Introduction
Application Load Balancers, part of the Elastic Load Balancing (ELB) service provided by AWS, distribute incoming application traffic across multiple targets such as EC2 instances, containers, and IP addresses. The default configuration terminates SSL connections at the load balancer, but some use cases require SSL pass-through so that end-to-end encryption is maintained, for example when the backend servers themselves must handle the encrypted traffic.
Understanding SSL Pass-Through
SSL Termination vs. SSL Pass-Through
- SSL Termination occurs at the load balancer. The SSL/TLS handshake is completed by the load balancer, and traffic to the backend targets is in plain HTTP.
- SSL Pass-Through allows encrypted traffic to pass through the load balancer without decrypting it. The SSL handshake and termination happen at the backend servers.
Use Cases for SSL Pass-Through
- End-to-End Encryption: Ensures that the traffic remains encrypted until it reaches the backend servers, providing an additional security layer.
- Client Certificate Authentication: When backend servers need to authenticate the client certificates for access control.
- Regulatory Compliance: Certain compliance requirements may necessitate maintaining encryption across all network hops.
How It Works with ALB (ELBv2)
Application Load Balancers operate at Layer 7 (the application layer of the OSI model), making routing decisions based on the content of HTTP/HTTPS requests. For SSL pass-through, the usual choice is therefore a Network Load Balancer (NLB), which operates at Layer 4 (the transport layer) and is better suited to forwarding encrypted connections unchanged. Understanding the configuration in an ALB context is nevertheless useful.
Configuration Steps
Here’s a typical approach:
- Set Up Your ALB: Create an Application Load Balancer in your AWS account. In typical SSL termination, you'd upload your SSL certificates to the ALB. However, for SSL pass-through, this step is unnecessary.
- Backend Server Configuration: Ensure that your backend servers are configured to handle SSL termination. The servers must have the necessary SSL certificates installed and configured properly.
- Listener Configuration: Set up a listener for the ALB to forward the encrypted traffic. Point this listener to your backend targets that understand how to decrypt the traffic.
- Network ACLs and Security Groups: Adjust ACLs and security groups to allow SSL traffic from the load balancer to the backend servers.
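As an added example (not code from the original article), here are the steps above expressed in Terraform, using the Network Load Balancer the article points to for pass-through: a TCP listener on 443 that forwards the encrypted bytes, a TCP target group, and the backend security-group rule from the last step. It assumes a configured aws provider; vpc_id and subnet_ids are placeholders, and target registration is left out.

```hcl
# Added example (not from the article): Terraform for a Network Load Balancer
# that passes TLS through untouched to backends that terminate it themselves.
# Assumes a configured aws provider; vpc_id and subnet_ids are placeholders.
variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }

# Layer-4 balancer: it forwards TCP bytes and never holds a private key.
resource "aws_lb" "passthrough" {
  name               = "tls-passthrough-nlb"
  load_balancer_type = "network"
  internal           = false
  subnets            = var.subnet_ids
}

# Backends terminate TLS, so the target group is plain TCP on 443
# (register the EC2 instances with aws_lb_target_group_attachment).
resource "aws_lb_target_group" "backend_443" {
  name        = "backend-tls-443"
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"
}

# The listener is TCP: no certificate_arn or ssl_policy. Switching protocol to
# "TLS" and adding certificate_arn would make the balancer terminate instead.
resource "aws_lb_listener" "tcp_443" {
  load_balancer_arn = aws_lb.passthrough.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend_443.arn
  }
}

# Backend security group for the last step. Instance targets behind an NLB see
# the original client IP, so ingress must admit the clients, not only the VPC range.
resource "aws_security_group" "backend" {
  name   = "backend-tls-ingress"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # tighten to known client ranges where possible
  }
}
```

Because the listener never sees inside the stream, the certificate clients are shown is the one installed on the backend instances, so rotation and expiry monitoring happen there rather than on the balancer.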
Example Scenario
Imagine a web service that requires stringent end-to-end encryption for sensitive data. Using an ALB, configure a listener on port 443 (HTTPS) without SSL termination at the load balancer. The encrypted data passes to the backend EC2 instances, which have valid SSL certificates installed and configured to terminate the SSL traffic.
Key Considerations
- Performance Impact: Performing SSL decryption at the backend can increase CPU usage on target instances as opposed to offloading this work to the load balancer.
- Certificate Management: Certificates must be managed on the backend rather than the load balancer, leading to potentially increased operational overhead.
- Compatibility with AWS Services: ALB SSL pass-through might not directly support all AWS integrations (e.g., X-Forwarded-* headers commonly used for gathering client info may require termination at the load balancer).
Limitations and Challenges
- Complexity: SSL pass-through requires a deeper understanding of security implications and backend configurations.
- Logging and Monitoring: Since SSL termination occurs at the servers, logging and monitoring tools on the load balancer have no access to the decrypted traffic, which may hinder some forms of application analysis.
Comparison Table
| Feature | SSL Termination at ALB | SSL Pass-Through |
|---|---|---|
| SSL Decryption Load | Offloaded to the ALB | Handled by backend servers |
| End-to-End Encryption | No | Yes |
| Client Certificate Support | Limited | Yes |
| Performance | Potentially more efficient | More resource-intensive on backend |
| Configuration Complexity | Relatively simple | More involved |
Conclusion
While the Application Load Balancer is a powerful tool within AWS's suite, SSL pass-through shifts some responsibilities to the backend servers. This method ensures that businesses meet their encryption and compliance needs, albeit with an increased need for monitoring and configuring backend resources effectively. As with all architectural decisions, understanding the trade-offs and aligning them with business needs and technical expertise is crucial.
By maintaining encryption across all layers, organizations achieve higher security levels for transmission-sensitive data, albeit at a potential cost to performance and configuration complexity.
Additional Resources
- AWS Documentation on Elastic Load Balancing
- Understanding Network Load Balancer for SSL Pass-Through
- Tutorials and technical deep dives on AWS re:Invent for Application Load Balancer usage in complex architectures.