0
votes

I have an ec2 instance behind Application ELB in AWS. I want to apply SSL to both ec2 instance as well as loadbalancer. For ec2 instance i have purchased ssl and installed it and it is working fine. For load balancer i will be using the free AWS ACM certificate and installing it on load balancer. Will this have any issues? i.e. installing SSL on both places ec2 and elb.

2

2 Answers

2
votes

It will not have any issues but it does come with a caveat. The traffic in to the Application Load Balancer (ALB) will be encrypted and the ACM cert will be validated by the client. The traffic to the host from the ALB will also be encrypted but the certificate on the host will not be validated.

It looks like ALB Backend Authentication is on AWS's roadmap per the reference below. The reason given for it not being a priority is summarized in this quote from the AWS Engineer who wrote the first reference:

The role that server certificates play in TLS is to authenticate the server, so that it can’t be impersonated or MITM. ALBs run exclusively on our Amazon VPC network, a Software Defined Network where we encapsulate and authenticate traffic at the packet level.

The upside of this is you can use self-signed certs on your hosts to save money when using an ALB or ELB in front of them.

If you need to ensure the certificate on the host is valid you can use a Classic Elastic Load Balancer (ELB). See the reference for more details.

References

AWS ALB Validation TLS Reply

AWS ELB Configure Backend Authentication

0
votes

If you use SSl/TSL at ELB, it will handle the encryption/decryption of the HTTPS connections (freeing your EC2 instance's CPU to do other work).

If you use an HTTPS/SSL connection for your back end, you can enable authentication on the back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication, and to ensure that the back-end instance has the correct certificates.

Using SSL/TLS on both ELB and Backend can create problems since ELB HTTPS listener does not support Client-Side SSL certificates. I have considered that you are using a 2-way SSL (Mutual or Client Authentication)