
Our application needs end-to-end SSL encryption, and here is the architecture:

Browser (HTTPS) -> AWS CloudFront (HTTPS) -> on-prem F5 load balancer (HTTPS) -> web server.

AWS CloudFront's origin points to the on-prem load balancer (F5). The on-prem load balancer is configured to do sticky sessions based on the SSL session ID (not the application session ID).

Since the AWS CloudFront domain name is mapped to a dynamic IP and the SSL handshake is done based on the edge location's IP, the SSL session ID changes even though the request comes from the same application session ID, which is causing session data loss for the user.

It's not an option for us to change the load balancer to do session affinity based on the application session ID, nor can we do SSL termination at the load balancer. Can someone please help me with how I can do session affinity in this scenario?


1 Answer


What you are attempting cannot be accomplished with Amazon CloudFront.

CloudFront is designed for performance, which means a single viewer connection can use multiple back-end connections in parallel and multiple viewers can also make sequential requests over a single back-end connection.

TLS through CloudFront is not end-to-end -- that would be impossible. CloudFront needs to decrypt and re-encrypt the traffic since it operates at the HTTP layer.
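To make the failure mode concrete, here is an added simulation (not part of the question or the answer, and not F5 or CloudFront code) of a persistence table keyed on the origin-facing TLS session ID versus one keyed on the application session cookie. The viewer sessions, edge connections and backend names are all constructed; the model assumes each CDN edge reuses its own origin connection regardless of which viewer it is serving, which is the behaviour the answer describes.

```python
"""Simulate sticky sessions behind a CDN that multiplexes viewers over its own
origin connections. Constructed model for illustration only."""
import itertools
from dataclasses import dataclass


@dataclass
class Request:
    app_session: str   # application session cookie (constant per viewer)
    tls_session: str   # TLS session ID of the CDN edge's origin connection


class StickyLB:
    """Round-robin load balancer with a persistence table keyed on either the
    TLS session ID ("tls") or the application session cookie ("app")."""

    def __init__(self, backends, key):
        self.key = key
        self.table = {}
        self._rr = itertools.cycle(backends)

    def route(self, req):
        k = req.tls_session if self.key == "tls" else req.app_session
        if k not in self.table:
            self.table[k] = next(self._rr)
        return self.table[k]


def cdn_requests(app_sessions, per_session, edge_tls_ids):
    """Constructed traffic: each viewer request leaves the CDN on whatever
    origin connection the handling edge has open, so the TLS session ID seen
    by the origin rotates while the app cookie stays the same."""
    return [Request(s, edge_tls_ids[(i + n) % len(edge_tls_ids)])
            for i in range(per_session)
            for n, s in enumerate(app_sessions)]


def count_backend_switches(lb, reqs):
    """Requests where an app session lands on a different backend than its
    previous request; each switch means server-side session state is lost."""
    last, switches = {}, 0
    for r in reqs:
        b = lb.route(r)
        if r.app_session in last and last[r.app_session] != b:
            switches += 1
        last[r.app_session] = b
    return switches


def run_comparison():
    reqs = cdn_requests(["sess-alice", "sess-bob"], 3, ["tls-1", "tls-2", "tls-3"])
    return {key: count_backend_switches(StickyLB(["web1", "web2"], key), reqs)
            for key in ("tls", "app")}
```

With three edge connections and two viewers, TLS-keyed persistence scatters the same application session across backends, while cookie-keyed persistence never switches.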