CODEWITHSUNDEEP
load-balancingnlb
Manohar
Manohar

Reputation: 3975

How is TLS termination implemented in AWS NLB?

AWS NLB supports TLS termination https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/

NLB being a Layer 4 load balancer I would expect it to work in a passthrough mode by directing the incoming packets to one of the backends without much of state maintenance (except for the flow tracking)

Are there any details available on how AWS implements the TLS termination in NLB ?

Is it possible to do it with open source tooling (like IPVS or haproxy) or AWS has some secret sauce here ?

Upvotes: 4

Views: 4999

Answers (2)

John
John

Reputation: 11921

In my SO question here, I have an example of how to terminate a TCP session in HAProxy and pass the unencrypted traffic to a backend.

In short, you need to use ssl in the frontend bind section and both frontend and backend configurations require use of tcp mode. Here is an example of terminating on port 443 and forwarding to port 4567.

frontend tcp-proxy
  bind :443 ssl crt combined-cert-key.pem
  mode tcp
  default_backend bk_default

backend bk_default
  mode tcp
  server server1 1.2.3.4:4567

Upvotes: 1

coderanger
coderanger

Reputation: 54267

The TLS termination itself is just what it says it is. TLS is a generic streaming protocol just like TCP one level up so you can unwrap it at the LB in a generic way. The magic is that they keep the IPs intact probably with very fancy routing magic, but it seems unlikely AWS will tell you how they did it.

Upvotes: 2

Related Questions