ELBs

• ELBs provides security policies that have predefined SSL negotiation configurations to use to negotiate SSL connections between clients and your load balancer.

  • If you are using the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies, or use your own custom security policy.

• If you create an HTTPS/SSL listener without associating a security policy, ELBs associate the default predefined security policy, ELBSecurityPolicy-2016-08, with your load balancer.

• When you use TCP for both front-end and back-end connections, your load balancer forwards the request to the back-end instances without modifying the headers.

  • After your load balancer receives the request, it attempts to open a TCP connection to the back-end instance on the port specified in the listener configuration.

• Because load balancers intercept traffic between clients and your back-end instances, the access logs for your back-end instance contain the IP address of the load balancer instead of the originating client.

  • You can enable Proxy Protocol, which adds a header with the connection information of the client, such as the source IP address, destination IP address, and port numbers.

    • The header is then sent to the back-end instance as a part of the request.

• Take note that ALBs do NOT support SSL renegotiation for client or target connections.

  • It is not capable of re-negotiating or re-spawning an SSL connection between the load balancer and the target EC2 instances.