ELBs

  • ELB provides security policies: predefined SSL negotiation configurations that determine which protocols and ciphers the load balancer accepts when negotiating SSL/TLS connections between clients and your load balancer.

    • If you use the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies or create your own custom security policy.

  • If you create an HTTPS/SSL listener without associating a security policy, ELB associates the default predefined security policy, ELBSecurityPolicy-2016-08, with your load balancer.

    • Note that this default still accepts TLS 1.0 and TLS 1.1 in addition to TLS 1.2. If you need TLS 1.2 only, choose the predefined ELBSecurityPolicy-TLS-1-2-2017-01 (or an equivalent custom policy) instead of relying on the default.

  • When you use TCP for both front-end and back-end connections, your load balancer forwards the request to the back-end instances without inspecting or modifying the headers.

    • After your load balancer receives the request, it attempts to open a TCP connection to the back-end instance on the instance port specified in the listener configuration.

  • Because the load balancer terminates the client's TCP connection and opens its own connection to the back-end instance, the access logs on your back-end instance record the IP address of the load balancer instead of the originating client.

    • You can enable Proxy Protocol, which prepends a header carrying the connection information of the client: the source IP address, destination IP address, and port numbers. Classic Load Balancers send Proxy Protocol version 1, a single human-readable line.

      • The header is sent to the back-end instance as the first bytes of the connection, ahead of the request data, so the application on the instance must be able to parse it. Enable it only for instances that expect the header (otherwise it corrupts the protocol), and have the application trust the header only on connections that actually come from the load balancer, since any peer that can reach the instance directly could write a fake one.

  • Take note that ALBs do NOT support SSL renegotiation for client or target connections.

    • The load balancer will not renegotiate or re-establish an SSL session on an existing connection, either with the client or between the load balancer and the target EC2 instances.
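
As an added example (not part of the original notes), the following back-end parser recovers the client address from the Proxy Protocol version 1 line that a Classic Load Balancer prepends when Proxy Protocol is enabled on a TCP listener, which is the situation the Proxy Protocol item above describes. The header is believed only when the TCP peer is in a load balancer subnet, so a client that reaches the instance directly cannot forge its source address. The `10.0.0.0/16` range, the peer addresses and the sample bytes are assumptions constructed for the example.

```python
import ipaddress

# Proxy Protocol version 1 (the version a Classic Load Balancer emits when the
# feature is enabled) is one ASCII line prepended to the TCP stream, e.g.
#   PROXY TCP4 198.51.100.22 10.0.1.5 54321 443\r\n
# followed immediately by the client's own bytes.
MAX_V1_LINE = 107  # spec maximum for the line including CRLF

# Assumption for the example: the VPC subnets the load balancer nodes live in.
# A PROXY line arriving from any other peer is attacker-controlled data.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/16")]


def parse_proxy_v1(stream: bytes):
    """Split a Proxy Protocol v1 line off the front of `stream`.

    Returns (info, payload); info is None when the stream has no header.
    Raises ValueError for a malformed header instead of guessing."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("PROXY line without CRLF inside 107 bytes")
    line = stream[:end].decode("ascii")
    payload = stream[end + 2:]
    fields = line.split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # The proxy could not classify the connection; no addresses are given.
        return {"proto": "UNKNOWN"}, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    _, proto, src, dst, sport, dport = fields
    addr = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError(f"non-numeric port in PROXY line: {line!r}")
    sport_i, dport_i = int(sport), int(dport)
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ValueError(f"port out of range in PROXY line: {line!r}")
    try:
        info = {"proto": proto, "src": addr(src), "dst": addr(dst),
                "sport": sport_i, "dport": dport_i}
    except ipaddress.AddressValueError as e:
        raise ValueError(f"bad address in PROXY line: {line!r}") from e
    return info, payload


def client_ip(peer: str, stream: bytes):
    """Return (client_ip_to_log, payload) for a connection from `peer`.

    The PROXY line is honoured only when the TCP peer is one of the load
    balancer's networks; otherwise the bytes are left untouched as application
    data, so a direct-connecting client cannot spoof its source address."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in TRUSTED_PROXY_NETS):
        return str(peer_ip), stream
    info, payload = parse_proxy_v1(stream)
    if info is None or info["proto"] == "UNKNOWN":
        return str(peer_ip), payload  # nothing better than the LB address
    return str(info["src"]), payload


# Constructed sample: the bytes a back-end instance would read from a
# connection arriving via a Classic Load Balancer with Proxy Protocol on.
SAMPLE = (b"PROXY TCP4 198.51.100.22 10.0.1.5 54321 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    ip, body = client_ip("10.0.1.5", SAMPLE)
    print(ip, body.split(b"\r\n", 1)[0])
```

In a real server the first read may not yet contain the whole line, so buffer until a CRLF arrives (or 107 bytes have been read) before calling `parse_proxy_v1`; and restrict the instance's security group so that only the load balancer can reach the listener port, which makes the peer check a second layer rather than the only one.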
