
Background

Currently I have configured an AWS EC2 instance to serve an Express app using an NGINX reverse proxy.

Now my next step should be configuring SSL.

Problem

Here is what I am confused about:

So I’ve seen tutorials on how to create an SSL certificate with some third-party library and install it directly onto the EC2 instance my NGINX is running.

I’ve also seen an official AWS tutorial on configuring SSL on the Application Load Balancer to handle traffic in front of my EC2 instance. From what it’s telling me, the load balancer is going to forward traffic to my EC2 instance. Then here’s my question: if the load balancer has SSL but the EC2 instance behind it doesn’t, then how is that in any way secure?

I am still a bit new to using AWS EC2 and the load balancer so I hope someone can help explain.

3 Answers


  1. You can do both. This is an implementation detail and depends on the security requirements of your system.

    Usually, to keep things simple, most people handle SSL on the load balancer.

    "if the load balancer has SSL but the EC2 instance behind it doesn’t, then how is that in any way secure?"

    The connection between your load balancer and the EC2 instance won’t use SSL. However, this is a risk most people take especially if your resources are in a VPC. You can further improve this part by sending encrypted data.

    If the data you are transferring is too sensitive, you can require SSL both on the load balancer and the EC2 instances.

    Overall, the choice depends on your security requirements.

  2. Your understanding is correct that if you have a certificate installed on your ALB, TLS is terminated at that point. The traffic from the ALB to your EC2 instance is not sent via a TLS connection.

    However this doesn’t necessarily mean that traffic is not secure. Once traffic over the internet reaches the ALB, it is within AWS global infrastructure. This means that AWS is now responsible for the security of this data in transit, per the shared responsibility model.

    Because the load balancer is in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid. – Target Groups: Routing Configuration

    You can of course install certificates on your instances as well, and the ALB will then establish TLS connections using these certificates. This is commonly done for compliance reasons, or if additional security is required depending on the application use cases.

  3. To further secure traffic going to your EC2 instance, you can configure the EC2 instance’s security group so that traffic is only accepted from the ALB’s security group, rather than being open to the whole world.

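The following Terraform sketch is an added example, not code from the thread or from AWS, that puts answers 2 and 3 together: the ALB terminates client TLS with an ACM certificate, forwards to an HTTPS target group so the hop to NGINX is encrypted again, and the instance’s security group accepts port 443 only from the ALB’s security group. The region, resource names, VPC and subnet IDs, instance ID, certificate ARN and the `/healthz` path are assumptions for illustration; substitute your own.

```hcl
# Added example (not from the original thread). Assumed placeholders:
# region, names, var.vpc_id, var.public_subnets, var.instance_id,
# var.acm_cert_arn and the /healthz health-check route.
provider "aws" {
  region = "us-east-1" # assumed
}

variable "vpc_id"         { type = string }       # existing VPC (assumed)
variable "public_subnets" { type = list(string) } # two or more public subnets
variable "instance_id"    { type = string }       # the EC2 instance running NGINX
variable "acm_cert_arn"   { type = string }       # public cert issued by ACM for your domain

# ALB security group: reachable from the internet on 80 (redirect) and 443.
resource "aws_security_group" "alb" {
  name   = "express-alb-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance security group: the only inbound rule references the ALB's
# security group (answer 3), so nothing on the internet can hit NGINX directly.
# Port 443 because the target group below speaks HTTPS to the instance.
resource "aws_security_group" "instance" {
  name   = "express-instance-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "this" {
  name               = "express-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = var.public_subnets
}

# HTTPS target group: the ALB re-encrypts traffic to NGINX. NGINX must listen
# on 443 with some certificate; a self-signed one is enough because the ALB
# does not validate target certificates (see the quote in answer 2).
resource "aws_lb_target_group" "nginx" {
  name     = "express-nginx-tg"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/healthz" # assumed route served by the Express app
    matcher  = "200"
  }
}

resource "aws_lb_target_group_attachment" "nginx" {
  target_group_arn = aws_lb_target_group.nginx.arn
  target_id        = var.instance_id
  port             = 443
}

# Public listener: terminates client TLS with the ACM certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_cert_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.nginx.arn
  }
}

# Send plain HTTP clients to HTTPS instead of serving them in the clear.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.this.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Two caveats worth checking after `terraform apply`: the instance must actually be attached to `aws_security_group.instance` (the example does not modify an existing instance’s group list), and the NGINX `server` block on the instance must listen on 443 with `ssl_certificate`/`ssl_certificate_key` set, otherwise the HTTPS health check fails and the target stays unhealthy. If you would rather keep plain HTTP between the ALB and the instance, change the target group to `protocol = "HTTP"` on port 80 and the instance security group rule to port 80; the "only from the ALB’s security group" restriction still applies and is the part that keeps the instance off the public internet.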