AWS Load Balancing: Encryption and Authentication Strategies
Considerations for encryption and authentication with load balancers (for example, TLS termination, TLS passthrough)
This guide explores how AWS Elastic Load Balancers (ELB) handle encrypted traffic and user authentication. Mastering the choice between terminating encryption at the load balancer or passing it through to the backend is critical for the ANS-C01 exam.
Learning Objectives
- Differentiate between TLS termination (offload) and TLS passthrough.
- Evaluate the security and performance trade-offs of centralized certificate management.
- Identify use cases for Application Load Balancer (ALB) user authentication (OIDC/Cognito).
- Select the appropriate Load Balancer type (ALB vs. NLB) based on encryption requirements.
Key Terms & Glossary
- TLS Termination (SSL Offload): The process where a load balancer decrypts incoming encrypted traffic before sending it to backend targets.
- TLS Passthrough: A configuration where the load balancer passes encrypted traffic directly to backend servers without decrypting it.
- SNI (Server Name Indication): An extension of TLS that allows a single load balancer listener to host multiple certificates for different domains.
- Cipher Suite: A set of algorithms (key exchange, encryption, and MAC) used to secure a network connection.
- ALB Authentication: A feature of the Application Load Balancer that integrates with Identity Providers (IdP) to authenticate users before they reach the application.
The "Big Idea"
In cloud architecture, the Load Balancer acts as the "Front Door." You must decide whether to hand the keys (SSL certificates) to the front door (Termination) so it can inspect who is coming in, or let guests keep their keys and unlock the inner doors (Backend Servers) themselves (Passthrough). Termination simplifies management and improves performance, while Passthrough maximizes end-to-end privacy and compliance.
Formula / Concept Box
| Feature | TLS Termination (ALB/NLB) | TLS Passthrough (NLB) |
|---|---|---|
| OSI Layer | Layer 7 (ALB) or Layer 4 (NLB) | Layer 4 (TCP) |
| Visibility | Full visibility into headers/payload | No visibility (data is opaque) |
| Cert Location | On the Load Balancer (ACM) | On the Backend Instances |
| CPU Load | Offloaded from backend | Borne by backend servers |
| mTLS Support | Limited (requires specific config) | Full support (handled by backend) |
Hierarchical Outline
- Encryption at the Edge
- TLS Offloading: Centralized decryption point.
- Certificate Management: Integration with AWS Certificate Manager (ACM) for auto-rotation.
- Architectural Patterns
- End-to-Edge: Client to LB is encrypted; LB to Backend is plaintext (High performance).
- End-to-End: Client to LB is encrypted; LB to Backend is re-encrypted (Highest security).
- Passthrough: LB acts as a blind pipe for TCP traffic (Layer 4).
- ALB User Authentication
- OIDC/SAML Support: Integration with Amazon Cognito or external IdPs (Okta, Ping, etc.).
- Flow: Load balancer intercepts request -> Redirects to IdP -> Validates token -> Forwards user identity in headers to backend.
Visual Anchors
[Figure: TLS Termination Flow (ALB)]
[Figure: TLS Passthrough Mechanism]
Definition-Example Pairs
- TLS Termination
- Definition: The LB ends the TLS session, decrypts traffic, and initiates a new connection (encrypted or unencrypted) to the backend.
- Example: An e-commerce site uses an ALB to offload SSL processing so the EC2 instances can focus solely on processing orders rather than heavy math for decryption.
- Mutual TLS (mTLS)
- Definition: A process where both the client and the server provide digital certificates to prove their identities to each other.
- Example: A highly regulated banking API requires mTLS. Since ALBs only recently added support for this, many architects use NLB Passthrough to let the backend handle the specific certificate handshake.
Worked Examples
Scenario: Configuring End-to-End Encryption with ALB
Goal: Secure traffic from the internet to the ALB, and from the ALB to the backend EC2 instances.
- Listener Configuration: Create an HTTPS listener on port 443 of the ALB. Associate an ACM certificate (e.g., api.example.com).
- Target Group Configuration: Create a target group with the protocol set to HTTPS (port 443).
- Certificate on Backend: Ensure the EC2 instances have a valid (or self-signed) certificate installed. The ALB will act as a client and perform a TLS handshake with the instance.
- Verification: The ALB will now terminate the client's connection and start a new encrypted connection to the backend, ensuring data is never in plaintext on the wire.
Checkpoint Questions
- Which load balancer type is required if you need to perform TLS passthrough for a non-HTTP protocol?
- How does an ALB pass the user's identity to the backend application after successful authentication?
- True/False: Using TLS Termination allows you to use AWS WAF for deep packet inspection.
- What AWS service integrates with ELB to provide easy certificate rotation?
Answers
- Network Load Balancer (NLB).
- By inserting the user's identity into HTTP headers (like x-amzn-oidc-data).
- True (The ALB must decrypt the traffic to inspect the L7 content).
- AWS Certificate Manager (ACM).
Muddy Points & Cross-Refs
- Termination vs. End-to-End: Students often think "Termination" means the traffic is plaintext for the rest of the journey. In AWS, you can terminate at the ALB and then re-encrypt to the backend. This is still called "Termination" because the original TLS session from the client ends at the ALB.
- Deep Packet Inspection: You cannot use AWS WAF with NLB Passthrough because the NLB never sees the unencrypted data to inspect it.
Comparison Tables
ALB vs. NLB Security Features
| Feature | Application Load Balancer (ALB) | Network Load Balancer (NLB) |
|---|---|---|
| Cert Management | Integrated with ACM | Integrated with ACM (for TLS Listeners) |
| SNI Support | Yes (multiple certs) | Yes (multiple certs) |
| WAF Integration | Native | No (requires ALB or CloudFront) |
| User Auth | OIDC / Cognito Native | Not supported at LB level |
| Passthrough | Not supported (always terminates) | Supported (TCP Listener) |
[!IMPORTANT] If the exam question mentions mTLS (Mutual TLS) and doesn't specify the ALB's new mTLS feature, NLB Passthrough is usually the historical correct answer to ensure the backend receives the client certificate.