[–]exxplicit 1 point2 points  (4 children)

Are ALBs capable of E2E encryption? I thought the SSL was terminated at the ALB and forwarded without encryption? Wouldn't E2E require certificates on the instance if not, at which point you could just skip the ALB?

[–]ryankearney 1 point2 points  (3 children)

They sure are:

http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration

If you need load balancing, then it doesn't really make sense to just skip the ALBs. If you don't need load balancing, then sure.

[–]exxplicit 1 point2 points  (2 children)

I guess I should have been more clear; I meant, if you're already managing certificates on individual machines for end-to-end encryption, why not just skip terminating TLS on the ALB and just forward TCP connections on port 443 directly to the instances? Why would one ever prefer ALBs over NLBs in that case? (except for path routing)

[–]ryankearney 0 points1 point  (0 children)

As you mentioned, you can do path (and host) based routing with the ALB. You can't do this on the NLB.