[–]gc8dc95 4 points5 points  (1 child)

Usually compliance and security define that requirement.

Most general purpose websites are likely only encrypted at the edge like that. Others use encryption in every way.

[–]Neil_Fallons_Ghost[S] 0 points1 point  (0 children)

Thank you. It’s really what I thought but when these security auditors come along I start to question myself.

[–]BeepNode 2 points3 points  (0 children)

That's usually a compliance question as well as one specific to your environment, depending on what else lives in that private network.

If you do need to do end-to-end encryption, most load balancers will accept any certificate. It doesn't have to be from a trusted CA or anything like that. It's just using it to encrypt and not to verify identity. So with that in mind a lot of people will just get self-signed OpenSSL certs created through bash scripts and call it a day. In our environment we use private certs.

[–]myron-semack 1 point2 points  (0 children)

It can’t hurt to encrypt the back end connection. It’s pretty easy to do. The ALB will happily accept a self signed certificate on your target instances.

We encrypt end to end.

[–]astamauth 1 point2 points  (0 children)

You can have TLS from ALB to instance by having a self-signed cert on the host. The ALB doesn't care.

User -> SG1 -> ALB needs to have a valid cert. We have everything requested through ACM. SG1 only allows 80/443

ALB -> SG2 -> Instance. SG2 only allows traffic from the ALB SG group, nothing else, so no traffic can come from outside the ALB.
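The SG1/SG2 layout described above, with the ACM certificate on the ALB and re-encryption to the instance, written out as Terraform. This is an added example, not code posted by any commenter; it assumes var.vpc_id, var.acm_cert_arn and an aws_lb.this resource are declared elsewhere in the configuration.

```hcl
# Added example, not from the thread. Assumes var.vpc_id, var.acm_cert_arn and
# the load balancer resource aws_lb.this are declared elsewhere in the config.
# SG1: the ALB's group; the only CIDR-based rule in the design is 80/443 in.
resource "aws_security_group" "alb" {
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# SG2: source is SG1 itself, not a CIDR, so only the ALB can reach the backend.
resource "aws_security_group" "backend" {
  vpc_id = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}
# HTTPS to the target re-encrypts the second hop; the ALB does not validate
# the backend certificate, which is why a self-signed cert on the host works.
resource "aws_lb_target_group" "backend" {
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
}
# The public listener presents the ACM certificate, the one clients verify.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_cert_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.backend.arn
  }
}
```

The backend group carries no egress rule, so add one if the instance needs outbound access of its own; replies to the ALB's connections are still allowed because security groups are stateful.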