The AWS Certificate Manager allows you to create both public and private digital certificates, and the service is integrated into the application load balancer, as shown in Figure 4.6. This integration allows you to select an AWS certificate directly from the ALB configuration GUI, API, or CLI. The Certificate Manager service enables you to provision, manage, and deploy TLS certificates for internal- and external-facing ALB listeners. This integration removes much of the manual process of creating, downloading, and installing certificates into the ALB. The Certificate Manager also handles the renewal of certificates, which is critical for the uptime of the ALB. There is no charge for publicly issued certificates that are deployed on the ALB; you pay only for the ALB's own charges and not for the certificates. ACM does charge for its private certificate authority service, and there is a charge for the private certificates themselves.
FIGURE 4.6 Certificate Manager integration with ALB
The AWS Certificate Manager creates SSL/TLS certificates per region and records every certificate transaction in CloudTrail. You use the Certificate Manager to generate key pairs without the steps usually required, such as generating a certificate-signing request, generating the key pair, and downloading it locally for installation into the ALB service. The Certificate Manager handles all of the backend steps required to install the certificate onto the ALB listener and enable SSL/TLS support; locally generated certificates remain supported as well. The Certificate Manager also allows you to import certificates from outside certificate authorities for central management and logging.
There are extensive variations to deploy and configure the different load balancer types offered by AWS in the ELB family of services. This section will introduce you to the main topics and give you the background knowledge to successfully design and deploy your solutions as well as to be able to pass the ELB questions on the exam.
Knowing where a packet actually originates lets you make processing decisions, log the connection source accurately, and support security and analytics in your web deployments. However, given the nature of modern networks, the actual source IP address of the end user may not be present in the packet as it arrives at the load balancer. With layer 7 application load balancers, this information can be included in the HTTP headers. A network load balancer, however, has no insight into the information available at application layer 7. The network load balancer terminates the TCP connection and opens a second session to the backend servers. The backend servers will not see the source IP of the client in this scenario; they see only the source address of the load balancer. Also, with web proxies and Network Address Translation (NAT) devices in the source-to-destination path, the source IP can be changed by the network, and the actual originating IP can be lost. The proxy protocol inserts a header at the TCP level, which means it is not application dependent and can support all TCP-based applications in addition to standard HTTP/HTTPS. For example, you can use the proxy protocol for FTP, SMTP, SSH, or any other application that uses TCP connections. The AWS network load balancer supports version 2 of the proxy protocol, which is binary encoded. The application load balancer does not support the proxy protocol.
The proxy protocol header is a feature that inserts the original source IP for the target servers and applications to reference. When enabled, a header is added ahead of the request data that carries the connection details, such as the source and destination IP addresses and the application port number, in a human-readable format. This header is sent to the target instance at the start of the connection. The proxy protocol works with TCP to identify the IP addresses of the clients to the backend servers.
The following is an example of the data inside a proxy-protocol header:
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"
PROXY TCP4 192.168.1.143 172.16.20.45 32623 80\r\n
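As an added example, not code from the book or from AWS, here is a backend-side parser for the header format above. It covers the human-readable version 1 line shown and goes one step further than the text to also decode the binary version 2 header, which is the form the network load balancer sends. The parser is strict on purpose: the backend trusts this header as the client's identity, so a malformed line (extra spaces, a port out of range, an IPv6 address behind TCP4, a truncated binary block) is rejected rather than guessed at, and the UNKNOWN and LOCAL cases yield no client address for the application to rely on. The sample bytes are constructed (the book's own line plus an HTTP request, and the same connection re-encoded as version 2).

```python
import ipaddress
import socket
import struct

# Added example. Parses both proxy-protocol forms a backend may receive: the
# human-readable version 1 line and the binary version 2 header the NLB sends.
# The sample inputs at the bottom are constructed.

V1_MAX_LEN = 107  # longest legal v1 line, CRLF included
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
V2_TCP4, V2_TCP6 = 0x11, 0x21  # family/protocol byte: AF_INET+STREAM, AF_INET6+STREAM


def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return port


def parse_proxy_v1(data):
    """Parse a v1 header strictly; any deviation from the fixed format is rejected."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > V1_MAX_LEN:
        raise ValueError("v1 header lacks CRLF or is too long")
    fields = data[:end].decode("ascii").split(" ")  # exactly one space between fields
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY string")
    if fields[1] == "UNKNOWN":
        # The sender could not determine the client; give the backend no address to trust.
        return {"version": 1, "inet_protocol": "UNKNOWN", "consumed": end + 2}
    if len(fields) != 6:
        raise ValueError("expected PROXY INET_PROTOCOL CLIENT_IP PROXY_IP CLIENT_PORT PROXY_PORT")
    proto, client_ip, proxy_ip, client_port, proxy_port = fields[1:]
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ValueError(f"unsupported INET_PROTOCOL {proto!r}")
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(proxy_ip)
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match INET_PROTOCOL")
    return {"version": 1, "inet_protocol": proto, "client_ip": str(src), "proxy_ip": str(dst),
            "client_port": _port(client_port), "proxy_port": _port(proxy_port), "consumed": end + 2}


def parse_proxy_v2(data):
    """Parse the binary v2 header: signature, version/command, family/protocol, length, addresses."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("v2 signature missing")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("version nibble is not 2")
    if len(data) < 16 + length:
        raise ValueError("truncated v2 header")
    command = ver_cmd & 0x0F  # 0 = LOCAL (the proxy's own traffic, e.g. health checks), 1 = PROXY
    result = {"version": 2, "command": "LOCAL" if command == 0 else "PROXY", "consumed": 16 + length}
    if command == 0:
        return result  # LOCAL carries no client address to trust
    if command != 1:
        raise ValueError(f"unknown command {command}")
    layouts = {V2_TCP4: ("!4s4sHH", socket.AF_INET, "TCP4"),
               V2_TCP6: ("!16s16sHH", socket.AF_INET6, "TCP6")}
    if fam_proto not in layouts:
        raise ValueError(f"unsupported family/protocol 0x{fam_proto:02x}")
    fmt, family, proto = layouts[fam_proto]
    size = struct.calcsize(fmt)
    if length < size:
        raise ValueError("address block shorter than the family requires")
    src, dst, sport, dport = struct.unpack(fmt, data[16:16 + size])
    result.update(inet_protocol=proto, client_ip=socket.inet_ntop(family, src),
                  proxy_ip=socket.inet_ntop(family, dst), client_port=sport, proxy_port=dport)
    return result


def split_proxy_header(data):
    """Return (connection info, remaining application bytes) for a new connection's first bytes."""
    if data.startswith(V2_SIGNATURE):
        info = parse_proxy_v2(data)
    elif data.startswith(b"PROXY "):
        info = parse_proxy_v1(data)
    else:
        raise ValueError("no proxy protocol header at start of connection")
    return info, data[info["consumed"]:]


# Constructed samples: the book's v1 line followed by an HTTP request, and the same
# connection encoded as a v2 PROXY command for TCP over IPv4 (0x21 = version 2, command 1).
SAMPLE_V1 = b"PROXY TCP4 192.168.1.143 172.16.20.45 32623 80\r\n"
SAMPLE_REQUEST = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, V2_TCP4]) + struct.pack("!H", 12)
             + socket.inet_aton("192.168.1.143") + socket.inet_aton("172.16.20.45")
             + struct.pack("!HH", 32623, 80))

if __name__ == "__main__":
    for raw in (SAMPLE_V1 + SAMPLE_REQUEST, SAMPLE_V2 + SAMPLE_REQUEST):
        print(split_proxy_header(raw))
```

Whichever version is in use, the header is only as trustworthy as its sender: a backend that parses it should accept it solely on listeners reached through the load balancer, since any client that can connect directly could prepend its own header and choose the source address the application logs.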