Security – Load Balancing – ANS-C01 Study Guide

Security

The application load balancer terminates all encrypted TLS/SSL connections while still allowing end-to-end encryption between the client and the target server. The incoming TLS session is terminated on the ALB for inspection and processing, and a second connection is created on the backend between the ALB and the target; on this second connection the ALB acts as the client. This means that every ALB must have TLS/SSL certificates installed directly on it when TLS is in use, because the ALB is the server that terminates the clients' encrypted TLS connections.

You can secure your public-facing listener and reduce its load by using CloudFront as the front-end service and restricting access to the ELB listener to the CloudFront service. With an application load balancer, you can take advantage of its layer 7 capabilities: CloudFront inserts a custom HTTP header value before forwarding the request to the ALB, and the ALB is configured to process only requests that carry that header. This prevents users from bypassing CloudFront and connecting directly to the ALB.
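To make the header-gating step concrete, here is an added Python model (not from the study guide) of the CloudFront-to-ALB check: the rule and default-action dictionaries follow the shape of the ELBv2 create_rule / listener APIs, the header name X-Origin-Verify and the target group ARN are placeholders chosen for this example, and the evaluator approximates how the listener applies its rules so you can see which requests reach the target group.

```python
import fnmatch
import secrets

# Constructed example values: the header name is hypothetical, the secret is
# generated per deployment (configure it as a CloudFront origin custom header
# and in the ALB rule, and rotate it), the target group ARN is a placeholder.
HEADER_NAME = "X-Origin-Verify"
SHARED_SECRET = secrets.token_urlsafe(32)
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"

# Listener rule in the shape the ELBv2 create_rule API takes: forward to the
# target group only when the request carries the expected header value.
FORWARD_RULE = {
    "Priority": 1,
    "Conditions": [{
        "Field": "http-header",
        "HttpHeaderConfig": {"HttpHeaderName": HEADER_NAME,
                             "Values": [SHARED_SECRET]},
    }],
    "Actions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP_ARN}],
}

# Listener default action: any request that matches no rule gets a fixed 403,
# so a client that bypasses CloudFront never reaches the target group. Leaving
# the default action as "forward" would make the header rule pointless.
DEFAULT_ACTION = {"Type": "fixed-response",
                  "FixedResponseConfig": {"StatusCode": "403"}}


def header_matches(condition, headers):
    """Approximate ALB http-header matching: the header name is
    case-insensitive, and the comparison strings are case-insensitive
    with * and ? wildcards (so use a long, random secret)."""
    cfg = condition["HttpHeaderConfig"]
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get(cfg["HttpHeaderName"].lower())
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), pattern.lower())
               for pattern in cfg["Values"])


def evaluate(headers, rules=(FORWARD_RULE,), default=DEFAULT_ACTION):
    """Return the action the listener applies: rules in priority order,
    first full match wins, otherwise the default action."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if all(header_matches(c, headers) for c in rule["Conditions"]):
            return rule["Actions"][0]
    return default
```

Run evaluate() with a header dict as a client would send it: a request without the header or with a wrong value gets the 403 default action, and only a request carrying the shared secret is forwarded.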

The Web Application Firewall (WAF) can be placed in front of the ELB's listening interface for public, Internet-facing deployments. The WAF reduces the impact of denial-of-service attacks, lets you define access filtering rules, and is a fully managed and monitored AWS service.

The VPC security functions of AWS, such as access control lists and security groups, remain available to protect the load balancer. AWS also offers a large suite of security services for monitoring and anomaly detection, such as CloudWatch.

ELB Connectivity Patterns

In this section, we cover placement options for the load balancers in your deployment, such as Internet-facing or internal designs, that enable resiliency, scalability, and service separation.

Internal Load Balancers

Internal load balancers are defined by the VPC subnet in which the ELB is placed: a load balancer whose listener uses a private IP address is, by definition, an internal load balancer. IP addressing is the primary difference between a public and a private ELB; other than this distinction, they are the same product with the same feature set. Figure 4.2 illustrates the placement of an internal load balancer. Remember that "internal" refers to the placement of the service, not its functionality; an internal load balancer can be of any type, such as a network or application load balancer.

FIGURE 4.2 Internal load balancing

Architecturally, a private ELB is the same as a public load balancer except that its nodes are assigned only private IP addresses. A multitier architecture may include a public load balancer terminating user requests from the Internet in front of a pool of backend web servers, with those web servers in turn connecting through internal load balancers to a pool of backend application servers.

Internal load balancers are generally used to separate the different tiers of an application within a VPC, such as separating the web tier from the presentation, application, and data tiers.