TLS Passthrough – Load Balancing – ANS-C01 Study Guide

TLS Passthrough

TLS passthrough is the more traditional design, used when the load balancer does not process SSL/TLS traffic on port 443. The load balancer has no digital certificate installed locally; it forwards all encrypted traffic unchanged to the backend servers, which perform the encryption and decryption functions themselves, as shown in Figure 4.14.

In this case, the load balancer is not aware of and cannot inspect the encrypted payload; it simply load balances the TCP connections to the servers in the defined target groups. The private key stays on the servers alone and the encryption is end to end between client and server, but the load balancer also cannot route on host name or path, cannot insert an X-Forwarded-For header (the proxy protocol is the usual way to preserve the client address in this design), and cannot hand the request to a web application firewall for inspection.
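As an added example (not from the study guide and not AWS code), the following Python shows the one part of a TLS connection that a layer-4 passthrough balancer could inspect without holding a certificate: the ClientHello, whose server name indication travels in the clear. Everything after the handshake, including the HTTP request line and headers, is ciphertext to the load balancer, which is why a passthrough design cannot add X-Forwarded-For. This goes a little beyond the text by parsing the handshake rather than just forwarding it. The ClientHello bytes are constructed locally by build_client_hello(); the function names are assumptions of this example.

```python
"""Parse the unencrypted part of a TLS ClientHello, the only thing a pure
TCP-passthrough load balancer could look at without a certificate.

Added example for the study guide, not AWS code. The ClientHello bytes are
constructed by build_client_hello() for the demonstration, not captured.
"""
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record with an SNI
    extension (constructed sample traffic, not a real capture)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                      # client_version: TLS 1.2
        + os.urandom(32)                                 # client random
        + b"\x00"                                        # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"     # two cipher suites
        + b"\x01\x00"                                    # compression: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the server_name from a ClientHello record, or None if the bytes
    are not a ClientHello, are truncated, or carry no SNI extension.

    Every length read from the wire is bounds-checked; malformed input yields
    None instead of an exception, which is what a forwarding proxy wants.
    """
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated record
        pos = 2 + 32                                     # skip version + random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = body[pos]; pos += 1 + comp_len
        if pos + 2 > len(body):
            return None                                  # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext_data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5:
                list_len = struct.unpack("!H", ext_data[:2])[0]
                entries = ext_data[2:2 + list_len]
                if entries[0] != 0:                      # only host_name is defined
                    return None
                name_len = struct.unpack("!H", entries[1:3])[0]
                name = entries[3:3 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def passthrough_view(first_bytes: bytes) -> dict:
    """What a layer-4 passthrough balancer can learn from the first segment:
    whether it looks like TLS and, if so, the SNI. For a TLS connection the
    HTTP method, path and headers are never visible to it."""
    sni = extract_sni(first_bytes)
    return {
        "tls": first_bytes[:1] == bytes([TLS_HANDSHAKE]),
        "sni": sni,
        # crude plaintext-HTTP check, only true when no TLS is in use at all
        "http_visible": first_bytes[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "),
    }


if __name__ == "__main__":
    hello = build_client_hello("api.example.com")
    print(passthrough_view(hello))
    print(passthrough_view(b"GET /admin HTTP/1.1\r\nHost: api.example.com\r\n\r\n"))
```

The first call reports the SNI and no visible HTTP; the second shows that only with no TLS at all does the request line become readable to the balancer. This is the whole basis of the passthrough/offload trade-off: to route on path, add X-Forwarded-For or run WAF rules, the load balancer must terminate TLS and therefore hold the certificate.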

FIGURE 4.13 SSL/TLS offload

Summary

This chapter’s focus was the AWS ELB family of services that includes the network load balancer, the application load balancer, and the gateway load balancer. These were introduced in Chapter 1, and we went into much more detail about the products in this chapter.

You learned about the architectural, deployment, operational, and monitoring specifics and many of the configuration options to enable the many features of the ELB services.

We began with the three types currently offered by AWS, how they operate, and what the use cases are for each type. Next you learned about high availability and security.

Internal load balancers use private IP addressing, and public load balancers are Internet-facing with a public IP on the listener interface. Remember that public load balancers can have EC2 target servers in the private IP address space.

The ELB services are integrated with other AWS services including Global Accelerator, CloudFront, the Web Application Firewall, Route 53, Elastic Kubernetes Service, and the AWS Certificate Manager. We went into some detail about how these services enhance a load balancer’s operations and make them easier to deploy and operate.

There are many configuration options available, and you learned about the proxy protocol, X-Forwarded-For, cross-zone load balancing, and session affinity (sticky sessions).

FIGURE 4.14 SSL/TLS passthrough

Target groups are configuration containers that define the backend services. There are many options in the target group configurations, and you learned about routing, the different types of targets, IP address types, protocol versions, registering targets, routing algorithms, how to deregister targets and perform connection draining, deletion protection for the load balancer itself, what health checks are and what they are used for, how slow start prevents a new target from being overloaded when it first comes online, and the GENEVE protocol that is used by the gateway load balancer.

SSL/TLS handling was detailed, including how the application load balancer can offload the encryption/decryption functions from the target servers by terminating TLS with a locally installed certificate, and how SSL/TLS passthrough sends the encrypted traffic through the load balancer untouched to the servers, which perform the SSL/TLS encryption/decryption themselves.

Exam Essentials

Know the different types of load balancers and what makes them different from each other. Know how they are intended to be used and what problems they are designed to solve.

Know when to use a gateway load balancer for a specific situation. Know what the gateway load balancer is used for and why it is different from the others. Read each scenario closely, looking for key words that indicate which type of load balancer the question calls for.

Know that Internet-facing load balancers can reach target servers in private subnets. An Internet-facing load balancer has a public IP on its listener interface but can register targets in either public or private address space; an internal load balancer uses a private IP for the listener.

Understand autoscaling and the basic configuration options for autoscaling groups. There are a great many configuration options and service integrations for the ELB family, given that it sits in the middle of the traffic path and plays a critical networking role in most AWS deployments. Read in detail about the integrations and configuration options. Visit the AWS console, practice setting up load balancers, and read the documentation in detail.