Mini-Thread: We've just launched TLS/SSL support for AWS Network Load Balancers. You can now use NLB to terminate TLS/SSL directly and still get the great performance, scalability, and insane magic of network transparency! See @jeffbarr's post athttps://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/ …
-
-
This is the "insane magic". You can kind of see how it's possible at the network layer; just route the packets around, rewrite the destination, but leave the source alone. People have been doing this with ordinary routers for some time, yeah yeah.
Show this thread -
But actually what we do is far better than that. We use AWS HyperPlane, an internal service, that tracks the state of billions of connections. It means we can keep connections going to the same target for months, years, no breakage. It's what we use for Elastic File System!
Show this thread -
And now, because we're tracking state, we can actually insert a dedicated secure platform that terminates (and also reinitiates) TLS/SSL, and *still* keep the Network Load Balancer transparent and easy to use. This is doubly insane magic.
Show this thread -
Now with this feature, you can make your front-end world-facing TLS/SSL security our mission, rather than yours. Here are just some of things we do that can be hard to replicate:
Show this thread -
1. NLB uses our
@AWSOpen Open Source implementation of TLS/SSL - Amazon s2n. https://github.com/awslabs/s2n is small and fast and we pour over it for security issues and formally verify more and more of it every year.Show this thread -
2. If/when there are any issues; we take care of the updates and handling, you don't need to drop everything to suddenly upgrade.
Show this thread -
3. We run our TLS/SSL termination on a bastion-like environment. We minimize the surface area, we minimize the number of people who have any kind of access, including access to commit code running on the platform.
Show this thread -
4. Our team who run it are TLS/SSL experts. Folks who've contributed to the RFC. Folks who are clued in on the latest protocol attacks. They are also scale and operational experts. The team started as the front-end team for Amazon S3, and now manage nearly every AWS front end.
Show this thread -
5. NLB's TLS support integrates with Amazon Certificate Manager; we can automatically rotate, replace, and revoke certificates. No more outages because of an expired certificate!
Show this thread -
6. We have access logs, and can tell you about your TLS clients! We log things like the cipher suite and protocol version used, which makes it easy to audit if it's safe to disable an old algorithm.
Show this thread -
7. NLB's TLS support can still use TLS to your targets, so you still get TLS traffic all the way to your target. This might seem strange, if you're going to run TLS on your own end anyway, what's the point?
Show this thread -
... well, NLB runs on Amazon VPC. On VPC we encapsulate, authenticate and secure traffic at the packet level. Packets can't be spoofed or MITMd on VPC. Traffic only goes where you send it. That makes it possible to use a self-signed, or even expired, certificate on your end.
Show this thread -
In TLS/SSL, certificates are just about authenticating the server or the client, but since Amazon VPC does that at the packet level, you can offload the problems that comes with certificate management to us.
Show this thread -
8. You can run plaintext too. I wouldn't recommend it, but you can also use NLB TLS as a total TLS/SSL off-loader; you can run plain TCP to your targets and NLB will translate between TLS to/from your clients and TCP to/from you. We *still* preserve the source IP, even then.
Show this thread -
9. If you've been using our Classic Load Balancer as a L4 load balancer with support for TLS, you can now move to NLB!
Show this thread -
That's it from me! You can start using it right now, I've had a test NLB going for a few weeks myself. Super super delighted to get this out there. AMA and let me know if you have any suggestions or questions! EOF.
Show this thread
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.