4. Our team who run it are TLS/SSL experts. Folks who've contributed to the RFC. Folks who are clued in on the latest protocol attacks. They are also scale and operational experts. The team started as the front-end team for Amazon S3, and now manage nearly every AWS front end.
-
Show this thread
-
5. NLB's TLS support integrates with Amazon Certificate Manager; we can automatically rotate, replace, and revoke certificates. No more outages because of an expired certificate!
1 reply 4 retweets 18 likesShow this thread -
6. We have access logs, and can tell you about your TLS clients! We log things like the cipher suite and protocol version used, which makes it easy to audit if it's safe to disable an old algorithm.
1 reply 1 retweet 11 likesShow this thread -
7. NLB's TLS support can still use TLS to your targets, so you still get TLS traffic all the way to your target. This might seem strange, if you're going to run TLS on your own end anyway, what's the point?
1 reply 0 retweets 6 likesShow this thread -
... well, NLB runs on Amazon VPC. On VPC we encapsulate, authenticate and secure traffic at the packet level. Packets can't be spoofed or MITMd on VPC. Traffic only goes where you send it. That makes it possible to use a self-signed, or even expired, certificate on your end.
1 reply 4 retweets 13 likesShow this thread -
In TLS/SSL, certificates are just about authenticating the server or the client, but since Amazon VPC does that at the packet level, you can offload the problems that comes with certificate management to us.
2 replies 0 retweets 7 likesShow this thread -
8. You can run plaintext too. I wouldn't recommend it, but you can also use NLB TLS as a total TLS/SSL off-loader; you can run plain TCP to your targets and NLB will translate between TLS to/from your clients and TCP to/from you. We *still* preserve the source IP, even then.
2 replies 0 retweets 6 likesShow this thread -
9. If you've been using our Classic Load Balancer as a L4 load balancer with support for TLS, you can now move to NLB!
2 replies 8 retweets 16 likesShow this thread -
That's it from me! You can start using it right now, I've had a test NLB going for a few weeks myself. Super super delighted to get this out there. AMA and let me know if you have any suggestions or questions! EOF.
11 replies 0 retweets 22 likesShow this thread -
Replying to @colmmacc
I frequently hear the request for end to end secure communication. Terminating at the NLB brings discomfort to my clients.
1 reply 0 retweets 1 like
You get to choose! we're never going to break e2e, it'll still work, but customers that use it have to manage the TLS software, settings, certificate/key security, rotating/revocation, and so on. For many customers, having a managed service for all that makes the most sense.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.