
We currently have an AWS Fargate service running Nginx behind an AWS Application Load Balancer. In front of this, we also use Cloudflare (hence having a Cloudflare origin certificate in ACM). Since the ALB terminates the SSL connection, the traffic between the ALB and the Fargate containers is not encrypted, unless you use a self-signed certificate in Nginx and forward the traffic through 443 instead of 80.

As we want to have end-to-end encryption (we do not need to follow any particular compliance but it just feels like good practice and wrong having the traffic between the ALB<->Fargate unencrypted) - is it then not better to use a Network Load Balancer and terminate the SSL connection in Nginx? This would also reduce one SSL handshake - which could potentially lead to a (marginal?) decreased response time.

Question 1: Is using a Network Load Balancer instead of an Application Load Balancer in this case a better alternative?

Question 2: Are there any other "features" or functionalities we are missing by doing this? It feels like AWS is really advocating using an ALB instead of an NLB.

Thanks

cabz

1 Answer


I don't think you need an NLB here.

First Option

Install an HTTPS certificate on Nginx in your Fargate container, self-signed or otherwise. You can't use AWS Certificate Manager, as ACM won't share the private key, which Nginx needs.

Have the ALB connect to the HTTPS port. Just create a target group that uses the HTTPS protocol.

Second Option

Given you're already trusting AWS with virtualising your compute and storage, trusting them with the virtual network is a reasonable decision if you don't have a compliance need to encrypt. It may also be slightly faster.

This would be my suggested option given what you've said in your question. There are no practical benefits to HTTPS between the ALB and containers.

Tim
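Wiring up the first option (ALB terminates the public TLS session with the ACM certificate, then re-encrypts to Nginx on 443 in the task) looks like this in Terraform. This is an added example, not code from the answer, the question or AWS; the resource names `web`, `aws_lb.public`, the two security groups and the `var.*` inputs are assumptions.

```hcl
# Added example (assumed names): Fargate tasks run Nginx on 443 with a
# self-signed certificate; the ALB's public listener uses the ACM certificate
# and the target group talks HTTPS to the tasks instead of plaintext port 80.

resource "aws_lb_target_group" "web" {
  name        = "web-https"
  port        = 443
  protocol    = "HTTPS"      # ALB -> container hop is encrypted
  target_type = "ip"         # Fargate (awsvpc) targets are registered by IP
  vpc_id      = var.vpc_id

  health_check {
    protocol = "HTTPS"       # health checks must also speak TLS to the task
    path     = "/healthz"    # assumed health endpoint served by Nginx
    matcher  = "200"
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn   # Cloudflare origin cert in ACM

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Only the ALB may reach the tasks, and only on 443, so no plaintext port
# is reachable even from inside the VPC.
resource "aws_security_group_rule" "tasks_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.tasks.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

The ALB does not validate the target's certificate, which is why a self-signed one works; this protects the ALB-to-task hop from passive observation, not from an active party that can impersonate the task, so the security group rule above carries as much of the weight as the certificate does.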