Load Balancers 3 Flashcards
SSL Offload
Three ways ELBs can handle SSL?
Bridging, pass-thru, offloading
SSL Offload
What is Bridging?
ELB is SSL server, separate HTTPS connection to back-end instances
SSL Offload
Bad security part of Bridging?
AWS has some access to keys, ELB has unencrypted access to data
SSL Offload
Bad throughput part of Bridging?
Back-end EC2 instances have to do the SSL processing
SSL Offload
Good part of Bridging?
ALBs can look at the content and make routing decisions
SSL Offload
What is Passthru?
NLBs: doesn’t “break SSL”
SSL Offload
What is offloading?
HTTPS to the ELB, but plain HTTP to back-end EC2 instances
SSL Offload
Good thing about offloading?
EC2 instances don’t have to have keys or do SSL crypto
SSL Offload
Bad thing about offloading?
Non-encrypted traffic (but still in a VPC and controllable)
Stickiness
Where do you turn on session stickiness?
Individual Target Groups in ALBs
Stickiness
How does an ALB implement stickiness?
Sends “AWSALB” cookie
Stickiness
What happens to sticky sessions if the target host fails?
A new host is created and all old sessions are pinned to new hosts (self-heals)
Stickiness
When does an ALB change the target host for a request with an AWSALB cookie?
When the cookie expires
Stickiness
Examples of when a user lost their session state and might need stickiness turned on
Users getting logged out, losing their shopping carts, lost progress in workflows
Security Policies
What is an LB Security Policy?
What SSL ciphers and protocols the LB will use