Application Load Balancer (ELBv2) SSL pass through

Question

I am trying to configure an AWS Application Load Balancer (vs. a Classic Load Balancer) to distribute traffic to my EC2 web servers. For compliance reasons I need end to end SS

Answer 1

Terminating the SSL connection at the web servers requires you to change the load balancer listener from HTTPS to TCP. ALB doesn't support this, only classic ELB. Further, if you were terminating the SSL at the web server the load balancer wouldn't be able to inspect the request since it wouldn't be able to decrypt it, so it wouldn't be able to do all the fancy new routing stuff that the ALB supports.

If you actually want to use an ALB for the new features it provides, and you need end-to-end encryption, you will have to terminate SSL at the ALB and also have an SSL certificate installed on the web servers. The web server certificate could be something like a self-signed cert since only the ALB is going to see that certificate, not the client.

I assume you need end-to-end encryption for compliance reasons (PCI, HIPAA, etc.). Otherwise there isn't a very compelling reason to go through the hassle of setting it up.