- If you're paranoid, you can ensure that only the proxied EC2(s) and the ELB are able to communicate with each other via security groups.
- If you're under compliance-requirements (e.g., PCI/DSS), you can enable end-to-end SSL such that:
- Connections between Internet-based client and the ELB are encrypted
- Connections between the ELB and the application-hosting EC2(s) is encrypted
Technical need aside... Implementing end-to-end SSL is trivial:
- ACM allows easy provisioning of SSL certificates for the ELB (with the security-bonus of automatically rotating said certificates).
- You can very generic, self-signed certificates on your application-hosting EC2s:
- The certificate's Subject doesn't matter
- The certificate's validity window doesn't matter (no need to worry about rotating certificates that have expired)
- Create an EC2-hosted application/service:
- Launch EC2
- Install HTTPS-capable application
- Generate a self-signed certificate (setting the -days to as little as 1 day). Example (using the OpenSSL utility):
openssl req -x509 -nodes -days 1 -newkey rsa:2048 \ -keyout peer.key -out peer.crt
When prompted for input, just hit the <RETURN> key (this will create a cert with defaulted values ...which, as noted previously, don't really have bearing on the ELB's trust of the certificate). Similary, one can wholly omit the -days 1 flag and value – the default certificate will be valid for 30 days (but, ELB doesn't care about the validity time-window).
- Configure the HTTPS-capable application to load the certificate
- Configure the EC2's host-based firewall to allow connections to whatever port the application listens on for SSL-protected connections
- Configure the EC2's security group to allow connections to whatever port the application listens on for SSL-protected connections
- Create an ELB:
- Set the ELB to listen for SSL-based connection-requests (using a certificate from ACM or IAM)
- Set the ELB to forward connections using the HTTPS protocol to connect to the target EC2(s) over whatever port the application listens on for SSL-protected connections
- Ensure the ELB's healthcheck is requesting a suitable URL to establish the health of the application
Once the ELB's healthcheck goes green, it should be possible to connect to the EC2-hosted application via SSL.If one wants to verify the encryption-state of the connetction between the ELB and EC2(s), one would need to login to the EC2(s) and sniff the inbound packets (e.g., by using a tool like WireShark).