If you use a Layer 4 load balancer and want to use SSL encryption to enhance security, you can configure an SSL certificate on each backend server. However, this method is inefficient. In this case, you can use the SSL offloading feature of Network Load Balancer (NLB). You can deploy an NLB instance as an ingress to distribute network traffic and configure an SSL certificate. This way, the NLB instance decrypts encrypted traffic into plaintext traffic and distributes plaintext traffic to backend servers. This improves the work efficiency of backend services, simplifies the configuration of backend servers, and ensures security. For scenarios that require SSL offloading for TCP traffic, NLB provides some commonly used TLS security policies to enhance the security of services. You can select system TLS security policies or configure custom TLS security policies to protect your services.
System TLS security policies
A TLS security policy consists of a set of TLS versions and a set of cipher suites. A policy that requires a later TLS version provides stronger protection but is compatible with fewer browsers and clients.
Security policy | Supported TLS version | Supported cipher suite
--- | --- | ---
tls_cipher_policy_1_0 | TLSv1.0, TLSv1.1, TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA
tls_cipher_policy_1_1 | TLSv1.1, TLSv1.2 | Same cipher suites as tls_cipher_policy_1_0
tls_cipher_policy_1_2 | TLSv1.2 | Same cipher suites as tls_cipher_policy_1_0
tls_cipher_policy_1_2_strict | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
tls_cipher_policy_1_2_strict_with_1_3 | TLSv1.2, TLSv1.3 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256
Differences between system TLS security policies
In the following table, a check mark (✔) indicates that the cipher suite is supported by the TLS version. A hyphen (-) indicates that the cipher suite is not supported by the TLS version.
Type | TLS version or cipher suite | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3
--- | --- | --- | --- | --- | --- | ---
TLS | v1.0 | ✔ | - | - | - | -
TLS | v1.1 | ✔ | ✔ | - | - | -
TLS | v1.2 | ✔ | ✔ | ✔ | ✔ | ✔
TLS | v1.3 | - | - | - | - | ✔
CIPHER | ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-ECDSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-ECDSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | -
CIPHER | AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | -
CIPHER | AES128-SHA256 | ✔ | ✔ | ✔ | - | -
CIPHER | AES256-SHA256 | ✔ | ✔ | ✔ | - | -
CIPHER | ECDHE-ECDSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-ECDSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔
CIPHER | AES128-SHA | ✔ | ✔ | ✔ | - | -
CIPHER | AES256-SHA | ✔ | ✔ | ✔ | - | -
CIPHER | DES-CBC3-SHA | ✔ | ✔ | ✔ | - | -
CIPHER | TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔
CIPHER | TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔
CIPHER | TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔
CIPHER | TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔
CIPHER | TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔
Custom TLS security policies
Applicable scenarios
NLB provides some commonly used TLS security policies to enhance the security of services. NLB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.
Procedure
To create a custom TLS security policy, perform the following steps:
1. Log on to the NLB console.
2. In the left-side navigation pane, choose .
3. On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.
4. In the Create TLS Security Policy dialog box, set the parameters. The following table describes only the parameters that are relevant to this topic. You can set the other parameters based on your business requirements, or use the default values. After you set the parameters, click Create.
Parameter | Description
--- | ---
Name | Enter a name for the TLS security policy.
Minimal Version | Select the lowest TLS version that the policy accepts. Valid values: TLS 1.0 or later, TLS 1.1 or later, and TLS 1.2 or later.
Enable TLS 1.3 | Select whether to enable TLS 1.3. Important: To enable TLS 1.3, you must select a cipher suite that is supported by TLS 1.3. If you do not select a supported cipher suite, the system may fail to create the connection.
Cipher Suite | Select cipher suites that are supported by the specified TLS versions.
After you create the custom TLS security policy, you must create a listener that uses SSL over TCP, and an SSL certificate. For more information, see Add a listener that uses SSL over TCP.
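The following Python is an added example, not code from the NLB documentation or console: it encodes the policy tables above, applies the console's rules for a custom policy (in particular the Important note that enabling TLS 1.3 requires a TLS 1.3 cipher suite), and builds a local OpenSSL server context with the same version bounds so the policy can be handshake-tested offline before it is attached to a listener. The function names and the grouping of suites into three lists are my own.

```python
import ssl

# Cipher suite groups taken from the policy comparison table on this page.
ECDHE_SUITES = [  # forward-secret suites, present in all five system policies
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
]
LEGACY_SUITES = [  # RSA key exchange and 3DES; dropped by the two *_strict policies
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]
TLS13_SUITES = [  # only in tls_cipher_policy_1_2_strict_with_1_3
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
]
V = ssl.TLSVersion
# Policy name -> (Minimal Version, Enable TLS 1.3, Cipher Suite), as in the system policy table.
SYSTEM_POLICIES = {
    "tls_cipher_policy_1_0": (V.TLSv1, False, ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_1": (V.TLSv1_1, False, ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_2": (V.TLSv1_2, False, ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_2_strict": (V.TLSv1_2, False, ECDHE_SUITES),
    "tls_cipher_policy_1_2_strict_with_1_3": (V.TLSv1_2, True, ECDHE_SUITES + TLS13_SUITES),
}

def validate_custom_policy(min_version, enable_tls13, suites):
    """Check a custom policy against the console rules; returns a list of problems (empty = OK)."""
    problems = []
    unknown = [s for s in suites if s not in ECDHE_SUITES + LEGACY_SUITES + TLS13_SUITES]
    if unknown:  # the console only offers the suites listed on this page
        problems.append("unknown cipher suites: " + ", ".join(unknown))
    has_tls13_suite = any(s in TLS13_SUITES for s in suites)
    if enable_tls13 and not has_tls13_suite:  # the "Important" note: TLS 1.3 needs a 1.3 suite
        problems.append("TLS 1.3 is enabled but no TLS 1.3 cipher suite is selected")
    if has_tls13_suite and not enable_tls13:  # suites must match the versions the policy allows
        problems.append("TLS 1.3 cipher suites are selected but TLS 1.3 is not enabled")
    return problems

def to_ssl_context(min_version, enable_tls13, suites):
    """Local OpenSSL server context with the policy's version bounds and TLS 1.2 suites,
    for offline handshake tests. OpenSSL fixes its TLS 1.3 suite list; Python cannot narrow it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.maximum_version = V.TLSv1_3 if enable_tls13 else V.TLSv1_2
    ctx.set_ciphers(":".join(s for s in suites if s not in TLS13_SUITES))
    return ctx
```

Run `validate_custom_policy(*SYSTEM_POLICIES["tls_cipher_policy_1_2_strict_with_1_3"])` to confirm every system policy passes its own rules, and drop TLS 1.3 suites from that tuple to see the Important note reproduced as a problem.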
References
For more information about how to configure a listener that uses SSL over TCP, see Add a listener that uses SSL over TCP.
For more information about how to configure listeners that use SSL over TCP for different scenarios, see Use NLB to enable SSL offloading over TCP (one-way authentication) and Use NLB to enable SSL offloading over TCP (mutual authentication).