If you use a Layer 4 load balancer and want to protect traffic with SSL/TLS, one option is to install an SSL certificate on every backend server and let each server terminate TLS itself. This duplicates certificate management and handshake cost across the whole fleet. Instead, you can use the SSL offloading feature of Network Load Balancer (NLB): deploy an NLB instance as the ingress, configure the SSL certificate on the NLB instance, and let it terminate TLS and forward the decrypted traffic to the backend servers as plaintext. This removes TLS processing from the backend servers, centralizes certificate configuration, and keeps the client-facing connection encrypted. Note that the leg between the NLB instance and the backend servers is then plaintext, so the backend servers should only be reachable from the NLB instance over the internal network. For scenarios that require SSL offloading for TCP traffic, NLB provides a set of system TLS security policies. You can select a system TLS security policy or configure a custom TLS security policy to restrict the TLS versions and cipher suites that your listeners accept.
System TLS security policies
A TLS security policy consists of a set of TLS versions and a set of cipher suites. A policy with a later minimum TLS version provides stronger protection but is compatible with fewer clients (browsers and other TLS clients).
| Security policy | Supported TLS versions | Supported cipher suites |
|---|---|---|
| tls_cipher_policy_1_0 | TLSv1.0, TLSv1.1, TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA |
| tls_cipher_policy_1_1 | TLSv1.1, TLSv1.2 | Same cipher suites as tls_cipher_policy_1_0 |
| tls_cipher_policy_1_2 | TLSv1.2 | Same cipher suites as tls_cipher_policy_1_0 |
| tls_cipher_policy_1_2_strict | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3 | TLSv1.2, TLSv1.3 | Same TLSv1.2 cipher suites as tls_cipher_policy_1_2_strict, plus the TLSv1.3 suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256 |
Differences between system TLS security policies
In the following table, a check mark (✔) indicates that the TLS version or cipher suite is included in the security policy. A hyphen (-) indicates that it is not included.

| | | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
|---|---|---|---|---|---|---|
| TLS | v1.0 | ✔ | - | - | - | - |
| TLS | v1.1 | ✔ | ✔ | - | - | - |
| TLS | v1.2 | ✔ | ✔ | ✔ | ✔ | ✔ |
| TLS | v1.3 | - | - | - | - | ✔ |
| Cipher suite | ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-ECDSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-ECDSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - |
| Cipher suite | AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - |
| Cipher suite | AES128-SHA256 | ✔ | ✔ | ✔ | - | - |
| Cipher suite | AES256-SHA256 | ✔ | ✔ | ✔ | - | - |
| Cipher suite | ECDHE-ECDSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-ECDSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| Cipher suite | AES128-SHA | ✔ | ✔ | ✔ | - | - |
| Cipher suite | AES256-SHA | ✔ | ✔ | ✔ | - | - |
| Cipher suite | DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - |
| Cipher suite | TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ |
| Cipher suite | TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ |
| Cipher suite | TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ |
| Cipher suite | TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ |
| Cipher suite | TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ |

The two strict policies differ from the others in that they drop every suite without an ephemeral (ECDHE) key exchange, including the static-RSA AES suites and DES-CBC3-SHA (3DES). They still include the ECDHE CBC suites with an HMAC-SHA1 MAC, such as ECDHE-RSA-AES128-SHA; if you want to exclude those as well, use a custom TLS security policy.
Custom TLS security policies
Applicable scenarios
In addition to the system TLS security policies, NLB allows you to configure custom TLS security policies. For example, you can restrict the TLS versions that a listener accepts, or disable specific cipher suites that a system policy would otherwise allow.
Procedure
To create a custom TLS security policy, perform the following steps:
1. Log on to the NLB console.
2. In the left-side navigation pane, go to the TLS Security Policies page.
3. On the TLS Security Policies page, click the Custom Policy tab, and then click Create Custom Policy.
4. In the Create TLS Security Policy dialog box, configure the following parameters, keep the default values for the other parameters or adjust them to your business needs, and then click Create.
| Parameter | Description |
|---|---|
| Minimal Version | The minimum TLS version that the policy accepts. Valid values: TLS 1.0 or later, TLS 1.1 or later, TLS 1.2 or later. |
| Enable TLS 1.3 | Specifies whether to enable TLS 1.3. Important: if you enable TLS 1.3, you must also select at least one cipher suite that TLS 1.3 supports (the TLS_* suites). Otherwise, a TLS 1.3 client is offered no usable suite and the connection cannot be established. |
| Cipher Suite | The cipher suites that the policy accepts. Only cipher suites supported by the selected TLS versions can be chosen. |
After you create the custom TLS security policy, create a listener that uses SSL over TCP and configure an SSL certificate for it; the policy is applied through the listener. For more information, see Add a listener that uses SSL over TCP.
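The following Python script is an added example; it is not Alibaba Cloud code and not part of this documentation. It transcribes the system policies from the tables above into data, derives the security properties of each cipher suite from its name (ephemeral key exchange, AEAD, block size, HMAC-SHA1), flags the points a reviewer would raise when deciding between a system policy and a custom one, and includes a probe that connects to a live TCP/SSL listener one protocol version at a time to confirm what the listener actually negotiates after you attach a policy. The host and port passed to probe_version are placeholders you supply; the probe disables certificate validation because it checks the negotiated protocol, not the certificate, so point it only at listeners you operate.

```python
"""Audit NLB TLS security policies and verify what a TCP/SSL listener negotiates.

Added example, not Alibaba Cloud code. Policy contents are transcribed from the
tables on this page; host/port for the live probe are placeholders.
"""
import socket
import ssl
from dataclasses import dataclass

# TLSv1.2 suites shared by tls_cipher_policy_1_0, _1_1 and _1_2 (from the page).
_LEGACY_TLS12 = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]
# The strict policies keep only the ECDHE suites of the list above.
_STRICT_TLS12 = [c for c in _LEGACY_TLS12 if c.startswith("ECDHE-")]
_TLS13 = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
]

# policy name -> (accepted protocol versions, accepted cipher suites)
SYSTEM_POLICIES = {
    "tls_cipher_policy_1_0": ({"TLSv1.0", "TLSv1.1", "TLSv1.2"}, _LEGACY_TLS12),
    "tls_cipher_policy_1_1": ({"TLSv1.1", "TLSv1.2"}, _LEGACY_TLS12),
    "tls_cipher_policy_1_2": ({"TLSv1.2"}, _LEGACY_TLS12),
    "tls_cipher_policy_1_2_strict": ({"TLSv1.2"}, _STRICT_TLS12),
    "tls_cipher_policy_1_2_strict_with_1_3": ({"TLSv1.2", "TLSv1.3"}, _STRICT_TLS12 + _TLS13),
}


@dataclass(frozen=True)
class SuiteProps:
    name: str
    forward_secrecy: bool  # ephemeral key exchange (ECDHE/DHE, or any TLS 1.3 suite)
    aead: bool             # GCM, CCM or ChaCha20-Poly1305: no separate MAC
    block_bits: int        # 64 for 3DES, 128 for AES, 0 for stream constructions
    sha1_mac: bool         # HMAC-SHA1 record MAC (OpenSSL name ends in "-SHA")


def parse_suite(name: str) -> SuiteProps:
    """Derive security properties from an OpenSSL-style or TLS 1.3 suite name."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only AEAD and hash; key exchange is always ephemeral.
        return SuiteProps(name, True, True, 0 if "CHACHA20" in name else 128, False)
    fs = name.startswith("ECDHE-") or name.startswith("DHE-")
    aead = "-GCM-" in name or "-CCM" in name or "CHACHA20" in name
    block = 64 if "DES-CBC3" in name or "3DES" in name else (128 if "AES" in name else 0)
    return SuiteProps(name, fs, aead, block, name.endswith("-SHA"))


def audit_policy(versions: set, suites: list) -> dict:
    """Return the findings a reviewer would raise against a policy (empty lists = clean)."""
    props = [parse_suite(s) for s in suites]
    return {
        "legacy_versions": sorted(v for v in versions if v in {"TLSv1.0", "TLSv1.1"}),
        "no_forward_secrecy": [p.name for p in props if not p.forward_secrecy],
        "sweet32_64bit_block": [p.name for p in props if p.block_bits == 64],
        "cbc_sha1": [p.name for p in props if not p.aead and p.sha1_mac],
    }


def is_strict(versions: set, suites: list) -> bool:
    """True when no legacy version, no static key exchange and no 64-bit block cipher remain."""
    f = audit_policy(versions, suites)
    return not (f["legacy_versions"] or f["no_forward_secrecy"] or f["sweet32_64bit_block"])


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Offer exactly one protocol version to a live listener.

    Returns (negotiated_version, cipher_name), or None when the handshake fails.
    Certificate validation is disabled on purpose: this checks the negotiated
    policy, not the certificate. Use it only against listeners you operate.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
            # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    for name, (versions, suites) in SYSTEM_POLICIES.items():
        print(name, "strict" if is_strict(versions, suites) else "not strict", audit_policy(versions, suites))
    # Placeholder target: replace with the NLB listener you are verifying.
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe_version("nlb.example.internal", 443, v))
```

Running audit_policy over tls_cipher_policy_1_2_strict shows that the strict system policies still accept the ECDHE CBC suites with an HMAC-SHA1 MAC (for example ECDHE-RSA-AES128-SHA); a custom policy with Minimal Version set to TLS 1.2, TLS 1.3 enabled, and only the GCM, CCM and ChaCha20 suites selected drops them. The probe returns None both when the listener rejects a version and when the local OpenSSL refuses to offer it, so compare its output against a listener with a known policy before trusting a negative result.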
References
For more information about how to configure a TCP/SSL listener, see Add a TCP/SSL listener.
For more information about configuring TCP/SSL listeners for different scenarios, see Use NLB to enable SSL offloading over TCP (one-way authentication) and Use NLB to enable SSL offloading over TCP (mutual authentication).