When you configure a TCP/SSL listener for a Network Load Balancer (NLB) instance, a TLS security policy determines which TLS protocol versions and cipher suites the instance supports during the TLS handshake with clients. NLB provides several system-defined security policies that you can select. For use cases with specific security or compliance requirements, create a custom security policy instead.
How it works
A TLS security policy, configured on an NLB instance, defines the TLS protocol versions and cipher suites the NLB instance supports. During the TLS handshake, the client sends a list of its supported protocol versions and cipher suites in the Client Hello message. The NLB instance then selects a mutually supported protocol version and cipher suite based on the security policy and responds with a Server Hello message. Subsequent steps, such as key exchange and session key generation, then use these negotiated parameters.
Default policies
For internet-facing applications with no special compatibility requirements, we recommend using tls_cipher_policy_1_2 or a higher version.
Console
Go to the TLS Security Policies page in the NLB console and view policy details on the Default Policy tab.
API
Call the ListSystemSecurityPolicy operation to list the default policies.
Custom policies
Create a custom policy
Console
Go to the TLS Security Policies page in the NLB console and select the region where your NLB instance is located.
Click Create Custom Policy, configure the following parameters, then click Create.
Minimum Version: If your workloads have no special compatibility needs, select TLS 1.2 or Later for enhanced security.
Enable TLS 1.3: For compatible services, enable this option to improve security and performance.
Cipher Suite: Select cipher suites that are compatible with the selected TLS versions.
After the policy is created, you can select it when you configure a TLS security policy for a listener.
API
Call the CreateSecurityPolicy operation to create a custom policy. Note that the custom policy must be in the same region as your NLB instance.
Update custom policy attributes
Console
Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
Find the target custom policy and click Modify in the Actions column. In the Modify TLS Security Policy dialog box, update the TLS version or cipher suite.
API
Call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.
Replicate a custom policy to another region
Console
Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
Find the target custom policy, and click Replicate to Other Regions in the Actions column. Select a destination region and click OK.
API
Call the ListSecurityPolicy operation to retrieve the values of the TlsVersion and Ciphers parameters from the custom policy. Then, call CreateSecurityPolicy to create a new custom policy, passing the retrieved values and setting RegionId to the ID of the destination region in the request.
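The replicate-via-API flow above, as an added example that is not Alibaba Cloud's own code: `call(action, params)` is an assumed thin wrapper around the NLB OpenAPI (for example the aliyun CLI or the SDK) that returns the response body as a dict; apart from ListSecurityPolicy, CreateSecurityPolicy, RegionId, TlsVersion and Ciphers, which the page names, every field name, region ID and policy ID here is an assumption or a constructed sample. The helper also refuses to copy a policy that still allows TLS 1.0/1.1 unless explicitly told to, matching the TLS 1.2 floor recommended on this page.

```python
from typing import Any, Callable, Dict, List

ApiCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]
LEGACY_VERSIONS = {"TLSv1.0", "TLSv1.1"}  # below the TLS 1.2 floor this page recommends


def replicate_policy(call: ApiCall, policy_id: str, src_region: str,
                     dst_region: str, allow_legacy: bool = False) -> str:
    """Copy custom policy `policy_id` from src_region into dst_region; return the new ID."""
    resp = call("ListSecurityPolicy",
                {"RegionId": src_region, "SecurityPolicyIds": [policy_id]})  # assumed filter name
    found = [p for p in resp.get("SecurityPolicies", [])  # assumed response field
             if p.get("SecurityPolicyId") == policy_id]
    if len(found) != 1:
        raise LookupError(f"policy {policy_id} not found in {src_region}")
    src = found[0]
    raw = src["TlsVersion"]  # page: TlsVersion; assumed comma-separated string or list
    versions: List[str] = [v.strip() for v in raw.split(",")] if isinstance(raw, str) else list(raw)
    legacy = sorted(LEGACY_VERSIONS & set(versions))
    if legacy and not allow_legacy:
        raise ValueError(f"refusing to replicate a policy that still allows {legacy}")
    created = call("CreateSecurityPolicy", {
        "RegionId": dst_region,  # custom policies are region-scoped, so RegionId selects the target
        "SecurityPolicyName": src.get("SecurityPolicyName", policy_id),  # assumed field name
        "TlsVersions": versions,  # assumed request field name
        "Ciphers": list(src["Ciphers"]),
    })
    return created["SecurityPolicyId"]


class FakeNlbApi:
    """Constructed in-memory stand-in for the two operations so the example runs offline."""

    def __init__(self) -> None:
        self.policies = {("cn-hangzhou", "sp-example1"): {  # constructed sample policy
            "SecurityPolicyId": "sp-example1", "SecurityPolicyName": "strict-tls12",
            "TlsVersion": "TLSv1.2,TLSv1.3",
            "Ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"]}}
        self.counter = 0

    def __call__(self, action: str, params: Dict[str, Any]) -> Dict[str, Any]:
        if action == "ListSecurityPolicy":
            wanted = set(params.get("SecurityPolicyIds", []))
            return {"SecurityPolicies": [p for (r, pid), p in self.policies.items()
                                         if r == params["RegionId"] and (not wanted or pid in wanted)]}
        if action == "CreateSecurityPolicy":
            self.counter += 1
            new_id = f"sp-copy{self.counter}"
            self.policies[(params["RegionId"], new_id)] = {
                "SecurityPolicyId": new_id, "SecurityPolicyName": params["SecurityPolicyName"],
                "TlsVersion": ",".join(params["TlsVersions"]), "Ciphers": params["Ciphers"]}
            return {"SecurityPolicyId": new_id}
        raise NotImplementedError(action)
```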
Delete a custom policy
A custom policy cannot be deleted while it is used by a listener. To delete the policy, you must first either change the listener's TLS security policy or delete the listener.
Console
Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
Find the target custom policy, click Delete in the Actions column, then click OK.
API
Call the DeleteSecurityPolicy operation to delete a custom policy.
Configure a TLS security policy for a listener
Console
When creating a TCP/SSL listener, select a TLS Security Policy either in the Configure SSL Certificate step or in the Quick Create Listener dialog box.
To change a TLS security policy for a listener, navigate to the Listener tab on the instance details page. Click the ID of the target listener to go to the Listener Details page. In the SSL Certificate section, change the TLS Security Policy.
API
When you call the CreateListener operation to create a TCP/SSL listener or call UpdateListenerAttribute to update the configuration of a TCP/SSL listener, set the SecurityPolicyId parameter to the ID of the TLS security policy.
Call ListSystemSecurityPolicy to query the SecurityPolicyId of a default policy. Call ListSecurityPolicy to query the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge. You are charged only for the NLB instances you use. For more information, see NLB billing rules.
Apply in production
Backend traffic security: Traffic between the client and the NLB instance is encrypted by using SSL over TCP, but traffic between the NLB instance and its backend servers is unencrypted (plaintext) by default. For end-to-end security, deploy the NLB instance and backend servers in the same VPC and strictly control access by using security groups and other policies.
TLS version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3 for enhanced security.
Change rollback: If you encounter issues after changing the TLS security policy for a listener, change it back to the previous policy. Perform such changes during off-peak hours to minimize potential service disruption.