When you configure a TCP/SSL listener for an NLB instance, the TLS security policy defines the supported TLS protocol versions and cipher suites for TLS handshakes with clients. You can select from several system-defined security policies, or create a custom one if you have specific security or compliance requirements.
How it works
A TLS security policy for an NLB instance defines the TLS protocol versions and cipher suites that the instance supports during a TLS handshake. During the handshake, a client sends a list of the protocol versions and cipher suites it supports in the Client Hello message. Based on the policy, the NLB instance selects a mutually supported protocol version and cipher suite combination and responds with a Server Hello message. Subsequent steps, such as key exchange and session key generation, use this negotiated combination.
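The selection step described above, as an added model that is not NLB's own code: the real choice is made inside the load balancer, and this Python sketch only reproduces standard TLS server behaviour (highest mutually supported version first, then the first suite in the policy's own preference order that the client also offered and that is valid for that version). The policy and Client Hello values are constructed for the example; TLS 1.3 suites are tracked separately because they are never usable with TLS 1.2 and below, and vice versa.

```python
"""Model of how a TCP/SSL listener negotiates a protocol version and cipher
suite against its TLS security policy (added illustration, not NLB code)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Protocol versions from lowest to highest.
VERSION_ORDER = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# TLS 1.3 defines its own suite names; they cannot be used on TLS 1.2 and
# below, and pre-1.3 suites cannot be used on TLS 1.3.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})


@dataclass(frozen=True)
class SecurityPolicy:
    """Versions and cipher suites (in server preference order) a listener allows."""
    tls_versions: Sequence[str]
    ciphers: Sequence[str]


@dataclass(frozen=True)
class ClientHello:
    """The parts of a Client Hello that matter here: offered versions and suites."""
    versions: Sequence[str]
    ciphers: Sequence[str]


def negotiate(policy: SecurityPolicy, hello: ClientHello) -> Optional[Tuple[str, str]]:
    """Return the (version, cipher) the listener would answer with in its
    Server Hello, or None when no mutually supported combination exists
    (the handshake fails)."""
    common_versions = [v for v in VERSION_ORDER
                       if v in policy.tls_versions and v in hello.versions]
    if not common_versions:
        return None
    version = common_versions[-1]          # highest mutually supported version
    want_tls13 = version == "TLSv1.3"
    offered = set(hello.ciphers)
    for cipher in policy.ciphers:          # the policy's order wins, not the client's
        if (cipher in TLS13_SUITES) == want_tls13 and cipher in offered:
            return version, cipher
    # A shared version with no usable suite for it still fails the handshake
    # in this model; a real server may behave differently at this edge.
    return None


if __name__ == "__main__":
    # Constructed sample policy: TLS 1.2/1.3 only, forward-secret suites only.
    policy = SecurityPolicy(
        tls_versions=("TLSv1.2", "TLSv1.3"),
        ciphers=("TLS_AES_256_GCM_SHA384",
                 "ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256"),
    )
    modern = ClientHello(("TLSv1.2", "TLSv1.3"),
                         ("TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"))
    legacy = ClientHello(("TLSv1.0", "TLSv1.1"), ("AES128-SHA",))
    print("modern client:", negotiate(policy, modern))
    print("legacy client:", negotiate(policy, legacy))
```

The model makes two points visible: the policy's cipher order, not the client's, decides which suite wins when several overlap, and a client that only speaks a version or suite the policy does not list gets a handshake failure rather than a downgrade.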
Default policies
For internet-facing applications without special compatibility requirements, we recommend that you use the tls_cipher_policy_1_2 policy or a higher version.
Console
Go to the TLS security policy page in the NLB console. On the System default policy tab, view the policy details.
API
Call the ListSystemSecurityPolicy operation to query the system default policies.
Custom policies
Create a custom policy
Console
- Go to the TLS Security Policies page in the NLB console and select the region of your NLB instance.
- Click Create Custom Policy, configure the parameters, then click Create.
  - Minimum version: If your workloads have no special compatibility needs, select TLS 1.2 or Later for enhanced security.
  - Enable TLS 1.3: Enable this option for services whose clients support it. TLS 1.3 removes static RSA key exchange and legacy cipher suites and completes a full handshake in one fewer round trip, which improves both security and performance.
  - Cipher suite: Select cipher suites that are compatible with the selected TLS versions. TLS 1.3 uses its own set of cipher suites, so a policy that enables TLS 1.3 needs at least one TLS 1.3 suite, and a policy that also allows TLS 1.2 needs at least one TLS 1.2 suite.

After creating the policy, you can select it when you configure a TLS security policy for a listener.
API
Call the CreateSecurityPolicy operation to create a custom policy in the same region as your NLB instance.
Update a custom policy
Console
- Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
- Find the target custom policy and click Edit in the Actions column. In the Edit TLS Security Policy dialog box, update the TLS protocol versions or cipher suites.
API
Call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.
Replicate a custom policy
Console
- Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
- Find the target custom policy, click Replicate to Other Regions in the Actions column, select a destination region, and then click OK.
API
Call ListSecurityPolicy to obtain parameters such as TlsVersion and Ciphers from a custom policy. When you call CreateSecurityPolicy to create a custom policy, pass these parameters and set the RegionId field to the ID of the destination region.
Delete a custom policy
You cannot delete a custom policy that is in use by a listener. To delete the policy, you must first either change the listener's TLS security policy or delete the listener.
Console
- Go to the TLS Security Policies page in the NLB console and select the region of the custom policy.
- Find the target custom policy, click Delete in the Actions column, then click OK.
API
Call the DeleteSecurityPolicy operation to delete a custom policy.
Configure a TLS security policy
Console
- When you create a TCP/SSL listener, select a TLS security policy on the Configure SSL Certificate tab. When you quickly create a TCP/SSL listener, select a TLS security policy in the Quick Create Listener dialog box.
- To modify a TLS security policy, navigate to the Listener tab on the instance details page. Click the ID of the target TCP/SSL listener to open the Listener Details page. In the SSL Certificate section, modify the TLS security policy.
API
When you call the CreateListener operation to create a TCP/SSL listener or the UpdateListenerAttribute operation to update the configuration of a TCP/SSL listener, set the SecurityPolicyId parameter to the ID of the TLS security policy.
- Call the ListSystemSecurityPolicy operation to query the SecurityPolicyId of a default policy.
- Call the ListSecurityPolicy operation to query the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge. You are only billed for the NLB instances that you use. For more information, see NLB billing rules.
Production considerations
- Backend traffic security: A TCP/SSL listener terminates TLS on the NLB instance. Traffic between the client and the NLB instance is encrypted, but traffic between the NLB instance and its backend servers is forwarded in plaintext by default, so this is not end-to-end encryption. To limit exposure of the plaintext hop, deploy the NLB instance and the backend servers in the same VPC and strictly control access to the backend servers by using security groups and other policies.
- TLS version: If your application has no special compatibility requirements, enable only TLS 1.2 and TLS 1.3.
- Change rollbacks: Removing a protocol version or cipher suite from a listener's policy breaks clients that support nothing else. If issues occur after you modify the TLS security policy, immediately roll back the change by modifying the listener configuration. Make these changes during off-peak hours to minimize potential service disruption, and confirm the negotiated version and cipher suite from a client before and after the change, for example with openssl s_client -connect host:port.
- Key exchange algorithms: For production environments with no special compatibility requirements, avoid the following cipher suites, which use static RSA key exchange: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. These suites do not provide forward secrecy (a compromised server private key decrypts every previously recorded session), static RSA key exchange has a history of padding-oracle side-channel attacks, and DES-CBC3-SHA additionally uses 3DES, a 64-bit block cipher. Prioritize cipher suites that use ECDHE or DHE for key exchange.
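A pre-flight check for the points above and for the version/cipher compatibility rule in the custom-policy steps, as an added example that is not Alibaba Cloud tooling: it takes the TLS versions and OpenSSL-named cipher suites you would pass to CreateSecurityPolicy and reports static RSA suites without forward secrecy, 3DES, non-PFS suites placed ahead of PFS suites in the preference order, and suites that can never be negotiated with the selected versions. The version strings and the sample policies are constructed for the example; the TLS 1.3 suite names are the standard ones.

```python
"""Audit a custom NLB TLS security policy before creating or attaching it
(added example for this page, not Alibaba Cloud code)."""
from typing import List, Sequence

# Static RSA key exchange suites named on this page: no forward secrecy.
STATIC_RSA_SUITES = frozenset({
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA",
    "DES-CBC3-SHA",
})

# TLS 1.3 suites use their own names and only apply to TLSv1.3.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})

# Version strings as assumed by this example.
KNOWN_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")
LEGACY_VERSIONS = ("TLSv1.0", "TLSv1.1")


def has_forward_secrecy(cipher: str) -> bool:
    """All TLS 1.3 suites and every ECDHE/DHE suite use an ephemeral key exchange."""
    return cipher in TLS13_SUITES or cipher.startswith(("ECDHE-", "DHE-"))


def audit_policy(tls_versions: Sequence[str], ciphers: Sequence[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the policy
    passes every check this example implements."""
    findings: List[str] = []

    unknown = [v for v in tls_versions if v not in KNOWN_VERSIONS]
    if unknown:
        findings.append("unknown TLS version(s): " + ", ".join(unknown))
    legacy = [v for v in LEGACY_VERSIONS if v in tls_versions]
    if legacy:
        findings.append("legacy version(s) enabled: " + ", ".join(legacy)
                        + "; prefer TLS 1.2 or later")

    # Per-suite checks.
    for cipher in ciphers:
        if cipher in STATIC_RSA_SUITES:
            findings.append(f"{cipher}: static RSA key exchange, no forward secrecy")
        elif not has_forward_secrecy(cipher):
            findings.append(f"{cipher}: key exchange does not provide forward secrecy")
        if "DES-CBC3" in cipher or "3DES" in cipher:
            findings.append(f"{cipher}: 3DES is a 64-bit block cipher")

    # Preference order: the listener picks the first mutually supported suite
    # from the policy order, so a non-PFS suite listed early can beat PFS ones.
    pfs_pos = [i for i, c in enumerate(ciphers) if has_forward_secrecy(c)]
    non_pfs_pos = [i for i, c in enumerate(ciphers) if not has_forward_secrecy(c)]
    if pfs_pos and non_pfs_pos and min(non_pfs_pos) < max(pfs_pos):
        findings.append("a non-PFS suite is listed before PFS suites; "
                        "move ECDHE/DHE suites first")

    # Version/suite compatibility: each enabled version needs a usable suite,
    # and each selected suite needs a version it can run on.
    tls13_suites = [c for c in ciphers if c in TLS13_SUITES]
    pre13_suites = [c for c in ciphers if c not in TLS13_SUITES]
    pre13_versions = [v for v in tls_versions if v != "TLSv1.3"]
    tls13_enabled = "TLSv1.3" in tls_versions
    if tls13_enabled and not tls13_suites:
        findings.append("TLSv1.3 enabled but no TLS 1.3 cipher suite selected")
    if tls13_suites and not tls13_enabled:
        findings.append("TLS 1.3 suite(s) selected but TLSv1.3 not enabled: "
                        + ", ".join(tls13_suites))
    if pre13_versions and not pre13_suites:
        findings.append("pre-1.3 version(s) enabled but no pre-1.3 cipher suite selected")
    if pre13_suites and not pre13_versions:
        findings.append("only TLSv1.3 enabled; pre-1.3 suites will never be negotiated: "
                        + ", ".join(pre13_suites))
    return findings


if __name__ == "__main__":
    # Constructed sample: a policy that still carries the suites this page warns about.
    for line in audit_policy(["TLSv1.2"],
                             ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                              "DES-CBC3-SHA"]):
        print("finding:", line)
```

Run it against the exact version and cipher lists you intend to submit; a policy that yields no findings has only forward-secret suites, no 3DES, and a usable suite for every enabled version.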
TLS cipher suite mapping
This table maps TLS cipher suite names to their OpenSSL format, IANA standard format, and hexadecimal values.