SSL Offloading – AWS Application Load Balancer

Did you know that the AWS Application Load Balancer (ALB) supports SSL/TLS offloading out of the box? To start, request an Amazon-issued certificate from AWS Certificate Manager (ACM). Then attach that certificate to an HTTPS:443 listener on the ALB and forward the traffic to a target group that talks to your instances over HTTP:80. The ALB terminates TLS, so the instances themselves never need a certificate or a TLS configuration.

One great benefit of this setup is that ACM renews the certificate attached to the ALB automatically, which eliminates the manual work of renewing certificates on each instance. Note that automatic renewal only applies to Amazon-issued certificates that are still in use and whose validation record (the DNS CNAME, for DNS-validated certificates) is still in place; certificates you import into ACM are not renewed for you.

An important consideration is that traffic from the ALB onward into your infrastructure is plain HTTP, not encrypted. In some environments this is not acceptable: in-transit traffic must be encrypted at all times, even inside your VPC. In that case use an HTTPS target group instead, so the ALB terminates the client's TLS session and opens a new one to the instance. Another consideration is that an open port 80 on a compute instance is not ideal. Make sure the instance's security group restricts inbound port 80 to the ALB only: the tightest rule references the ALB's security group as the source rather than a VPC or subnet CIDR, since anything else in that CIDR would otherwise be able to reach the plaintext port. Without such a rule, and with a public IP on the instance, you risk exposing unencrypted traffic to the whole internet.
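The complete setup described above, written out as Terraform (an added example, not code from the original post). It assumes an existing VPC, public subnets, a Route 53 hosted zone for DNS validation and an existing instance, all passed in as variables; the hostname app.example.com and the "web" resource names are placeholders. It goes slightly beyond the text in one respect: the instance's port 80 is opened to the ALB's security group only, rather than to a VPC or subnet range.

```terraform
# Added example: ALB TLS offloading with an ACM certificate.
# Assumed inputs (placeholders): VPC, public subnets, a Route 53 zone and an instance.
variable "vpc_id"         { type = string }
variable "public_subnets" { type = list(string) }
variable "instance_id"    { type = string }
variable "zone_id"        { type = string } # Route 53 hosted zone used for DNS validation
variable "domain"         { default = "app.example.com" }

# 1. Amazon-issued certificate, DNS-validated so ACM can renew it automatically
#    as long as the validation CNAME below stays in place.
resource "aws_acm_certificate" "web" {
  domain_name       = var.domain
  validation_method = "DNS"
  lifecycle { create_before_destroy = true }
}

resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.web.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  zone_id = var.zone_id
  name    = each.value.name
  type    = each.value.type
  ttl     = 60
  records = [each.value.record]
}

resource "aws_acm_certificate_validation" "web" {
  certificate_arn         = aws_acm_certificate.web.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# 2. Security groups. The ALB accepts 443 from the internet; the instance accepts
#    80 only from the ALB's security group. The cross-references are separate
#    rule resources to avoid a dependency cycle between the two groups.
resource "aws_security_group" "alb" {
  name   = "web-alb"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "instance" {
  name   = "web-instance"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "alb_to_instance" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instance.id
}

resource "aws_security_group_rule" "instance_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.instance.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id # not a CIDR: only the ALB may reach port 80
}

# 3. ALB, plaintext HTTP:80 target group, and the HTTPS:443 listener carrying the certificate.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  subnets            = var.public_subnets
  security_groups    = [aws_security_group.alb.id]
}

resource "aws_lb_target_group" "web" {
  name     = "web-http"
  port     = 80
  protocol = "HTTP" # change to "HTTPS"/443 for end-to-end encryption
  vpc_id   = var.vpc_id
  health_check { path = "/" }
}

resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = var.instance_id
  port             = 80
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = aws_acm_certificate_validation.web.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

If traffic must stay encrypted inside the VPC, switch the target group to protocol HTTPS on port 443 and adjust both security group rules accordingly; the ALB then re-encrypts toward the instance. Be aware that the ALB does not validate the target's certificate, so a self-signed certificate on the instance works, but it also means the hop is encrypted without being authenticated.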