I'm trying to set up end-to-end encryption for my AWS EKS cluster. I'm considering using the AWS/k8s Gateway API Controller along with VPC Lattice to manage inbound connections, but I have a couple of questions. Should I incorporate a Network Load Balancer (NLB) targeting the VPC Lattice service, or are there better alternatives to an NLB? I've heard that using an Application Load Balancer (ALB) for end-to-end encryption has some limitations. Alternatively, could I use a public Nginx pod pointed to by a Route53 record? I appreciate any guidance on this!
1 Answer
Just a heads up, if you terminate TLS at a load balancer, it technically isn't true end-to-end encryption since it decrypts before reaching the final destination. As for the NLB, if you really want to maintain encryption, passing traffic through it might feel a bit overkill. However, it could be sufficient if your particular compliance needs allow for that.
Exactly! For things like HIPAA, having the ALB decrypt and then encrypt again to the container could be acceptable, even if it's not perfect. But if you'd like to keep the flow secure later down the line, the NLB seems like a heavy choice. Maybe there's an alternative approach!
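To make the distinction in the answer concrete, here is an added example (not from the original thread) in Gateway API terms. The first listener terminates TLS at the gateway, which is the ALB-style pattern the comment describes; the second uses TLS passthrough, so the gateway routes on SNI only and the pod terminates the session with its own certificate, which is the only configuration that is end-to-end in the strict sense. A BackendTLSPolicy is shown for the decrypt-and-re-encrypt variant. All names (edge-gateway, app-svc, app-edge-cert, app-backend-ca, app.example.com) are assumptions, the gatewayClassName is assumed to be the one installed by the AWS Gateway API Controller, and whether that controller accepts these exact resources (in particular how it resolves certificateRefs and whether it implements BackendTLSPolicy) must be checked against its own documentation.

```yaml
# Added example, not from the original post. Resource names and the
# gatewayClassName are assumptions; verify controller support before use.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge-gateway                      # assumed name
  namespace: default
spec:
  gatewayClassName: amazon-vpc-lattice    # assumed: class from the AWS Gateway API Controller
  listeners:
    # 1) Terminate: the gateway holds the private key and decrypts here.
    #    Traffic to the pod is plaintext unless a BackendTLSPolicy (below)
    #    re-encrypts it. Not end-to-end, but matches the "decrypt then
    #    encrypt again" pattern discussed in the comment.
    - name: https-terminate
      protocol: HTTPS
      port: 443
      hostname: app.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: app-edge-cert           # assumed: TLS Secret for the edge cert
      allowedRoutes:
        kinds:
          - kind: HTTPRoute
    # 2) Passthrough: the gateway never sees the private key. It reads the
    #    SNI from the ClientHello, forwards the raw TLS stream, and the pod
    #    completes the handshake with its own certificate. End-to-end.
    - name: tls-passthrough
      protocol: TLS
      port: 8443
      hostname: app.example.com
      tls:
        mode: Passthrough
      allowedRoutes:
        kinds:
          - kind: TLSRoute
---
# Route for the passthrough listener. Only the SNI hostname is available
# for matching; no path or header routing is possible because the payload
# is still encrypted at this point.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: app-passthrough
  namespace: default
spec:
  parentRefs:
    - name: edge-gateway
      sectionName: tls-passthrough
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: app-svc                   # assumed: Service whose pods terminate TLS
          port: 8443
---
# Re-encryption for the terminate listener: the gateway opens a new TLS
# session to the backend and validates the pod certificate against the CA
# in the referenced ConfigMap. This is the ALB-style "acceptable for
# compliance" setup; note the gateway still sees plaintext in between.
# BackendTLSPolicy is experimental-channel and its schema has changed
# between alpha versions; this is the v1alpha3 shape.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: app-backend-tls
  namespace: default
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: app-svc
  validation:
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: app-backend-ca              # assumed: ConfigMap holding ca.crt
    hostname: app-svc.default.svc.cluster.local   # name the pod cert must carry
```

A quick way to tell which mode is actually in effect from outside the cluster: connect with `openssl s_client -servername app.example.com -connect <gateway-address>:<port>` and compare the leaf certificate fingerprint it prints with the certificate mounted in the pod. If they match, the handshake reached the pod (passthrough); if the fingerprint is the edge certificate, TLS was terminated at the gateway regardless of what happens behind it.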