I'm exploring best practices for implementing end-to-end encryption in my AWS EKS cluster. I plan to utilize the AWS/k8s Gateway API Controller and VPC Lattice for managing incoming connections at the cluster/private level. Should I incorporate a Network Load Balancer (NLB) that targets the VPC Lattice service, or are there better networking options available? I've noticed that achieving end-to-end encryption with an Application Load Balancer (ALB) might have some limitations. Another alternative I'm considering is having a public Nginx pod that a Route53 record can redirect to. What recommendations do you have?
1 Answer
Just a heads up, terminating TLS with a load balancer can compromise the 'end-to-end' concept. If your TLS setup is solid, you should be good to go. But keep in mind, the NLB might seem a bit hefty for what you're planning, especially if you're looking for a lighter approach!

Yeah, I get that! From what I’ve seen regarding compliance (like HIPAA), using an ALB to decrypt and then re-encrypt for the instances isn’t perfect but often considered good enough. I guess you're right about the NLB, though—it can feel overkill. Just trying to find a more efficient solution!
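To make the distinction in the answer concrete (a listener that terminates TLS at the gateway, versus one that passes the TLS session through untouched so only the pod holds the private key), here is an added Kubernetes Gateway API example. It is not from the original thread or from the AWS controller's documentation, and it assumes a Gateway API implementation that supports both `Terminate` and `Passthrough` listener modes and the alpha `TLSRoute` resource; whether a given controller version (including the VPC Lattice one mentioned in the question) supports passthrough must be checked against its release notes. The GatewayClass name, hostnames, namespace, Secret and Service names are placeholders.

```yaml
# Added example, not from the original post. All names are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge-gateway
  namespace: ingress            # placeholder namespace
spec:
  gatewayClassName: example-gateway-class   # placeholder; use your controller's class
  listeners:
    # Listener A: TLS terminated at the gateway. The gateway holds the key,
    # decrypts, and forwards plaintext (or re-encrypts) to the backend.
    # This is the "decrypt then re-encrypt" pattern discussed above and is
    # NOT end-to-end: the gateway operator can read the traffic.
    - name: https-terminate
      protocol: HTTPS
      port: 443
      hostname: app.example.com            # placeholder
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: app-example-com-tls      # placeholder TLS Secret
      allowedRoutes:
        kinds:
          - kind: HTTPRoute
    # Listener B: TLS passthrough. The gateway only reads the SNI from the
    # ClientHello to pick a backend and never sees the private key or the
    # decrypted bytes, so the TLS session is end-to-end between client and pod.
    - name: tls-passthrough
      protocol: TLS
      port: 8443
      hostname: secure.example.com         # placeholder
      tls:
        mode: Passthrough                  # no certificateRefs: gateway has no key
      allowedRoutes:
        kinds:
          - kind: TLSRoute
---
# Route for the passthrough listener. Matching is on SNI only; the backend
# Service must itself serve TLS on the target port.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: secure-app-passthrough
  namespace: ingress            # placeholder
spec:
  parentRefs:
    - name: edge-gateway
      sectionName: tls-passthrough
  hostnames:
    - secure.example.com                   # placeholder, must match SNI
  rules:
    - backendRefs:
        - name: secure-app                 # placeholder Service that terminates TLS in-pod
          port: 8443
```

A quick way to confirm which mode you actually got: connect with `openssl s_client -servername secure.example.com -connect <gateway>:8443` and compare the presented certificate with the one mounted in the pod; in passthrough mode they are the same certificate, while a terminating listener presents the gateway's own certificate from the referenced Secret. For the re-encrypt pattern in listener A, also verify that the gateway validates the backend's certificate rather than skipping verification, since that second hop is where the "good enough" compliance argument relies on.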