I'm curious about how to merge the low latency benefits of Network Load Balancers (NLB) with the security features provided by TLS. I've heard that NLBs don't support TLS since they terminate SSL/TLS but can't inspect encrypted traffic, which is crucial for managing session cookies. However, I came across some suggestions about stacking an NLB before an Application Load Balancer (ALB), which can incorporate Web Application Firewall (WAF) functionalities and mutual TLS. Has anyone tried this NLB-ALB stack or have other strategies to achieve low latency with TLS security?
3 Answers
Actually, NLBs can do TLS termination, but they miss out on Layer 7 features like cookie-based stickiness and WAF. If you need those, then go for ALBs. If you want the static IP and PrivateLink features of NLBs, you can link them by creating an ALB type Target Group for the NLB. Check out this guide for more details: [AWS Blog on NLB and ALB integration](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/)
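The NLB-in-front-of-ALB layout described in the answer above, written out as Terraform so the moving parts are visible. This is an added illustration, not code from the answerer, the question author or AWS: the NLB only forwards TCP/443 to an ALB-type target group, while the ALB terminates TLS, applies a WAFv2 web ACL and handles cookie stickiness. Every resource name, variable, port, health-check path and ARN is a placeholder chosen for the example.

```hcl
# Added example (not from the thread): public NLB -> ALB-type target group -> internal ALB.
# Names, subnets, ports, the /healthz path and all ARNs are assumptions for illustration.

variable "vpc_id"             { type = string }        # e.g. "vpc-PLACEHOLDER"
variable "public_subnet_ids"  { type = list(string) }  # NLB subnets (static IPs land here)
variable "private_subnet_ids" { type = list(string) }  # ALB subnets, same VPC as the NLB
variable "certificate_arn"    { type = string }        # ACM certificate presented by the ALB
variable "web_acl_arn"        { type = string }        # existing AWS WAFv2 web ACL (regional)

# Layer 7 tier: the ALB terminates TLS and is where stickiness and WAF live.
resource "aws_lb" "app" {
  name               = "app-alb"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids
}

resource "aws_lb_target_group" "instances" {
  name        = "app-instances"
  port        = 8080
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "instance"

  stickiness {
    type            = "lb_cookie"   # cookie-based stickiness is an ALB-only feature
    cookie_duration = 3600
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"  # TLS 1.2/1.3 only
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.instances.arn
  }
}

# WAF attaches to the ALB, because only the ALB sees decrypted HTTP.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = var.web_acl_arn
}

# Layer 4 tier: the NLB gives static IPs / PrivateLink and passes TCP through untouched.
resource "aws_lb" "edge" {
  name               = "edge-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = var.public_subnet_ids
}

# Target group whose single target is the ALB itself (target_type = "alb").
resource "aws_lb_target_group" "to_alb" {
  name        = "edge-to-alb"
  port        = 443                 # must match the ALB listener port above
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "alb"

  health_check {
    protocol = "HTTPS"
    port     = "443"
    path     = "/healthz"           # assumed application health endpoint
    matcher  = "200-399"
  }
}

resource "aws_lb_target_group_attachment" "alb" {
  target_group_arn = aws_lb_target_group.to_alb.arn
  target_id        = aws_lb.app.arn  # for target_type "alb" the target id is the ALB ARN
  port             = 443
}

resource "aws_lb_listener" "edge_tcp" {
  load_balancer_arn = aws_lb.edge.arn
  port              = 443
  protocol          = "TCP"         # no TLS on the NLB: the handshake ends at the ALB

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.to_alb.arn
  }
}
```

Two constraints worth checking before applying this: the ALB and the NLB must be in the same VPC, and the ALB-type target group's port has to equal the ALB listener port, since the NLB health-checks the ALB on that port. Keeping the NLB listener on plain TCP means the NLB never holds a certificate, so the TLS configuration and its policy are audited in exactly one place, the ALB listener.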
You could place the NLB in front of the ALB, or just directly in front of your instances with a WAF installed that then forwards the requests to your application. Both setups can work depending on your needs.
I've been using NLBs together with ingress gateways in my Kubernetes setups. The ingress manages the TLS part, while the NLB just routes the traffic. It's a straightforward and effective method.

Thanks for this! That's super helpful.