Secure Communication for Legacy Protocol Applications with ELB and EC2 Instances | Exam Prep

Securing Communication between Client and EC2 Instances Behind ELB


Question

Your company has a set of EC2 Instances that are placed behind an ELB.

Some of the applications hosted on these instances communicate via a legacy protocol.

There is a security mandate that all traffic between the client and the EC2 Instances needs to be secure.

How would you accomplish this?

Answers

Explanations


Answer - D.

Since there are applications that work on legacy protocols, you need to ensure that the ELB can be used at the network layer as well.

Hence you should choose the Classic ELB.

Since the traffic needs to be secure all the way to the EC2 Instances, the SSL termination should occur on the EC2 Instances.

Options A and C are invalid because the Application Load Balancer does not support SSL pass-through.

You need to use a Classic Load Balancer.

Option B is incorrect since encryption is required all the way to the EC2 Instance.

For more information on HTTPS listeners for Classic Load Balancers, please refer to the URL below.

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html

The best option for securing traffic between the clients and the EC2 instances that communicate via a legacy protocol behind an ELB is to use an Application Load Balancer (ALB) and terminate the SSL connection at the EC2 instances (Option C).

Explanation:

  1. Application Load Balancer (ALB) vs. Classic Load Balancer (CLB):
  • ALB is a Layer 7 load balancer that can route traffic based on content such as URL or HTTP headers.
  • CLB is a Layer 4 load balancer that balances traffic based on IP and port.
  • ALB provides better performance, advanced routing capabilities, and more flexible security options.
  2. Terminating the SSL connection:
  • When SSL is terminated at the ELB, the ELB decrypts the incoming SSL traffic and forwards it in plain HTTP to the backend EC2 instances.
  • The reverse process happens for the outgoing traffic. The EC2 instance responds in plain HTTP, and the ELB encrypts it back into SSL before sending it to the client.
  3. Security:
  • Terminating SSL at the ELB provides security benefits such as SSL offloading and DDoS protection. However, it is not suitable for legacy protocols because they may not support SSL.
  • Terminating SSL at the EC2 instances provides end-to-end encryption between the client and the instances, ensuring that the legacy protocol traffic is secure.

Therefore, option C is the best choice for securing traffic between clients and EC2 instances that communicate via a legacy protocol behind an ELB.
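Both explanations above turn on the same question: for each listener, where does TLS terminate, and is the hop from the load balancer to the instance encrypted? The script below is an added example (not part of this page and not AWS code) that answers that question for Classic Load Balancer listeners. It assumes input in the JSON shape returned by `aws elb describe-load-balancers` (`LoadBalancerDescriptions` → `ListenerDescriptions` → `Listener`); the sample data is constructed for the example. A `TCP` → `TCP` listener is the pass-through case the first explanation describes (the ELB never sees the TLS session, so the instance must enforce it), while an `HTTPS`/`SSL` front end with an `HTTP`/`TCP` back end is the ELB-terminated case with a plaintext hop inside the VPC, which fails a mandate that requires encryption all the way to the instance.

```python
"""Audit Classic Load Balancer listeners for where TLS terminates.

Assumed input shape: `aws elb describe-load-balancers` output. The sample
below is constructed for this example and is not real account data.
"""
import json

# Constructed sample in the shape of `aws elb describe-load-balancers` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "legacy-app-elb",  # placeholder name
            "ListenerDescriptions": [
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                              "InstanceProtocol": "HTTP", "InstancePort": 80}},
                {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 5000,
                              "InstanceProtocol": "TCP", "InstancePort": 5000}},
                {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 6000,
                              "InstanceProtocol": "TCP", "InstancePort": 6000}},
                {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 8443,
                              "InstanceProtocol": "HTTPS", "InstancePort": 8443}},
            ],
        }
    ]
})

# Listener protocols on which the ELB itself speaks TLS.
ENCRYPTED = {"HTTPS", "SSL"}


def classify_listener(listener):
    """Classify one CLB listener by where TLS terminates.

    Returns one of:
      "pass-through"       TCP -> TCP: the ELB forwards raw bytes and never
                           decrypts; TLS must be terminated and enforced on
                           the instance (the pass-through design).
      "re-encrypted"       HTTPS/SSL front and HTTPS/SSL back: the ELB
                           terminates TLS, then encrypts the backend hop.
      "plaintext-backend"  HTTPS/SSL front and HTTP/TCP back: the ELB
                           terminates TLS and the backend hop is in the clear.
      "plaintext"          HTTP/TCP front and HTTP back: no TLS anywhere.
    """
    front = listener["Protocol"].upper()
    back = listener["InstanceProtocol"].upper()
    if front in ENCRYPTED:
        return "re-encrypted" if back in ENCRYPTED else "plaintext-backend"
    if front == "TCP" and back == "TCP":
        return "pass-through"
    return "plaintext"


def meets_mandate(status):
    """True when no hop between client and instance is decrypted by the ELB
    and then sent in the clear. Pass-through counts only if the instance
    itself enforces TLS, which this audit cannot see from listener config."""
    return status in {"pass-through", "re-encrypted"}


def audit(describe_output_json):
    """Return one finding per listener across all load balancers in the output."""
    findings = []
    for lb in json.loads(describe_output_json)["LoadBalancerDescriptions"]:
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            status = classify_listener(listener)
            findings.append({
                "lb": lb["LoadBalancerName"],
                "listener": (f'{listener["Protocol"]}:{listener["LoadBalancerPort"]}'
                             f' -> {listener["InstanceProtocol"]}:{listener["InstancePort"]}'),
                "status": status,
                "ok": meets_mandate(status),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DESCRIBE_OUTPUT):
        flag = "OK  " if f["ok"] else "FAIL"
        print(f'{flag} {f["lb"]} {f["listener"]} ({f["status"]})')
```

Run against real output by piping `aws elb describe-load-balancers --output json` into `audit()`. The only listener shape that satisfies "secure all the way to the instance" without the ELB ever holding plaintext is the `TCP` → `TCP` pass-through; a pass-through finding still needs a follow-up check on the instance (a TLS-enabled listener or tunnel for the legacy protocol), because the listener configuration alone cannot prove the bytes inside the TCP stream are encrypted.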