All Products
Search
Document Center

Server Load Balancer:Use NLB to enable SSL offloading over TCP (one-way authentication)

Last Updated:Nov 18, 2024

If you use a Layer 4 load balancer and want to use SSL encryption to enhance security, you can configure an SSL certificate on each backend server. However, this method is inefficient. In this case, you can use the SSL offloading feature of Network Load Balancer (NLB). You can deploy an NLB instance as an ingress for traffic and configure an SSL certificate. This way, the NLB instance decrypts encrypted traffic into plaintext traffic and distributes plaintext traffic to backend servers. This improves the efficiency of backend services, simplifies the configuration of backend servers, and ensures security.

Prerequisites

  • An NLB instance is created. For more information, see Create and manage an NLB instance.

  • An NLB backend server group is created. For more information, see Create and manage a server group.

    Important
    • The backend protocol of the server group must be TCP.

    • You cannot associate listeners that use SSL over TCP with server groups for which client IP preservation is enabled. Make sure that the feature is disabled for the server group.

  • ECS01 and ECS02 are added to the backend server group, and services are deployed on ECS01 and ECS02.

Step 1: Prepare a server certificate

You can purchase a server certificate from Alibaba Cloud, or purchase a server certificate from another service provider and upload the certificate.

In this example, the server certificate is purchased from Alibaba Cloud.

Note

Make sure that the domain name that you want to associate with an SSL certificate is registered and has an Internet Content Provider (ICP) number. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.

Step 2: Configure a listener that uses SSL over TCP

  1. Log on to the NLB console.

  2. In the left-side navigation pane, choose NLB > Instances.

  3. In the top navigation bar, select the region where the NLB instance is deployed.

  4. On the Instances page, find the NLB instance, and click Create Listener in the Actions column.

  5. In the Configure Listener step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.

    Parameter

    Description

    Listener Protocol

    Select TCPSSL.

    Listener Port

    In this example, 443 is used.

  6. In the Configure SSL Certificate step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.

    Parameter

    Description

    Server Certificate

    Select the server certificate obtained in Step 1.

    TLS Security Policy

    Select a security policy based on your business requirements. If you select a later version, make sure that the security policy is compatible with your client.

  7. In the Select Server Group step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.

    Parameter

    Description

    Server Group

    Select the server group that you created.

  8. In the Configuration Review step, check whether the parameters are correctly set and click Submit.

Step 3: Create a DNS record

In actual business scenarios, we recommend that you use CNAME records to map custom domain names to the domain name of your NLB instance.

  1. In the left-side navigation pane, choose NLB > Instances.

  2. On the Instances page, copy the domain name of the NLB instance that you want to manage.

  3. Perform the following steps to create a CNAME record:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter your domain name and click OK.

      Important

      Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click DNS Settings in the Actions column.

    5. On the DNS Settings tab of the domain name details page, click Add DNS Record.

    6. In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.

      Parameter

      Description

      Record Type

      Select CNAME from the drop-down list.

      Hostname

      The prefix of the domain name. In this example, @ is entered.

      Note

      If the domain name is a root domain name, enter @.

      DNS Request Source

      Select Default.

      Record Value

      Enter the CNAME, which is the domain name of the NLB instance.

      TTL

      Specify a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. In this example, the default value is used.

Step 4: Test network connectivity

Enter the domain name associated with your NLB instance in the browser and refresh the page multiple times. The requests are forwarded to the backend service over HTTPS and are distributed between the ECS instances.

Important

In case of browser cache issues, we recommend that you use a browser in private browsing mode to access a domain name when you test the capabilities of a Layer 4 Server Load Balancer (SLB) instance.

ECS01ECS02

References