If you use a Layer 4 load balancer and want to use SSL encryption to enhance security, you can configure an SSL certificate on each backend server. However, this method is inefficient. In this case, you can use the SSL offloading feature of Network Load Balancer (NLB). You can deploy an NLB instance as an ingress for traffic and configure an SSL certificate. This way, the NLB instance decrypts encrypted traffic into plaintext traffic and distributes plaintext traffic to backend servers. This improves the efficiency of backend services, simplifies the configuration of backend servers, and ensures security.
Prerequisites
An NLB instance is created. For more information, see Create and manage an NLB instance.
An NLB backend server group is created. For more information, see Create and manage a server group.
ImportantThe backend protocol of the server group must be TCP.
You cannot associate listeners that use SSL over TCP with server groups for which client IP preservation is enabled. Make sure that the feature is disabled for the server group.
ECS01 and ECS02 are added to the backend server group, and services are deployed on ECS01 and ECS02.
Step 1: Prepare a server certificate
You can purchase a server certificate from Alibaba Cloud, or purchase a server certificate from another service provider and upload the certificate.
In this example, the server certificate is purchased from Alibaba Cloud.
For more information about how to purchase a server certificate, see Purchase an SSL certificate.
For more information about how to upload a certificate, see Upload an SSL certificate.
Make sure that the domain name that you want to associate with an SSL certificate is registered and has an Internet Content Provider (ICP) number. For more information, see Register a domain name on Alibaba Cloud and ICP filing application overview.
Step 2: Configure a listener that uses SSL over TCP
Log on to the NLB console.
In the left-side navigation pane, choose
.In the top navigation bar, select the region where the NLB instance is deployed.
On the Instances page, find the NLB instance, and click Create Listener in the Actions column.
In the Configure Listener step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter
Description
Listener Protocol
Select TCPSSL.
Listener Port
In this example, 443 is used.
In the Configure SSL Certificate step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter
Description
Server Certificate
Select the server certificate obtained in Step 1.
TLS Security Policy
Select a security policy based on your business requirements. If you select a later version, make sure that the security policy is compatible with your client.
In the Select Server Group step, configure the following parameters. You can use the default values or custom values for other parameters. Click Next.
Parameter
Description
Server Group
Select the server group that you created.
In the Configuration Review step, check whether the parameters are correctly set and click Submit.
Step 3: Create a DNS record
In actual business scenarios, we recommend that you use CNAME records to map custom domain names to the domain name of your NLB instance.
In the left-side navigation pane, choose .
On the Instances page, copy the domain name of the NLB instance that you want to manage.
Perform the following steps to create a CNAME record:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click Add Domain Name.
In the Add Domain Name dialog box, enter your domain name and click OK.
ImportantBefore you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings tab of the domain name details page, click Add DNS Record.
In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Record Type
Select CNAME from the drop-down list.
Hostname
The prefix of the domain name. In this example, @ is entered.
NoteIf the domain name is a root domain name, enter @.
DNS Request Source
Select Default.
Record Value
Enter the CNAME, which is the domain name of the NLB instance.
TTL
Specify a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. In this example, the default value is used.
Step 4: Test network connectivity
Enter the domain name associated with your NLB instance in the browser and refresh the page multiple times. The requests are forwarded to the backend service over HTTPS and are distributed between the ECS instances.
In case of browser cache issues, we recommend that you use a browser in private browsing mode to access a domain name when you test the capabilities of a Layer 4 Server Load Balancer (SLB) instance.
References
If you need to use a third-party server certificate, see Upload and share an SSL certificate.
For more information about how to add a listener that uses SSL over TCP, see Add a listener that uses SSL over TCP.
If you want to implement mutual authentication to meet higher security requirements, refer to Use NLB to enable SSL offloading over TCP (mutual authentication).