SSL/TLS Basics
- SSL/TLS encrypts traffic in transit between the client and the load balancer, and lets the client authenticate the load balancer through its certificate
- SSL = Secure Sockets Layer (legacy; SSLv3 is broken and should never be enabled)
- TLS = Transport Layer Security (modern standard, replaces SSL; TLS 1.2 and 1.3 are the versions in current use, TLS 1.0 and 1.1 are deprecated)
- Still commonly called “SSL certificates” even when TLS is used
- Certificates are issued by Certificate Authorities (CAs) such as Comodo (now Sectigo), Symantec (its roots have since been distrusted by browsers), GoDaddy, GlobalSign, DigiCert, Let’s Encrypt, etc.
- Certificates expire and must be renewed; ACM renews the certificates it issues itself, while certificates you import must be renewed and re-imported by you
Certificates on Load Balancers
- Uses X.509 server certificates: the certificate binds the load balancer’s public key to its hostname(s) so clients can authenticate it; the session keys that actually encrypt the traffic are negotiated during the handshake
- Managed via AWS Certificate Manager (ACM), or uploaded manually (to ACM or IAM)
- For HTTPS listeners:
- Must define a default certificate
- Can add multiple certificates (multi-domain support)
- Uses SNI (Server Name Indication) so the client can name the host it wants during the handshake and the LB can pick the matching certificate
- A security policy on the listener sets the TLS protocol versions and cipher suites the LB will negotiate; choose one that blocks SSLv3 and TLS 1.0/1.1 unless a legacy client genuinely needs them
Traffic Example (TLS termination at the LB):
Client → HTTPS to LB (encrypted) → HTTP to backend EC2 (plaintext, inside the VPC)
- The LB decrypts, so the hop to the backend is unencrypted and relies on the VPC being a trusted network; when end-to-end encryption is required, ALB can forward HTTPS to the target group and NLB can forward TLS to the targets (or pass TCP through untouched) with a certificate installed on the instance
Server Name Indication (SNI)
- Allows multiple SSL/TLS certificates on the same LB/listener
- Client sends the hostname it wants in the ClientHello (in the clear, so SNI also reveals the target hostname to anyone watching the wire)
- LB selects the certificate whose name matches that hostname, or uses the default certificate if there is no match or the client sends no SNI at all
- Supported by ALB, NLB, CloudFront
- Not supported by CLB
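The listener behaviour described above (a mandatory default certificate, extra certificates chosen by SNI, fallback to the default when the client sends no matching name or no SNI at all, and a policy that refuses old protocol versions), as an added example in Go that is not code from the original notes or from AWS. It stands up a TLS server on loopback and connects to it with different SNI names. The certificates are self-signed and generated on the fly, the hostnames example.com, api.example.com and *.shop.example.com are made up, and the matching rule (exact SAN or a one-label wildcard, first match wins, default otherwise) is an assumed simplification of the selection ALB/NLB actually perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSigned mints a throwaway self-signed ECDSA certificate for the given DNS
// names. Constructed for this example only; a real listener carries CA-issued
// certificates from ACM or uploaded by hand.
func selfSigned(dnsNames ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// listener models one HTTPS listener: a mandatory default certificate plus
// extra certificates that are only chosen when the client's SNI name matches.
type listener struct {
	defaultCert tls.Certificate
	extra       []tls.Certificate
}

// matches checks one SAN entry against a hostname: exact match, or a wildcard
// covering exactly one label (*.example.com matches api.example.com, but not
// example.com or a.b.example.com).
func matches(san, host string) bool {
	san, host = strings.ToLower(san), strings.ToLower(host)
	if san == host {
		return true
	}
	if strings.HasPrefix(san, "*.") && strings.HasSuffix(host, san[1:]) {
		prefix := strings.TrimSuffix(host, san[1:])
		return prefix != "" && !strings.Contains(prefix, ".")
	}
	return false
}

// pick returns the certificate to present for the SNI name the client sent.
// No SNI at all, or no SAN that matches, falls back to the default.
func (l *listener) pick(serverName string) *tls.Certificate {
	for i := range l.extra {
		for _, san := range l.extra[i].Leaf.DNSNames {
			if serverName != "" && matches(san, serverName) {
				return &l.extra[i]
			}
		}
	}
	return &l.defaultCert
}

// serve starts a TLS server on loopback that picks its certificate per
// handshake from the ClientHello and, like a security policy that blocks old
// protocol versions, refuses anything below TLS 1.2.
func serve(l *listener) (net.Listener, error) {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return l.pick(h.ServerName), nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// handshake connects as a client that sends serverName in SNI (an empty string
// sends no server_name extension at all) and returns the first SAN of the
// certificate the server presented. legacyOnly makes the client offer at most
// TLS 1.1, which the server's minimum version rejects.
func handshake(addr, serverName string, legacyOnly bool) (string, error) {
	cfg := &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // throwaway self-signed certs; never do this in production
	}
	if legacyOnly {
		cfg.MinVersion, cfg.MaxVersion = tls.VersionTLS10, tls.VersionTLS11
	}
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	conn := tls.Client(raw, cfg)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

// sampleListener builds the constructed default and extra certificates.
func sampleListener() *listener {
	return &listener{
		defaultCert: selfSigned("example.com"),
		extra:       []tls.Certificate{selfSigned("api.example.com"), selfSigned("*.shop.example.com")},
	}
}

func main() {
	ln, err := serve(sampleListener())
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"api.example.com", "eu.shop.example.com", "nope.example.net", ""} {
		got, err := handshake(ln.Addr().String(), sni, false)
		fmt.Printf("SNI %q -> certificate for %q err=%v\n", sni, got, err)
	}
	_, err = handshake(ln.Addr().String(), "api.example.com", true)
	fmt.Println("TLS 1.1-only client:", err)
}
```

Two things worth noticing when running it: the client that sends no SNI at all is served the default certificate rather than an error, so a listener whose default certificate is wrong silently hands out the wrong name to such clients, and the TLS 1.1-only client is refused at the handshake before any certificate is chosen, which is exactly the effect a strict listener security policy has on legacy clients.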
Service Behavior
Classic Load Balancer (CLB)
- Only one SSL certificate per HTTPS listener, and no SNI, so in practice one certificate per CLB
- Multiple hostnames with different certs require multiple CLBs (or a single multi-domain/wildcard certificate that covers them all)
Application Load Balancer (ALB)
- Multiple listeners, multiple certificates
- Uses SNI to match hostname to certificate
Network Load Balancer (NLB)
- Same as ALB for TLS listeners: multiple listeners, multiple certificates via SNI (a plain TCP listener passes TLS through untouched and terminates it on the backend instead)