Security Considerations with ELB

Security architecture must consider where traffic terminates.

TLS Termination

You can terminate TLS at:

  • The load balancer
  • The backend instances
  • Both (re-encryption)

Terminating at ELB:

  • Offloads CPU from instances
  • Centralizes certificate management (via ACM)
  • Simplifies rotation

However, for strict compliance environments, you may re-encrypt to backend targets.

Security Groups and Network Isolation

ALB and NLB (in most configurations) are placed inside a VPC and associated with security groups.

Best practice:

  • Restrict inbound traffic to required ports (80/443).
  • Backend security groups should allow traffic only from the load balancer’s security group.

This enforces network-level trust boundaries.
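The two rules above can be checked against live security-group definitions. The following audit script is an added example, not part of the course material; it consumes the `IpPermissions` shape returned by `aws ec2 describe-security-groups` and uses constructed placeholder group IDs (`sg-lb-example`, `sg-app-example`) rather than real resources.

```python
"""Audit security-group rules for the ELB trust boundary: the load balancer's SG
admits only 80/443 and the backend SG admits traffic only from the LB's SG.
Input mirrors the IpPermissions shape from `aws ec2 describe-security-groups`."""
ALLOWED_LB_PORTS = {80, 443}

def port_range(perm):
    """(from, to) of a rule; IpProtocol "-1" means all traffic, hence every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]

def cidr_sources(perm):
    """Every IPv4/IPv6 CIDR a rule accepts traffic from."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def audit_security_groups(groups, lb_sg_id, backend_sg_id):
    """Return findings as strings; an empty list means the boundary holds."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    # Rule 1: the load balancer exposes nothing beyond 80/443.
    for perm in by_id[lb_sg_id]["IpPermissions"]:
        lo, hi = port_range(perm)
        if any(p not in ALLOWED_LB_PORTS for p in range(lo, hi + 1)):
            findings.append(f"{lb_sg_id}: inbound {lo}-{hi} exposes ports beyond 80/443")
    # Rule 2: the backend accepts traffic only from the LB's security group.
    for perm in by_id[backend_sg_id]["IpPermissions"]:
        lo, hi = port_range(perm)
        for cidr in cidr_sources(perm):
            findings.append(f"{backend_sg_id}: {lo}-{hi} open to {cidr}, bypassing the LB")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != lb_sg_id:
                findings.append(f"{backend_sg_id}: {lo}-{hi} allows {pair['GroupId']}, not the LB SG")
    return findings

# Constructed sample with placeholder group IDs (not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-lb-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-lb-example"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, "sg-lb-example", "sg-app-example"):
        print(finding)
```

On the sample it reports the stray SSH rule on the load balancer and the backend rule that accepts traffic from a CIDR instead of the LB's security group.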

Web Application Firewall (WAF)

ALB integrates with AWS WAF.

Architecturally:

  • WAF sits logically in front of the ALB.
  • Blocks malicious request patterns before they reach the backend.

This reduces attack surface and backend load.

DDoS Protection

NLB and ALB benefit from AWS Shield Standard, which is enabled by default at no extra charge.

Architectural insight:

The load balancer acts as a buffering and absorption layer, protecting backend systems from direct exposure.
