Thread by Colm MacCárthaigh, 19 tweets, 4 min read
Mini-Thread: We've just launched TLS/SSL support for AWS Network Load Balancers. You can now use NLB to terminate TLS/SSL directly and still get the great performance, scalability, and insane magic of network transparency! See @jeffbarr's post at aws.amazon.com/blogs/aws/new-…
Quick reminder: NLB is our "Layer 4" load balancing offering. It's integrated directly into the Software Defined Networking fabric of Amazon VPC, which means it can scale to terabits of traffic, millions of new connections per second, hundreds of millions of active connections.
It also means that NLB is transparent. When you put targets behind an NLB, those targets still see the original source IP/port of the client. That means no need to use X-Forwarded-For, or Proxy Protocol, or to reconfigure your logging or on-host security rules.
This is the "insane magic". You can kind of see how it's possible at the network layer; just route the packets around, rewrite the destination, but leave the source alone. People have been doing this with ordinary routers for some time, yeah yeah.
But actually what we do is far better than that. We use AWS HyperPlane, an internal service, that tracks the state of billions of connections. It means we can keep connections going to the same target for months, years, no breakage. It's what we use for Elastic File System!
And now, because we're tracking state, we can actually insert a dedicated secure platform that terminates (and also reinitiates) TLS/SSL, and *still* keep the Network Load Balancer transparent and easy to use. This is doubly insane magic.
Now with this feature, you can make your front-end world-facing TLS/SSL security our mission, rather than yours. Here are just some of the things we do that can be hard to replicate:
1. NLB uses our @AWSOpen Open Source implementation of TLS/SSL - Amazon s2n. github.com/awslabs/s2n is small and fast and we pore over it for security issues and formally verify more and more of it every year.
2. If/when there are any issues, we take care of the updates and handling; you don't need to drop everything to suddenly upgrade.
3. We run our TLS/SSL termination on a bastion-like environment. We minimize the surface area, we minimize the number of people who have any kind of access, including access to commit code running on the platform.
4. Our team who run it are TLS/SSL experts. Folks who've contributed to the RFC. Folks who are clued in on the latest protocol attacks. They are also scale and operational experts. The team started as the front-end team for Amazon S3, and now manage nearly every AWS front end.
5. NLB's TLS support integrates with Amazon Certificate Manager; we can automatically rotate, replace, and revoke certificates. No more outages because of an expired certificate!
6. We have access logs, and can tell you about your TLS clients! We log things like the cipher suite and protocol version used, which makes it easy to audit if it's safe to disable an old algorithm.
7. NLB's TLS support can still use TLS to your targets, so you still get TLS traffic all the way to your target. This might seem strange, if you're going to run TLS on your own end anyway, what's the point?
... well, NLB runs on Amazon VPC. On VPC we encapsulate, authenticate and secure traffic at the packet level. Packets can't be spoofed or MITMd on VPC. Traffic only goes where you send it. That makes it possible to use a self-signed, or even expired, certificate on your end.
In TLS/SSL, certificates are just about authenticating the server or the client, but since Amazon VPC does that at the packet level, you can offload the problems that come with certificate management to us.
8. You can run plaintext too. I wouldn't recommend it, but you can also use NLB TLS as a total TLS/SSL off-loader; you can run plain TCP to your targets and NLB will translate between TLS to/from your clients and TCP to/from you. We *still* preserve the source IP, even then.
9. If you've been using our Classic Load Balancer as a L4 load balancer with support for TLS, you can now move to NLB!
That's it from me! You can start using it right now, I've had a test NLB going for a few weeks myself. Super super delighted to get this out there. AMA and let me know if you have any suggestions or questions! EOF.
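Point 6 of the thread says the access logs record the cipher suite and protocol version each client negotiated, so you can check whether an old protocol can be switched off. Below is an added example of that audit, not code from the thread or from AWS. It parses NLB-style TLS access log lines into fields, counts protocol versions and cipher suites over completed handshakes only (a failed handshake logs "-" for both and tells you nothing about what the client would have used), lists the source IPs still on the candidate protocol, and reports whether the share of traffic on it is under a threshold. The field layout is my understanding of the documented NLB access log format and should be checked against the current AWS documentation; the log lines themselves are constructed for the example.

```python
"""Audit NLB TLS access logs: which protocol versions and cipher suites do
clients really negotiate, and who would break if an old version were disabled?
Added example; the field layout below is an assumption to verify against the
AWS docs, and the sample log is constructed, not real traffic."""
from collections import Counter
import shlex

# Assumed NLB TLS access log field order (check against current AWS docs).
FIELDS = [
    "type", "version", "time", "elb", "listener", "client_port",
    "destination_port", "connection_time", "tls_handshake_time",
    "received_bytes", "sent_bytes", "incoming_tls_alert", "chosen_cert_arn",
    "chosen_cert_serial", "tls_cipher", "tls_protocol_version",
    "tls_named_group", "domain_name", "alpn_fe_protocol", "alpn_be_protocol",
    "alpn_client_preference_list", "tls_connection_creation_time",
]

# Constructed sample lines: four modern clients, one client still on TLS 1.0,
# one failed handshake (alert 40, no cipher/version), and one garbage line.
SAMPLE_LOG = """\
tls 2.0 2019-01-15T10:00:01 net/my-nlb/0123456789abcdef abc1 203.0.113.7:45612 10.0.1.12:443 5 2 98 1233 - arn:aws:acm:us-east-1:000000000000:certificate/example - ECDHE-RSA-AES128-GCM-SHA256 tlsv12 ecdh_x25519 example.com - - - 2019-01-15T10:00:00
tls 2.0 2019-01-15T10:00:02 net/my-nlb/0123456789abcdef abc1 203.0.113.7:45613 10.0.1.12:443 4 2 77 901 - arn:aws:acm:us-east-1:000000000000:certificate/example - ECDHE-RSA-AES256-GCM-SHA384 tlsv12 ecdh_x25519 example.com - - - 2019-01-15T10:00:01
tls 2.0 2019-01-15T10:00:03 net/my-nlb/0123456789abcdef abc1 198.51.100.9:33001 10.0.1.13:443 9 6 120 2048 - arn:aws:acm:us-east-1:000000000000:certificate/example - ECDHE-RSA-AES128-SHA tlsv1 secp256r1 example.com - - - 2019-01-15T10:00:02
tls 2.0 2019-01-15T10:00:04 net/my-nlb/0123456789abcdef abc1 192.0.2.44:51000 10.0.1.12:443 3 1 64 512 - arn:aws:acm:us-east-1:000000000000:certificate/example - TLS_AES_128_GCM_SHA256 tlsv13 ecdh_x25519 example.com - - - 2019-01-15T10:00:03
tls 2.0 2019-01-15T10:00:05 net/my-nlb/0123456789abcdef abc1 192.0.2.45:51002 10.0.1.13:443 5 2 88 700 - arn:aws:acm:us-east-1:000000000000:certificate/example - ECDHE-RSA-AES128-GCM-SHA256 tlsv12 ecdh_x25519 example.com - - - 2019-01-15T10:00:04
tls 2.0 2019-01-15T10:00:06 net/my-nlb/0123456789abcdef abc1 198.51.100.20:50110 10.0.1.12:443 1 1 0 0 40 - - - - - - - - - 2019-01-15T10:00:06
not a log line
"""


def parse_line(line):
    """Map one log line onto FIELDS; None if the field count does not match."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))


def parse_log(text):
    """Parse a log body, silently skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def completed_handshakes(entries):
    """Only sessions that actually negotiated TLS; a failed handshake logs
    '-' for the version, so it carries no evidence about client support."""
    return [e for e in entries if e["tls_protocol_version"] != "-"]


def protocol_counts(entries):
    return Counter(e["tls_protocol_version"] for e in completed_handshakes(entries))


def cipher_counts(entries):
    return Counter(e["tls_cipher"] for e in completed_handshakes(entries))


def clients_using(entries, protocol):
    """Sorted source IPs (port stripped) that negotiated `protocol`: the
    clients to contact before that version is turned off."""
    ips = set()
    for e in completed_handshakes(entries):
        if e["tls_protocol_version"] == protocol:
            ips.add(e["client_port"].rsplit(":", 1)[0])
    return sorted(ips)


def safe_to_disable(entries, protocol, max_share=0.0):
    """True when the share of completed handshakes on `protocol` is at or
    below max_share. With no completed handshakes there is no evidence, so
    the answer is False rather than a false sense of safety."""
    counts = protocol_counts(entries)
    total = sum(counts.values())
    if total == 0:
        return False
    return counts[protocol] / total <= max_share


def audit_report(text, candidate, max_share=0.0):
    """One-shot summary for a log body and a protocol you want to retire."""
    entries = parse_log(text)
    return {
        "parsed": len(entries),
        "protocols": dict(protocol_counts(entries)),
        "ciphers": dict(cipher_counts(entries)),
        "clients_on_candidate": clients_using(entries, candidate),
        "safe_to_disable": safe_to_disable(entries, candidate, max_share),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(SAMPLE_LOG, "tlsv1"), indent=2))
```

On the constructed sample, tlsv1 is one of five completed handshakes (20%), all from 198.51.100.9, so with the default threshold of zero the audit says it is not yet safe to disable and names the client to chase; raising max_share to 0.25 flips the answer. Run it over a real log set by feeding the downloaded log text to audit_report, after confirming the field order against the AWS documentation.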