How SSL/TLS, SNI, and Load Balancer Encryption Work in AWS

Table of contents
- 🌐 What Are SSL and TLS?
- 🔐 What Does an SSL/TLS Certificate Do?
- ⚙️ Where Do SSL Certificates Come From?
- 🌐 How SSL Works with Load Balancers in AWS
- 📄 What Is an X.509 Certificate?
- 📘 What Is SNI (Server Name Indication)?
- 🔀 Example: How SNI Works
- 🍪 SSL Termination and In-VPC Traffic
- ✅ SSL Support Across AWS Load Balancers
- 🧠 Security Policies and Legacy Support
- 🧩 Final Thoughts: Arjun’s Secure Setup
- 🔑 Final Recap for SAA Students
After setting up traffic routing with Application Load Balancers and Network Load Balancers, Arjun thought he had AWS figured out—until one of his app users sent a warning:
“Hey, your site says ‘Not Secure’ in the browser. Is this safe?”
It hit him: he forgot to enable HTTPS.
That's when Arjun stepped into the world of SSL and TLS certificates—essential for keeping web traffic secure and trustworthy.
🌐 What Are SSL and TLS?
SSL stands for Secure Sockets Layer.
TLS stands for Transport Layer Security. It is the successor to SSL: the SSL protocol versions themselves (SSL 2.0 and 3.0) are deprecated, and what actually runs on the wire today is TLS 1.2 or TLS 1.3.
Even though TLS is the current standard, most people (including AWS and Arjun!) still casually say “SSL” when they mean TLS. The AWS console, the CLI and this page use the two words interchangeably.
🔐 What Does an SSL/TLS Certificate Do?
Arjun learned that an SSL/TLS certificate, used during the TLS handshake:
Proves to the browser that it is really talking to the server for that domain name (the issuing CA vouches for the domain)
Lets the client and the load balancer agree on keys for an encrypted connection, so in-transit data (like logins and payments) can't be read or tampered with on the way
Earns the 🔒 "lock icon" in browsers
Without it, users might see warnings like:
“This site is not secure. Don’t enter passwords or credit card info.”
This kind of protection is called in-flight (or in-transit) encryption.
⚙️ Where Do SSL Certificates Come From?
SSL/TLS certificates are issued by Certificate Authorities (CAs) like:
DigiCert
Let’s Encrypt
GoDaddy
GlobalSign
AWS Certificate Manager (ACM)
In AWS, Arjun used ACM (AWS Certificate Manager) to:
Get a free public certificate (after proving he controls the domain through DNS or email validation)
Attach it to his Application Load Balancer (ALB)
Automatically manage renewals (ACM renews the certificate and the ALB picks up the new one; the private key never leaves ACM)
🌐 How SSL Works with Load Balancers in AWS
When Arjun configured HTTPS on his ALB:
Clients connect via HTTPS over the internet
The ALB handles SSL termination (i.e., it decrypts the data)
The backend EC2 instances communicate with the ALB over plain HTTP
- This is a common trade-off because the traffic stays inside the private VPC; if the workload requires end-to-end encryption (a compliance requirement, for example), the target group can use HTTPS instead and the ALB re-encrypts the traffic to the targets
This method keeps the internet-facing part secure, while offloading encryption work from backend servers. Because the backend only ever sees plain HTTP, the ALB adds an X-Forwarded-Proto header so the application can still tell that the user connected over HTTPS.
📄 What Is an X.509 Certificate?
Behind the scenes, the ALB loads something called an X.509 certificate, the standard format for SSL/TLS certificates: it binds the server's public key to its domain name(s) and carries the issuing CA's signature.
You can have AWS Certificate Manager (ACM) issue and store these certificates, or import a certificate (with its private key) that was issued elsewhere.
📘 What Is SNI (Server Name Indication)?
Here’s where things got tricky for Arjun.
He had two websites running behind the same ALB. Each needed its own SSL certificate. But how would the load balancer know which one to serve?
That’s where SNI (Server Name Indication) comes in.
🧠 Definition:
SNI is an extension to TLS that allows the client to tell the server which hostname it’s trying to reach, in its very first handshake message (the ClientHello), before any certificate has been sent.
This lets the load balancer:
Load the correct SSL certificate before the handshake completes
Decrypt the request and then route it to the correct target group (an ALB routes on the HTTP Host header in its listener rules; SNI itself only picks the certificate)
🔀 Example: How SNI Works
Arjun’s Application Load Balancer was set up like this:
Client → ALB → Target Group (App)
His two sites were www.mynewsite.com and domain1.genstartup.com, each with its own certificate attached to the same HTTPS listener. Let’s say a client connects to domain1.genstartup.com:
The client sends the hostname (domain1.genstartup.com) in the SNI extension of its TLS handshake
The ALB reads that hostname using SNI
The ALB loads the matching certificate (if a client sends no SNI at all, or a name that matches none of the certificates, the ALB falls back to the listener’s default certificate)
Traffic is securely decrypted and routed to the correct backend
This allowed Arjun to host multiple secure domains behind one ALB.
🍪 SSL Termination and In-VPC Traffic
One important concept Arjun learned was SSL termination:
The load balancer decrypts traffic
Inside the VPC, communication can happen over plain HTTP
✅ This reduces CPU load on backend servers and keeps the private key on the load balancer (in ACM) instead of on every instance
✅ Plain HTTP between the ALB and its targets is a common, accepted trade-off because that traffic never leaves the private VPC. It is not encryption, though: lock the backend security group down so only the load balancer can reach the instances, and use an HTTPS target group (the ALB re-encrypts to the targets) where end-to-end encryption is required
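What the application actually sees after termination, as an added example (not AWS code and not from the original page): the ALB talks plain HTTP to the target, so the WSGI `wsgi.url_scheme` is always "http", and the only evidence that the user connected over HTTPS is the X-Forwarded-Proto header the ALB adds. The request dictionaries, hostname and cookie value below are constructed for the example.

```python
"""Added example (not AWS code): a minimal WSGI app behind a TLS-terminating
load balancer. It decides HTTP-vs-HTTPS from the X-Forwarded-Proto header the
ALB adds, not from the scheme of the ALB-to-target leg, which is always http.
The request environs are constructed to look like requests the ALB forwards."""


def app(environ, start_response):
    """Redirect plain-HTTP users to HTTPS; serve HTTPS users and set a Secure cookie."""
    # Trusting X-Forwarded-Proto is only sound because the instance's security
    # group admits traffic solely from the load balancer; a directly reachable
    # backend could be handed a forged header by any client.
    proto = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
    host = environ.get("HTTP_HOST", "localhost")
    path = environ.get("PATH_INFO", "/")
    if proto != "https":
        # Deciding on wsgi.url_scheme here would redirect forever: after
        # termination it reads "http" even for users who came in over HTTPS.
        start_response("301 Moved Permanently", [("Location", f"https://{host}{path}")])
        return [b""]
    headers = [("Content-Type", "text/plain"),
               # Safe to mark the cookie Secure: the browser-facing leg is HTTPS
               ("Set-Cookie", "session=EXAMPLE; Secure; HttpOnly; SameSite=Lax")]
    start_response("200 OK", headers)
    return [b"served behind the load balancer\n"]


def handle(environ):
    """Run the app on one request and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def forwarded_request(proto, path="/login"):
    """Constructed request environ, shaped like what the ALB forwards to a target."""
    return {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": "www.mynewsite.com",
            "wsgi.url_scheme": "http",               # the ALB-to-target leg is plain HTTP
            "HTTP_X_FORWARDED_PROTO": proto,         # "https" or "http": the listener the client hit
            "HTTP_X_FORWARDED_FOR": "203.0.113.10"}  # client IP (documentation address range)


if __name__ == "__main__":
    print(handle(forwarded_request("https")))
    print(handle(forwarded_request("http")))
```

An ALB can also do the HTTP-to-HTTPS redirect itself with a redirect action on the port-80 listener, which is usually the cleaner choice; the header check still matters for anything the app generates from the request scheme, such as Secure cookies and absolute URLs.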
✅ SSL Support Across AWS Load Balancers
Arjun made a quick cheat sheet:
| Load Balancer | HTTPS/TLS listener | Multiple Certificates | Uses SNI? |
|---|---|---|---|
| ALB (Application Load Balancer) | ✅ Yes | ✅ Yes | ✅ Yes |
| NLB (Network Load Balancer) | ✅ Yes (TLS listener) | ✅ Yes | ✅ Yes |
| CLB (Classic Load Balancer) | ✅ Yes | ❌ Only one per listener | ❌ No |
📘 SAA Exam Tip:
If the question says “host multiple SSL certificates on one load balancer,”
✅ Think ALB or NLB — not CLB.
🧠 Security Policies and Legacy Support
When Arjun set up his HTTPS listener, he also had the option to:
Choose a predefined security policy (for example ELBSecurityPolicy-TLS13-1-2-2021-06, which allows only TLS 1.2 and 1.3, versus an older policy that still accepts TLS 1.0)
Thereby allow or deny legacy clients: a client that offers only protocol versions or cipher suites outside the policy fails the handshake
This let him control which clients could connect securely. You cannot write a custom policy for an ALB; you pick one from the list AWS publishes, so check that the chosen policy drops TLS 1.0 and 1.1 unless a known legacy client still needs them.
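The two listener decisions described above, certificate selection from SNI (the SNI example section) and the security-policy check (this section), modelled in one added example. This is constructed stdlib-only Python written for this page; it is not AWS code and not a TLS implementation. It builds a minimal ClientHello, parses the SNI and supported_versions extensions back out of it, picks a certificate the way an ALB would (exact match, else the listener's default certificate), and applies a policy that rejects a TLS 1.0 client offering only a 3DES suite. The certificate ARNs, policy names and policy contents are hypothetical placeholders; the extension types, version numbers and cipher-suite code points are the real IANA values.

```python
"""Toy model of an HTTPS listener handling a TLS ClientHello: pick a certificate
from the SNI hostname (default certificate if none matches) and apply a security
policy (minimum TLS version + allowed cipher suites) that rejects legacy clients.
Constructed stdlib-only code for this page; not AWS code, not a TLS implementation.
ARNs, policy names and policy contents are hypothetical placeholders."""
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B   # IANA extension types
TLS10, TLS12, TLS13 = 0x0301, 0x0303, 0x0304                # protocol versions
TLS_AES_128_GCM_SHA256 = 0x1301                             # TLS 1.3 suite
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F              # modern TLS 1.2 suite
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F                       # legacy, no forward secrecy
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A                      # legacy, 3DES

# Hypothetical listener: hostname -> certificate (placeholder ARNs), plus a default certificate
CERTIFICATES = {
    "www.mynewsite.com": "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE-mynewsite",
    "domain1.genstartup.com": "arn:aws:acm:REGION:ACCOUNT:certificate/EXAMPLE-genstartup",
}
DEFAULT_CERT = CERTIFICATES["www.mynewsite.com"]

# Hypothetical policies (real ALB policies are predefined by AWS; these lists are invented)
MODERN = {TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
POLICIES = {
    "modern-tls12-plus": {"min_version": TLS12, "ciphers": MODERN},
    "legacy-tls10-plus": {"min_version": TLS10,
                          "ciphers": MODERN | {TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA}},
}


def build_client_hello(hostname, legacy_version, supported_versions, ciphers):
    """Serialise a minimal ClientHello in a TLS record (RFC 8446 section 4.1.2 layout).
    hostname=None omits SNI; supported_versions=() omits that extension, like an old client."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random (zeros), empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # suites, then null compression only
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")                             # SNI carries the A-label form
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0) + HostName
        name_list = struct.pack("!H", len(entry)) + entry           # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1) + 3-byte length
    return b"\x16" + struct.pack("!HH", TLS12, len(handshake)) + handshake  # record type handshake(22)


def parse_client_hello(record):
    """Return (sni_or_None, offered_versions, cipher_suites) from a raw TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32 + 1 + body[34]                                     # skip version, random, session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len + 1 + body[pos + cs_len]                          # skip suites and compression methods
    sni, versions = None, [legacy_version]                          # pre-1.3 clients signal only legacy_version
    if pos < len(body):                                             # extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                p = 2                                               # skip ServerNameList length
                while p < len(data):
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if data[p] == 0:                                # name_type host_name
                        sni = data[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            elif etype == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return sni, versions, ciphers


def select_certificate(sni):
    """ALB-style choice: exact hostname match, else the default certificate (also used
    when the client sends no SNI). Wildcard-certificate matching is omitted here."""
    return DEFAULT_CERT if sni is None else CERTIFICATES.get(sni.lower(), DEFAULT_CERT)


def negotiate(record, policy_name):
    """Return (certificate, tls_version, cipher_suite), or None when the policy rejects the client.
    Simplified: highest acceptable version, then the client's first acceptable suite (a real server
    applies its own preference order and pairs 0x13xx suites with TLS 1.3 only)."""
    sni, versions, ciphers = parse_client_hello(record)
    policy = POLICIES[policy_name]
    ok_versions = [v for v in versions if v >= policy["min_version"]]
    ok_ciphers = [c for c in ciphers if c in policy["ciphers"]]
    if not ok_versions or not ok_ciphers:
        return None                                                 # handshake failure: legacy client denied
    return select_certificate(sni), max(ok_versions), ok_ciphers[0]


if __name__ == "__main__":
    modern = build_client_hello("domain1.genstartup.com", TLS12, (TLS13, TLS12),
                                (TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256))
    legacy = build_client_hello(None, TLS10, (), (TLS_RSA_WITH_3DES_EDE_CBC_SHA,))
    print("modern client, strict policy:", negotiate(modern, "modern-tls12-plus"))
    print("legacy client, strict policy:", negotiate(legacy, "modern-tls12-plus"))
    print("legacy client, legacy policy:", negotiate(legacy, "legacy-tls10-plus"))
```

The legacy client in the demo is the case the exam tip is about: it sends no SNI (so it can only ever get the default certificate) and offers only TLS 1.0 with a 3DES suite, so the strict policy returns None (a failed handshake) while the permissive policy lets it in. Against a real listener the same check is done with `openssl s_client -servername <hostname> -connect <alb-dns>:443`, which shows both the certificate returned for that SNI name and the negotiated protocol and cipher.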
🧩 Final Thoughts: Arjun’s Secure Setup
Arjun ended up with this secure architecture:
User
↓ HTTPS
Application Load Balancer (ALB) — with SSL Termination & SNI
↓ HTTP (Inside VPC)
Target Group (EC2, ECS, or Lambda)
He could:
Serve multiple domains
Use different certificates
Keep all user data encrypted and secure
🔑 Final Recap for SAA Students
| Concept | Explanation |
|---|---|
| SSL/TLS | Protocols for encrypting traffic in transit |
| In-flight encryption | Protects data while moving between client and server |
| SSL Termination | Load balancer decrypts the traffic |
| ACM | AWS Certificate Manager to issue/manage SSL certificates |
| SNI | Lets the load balancer choose the right certificate based on hostname |
| X.509 Certificate | Standard certificate format for TLS |
| CLB Limitation | Only supports one SSL certificate per listener, no SNI |