Examining Elastic Load Balancing Policies

By Flux7 Labs
July 7, 2014

Elastic Load Balancing (ELB) is now a default program for many customers using Amazon Web Services to create highly available and scalable architectures. It supports HTTP, HTTPS and TCP portals.

You can deploy your SSL certificate at ELB. It supports only one certificate at a time. If you have multiple sub domains, then you need to purchase the Wildcard certificate and upload it to ELB.

It is simple and straightforward to deploy SSL on ELB. But most of the people ignore to select SSL protocols and SSL ciphers. Even a few of them don’t know what it is and whether it exists in ELB.

There are many different algorithms which can be used to encrypt the data. The highest level of security will need more computing power. SSL cipher suites allows to select different levels of securities.

When a connection is established, the server and client will exchange cipher suits that are in common. They then communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, then secure communication is not possible and the connection will be closed.

At ELB, you can choose pre-defined security policies, or you can create your own security policies by specifying the the SSL protocols and ciphers.

To learn more about how to configure the security policies, please visit here.

We also need to consider the browser compatibility. A few of the protocols are not supported by all the browsers. If you select highest security protocols, you need to consider your target users using compatible browsers. Otherwise, users get a security warning and they may not able to access your application.

The ELB 2014 security policy includes the following protocols:

TLS v1.0, TLS v1.1, TLS v1.2, SSL v3

The ELB 2011 security policy includes these protocols:

TLSv1, SSLv3.

We have tested both policies using different browsers and discovered which browser is most compatible with which policy. Below, the table shows which browser supports which policy.

Hopefully, this table helps you decide what policy to choose for the requirements of your application. Amazon’s latest policy is the right choice for most users. It supports the most secure protocols, including TLS 1.3 and ciphers such as AES256. Some of the less secure protocols are not included, and it may cause some backwards compatibility issues as noted above.

Let’s keep the conversation going. Tell us about your experience with using ELB policies and browser security. Contact us at info@flux7.com, or learn more about AWS and the cloud at flux7.com.