Migrating Load Balancer and Ensuring Secure Connections with TLS

Question

A company has its major business on selling second-hand products.

Its online trading system is deployed on AWS EC2 instances.

In Route53, a domain name has been configured to route the traffic to a Classic Load Balancer.

The Classic Load Balancer is quite old, and AWS offers newer load balancer types to which a Classic Load Balancer can easily be migrated.

The operation team decides to migrate the Load Balancer.

They want all connections between clients and EC2 instances to be kept secure using certificates that they created, with data in transit encrypted under the TLS protocol between the clients and the EC2 instances.

Which choices should be used together to meet the needs?

Answers

Explanations

A. B. C. D. E.

Correct Answer - B, E.

To make the full path secure with a Network Load Balancer, two parts have to be configured:

1. TLS termination on the load balancer: a listener with protocol TLS and port 443 is required.

2. Targets configured with protocol TLS and port 443, so the load balancer opens a second TLS session to each EC2 instance.

The details can be found at https://network.exampleloadbalancer.com/nlbtls_demo.html.

Option A is incorrect because the ALB terminates the client's TLS session at the load balancer, whereas the requirement is to keep the traffic encrypted all the way to the EC2 instances.

Option B is CORRECT because a TLS listener on port 443 is the way to implement TLS termination on the load balancer.

Option C is incorrect for the same reason as Option A: the ALB terminates the client's TLS session rather than carrying encrypted traffic through to the EC2 instances.

Option D is incorrect because, although the listener is TLS-based like Option B, the target protocol cannot be HTTPS; an NLB target group behind a TLS listener uses protocol TCP or TLS.

Option E is CORRECT because it sets up a TLS connection between the load balancer and the targets.

Together with Option B, the connections between clients and EC2 instances are kept secure on both legs.

One caveat a practitioner should know: the NLB does not validate the target's certificate on the second leg, so that leg is encrypted but the load balancer does not authenticate the instance. If clients must verify the team's own certificate end to end, the alternative is a plain TCP listener on port 443 that passes the client's TLS session through to the instance untouched; the question as posed asks for TLS termination at the load balancer, so B and E remain the answer.

Option A, as described (in the “Create Load Balancer” console, create an Application Load Balancer and add a listener with protocol TLS and port 443 so that TLS terminates at the load balancer), cannot even be configured: an ALB listener uses HTTP or HTTPS, and TLS listeners exist only on a Network Load Balancer.

Explanation:

The Classic Load Balancer is the older load balancer type in AWS; the newer types provide better features and performance, and the operation team wants to migrate to one of them. The two newer types that fit an online trading system are the Application Load Balancer (ALB) and the Network Load Balancer (NLB).

ALB is a Layer 7 (application layer) load balancer: it routes on application-level information such as HTTP headers, paths and cookies. An HTTPS listener terminates the client's TLS session at the load balancer, and the ALB then talks to the backend instances over HTTP (plaintext) or HTTPS (a new TLS session opened by the load balancer). Offloading TLS to the load balancer spares the instances the handshake and encryption work. The ALB does not validate the target's certificate on the HTTPS leg.

NLB is a Layer 4 (transport layer) load balancer: it forwards TCP, UDP and TLS connections without inspecting application data. With a TLS listener the NLB terminates the client's TLS session using a certificate held in ACM or IAM (a certificate the team created can be imported into ACM) and forwards to the targets either over TCP (plaintext inside the VPC) or over TLS (re-encrypted; the NLB does not validate the target's certificate either). With a plain TCP listener on port 443 the NLB passes the client's TLS bytes through unchanged, so the instance's own certificate is the one the client sees.

To meet the requirement of an encrypted path in adherence to the TLS protocol, use an NLB with a listener of protocol TLS on port 443 (Option B) together with a target group of protocol TLS on port 443 (Option E). Clients negotiate TLS with the load balancer, and the load balancer negotiates a second TLS session with each EC2 instance, so no leg carries plaintext.

Option A is not correct because an ALB has no TLS listener and, as a Layer 7 device, terminates the client's session at the load balancer.

Option C is not correct because the ALB terminates the client's TLS session rather than carrying encrypted traffic through to the EC2 instances.

Option D is not correct because an NLB target group cannot use HTTPS; behind a TLS listener the target protocol must be TCP or TLS.

Option E on its own only secures the second leg, and Option B on its own only the first, so the two must be used together.
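As an added illustration (not part of this page, and not AWS code), the following Python model encodes the ELBv2 protocol rules discussed above and classifies a listener/target-group pair the way the option analysis does: which pairs AWS accepts at all, which legs carry TLS, and whether the load balancer terminates the session. It goes slightly beyond the options by also covering an NLB TCP passthrough on port 443. The configuration names are mine, and the HTTPS target protocol assumed for Option A is an assumption (the TLS listener alone makes that option invalid).

```python
"""Classify an AWS ELBv2 listener / target-group pair by its TLS properties.

Added example for this page; the protocol tables below follow the AWS
documentation for Application and Network Load Balancers.
"""

from dataclasses import dataclass

# Listener protocols each load balancer type accepts.
LISTENER_PROTOCOLS = {
    "application": {"HTTP", "HTTPS"},
    "network": {"TCP", "TLS", "UDP", "TCP_UDP"},
}

# Target-group protocols a listener of the given protocol may forward to.
# A TLS listener may forward to TCP targets: decrypt at the load balancer
# and send plaintext to the instance.
TARGET_PROTOCOLS_FOR_LISTENER = {
    "HTTP": {"HTTP", "HTTPS"},
    "HTTPS": {"HTTP", "HTTPS"},
    "TCP": {"TCP", "TCP_UDP"},
    "TLS": {"TCP", "TLS"},
    "UDP": {"UDP", "TCP_UDP"},
    "TCP_UDP": {"TCP_UDP"},
}

# Protocols on which the load balancer itself runs a TLS session on that leg.
LB_TLS_PROTOCOLS = {"HTTPS", "TLS"}


@dataclass(frozen=True)
class LbConfig:
    lb_type: str            # "application" or "network"
    listener_protocol: str
    listener_port: int
    target_protocol: str
    target_port: int


@dataclass(frozen=True)
class Verdict:
    valid: bool              # AWS accepts this listener / target-group pair
    client_leg_tls: bool     # client <-> load balancer carries TLS
    target_leg_tls: bool     # load balancer <-> instance carries TLS
    terminated_at_lb: bool   # the load balancer decrypts (and may re-encrypt)
    reason: str


def evaluate(cfg: LbConfig) -> Verdict:
    """Classify one configuration; invalid pairs are reported, not guessed."""
    allowed = LISTENER_PROTOCOLS.get(cfg.lb_type)
    if allowed is None:
        return Verdict(False, False, False, False,
                       f"unknown load balancer type {cfg.lb_type!r}")
    if cfg.listener_protocol not in allowed:
        return Verdict(False, False, False, False,
                       f"{cfg.lb_type} load balancer has no "
                       f"{cfg.listener_protocol} listener")
    if cfg.target_protocol not in TARGET_PROTOCOLS_FOR_LISTENER[cfg.listener_protocol]:
        return Verdict(False, False, False, False,
                       f"{cfg.listener_protocol} listener cannot forward to a "
                       f"{cfg.target_protocol} target group")

    target_tls = cfg.target_protocol in LB_TLS_PROTOCOLS
    if cfg.listener_protocol in LB_TLS_PROTOCOLS:
        # Termination: the load balancer holds the client-facing certificate and,
        # for an HTTPS/TLS target group, opens its own session to the instance.
        # Neither ALB nor NLB validates the target certificate, so that second
        # leg is confidential but the instance is not authenticated.
        detail = ("re-encrypted (target certificate not validated)"
                  if target_tls else "plaintext")
        return Verdict(True, True, target_tls, True,
                       f"terminated at load balancer; target leg {detail}")

    if (cfg.lb_type == "network" and cfg.listener_protocol == "TCP"
            and cfg.target_protocol == "TCP"
            and cfg.listener_port == 443 and cfg.target_port == 443):
        # TCP passthrough: the load balancer never holds a key, so the client's
        # handshake lands on the instance and the instance's own certificate is
        # what the client verifies. Assumption: the instance serves TLS on 443.
        return Verdict(True, True, True, False,
                       "TCP passthrough on 443; TLS is end to end "
                       "(assumes the instance serves TLS)")

    return Verdict(True, False, target_tls, False,
                   "client leg is plaintext (plain TCP/UDP/HTTP listener)")


def satisfies_requirement(cfg: LbConfig) -> bool:
    """True when AWS accepts the pair and both legs carry TLS."""
    v = evaluate(cfg)
    return v.valid and v.client_leg_tls and v.target_leg_tls


# Constructed configurations mirroring the options discussed on this page.
NLB_TLS_TO_TLS = LbConfig("network", "TLS", 443, "TLS", 443)          # options B + E
ALB_TLS_LISTENER = LbConfig("application", "TLS", 443, "HTTPS", 443)  # option A (target assumed)
NLB_TLS_TO_HTTPS = LbConfig("network", "TLS", 443, "HTTPS", 443)      # option D target protocol
NLB_TLS_TO_TCP = LbConfig("network", "TLS", 443, "TCP", 443)          # decrypt, forward plaintext
NLB_TCP_PASSTHROUGH = LbConfig("network", "TCP", 443, "TCP", 443)

if __name__ == "__main__":
    for name, cfg in [("B+E", NLB_TLS_TO_TLS), ("A", ALB_TLS_LISTENER),
                      ("D", NLB_TLS_TO_HTTPS), ("TLS->TCP", NLB_TLS_TO_TCP),
                      ("passthrough", NLB_TCP_PASSTHROUGH)]:
        v = evaluate(cfg)
        print(f"{name:11} meets requirement={satisfies_requirement(cfg)!s:5} {v.reason}")
```

Running the script prints one line per configuration; only the B+E pair and the TCP passthrough meet the requirement, and the Option A and Option D pairs are rejected before any TLS judgement is made, which is the point of the answer above.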