A Load Balancer (LB) provides automated traffic distribution from one entry point to multiple servers in a VCN. This post covers everything you should know about SSL/TLS on a Load Balancer in OCI.
There are two types of Load Balancer:
- Public LB: Accessible over the Internet.
- Private LB: Accessible only on OCI Infrastructure.
To know more about Load Balancer in OCI and How to create a Load Balancer click here.
SSL On LB
Secure Sockets Layer (SSL) creates an encrypted link between a client and a server. We can configure SSL on the LB so that information passes between client and server securely (for example credit card and debit card details). SSL on the LB can be configured in different ways:
- SSL termination/offloading: SSL traffic is terminated at the load balancer and passed on to the backend server in unencrypted form.
- End to end SSL: The load balancer terminates the SSL connection with the incoming client, and then initiates a separate SSL connection to the backend server.
- SSL tunneling: The load balancer passes the encrypted connection through to the backend server unchanged, giving a private client-to-server connection (tunneling) via the load balancer.
Steps To Configure SSL On LB In OCI
Note: You must create at least two backend servers and configure a Load Balancer on those servers. Two backend servers are needed so the load balancer can shift traffic to the other server if one becomes unhealthy.
Note: We also need to create an SSL certificate using OpenSSL and add this certificate to the Load Balancer. To know the steps to create an SSL certificate, click here.
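Before pasting anything into the Add Certificate dialog it is worth proving that the certificate and the private key actually belong together and that the passphrase you are about to type really unlocks the key; the console rejects a mismatched pair and a wrong passphrase only tells you "invalid" after the fact. The script below is an added example (not K21 Academy's or Oracle's own tooling) that generates a passphrase-protected key and a self-signed PoC certificate with OpenSSL and then runs those two checks. The file names, the CN and the passphrase "welcome" are assumptions that match the values used later in this post.

```shell
#!/bin/sh
# Added example: create a passphrase-protected key plus a self-signed
# certificate for an OCI LB listener, then verify the pair and the passphrase.
# WORKDIR, the file names and the passphrase are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASSPHRASE="${LB_KEY_PASSPHRASE:-welcome}"   # what goes into "Private Key Passphrase"

# make_lb_cert <common-name>
# Writes $WORKDIR/lb.key (AES-256 encrypted RSA key) and $WORKDIR/lb.crt
# (self-signed, 365 days). Use a CA-issued certificate outside a PoC.
make_lb_cert() {
    cn="$1"
    openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
        -out "$WORKDIR/lb.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/lb.key" \
        -passin "pass:$PASSPHRASE" -subj "/CN=$cn" \
        -out "$WORKDIR/lb.crt" 2>/dev/null
}

# check_pair <cert> <key>
# Exit 0 only when the public key inside the certificate is the public half
# of the private key; this is the check the console performs on upload.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$PASSPHRASE" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_passphrase <key> <passphrase>
# Exit 0 when the passphrase decrypts the key, non-zero otherwise.
check_passphrase() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

Usage: source the script, run `make_lb_cert lb.example.internal`, then `check_pair "$WORKDIR/lb.crt" "$WORKDIR/lb.key" && check_passphrase "$WORKDIR/lb.key" welcome` before copying the two PEM files into the dialog.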
Configuring SSL Termination At LB
1) Open the navigation menu. Under the Core Infrastructure group, go to Networking, click Load Balancers and select the load balancer (PoC_K21_Load_Balancer).
2) In the Resources menu, click Certificates, and then click Add Certificate.
3) In the Add Certificate dialog box, enter the following:
- Certificate Name: Enter PoC_K21_SSL_Certificate
- SSL Certificate: Paste the SSL certificate we created
- Private Key: Paste the private key we created
- Enter Private Key Passphrase: Enter welcome
- Click Add Certificate
4) Under Resources, click Listeners, then click Create Listener.
5) In the Edit Listener dialog box, edit the following:
Note: We need to tick the "Use SSL" checkbox to configure SSL on the LB.
6) Verify the HTTPS connection to the LB by browsing to the IP address of the load balancer created:
https://129.146.158.67
Configuring End To End SSL (Between LB And Backend)
In the previous section we attached the SSL certificate to the listener. To configure SSL between the LB and the backend as well (so that information stays encrypted all the way from client to server), we also need to add the SSL certificate to the backend set.
1) Navigate to the load balancer created -> under Resources -> click Backend Sets -> click the action button (three dots) of the backend set.
2) Click Edit.
3) In the Edit Backend Set dialog box, tick the Use SSL checkbox.
Conclusion
It is necessary to have a secured end to end transfer of requests. To implement this we use SSL on the Load Balancer in OCI. In this post, I have covered an overview of SSL on the LB and the steps to configure it. I hope it will help you understand the whole process.
SSL on LB is also covered in our OCI Architect Professional [1z0-997] Certification training. To know more about this training click here.
Related/Further Readings
- Oracle Cloud Infrastructure 2019 Architect Professional | 1Z0-997
- [1Z0-997]Oracle Cloud Infrastructure (OCI) Architect Professional Certification: Step by Step Hands-On Lab
- Traffic Management in OCI
- Web Application Firewall in OCI
- Health Check in OCI
- Secret Management in OCI
Next Task For You
In our OCI Architect Professional [1Z0-997] Certification training, we cover SSL on LB in Design for Hybrid Cloud Architecture module. In this module, we also cover Virtual Cloud Network, Load Balancer, Fast Connect, VPN Connect, DNS Traffic Management Steering Policies, DNS Zone Management.
For the list of Hands-On guide click here.
Prashanth Katkam says
Could you please tell me where you have downloaded the SSL certificate(.pem) file and private key
Rahul Dangayach says
Hi Prashanth,
Regarding your request, Please check the link below to download the SSL certificate and private key.
https://k21academy.com/1z099715
Hope this helps.
Thanks and Regards
Rahul Dangayach
Team K21 Academy
Felipe says
Hi,
I'm developing an application that doesn't handle sensitive data.
How secure is it to implement https only on the load balancer, and http on the backend servers?
Thanks and Regards.
Rahul Dangayach says
Hi Felipe,
This configuration is done at the backend, where load balancer to backend configuration when you define it on SSL it will work, so please check the configuration between backend and TLS.
Also please add backend servers on HTTP for the load balancer.
Please check the link below for reference:
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/create_backend_server.htm#add
Hope this helps.
Thanks and Regards
Rahul Dangayach
Team K21Academy
Parvez says
Hi Rahul,
I have created an API Gateway which works using POSTMAN. Now, I am putting this API Gateway behind the load balancer but the health check fails. Can you please assist with what could be going wrong? Do I need to put the certificate on the backend set for the updated health check to work?
Surbhi Sharma says
Hi Parvez,
Check that the ports are open via the firewall. Enable log flow and check what messages are there in that. Certificates are optional; only when you need SSL are they required. Usually, it is recommended for prod at least.
Regards,
Surbhi
Team K21