Okay, so now let's talk about SSL and TLS certificates. So this is a dumbed-down version of how this works. This is obviously way more complicated, but I want to introduce you to the concepts in case you don't know them. And even if you do know SSL and TLS, please watch this lecture; I'm going to talk about SNI, and I'm going to talk about the integrations with load balancers. So bear with me, please.

So an SSL certificate allows the traffic between your clients and your load balancer to be encrypted while in transit. This is called in-flight encryption. So it means the data, as it goes through a network, is going to be encrypted and only going to be able to be decrypted by the sender and the receiver.

So SSL refers to Secure Sockets Layer, and it's used to encrypt connections, and TLS is the newer version of SSL, and it refers to Transport Layer Security. But the thing is, nowadays TLS certificates are the ones that are mainly used, but people, including myself, will still refer to this as SSL. So I'm making a mistake, but I'm making it on purpose, okay?
So it's better to say a TLS certificate than an SSL certificate, but for many reasons I'm still going to say SSL 'cause it's easier to understand.

So public SSL certificates are issued by Certificate Authorities, and they include something like Comodo, Symantec, GoDaddy, GlobalSign, DigiCert, Let's Encrypt and so on. And using this public SSL certificate attached to our load balancer, we're able to encrypt the connection between the clients and the load balancer.

So whenever you go to a website, for example Google.com or any other website, and you have a lock or a green lock, that means that your traffic is encrypted. And if traffic is not encrypted, then you'll have a red sign saying, hey, traffic is not encrypted, don't put your credit card details, don't put your login information, because it's not secure.

So the SSL certificates, they have an expiration date that you set, and they must be renewed regularly to make sure that they're authentic, okay. So how does it work from a load balancer perspective?
So users connect over HTTPS, and it's S because it's using SSL certificates and it's encrypted, it's secure, and it connects over the public internet to your load balancer, and internally your load balancer does something called SSL certificate termination. And in the backend, it can talk to your EC2 instance using HTTP. So not encrypted, but the traffic goes over your VPC, which is a private network, and that is somewhat secure.

So the load balancer will load an X.509 certificate, which is called the SSL or TLS server certificate. And you can manage these SSL certificates in AWS using ACM, meaning AWS Certificate Manager. So we're not going to view ACM in this lecture, but just to get an idea of what it is. Now you can also upload your own certificates to ACM if you wanted to.

And when you set an HTTPS listener, you must specify a default certificate, then you can add an optional list of certs to support multiple domains, and clients can use something called SNI, or Server Name Indication, to specify the host name they reach.
Now don't worry, I'm going to explain what SNI is in detail in the next slide, because it is really, really important for you to understand what it means. And finally, for HTTPS, you can also set a specific security policy, if you wanted to, to support older versions of SSL and TLS, also called legacy clients.

Okay, so let's talk about SNI 'cause it is so important. SNI solves a very important problem, which is: how do you load multiple SSL certificates onto one web server in order for that web server to serve multiple websites? And there's a newer protocol that now requires the client to indicate the host name of the target server in the initial SSL handshake. So the client will say "I want to connect to this website," and the server will know what certificate to load. And so this is a newer protocol, and this is something new; not every client supports this.
So it only works when you use the Application Load Balancer and the Network Load Balancer, so the newer generations, or CloudFront, and we'll see what CloudFront is later in this course, and it does not work when you use the Classic Load Balancer, because it is older generation. So anytime you see multiple SSL certificates on your load balancer, think ALB or NLB.

So as a diagram, what does it look like? We have our ALB here and we have two target groups. The first one is www.mycorp.com and the second one is Domain1.example.com, so the ALB will be routing to these target groups based on some rules, and the rules may be directly linked, in this case, to the host name. So the ALB will have two SSL certificates, Domain1.example.com and www.mycorp.com, which correspond to the corresponding target groups. Now the client connects to our ALB, it says, I would like www.mycorp.com, and that is part of Server Name Indication. And the ALB says, okay, I've seen that you want mycorp.com, let me use the correct SSL certificate to fulfill that request.
So it's going to take the right SSL certificate, encrypt the traffic, and then, thanks to the rules, it's going to know to route to the correct target group, mycorp.com. And obviously if you have another client connecting to your ALB for Domain1.example.com, then it would be able to pull the right SSL certificate again and connect it to the right target group. So using SNI, or Server Name Indication, you are able to have multiple target groups for different websites using different SSL certificates.

Excellent. So finally, what is supported for SSL certificates? So, Classic Load Balancer: yes, but you can only support one SSL certificate, and if you want multiple host names with multiple SSL certificates, the best way is to use multiple Classic Load Balancers. For ALB, the v2, you can support multiple listeners with multiple SSL certificates, and that's the great part of it. And that uses SNI to make it work, and we just saw what it is.
And for the NLB, or Network Load Balancer, it supports again multiple listeners with multiple SSL certificates, and it will use SNI again to make it work.

Okay, so let's look at the Classic Load Balancer. And if we go to Listeners, here I'm able to edit and add an HTTPS listener, and I need to set up a cipher, which is the protocols we want to support, and that's a security cipher. And then I need to set up an SSL certificate, and I can import it directly and have it here manually encoded. Or I can choose a certificate from ACM, which is Amazon Certificate Manager, but we don't have one yet, so we can't use it, but I wanted to show you that yes, you can set up an HTTPS certificate in here, and it supports only one SSL certificate. So that is for the Classic Load Balancer.

Next, for the Application Load Balancer, we can add another listener as well. So we'll say, okay, this listener is HTTPS, and the default action is to forward to our target group, excellent. Now we set a security policy, this one, and then we say, what is the default SSL certificate?
So is it from ACM, from IAM, or import? Okay, and we can choose a certificate we want, but the idea is that now for each rule we can have a different SSL certificate, and that would allow us, using Server Name Indication, SNI, to have multiple SSL certificates on different target groups. So very, very good. But again, I'm not going to do it, because we don't have the right certificates in place.

And for NLB, listener, again, you can add a listener, and this one can be TLS for secure TCP. And again, the default SSL certificate we have can be imported from ACM, IAM, or written manually.

All right, so that's it for this lecture, just to show you how the settings work. So what I want you to remember is that the CLB is the old way of doing things, it does not support SNI, and ALB and NLB do support SNI and multiple SSL certificates. All right, that's it, I will see you in the next lecture.