
SSL/TLS termination in AWS - Commands & Configuration

Introduction
SSL/TLS termination means ending the encrypted connection at a point in front of your application, typically a load balancer, which decrypts incoming traffic and passes plain HTTP to the backend. Your app then handles ordinary unencrypted requests, which is faster and simpler to operate.
Typical situations where you would use it:
When you want to secure your website with HTTPS but keep your app servers simple.
When you use a load balancer to share traffic among many servers and want to manage SSL certificates in one place.
When you want to reduce the work your app servers do by handling encryption outside them.
When you want to update or rotate SSL certificates without touching your app servers.
When you want to monitor and control secure traffic centrally before it reaches your backend.
Config File - main.tf
provider "aws" {
  region = "us-east-1"
}

# Internet-facing ALB that terminates TLS. Its security group (not shown here)
# must allow inbound traffic on port 443, see "Common Mistakes" below.
resource "aws_lb" "example" {
  name               = "example-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
}

# Backend targets receive plain HTTP on port 80 after termination.
resource "aws_lb_target_group" "example_tg" {
  name     = "example-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = "vpc-0123456789abcdef0"
}

# HTTPS listener: decrypts with the ACM certificate, then forwards to the HTTP target group.
resource "aws_lb_listener" "https_listener" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "HTTPS"

  # ELBSecurityPolicy-2016-08 still accepts TLS 1.0 and 1.1; pick a TLS 1.2+ policy for new deployments.
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ab-cdef-EXAMPLE11111"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example_tg.arn
  }
}

This Terraform file creates an AWS Application Load Balancer (ALB) that listens on port 443 for HTTPS traffic.

The aws_lb resource sets up the load balancer.

The aws_lb_target_group defines where the traffic will be sent after SSL termination, here on port 80 using HTTP.

The aws_lb_listener listens on HTTPS port 443, uses an SSL certificate from AWS Certificate Manager (ACM), and forwards decrypted traffic to the target group.

Commands
This command prepares Terraform to work with AWS by downloading necessary plugins and setting up the environment.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)
Terraform has been successfully initialized!
This command creates the AWS resources defined in the Terraform file, including the load balancer with SSL termination.
Terminal
terraform apply -auto-approve
Expected Output
aws_lb.example: Creating...
aws_lb_target_group.example_tg: Creating...
aws_lb_target_group.example_tg: Creation complete after 2s [id=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/abcdef1234567890]
aws_lb.example: Creation complete after 10s [id=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-lb/1234567890abcdef]
aws_lb_listener.https_listener: Creating...
aws_lb_listener.https_listener: Creation complete after 3s [id=arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-lb/1234567890abcdef/abcdef1234567890]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
-auto-approve - Automatically approve the plan without asking for confirmation
This command checks the listeners on the load balancer to confirm the HTTPS listener with SSL termination is active.
Terminal
aws elbv2 describe-listeners --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-lb/1234567890abcdef
Expected Output
{
  "Listeners": [
    {
      "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-lb/1234567890abcdef/abcdef1234567890",
      "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-lb/1234567890abcdef",
      "Port": 443,
      "Protocol": "HTTPS",
      "Certificates": [
        {
          "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ab-cdef-EXAMPLE11111"
        }
      ],
      "DefaultActions": [
        {
          "Type": "forward",
          "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/abcdef1234567890"
        }
      ]
    }
  ]
}
--load-balancer-arn - Specifies which load balancer to describe
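The manual check above can be automated. The script below is an added example, not part of the original page: it parses describe-listeners JSON and reports the conditions a TLS-terminating listener must meet (HTTPS on 443, a certificate attached, a forward action) and flags a policy that still accepts TLS 1.0/1.1. The sample input is constructed from the output above; the SslPolicy field is assumed here (the real API returns it, the output above omits it), and the policy-name check is a heuristic.

```python
"""Validate `aws elbv2 describe-listeners` output for a TLS-terminating ALB listener."""
import json
import re

# Constructed sample modelled on the describe-listeners output above.
# SslPolicy is assumed: it mirrors the ssl_policy in main.tf.
SAMPLE_LISTENERS = json.dumps({
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-lb/1234567890abcdef/abcdef1234567890",
            "Port": 443,
            "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ab-cdef-EXAMPLE11111"}],
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/abcdef1234567890"}],
        }
    ]
})

# Heuristic (assumption): AWS policy names that enforce TLS 1.2 or newer carry
# "-1-2-" or "TLS13" (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06), while
# ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1.
MODERN_POLICY = re.compile(r"TLS13|-1-2-")


def check_listeners(describe_output: str) -> list:
    """Return a list of findings; an empty list means the HTTPS termination looks sound."""
    findings = []
    listeners = json.loads(describe_output).get("Listeners", [])
    https = [l for l in listeners if l.get("Protocol") == "HTTPS"]
    if not https:
        return ["no HTTPS listener: TLS is not being terminated on this load balancer"]
    for l in https:
        arn = l.get("ListenerArn", "?")
        if l.get("Port") != 443:
            findings.append(f"{arn}: HTTPS listener on port {l.get('Port')} rather than 443")
        if not l.get("Certificates"):
            findings.append(f"{arn}: no ACM certificate attached, TLS handshakes will fail")
        policy = l.get("SslPolicy", "")
        if not MODERN_POLICY.search(policy):
            findings.append(f"{arn}: SSL policy {policy!r} permits TLS 1.0/1.1; prefer a TLS 1.2+ policy")
        actions = l.get("DefaultActions", [])
        if not any(a.get("Type") == "forward" and a.get("TargetGroupArn") for a in actions):
            findings.append(f"{arn}: default action does not forward to a target group")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(SAMPLE_LISTENERS) or ["OK: listener terminates TLS correctly"]:
        print(finding)
```

Pipe real output in with `aws elbv2 describe-listeners ... | python3 check_listeners.py` after replacing the constructed sample with `sys.stdin.read()`.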
Key Concept

If you remember nothing else from this pattern, remember: SSL/TLS termination moves encryption work from your app servers to a central place like a load balancer to simplify and speed up your backend.

Common Mistakes
Not attaching a valid SSL certificate to the load balancer listener.
Without a valid certificate, the load balancer cannot accept HTTPS traffic, causing connection errors.
Always request or import a valid SSL certificate in AWS Certificate Manager and reference its ARN in the listener configuration.
Configuring the target group to use HTTPS instead of HTTP after SSL termination.
The load balancer would then re-encrypt traffic to the backend, which is unnecessary in this pattern and causes connection failures if the backend servers are not set up to serve HTTPS.
Set the target group protocol to HTTP so decrypted traffic is forwarded to backend servers.
Not opening port 443 in the load balancer security group.
Traffic on HTTPS port will be blocked, making the service unreachable over HTTPS.
Ensure the security group attached to the load balancer allows inbound traffic on port 443.
Summary
Use Terraform to create an AWS Application Load Balancer with an HTTPS listener for SSL termination.
Attach a valid SSL certificate from AWS Certificate Manager to the listener to enable secure connections.
Forward decrypted HTTP traffic from the load balancer to backend servers using a target group.
Verify the listener and certificate setup using AWS CLI commands.