AWS elasticbeanstalk documentation change
Summary
Added TLS listener support documentation and example configuration for Network Load Balancer
Security assessment
Documented TLS listener configuration with SSL certificates and security policies, enhancing instructions for encrypted traffic handling. No specific vulnerability addressed, but expands security feature documentation.
Diff
diff --git a/elasticbeanstalk/latest/dg/environments-cfg-nlb.md b/elasticbeanstalk/latest/dg/environments-cfg-nlb.md index 9fb392e13..c457c3ef4 100644 --- a//elasticbeanstalk/latest/dg/environments-cfg-nlb.md +++ b//elasticbeanstalk/latest/dg/environments-cfg-nlb.md @@ -25 +25 @@ With a Network Load Balancer, the default listener accepts TCP requests on port -Unlike a Classic Load Balancer or an Application Load Balancer, a Network Load Balancer can't have application layer (layer 7) HTTP or HTTPS listeners. It only supports transport layer (layer 4) TCP listeners. HTTP and HTTPS traffic can be routed to your environment over TCP. To establish secure HTTPS connections between web clients and your environment, install a [self-signed certificate](./configuring-https-ssl.html) on the environment's instances, and configure the instances to listen on the appropriate port (typically 443) and terminate HTTPS connections. The configuration varies per platform. See [Configuring HTTPS Termination at the instance](./https-singleinstance.html) for instructions. Then configure your Network Load Balancer to add a listener that maps to a process listening on the appropriate port. +Unlike a Classic Load Balancer or an Application Load Balancer, a Network Load Balancer can't have application layer (layer 7) HTTP or HTTPS listeners. It supports transport layer (layer 4) TCP and TLS listeners. To establish secure HTTPS connections between web clients and your environment, you can configure a TLS listener with an SSL certificate and security policy. You can also use a TCP listener and install a [self-signed certificate](./configuring-https-ssl.html) on the environment's instances, and configure the instances to listen on the appropriate port (typically 443) and handle HTTPS connections directly. The configuration varies per platform. See [Configuring HTTPS Termination at the instance](./https-singleinstance.html) for instructions. Then configure your Network Load Balancer to add a listener that maps to a process listening on the appropriate port. @@ -254,0 +255,12 @@ The following configuration file modifies health check settings on the default p +###### Example.ebextensions/nlb-tls-listener.config + +The following configuration file adds a TLS listener on port 443 with an SSL certificate. The load balancer handles the secure connection and forwards traffic to the default process on port 80. + + + option_settings: + aws:elbv2:listener:443: + ListenerEnabled: 'true' + Protocol: TLS + SSLCertificateArns: arn:aws:acm:us-east-2:1234567890123:certificate/#################################### + SSLPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06 + @@ -257 +269 @@ The following configuration file modifies health check settings on the default p -The following configuration file adds a listener for secure traffic on port 443 and a matching target process that listens to port 443. +The following configuration file uses a TCP listener to forward encrypted traffic to instances. The instances handle the secure connection directly. @@ -269 +281 @@ The `DefaultProcess` option is named this way because of Application Load Balanc -In this example, we named the process `https` because it listens to secure (HTTPS) traffic. The listener sends traffic to the process on the designated port using the TCP protocol, because a Network Load Balancer works only with TCP. This is okay, because network traffic for HTTP and HTTPS is implemented on top of TCP. +In this example, we named the process `https` because it listens to secure (HTTPS) traffic. The listener sends traffic to the process on the designated port using the TCP protocol. This is okay, because network traffic for HTTP and HTTPS is implemented on top of TCP.