When you configure a TCPSSL listener for a Network Load Balancer (NLB) instance, a TLS security policy specifies the TLS protocol versions and cipher suites that the instance uses during the TLS handshake with clients. NLB provides several commonly used system-defined security policies. If you have specific security or compliance requirements, you can create a custom security policy instead.
How it works
An NLB instance uses a TLS security policy to specify the TLS protocol versions and cipher suites for a TLS handshake. During the handshake, a client sends a Client Hello message listing its supported protocol versions and cipher suites. Based on the policy, the NLB instance selects a mutually supported protocol version and cipher suite from the client's list and confirms the selection in a Server Hello response. Subsequent steps, such as key exchange and session key generation, use these negotiated parameters.
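To make the negotiation concrete, the following is an added illustration (not NLB code) of server-preference selection under a policy of the kind described above: the listener takes the highest protocol version both sides allow, then walks its own cipher list in order and returns the first suite the client also offered. The policy shape, suite names and client offers are constructed for this example; a real listener gets its policy from the console or API.

```python
"""Simulate how a TLS listener picks a protocol version and cipher suite.

Added example: the policy dict and the client offers are constructed; the
selection logic is a simplified model of the handshake described above.
"""

TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# TLS 1.3 has its own suite set (IANA names); all other suites are for TLS 1.2 and earlier.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Constructed policy in the spirit of "TLS 1.2 or Later" with TLS 1.3 enabled.
# The cipher list is the server's preference order: TLS 1.3 suites first,
# then forward-secret ECDHE suites for TLS 1.2 clients.
POLICY = {
    "min_version": "TLSv1.2",
    "enable_tls13": True,
    "ciphers": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ],
}


def allowed_versions(policy):
    """Protocol versions the policy permits, lowest to highest."""
    min_idx = TLS_VERSIONS.index(policy["min_version"])
    versions = TLS_VERSIONS[min_idx:]
    if not policy["enable_tls13"]:
        versions = [v for v in versions if v != "TLSv1.3"]
    return versions


def negotiate(policy, client_versions, client_ciphers):
    """Return (version, cipher) the server would confirm in its Server Hello.

    Raises ValueError when no common version or suite exists, which is the
    handshake_failure alert a real client would receive.
    """
    allowed = allowed_versions(policy)
    common = [v for v in TLS_VERSIONS if v in allowed and v in client_versions]
    if not common:
        raise ValueError("handshake_failure: no common protocol version")
    version = common[-1]  # highest mutually supported version wins

    offered = set(client_ciphers)
    for suite in policy["ciphers"]:  # server preference order, not the client's
        # Only consider suites that belong to the negotiated version's family.
        if (suite in TLS13_SUITES) != (version == "TLSv1.3"):
            continue
        if suite in offered:
            return version, suite
    raise ValueError(f"handshake_failure: no common cipher suite for {version}")


if __name__ == "__main__":
    # Constructed client offers: a modern client, a TLS 1.2-only client, a legacy client.
    print(negotiate(POLICY, ["TLSv1.2", "TLSv1.3"],
                    ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]))
    print(negotiate(POLICY, ["TLSv1.2"],
                    ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]))
    try:
        negotiate(POLICY, ["TLSv1.0", "TLSv1.1"], ["AES128-SHA"])
    except ValueError as exc:
        print(exc)
```

The second call shows why server preference matters: the TLS 1.2-only client lists `AES128-SHA` first, but the listener answers with `ECDHE-RSA-AES256-GCM-SHA384` because that is the first entry in its own list that the client also supports. The legacy client fails outright, which is the compatibility trade-off the Minimum Version setting makes explicit.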
Default policies
For internet-facing applications without special compatibility requirements, use the tls_cipher_policy_1_2 policy or a newer one.
Console
Go to the TLS Security Policies page in the NLB console. The policy details are on the Default Policy tab.
API
Call the ListSystemSecurityPolicy operation to retrieve the default policies.
Custom policies
Create a custom policy
Console
Go to the TLS Security Policies page on the Network Load Balancer (NLB) console and select the region where your NLB instance is deployed.
Click Create Custom Policy. Configure the following parameters, and click Create.
Minimum Version: If your workloads have no special compatibility requirements, we recommend selecting TLS 1.2 or Later for enhanced security.
Enable TLS 1.3: To improve security and efficiency, we recommend enabling this option for compatible services.
Cipher Suite: Select cipher suites that are compatible with the selected TLS protocol versions.
After you create the policy, you can select it when configuring a TLS security policy for a listener.
API
Call the CreateSecurityPolicy operation to create a custom policy. The custom policy must be in the same region as the NLB instance.
Update custom policy attributes
Console
Go to the TLS Security Policies page on the NLB console and select the region of the custom policy.
Find the target custom policy and click Modify in the Actions column. In the Modify TLS Security Policy dialog box, update the TLS protocol versions or cipher suites.
API
Call the UpdateSecurityPolicyAttribute operation to update the attributes of a custom policy.
Replicate a custom policy to other regions
Console
Go to the TLS Security Policies page on the NLB console and select the region of the custom policy.
Find the target custom policy, click Replicate to Other Regions in the Actions column, select a destination region, and click OK.
API
Call the ListSecurityPolicy operation to obtain the TlsVersion and Ciphers parameters of the custom policy. Then, call the CreateSecurityPolicy operation and pass these parameters to create a new policy. In the request, set the RegionId parameter to the ID of the destination region.
Delete a custom policy
You cannot delete a custom policy that is in use by a listener. To delete the policy, you must first change the listener's TLS security policy or delete the listener.
Console
Go to the TLS Security Policies page on the NLB console and select the region of the custom policy.
Find the target custom policy, click Delete in the Actions column, and click OK.
API
Call the DeleteSecurityPolicy operation to delete a custom policy.
Configure TLS security policy for a listener
Console
When you create a TCPSSL listener, select a TLS Security Policy on the Configure SSL Certificate tab. When you quickly create a TCPSSL listener, select a TLS Security Policy in the Quick Create Listener dialog box.
To update the TLS security policy for a listener, go to the Listener tab on the instance details page and click the ID of the TCPSSL listener. On the Listener Details page, update the TLS Security Policy in the SSL Certificate section.
API
When you call the CreateListener operation to create a TCPSSL listener or call the UpdateListenerAttribute operation to update a TCPSSL listener, set the SecurityPolicyId parameter to the ID of the TLS security policy.
Call the ListSystemSecurityPolicy operation to get the SecurityPolicyId of a default policy. Call the ListSecurityPolicy operation to get the SecurityPolicyId of a custom policy.
Billing
TLS security policies are free of charge. However, you will be charged for the NLB instances that you use. For more information, see NLB billing rules.
Production environment
Backend traffic security: Traffic between a client and an NLB is encrypted using TCPSSL, but traffic between the NLB and its backend servers is plaintext by default. To ensure end-to-end security, deploy the NLB and its backend servers in the same VPC and use security groups to strictly control access.
TLS version: Unless your application has specific compatibility requirements, use TLS 1.2 and TLS 1.3 for stronger security.
Change rollback: If an issue occurs after modifying a TLS security policy, immediately roll back the change by updating the listener configuration. We recommend performing these changes during off-peak hours.
Key exchange algorithm: Unless your application has specific compatibility requirements, avoid using the following RSA-based cipher suites in a production environment: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. These suites lack Perfect Forward Secrecy (PFS) and are vulnerable to side-channel attacks. Prioritize cipher suites that include an ECDHE or DHE key exchange.
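The guidance above can be turned into a pre-change check, which is useful given the rollback advice: audit a custom policy before you attach it to a listener rather than after. The following is an added example, not NLB code: it flags legacy protocol versions and the RSA key-exchange suites named above, and derives a hardened copy that keeps only forward-secret suites. The record shape (a TlsVersion list and a Ciphers list, the field names this page uses for ListSecurityPolicy) and the weak policy values are constructed for illustration; the TLS 1.3 suite names added by harden_policy are the IANA standard names.

```python
"""Audit a custom TLS security policy against the production guidance above.

Added example, not NLB code. The policy record and its values are
constructed; the field names follow the TlsVersion / Ciphers parameters
named on this page.
"""

# RSA key-exchange suites named above as lacking forward secrecy.
NO_PFS_SUITES = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
}
LEGACY_VERSIONS = {"TLSv1.0", "TLSv1.1"}
# Prefixes of suites that provide forward secrecy: ECDHE/DHE for TLS 1.2,
# and every TLS 1.3 suite (IANA "TLS_" names) uses an (EC)DHE key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
TLS13_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
]

# Constructed example of a custom policy that violates the guidance.
WEAK_POLICY = {
    "SecurityPolicyName": "legacy-compat",  # hypothetical name
    "TlsVersion": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "Ciphers": [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-GCM-SHA256",
        "AES256-SHA",
        "DES-CBC3-SHA",
    ],
}


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets the guidance."""
    findings = []
    for version in policy["TlsVersion"]:
        if version in LEGACY_VERSIONS:
            findings.append(f"legacy protocol version enabled: {version}")
    for suite in policy["Ciphers"]:
        if suite in NO_PFS_SUITES:
            findings.append(f"cipher suite without forward secrecy: {suite}")
        elif not suite.startswith(PFS_PREFIXES):
            findings.append(f"cipher suite with unrecognised key exchange: {suite}")
    if not any(s.startswith(PFS_PREFIXES) for s in policy["Ciphers"]):
        findings.append("policy contains no forward-secret cipher suite")
    return findings


def harden_policy(policy, enable_tls13=True):
    """Return a copy of the policy with legacy versions and non-PFS suites removed.

    Enabling TLS 1.3 also appends the TLS 1.3 suites, since a version with no
    matching suite cannot be negotiated. Raises ValueError if nothing usable
    remains, so an empty policy is never produced by accident.
    """
    versions = [v for v in policy["TlsVersion"] if v not in LEGACY_VERSIONS]
    ciphers = [c for c in policy["Ciphers"] if c.startswith(PFS_PREFIXES)]
    if enable_tls13:
        if "TLSv1.3" not in versions:
            versions.append("TLSv1.3")
        ciphers += [s for s in TLS13_SUITES if s not in ciphers]
    if not versions or not ciphers:
        raise ValueError("no protocol version or cipher suite left after hardening")
    return {**policy, "TlsVersion": versions, "Ciphers": ciphers}


if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY):
        print("finding:", finding)
    hardened = harden_policy(WEAK_POLICY)
    print("hardened:", hardened)
    print("residual findings:", audit_policy(hardened))
```

Run the audit on the policy you intend to attach to the listener; only when it returns no findings (or only findings you have an explicit compatibility reason to accept) proceed with the listener change, ideally during the off-peak window the rollback note recommends.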
TLS cipher suite reference
This table maps each cipher suite to its corresponding OpenSSL format, IANA standard format, and hexadecimal representation.