Availability and Scalability - SSL/Connection Drain Flashcards
What is the purpose of an SSL/TLS certificate?
An SSL/TLS certificate encrypts traffic between clients and load balancers to ensure data is secure during transit (in-flight encryption).
How are SSL/TLS certificates typically used in a load balancer setup?
The SSL/TLS certificate is attached to the load balancer to secure communication between the client and the load balancer via HTTPS.
What is SSL termination in the context of a load balancer?
SSL termination is when the load balancer decrypts SSL/TLS traffic (HTTPS) and forwards it to backend systems over HTTP.
What service in AWS can you use to manage SSL/TLS certificates?
You can manage SSL/TLS certificates using AWS Certificate Manager (ACM).
What is Server Name Indication (SNI)?
SNI is an extension to SSL/TLS where the client specifies the hostname during the handshake, allowing the server to choose the correct SSL certificate for the requested domain.
Why is SNI important in load balancing?
SNI allows multiple SSL certificates to be used on a single load balancer, enabling it to serve multiple domains securely with different certificates.
Which AWS load balancers support SNI?
Application Load Balancer (ALB), Network Load Balancer (NLB), and CloudFront support SNI.
What happens when a client connects to a load balancer using SNI?
The client sends the requested hostname during the SSL handshake. The load balancer uses this information to load the appropriate SSL certificate and route the request to the correct target group.
How can an ALB or NLB support multiple SSL certificates?
An ALB or NLB can support multiple SSL certificates by using SNI, allowing different certificates for different domains or subdomains.
What happens if a website does not use SSL/TLS encryption?
If SSL/TLS is not used, the browser will display a warning (e.g., a red warning sign) indicating that the traffic is not encrypted, and sensitive information should not be submitted.
How do you configure SSL certificates for multiple domains on an ALB or NLB?
You can configure multiple SSL certificates on an ALB or NLB by using SNI to assign different certificates to different hostnames, allowing multiple domains to be served securely.
What is Connection Draining in the context of AWS Load Balancers?
Connection Draining (for Classic Load Balancers) or Deregistration Delay (for ALBs and NLBs) allows existing connections to complete before an EC2 instance is deregistered or marked unhealthy.
What happens when an EC2 instance is set to Connection Draining or Deregistration Delay?
When an EC2 instance is in the draining state, the load balancer stops sending new requests to it, but allows existing connections to finish within the specified draining period.
How does Connection Draining (or Deregistration Delay) work with existing user connections?
Users already connected to a draining EC2 instance are given time to finish their ongoing requests. Once their requests are completed, the connections are shut down.
How does the load balancer handle new user connections when an EC2 instance is in draining mode?
The load balancer will only establish new connections with other healthy EC2 instances, not the instance in draining mode.