Secure your web traffic with TLS on an OCI LB

November 24, 2022 | 7 minute read
Catalin Andrei
Master Principal Cloud Architect

Introduction

In the age of the Internet there is a real need for a secure way to communicate over this untrusted medium. The de facto standard for web communication is TLS, with a certificate authenticating the server and the protocol securing the connection between a client and a web server.
Most of my customers deploy an architecture in which an OCI Load Balancer fronts the application servers.
In this blog post I describe the possible deployment patterns for using a TLS certificate on the load balancer.

Historically, the TLS certificate was stored locally on the load balancer (a Load Balancer Managed Certificate). Imagine a fleet of 10+ LBs where you need to upload the certificate to each of them, and upload it again at every renewal. This task is time consuming and prone to human error.

A more modern approach is to store the certificate in the OCI Certificate Service and let the LBaaS reference it from there for its TLS handling. Note that the Certificate Authority within the service is a private one: certificates it issues are not trusted by public clients, so it will not be useful on its own when you need to protect internet facing applications.

If you do not have a valid public certificate, check out this previous blog post where I covered the generation of a certificate with Let's Encrypt. Once you have the certificate, you can follow this blog to import it to the Certificate Service.

Protecting workloads with TLS

There are three possible deployment patterns for securing web traffic with TLS certificates with the aid of a Load Balancer.

  • Transparent
  • TLS Offloading
  • Point-to-Point TLS

Transparent

In this scenario, the backend server, i.e. the web server, handles the TLS traffic. The LB is configured with a TCP listener and no certificate is configured on the LB. The LB never sees the decrypted HTTP traffic, so balancing is done at Layer 4 and Layer 7 features such as host or path based routing are not available. Encryption is end to end, but each backend server must hold and renew its own certificate.

TLS Offloading

In this scenario, the TLS traffic is terminated at the LB and traffic is sent as plain HTTP to the backends. Encryption and decryption are handled by the LB and the backend servers are not aware of any encryption.
The backend servers only process HTTP requests, which gives the best throughput for the backend. The trade-off is that the hop from the LB to the backends is in plaintext, so the backend subnet must be protected with security lists or NSGs that only admit that traffic from the LB.

The configuration needed for this scenario is an HTTPS listener that uses the certificate imported into the OCI Certificate Service.


Point-to-Point TLS

In this scenario, the LB accepts the encrypted traffic from the clients, decrypts it, processes it and re-encrypts the traffic sent to the backend servers. The HTTP traffic is processed by the LB, so it is load balanced at Layer 7 while the data stays encrypted on every hop.

The configuration steps are the following:

  • Create an HTTPS listener which uses the imported certificate.
  • Create a backend set whose SSL configuration references a Certificate Authority from the Certificate Service. The LB uses that CA to verify the certificates presented by the backend servers, so the backend certificates must be issued by it.
    If you do not have a Certificate Authority configured you can provision one by following this blog.
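The TLS offloading and point-to-point configurations described above, together with the transparent one, expressed as Terraform for the OCI provider. This is an added example and not part of the original post. It assumes three existing load balancers (one per pattern, since one LB cannot carry two listeners on port 443) passed in by OCID, the OCID of the public certificate imported into the Certificate Service, the OCID of the private CA that issued the backend certificates, and a /healthz endpoint on the backends; the resource names, backend set names and TLS protocol choice are illustrative, and the backends themselves are attached separately.

```hcl
# Added example, not from the original post. All OCIDs are placeholders passed in as variables.
variable "lb_ids" {
  type        = map(string)
  description = "OCIDs of three existing load balancers, keyed transparent / offload / p2p"
}
variable "public_cert_id" { type = string } # Certificate Service OCID of the imported public cert
variable "private_ca_id"  { type = string } # Certificate Service OCID of the private CA for backends

# Pattern 1: Transparent. TCP listener with no ssl_configuration; TLS ends on the web servers.
# The LB balances at Layer 4 and never sees HTTP.
resource "oci_load_balancer_backend_set" "transparent" {
  load_balancer_id = var.lb_ids["transparent"]
  name             = "bs-transparent"
  policy           = "ROUND_ROBIN"
  health_checker {
    protocol = "TCP"
    port     = 443
  }
}

resource "oci_load_balancer_listener" "transparent" {
  load_balancer_id         = var.lb_ids["transparent"]
  name                     = "lsnr-transparent"
  default_backend_set_name = oci_load_balancer_backend_set.transparent.name
  port                     = 443
  protocol                 = "TCP"
}

# Pattern 2: TLS offloading. HTTPS listener with the imported public certificate and
# plain HTTP on port 80 to the backends, so that port must only be reachable from the LB.
resource "oci_load_balancer_backend_set" "offload" {
  load_balancer_id = var.lb_ids["offload"]
  name             = "bs-offload"
  policy           = "ROUND_ROBIN"
  health_checker {
    protocol = "HTTP"
    port     = 80
    url_path = "/healthz" # assumed health endpoint on the backends
  }
}

resource "oci_load_balancer_listener" "offload" {
  load_balancer_id         = var.lb_ids["offload"]
  name                     = "lsnr-offload"
  default_backend_set_name = oci_load_balancer_backend_set.offload.name
  port                     = 443
  protocol                 = "HTTP" # HTTP protocol plus ssl_configuration makes an HTTPS listener
  ssl_configuration {
    certificate_ids         = [var.public_cert_id]
    protocols               = ["TLSv1.2"]
    verify_peer_certificate = false # clients are not mutually authenticated
  }
}

# Pattern 3: Point-to-point. Same HTTPS listener, but the backend set also speaks TLS and the
# LB verifies each backend certificate against the private CA from the Certificate Service.
resource "oci_load_balancer_backend_set" "p2p" {
  load_balancer_id = var.lb_ids["p2p"]
  name             = "bs-p2p"
  policy           = "ROUND_ROBIN"
  health_checker {
    protocol = "TCP"
    port     = 443
  }
  ssl_configuration {
    trusted_certificate_authority_ids = [var.private_ca_id]
    verify_peer_certificate           = true # reject backends whose cert is not issued by the private CA
    verify_depth                      = 3
    protocols                         = ["TLSv1.2"]
  }
}

resource "oci_load_balancer_listener" "p2p" {
  load_balancer_id         = var.lb_ids["p2p"]
  name                     = "lsnr-p2p"
  default_backend_set_name = oci_load_balancer_backend_set.p2p.name
  port                     = 443
  protocol                 = "HTTP"
  ssl_configuration {
    certificate_ids         = [var.public_cert_id]
    protocols               = ["TLSv1.2"]
    verify_peer_certificate = false
  }
}
```

To check which pattern is actually in effect, run openssl s_client -connect <lb-ip>:443 -servername <hostname> from a client: it shows the imported public certificate for the offloading and point-to-point patterns and the web server's own certificate for the transparent one. For the point-to-point pattern, the same command run from inside the VCN against a backend on port 443 should show a chain ending at the private CA; if the backend presents anything else, verify_peer_certificate = true will take it out of service.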


Conclusion

This blog post enumerates the possible scenarios that can be used to secure web traffic with the aid of the LBaaS in OCI.
