We have received queries from several users asking which certificate is right to use for a load balancer with web servers behind it. The answer depends on how you handle TLS termination (also called SSL offload) in your server architecture.
TLS termination at Web Server
In this case, you will set up/configure SSL certificates in the backend web servers, and not in the load balancer. The backend web servers will have to use their CPUs for encryption in addition to providing the application functionality.
If you configure the certificate on each of the backend web servers, then each server keeps its own separate TLS session cache, increasing overheads across all web servers. A returning client may or may not be directed to the backend web server that holds its cached TLS session; if it is not, a new TLS session (a full handshake) must be established for that user, further increasing web server overheads.
If you go for this kind of setup, you will need an SSL certificate for each web server. Depending on your web server host naming convention, you may need a Wildcard SSL certificate or a Multi-Domain SSL certificate.
TLS termination at Load Balancer
A common practice is to set up/configure the SSL certificate on the load balancer, and not on the backend web servers. The connection between the balancer and the backend web servers then uses plain HTTP.
This lets the load balancer handle (offload) the TLS handshake/termination overhead (i.e. memory/CPU for TLS messages), rather than having the backend web servers spend their CPUs on that encryption in addition to providing the application functionality.
TLS session caching can now happen at the single entry point to your servers (i.e. the load balancer), reducing overheads across all web servers.
If you opt for this setup, all you need is a Regular SSL certificate for the load balancer’s hostname (domain/sub-domain). You do not need SSL certificates for the backend web servers.
As explained above, from the point of view of efficient resource usage and cost management, it is a good idea to terminate the TLS connection with a Regular SSL certificate at the load balancer.
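The following script turns the two cases above (termination at the web servers, termination at the load balancer) into a certificate plan. It is an added illustration written for this page, not code from the original article; the hostnames and the function names `plan_certificates` and `wildcard_matches` are constructed for the example. The wildcard check follows the browser rule that `*` covers exactly one DNS label, which is what decides between a Wildcard and a Multi-Domain certificate when the backends terminate TLS themselves. Note that in the load-balancer case the balancer-to-backend hop is plain HTTP and therefore unencrypted, so that network segment has to be one you trust.

```python
"""Decide which TLS certificates a deployment needs, depending on where TLS
is terminated. Added example for this page; hostnames are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


def registrable_parent(hostname: str) -> str:
    """Return everything after the first label ("web1.example.com" -> "example.com")."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[1:])


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Wildcard matching as browsers apply it (RFC 6125, section 6.4.3):
    '*' must be the whole left-most label and matches exactly one label, so
    '*.example.com' covers 'web1.example.com' but not 'a.b.example.com' and
    not the bare 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard needs at least two fixed labels after the '*' to be sensible.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


@dataclass
class CertPlan:
    location: str                     # "load_balancer" or "web_server"
    kind: str                         # "regular", "wildcard" or "multi_domain"
    names: list[str] = field(default_factory=list)  # names to put on the certificate
    backend_transport: str = "https"  # scheme the balancer uses toward the backends


def plan_certificates(termination: str, lb_hostname: str,
                      backend_hostnames: list[str]) -> CertPlan:
    """termination is "load_balancer" or "web_server" (the two cases in the article)."""
    if termination == "load_balancer":
        # One Regular certificate for the balancer's public hostname; the
        # balancer-to-backend hop is plain HTTP, so the backends need none.
        return CertPlan("load_balancer", "regular", [lb_hostname], backend_transport="http")
    if termination != "web_server":
        raise ValueError(f"unknown termination point: {termination!r}")
    if not backend_hostnames:
        raise ValueError("web_server termination needs at least one backend hostname")
    # Every backend name must be covered. A single Wildcard certificate works
    # only when all backends sit directly under the same parent domain.
    parent = registrable_parent(backend_hostnames[0])
    wildcard = f"*.{parent}"
    if parent and all(wildcard_matches(wildcard, h) for h in backend_hostnames):
        return CertPlan("web_server", "wildcard", [wildcard])
    # Otherwise list each hostname explicitly: a Multi-Domain (SAN) certificate.
    return CertPlan("web_server", "multi_domain",
                    sorted({h.lower() for h in backend_hostnames}))


if __name__ == "__main__":
    backends = ["web1.example.com", "web2.example.com"]  # constructed sample names
    print(plan_certificates("load_balancer", "www.example.com", backends))
    print(plan_certificates("web_server", "www.example.com", backends))
    print(plan_certificates("web_server", "www.example.com",
                            ["web1.example.com", "web2.example.net"]))
```

Running the script prints a plan for each case: one Regular certificate for `www.example.com` when the balancer terminates TLS, one Wildcard certificate when all backends share a parent domain, and a Multi-Domain certificate when they do not.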