AWS Solutions Architect · Lesson

SSL Termination and Sticky Sessions

Offload TLS at the load balancer using ACM certificates, and enable sticky sessions when stateful workloads require client affinity.

SSL/TLS Termination at the Load Balancer

SSL/TLS termination means the load balancer decrypts incoming HTTPS traffic, inspects the plaintext HTTP request (for routing decisions), and then optionally re-encrypts the request before forwarding to the backend. When termination happens at the ALB, your application servers can receive unencrypted HTTP traffic from the load balancer, simplifying backend configuration.

Termination at the load balancer reduces CPU overhead on application servers (no TLS handshake per connection), enables content-based routing (which requires reading HTTP headers), and centralises certificate management.

AWS Certificate Manager (ACM) Integration

AWS Certificate Manager (ACM) provisions, manages, and renews SSL/TLS certificates at no extra cost. ALB and NLB integrate directly with ACM: you select an ACM certificate in the HTTPS listener configuration and the load balancer presents it to connecting clients.

ACM certificates are automatically renewed before expiry, so there is no manual renewal and no outage caused by an expired certificate. For public certificates, ACM validates domain ownership through DNS validation (a CNAME record in the domain's DNS zone, which ACM can add automatically when the zone is hosted in Route 53) or email validation. For internal use, ACM Private CA can issue private certificates.

# Request a public certificate in ACM
aws acm request-certificate \
  --domain-name api.example.com \
  --subject-alternative-names '*.example.com' \
  --validation-method DNS \
  --region us-east-1

# Create an HTTPS listener using the ACM certificate
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789:loadbalancer/app/my-alb/abc \
  --protocol HTTPS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789:certificate/cert-id \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/my-tg/xyz
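Once termination is moved to the load balancer, the listener becomes the one place where the TLS posture is decided, so it is worth checking it the same way it was configured. The script below is an added example, not part of the lesson or of any AWS tooling: it reads the JSON that `aws elbv2 describe-listeners --load-balancer-arn <arn>` returns and reports HTTPS listeners with no ACM certificate attached, HTTPS listeners whose security policy is not on a TLS 1.2+ allow-list, and plain HTTP listeners that forward traffic instead of redirecting to HTTPS. The allow-list of policy names and the sample `describe-listeners` document (placeholder account id `111122223333` and ARNs) are assumptions constructed for the example.

```python
# Added example (not from the lesson): audit `aws elbv2 describe-listeners`
# output for listener settings that weaken TLS termination at the ALB.
import json
import sys

# Allow-list of ELB security policies that negotiate only TLS 1.2 or newer.
# Assumption: this reflects AWS policy names at the time of writing and must
# be maintained as AWS publishes new policies.
MODERN_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-FS-1-2-Res-2020-10",
}


def _redirects_to_https(action):
    """True when a default action is a redirect whose target protocol is HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS"


def audit_listeners(describe_output):
    """Return a list of (listener_arn, finding) tuples for weak listener settings."""
    findings = []
    for listener in describe_output.get("Listeners", []):
        arn = listener["ListenerArn"]
        protocol = listener.get("Protocol")
        if protocol == "HTTPS":
            # An HTTPS listener must present a certificate and use a modern policy.
            if not listener.get("Certificates"):
                findings.append((arn, "HTTPS listener has no ACM certificate attached"))
            policy = listener.get("SslPolicy", "")
            if policy not in MODERN_SSL_POLICIES:
                findings.append((arn, f"SSL policy {policy!r} is not on the TLS 1.2+ allow-list"))
        elif protocol == "HTTP":
            # A plain HTTP listener is acceptable only if every default action
            # redirects the client to HTTPS; forwarding means plaintext is served.
            actions = listener.get("DefaultActions", [])
            if not actions or not all(_redirects_to_https(a) for a in actions):
                findings.append((arn, "HTTP listener forwards traffic instead of redirecting to HTTPS"))
    return findings


# Constructed sample shaped like describe-listeners output; account id and ARNs are placeholders.
_LB = "arn:aws:elasticloadbalancing:us-east-1:111122223333"
_TG = f"{_LB}:targetgroup/my-tg/xyz"
SAMPLE_DESCRIBE_LISTENERS = {
    "Listeners": [
        {   # well-configured HTTPS listener: certificate attached, TLS 1.2+ policy
            "ListenerArn": f"{_LB}:listener/app/my-alb/abc/https443",
            "Port": 443, "Protocol": "HTTPS",
            "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cert-id"}],
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # HTTPS listener left on the legacy default policy and with no certificate
            "ListenerArn": f"{_LB}:listener/app/my-alb/abc/https8443",
            "Port": 8443, "Protocol": "HTTPS",
            "Certificates": [],
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # HTTP listener that only redirects to HTTPS: no finding
            "ListenerArn": f"{_LB}:listener/app/my-alb/abc/http80",
            "Port": 80, "Protocol": "HTTP",
            "DefaultActions": [{"Type": "redirect",
                                "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}],
        },
        {   # HTTP listener that forwards plaintext to the target group: finding
            "ListenerArn": f"{_LB}:listener/app/my-alb/abc/http8080",
            "Port": 8080, "Protocol": "HTTP",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
    ]
}


def main():
    # Usage: python audit_listeners.py listeners.json   (or no argument to run the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_LISTENERS
    for arn, finding in audit_listeners(data):
        print(f"{arn}: {finding}")


if __name__ == "__main__":
    main()
```

Run against the sample, the audit reports three findings: two for the port 8443 listener (no certificate, legacy policy) and one for the port 8080 listener that forwards plaintext; the port 80 redirect-only listener passes. Pipe real output in with `aws elbv2 describe-listeners --load-balancer-arn <arn> > listeners.json` and pass the file as the argument.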
