Is SSL Termination possible for Yugabyte DB

Hello everyone,

I have a Yugabyte DB setup which is behind a AWS Network Load Balancer. I have enabled SSL at the listener level (AWS NLB) but not at the Yugabyte Node.

However, after enabling SSL, I am not unable to connect to the DB through the AWS NLB. (Getting “Connection attempt timed out.” while trying to connect through DBeaver).

Hence, is it possible to have a setup which terminates SSL at the AWS NLB level ?

Hi @jotrades

Why have you set up a load balancer in front of the db?
Can you explain your cluster config and aws-nlb config?

Hey @dorian_yugabyte

We have a NLB in front of the DB just for proxy purposes.
The setup and the configs are identical to the docs as per,

The client connects to YugabyteDB same as connecting to PostgreSQL. From a quick search, AWS-nlb doesn’t support SSL termination for PostgreSQL, so it’s not possible either for Yugabyte.

I was assuming you meant for port 5433, correct? Otherwise please be more specific.

Yep it is 5433,
cool, is there any other idea that I can try to implement ?

I don’t think you can do SSL offload in aws-nlb, you’ll just have to do without offloading. IMO you don’t need a load balancer at all, but just a smart driver.

Unless you have a use case?

Agree, a Load Balancer is not required at all, but however, we just dont want to expose our servers directly to anyone, thus having a proxy by using a NLB.

Anyways, I hope this answers the fact that we cant have SSL termination, hence , we will enable SSL.

However, going through the docs, when SSL is enabled for client to server communication , why must server to server communication also have SSL enabled ?, basically it is ok for me to have SSL between a client and a server , however I want to avoid the overhead between server to server communications through SSL, is there a way to disable server to server SSL but not client to server SSL ?

You can use a firewall for this? Or special networking in aws like vpc etc.

I don’t think it’s possible, let me ask internally. But maybe you’re overthinking it, it’s a small overhead.