Is SSL Termination possible for Yugabyte DB

jotrades · March 25, 2024, 11:12am

Hello everyone,

I have a Yugabyte DB setup which is behind a AWS Network Load Balancer. I have enabled SSL at the listener level (AWS NLB) but not at the Yugabyte Node.

However, after enabling SSL, I am not unable to connect to the DB through the AWS NLB. (Getting “Connection attempt timed out.” while trying to connect through DBeaver).

Hence, is it possible to have a setup which terminates SSL at the AWS NLB level ?

dorian_yugabyte · March 25, 2024, 11:22am

Hi @jotrades

Why have you set up a load balancer in front of the db?
Can you explain your cluster config and aws-nlb config?

jotrades · March 25, 2024, 11:34am

Hey @dorian_yugabyte

We have a NLB in front of the DB just for proxy purposes.
The setup and the configs are identical to the docs as per,

dorian_yugabyte · March 25, 2024, 12:04pm

The client connects to YugabyteDB same as connecting to PostgreSQL. From a quick search, AWS-nlb doesn’t support SSL termination for PostgreSQL, so it’s not possible either for Yugabyte.

dorian_yugabyte · March 25, 2024, 12:05pm

I was assuming you meant for port 5433, correct? Otherwise please be more specific.

jotrades · March 25, 2024, 12:23pm

Yep it is 5433,
cool, is there any other idea that I can try to implement ?

dorian_yugabyte · March 26, 2024, 7:53am

I don’t think you can do SSL offload in aws-nlb, you’ll just have to do without offloading. IMO you don’t need a load balancer at all, but just a smart driver.

Unless you have a use case?

jotrades · March 26, 2024, 4:27pm

@dorian_yugabyte
Agree, a Load Balancer is not required at all, but however, we just dont want to expose our servers directly to anyone, thus having a proxy by using a NLB.

Anyways, I hope this answers the fact that we cant have SSL termination, hence , we will enable SSL.

However, going through the docs, when SSL is enabled for client to server communication , why must server to server communication also have SSL enabled ?, basically it is ok for me to have SSL between a client and a server , however I want to avoid the overhead between server to server communications through SSL, is there a way to disable server to server SSL but not client to server SSL ?

dorian_yugabyte · March 26, 2024, 4:55pm

You can use a firewall for this? Or special networking in aws like vpc etc.

I don’t think it’s possible, let me ask internally. But maybe you’re overthinking it, it’s a small overhead.

Topic		Replies	Views
Connection time out error while trying to connect to YbManaged sandbox cluster from node js application General	2	1093	November 8, 2022
Cluster-aware approach for YSQL with a nodejs postgres client? General	2	738	September 9, 2020
Maintaining external connection General	7	1057	March 10, 2021
Cassandra-csharp-driver NoHostAvailable Exception General	4	1099	December 24, 2019
Timeout executing DDL General	3	1020	December 15, 2021

Is SSL Termination possible for Yugabyte DB

Related Topics