Tags: amazon-web-services, ssl, amazon-cloudfront, amazon-elb

SSL offloading on AWS Cloudfront level


We use the following AWS infrastructure:

Route53 -> CloudFront -> Elastic Beanstalk (+ LoadBalancer = ELB) -> EC2 instances

Now we have SSL certificates set up on the CloudFront level and the same one on the ELB level, thus providing us end-to-end encryption between CF and ELB. End2End between AWS CF and origin is described as best practice here.

This refers to Full SSL (strict) in this picture (this is for the CloudFlare stack, but it is for better illustration, so never mind). We want to offload SSL on the AWS CF level to avoid roundtrips from CF to ELB, moving to Flexible SSL as depicted in the picture.

Is it a good idea to offload SSL on the CF level? Will there be any performance improvements worth dropping end2end encryption after the CF level?

Can we somehow restrict ELB to accept connections only from some AWS CF?

Moreover, there are some performance concerns about ELB SSL performance (it seems to be proven to be good at it, but I still have concerns). In general, it is also interesting whether AWS CF performs better at SSL decryption work than ELB.


Solution

  • Offload SSL at CF or not based on the nature of your application and your compliance requirements.

    Normally, if all the entities access the application through CF (e.g. not having VPN connections from some clients to the backend VPC), offloading at CF is sufficient. The performance difference of having SSL at both is not significant.

    To only allow inbound from CF to ELB, there are no direct approaches available at the moment. One possible approach is to update the security group of the ELB using a Lambda function, getting the CF IP range from the AWS-provided JSON URL.

    Also, SSL offload at CF is faster compared to ELB, since there are many servers that operate at edge locations accepting your connection, while ELB has servers for each AZ (usually 2 or 3).
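The Lambda approach from the answer above, written out as an added example (this is not code from the original post or from AWS). It reads the AWS-published `ip-ranges.json` feed, keeps only the prefixes tagged `CLOUDFRONT`, validates each CIDR, diffs them against the rules currently on the ELB's security group, and authorizes or revokes only the difference. The security group id `sg-PLACEHOLDER`, port 443 and the embedded sample feed are assumptions; the feed URL and the `service`/`ip_prefix` field names are the real ones from the AWS document.

```python
"""Keep an ELB security group in sync with CloudFront's published IP ranges.

Added example for this thread (not from the original post). Assumed values:
SG id "sg-PLACEHOLDER", TCP port 443, and the constructed SAMPLE_IP_RANGES doc.
"""
import ipaddress
import json
import urllib.request
from typing import Optional, Set, Tuple

# Real AWS-published feed of all AWS address ranges, tagged by service.
AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the same shape as ip-ranges.json (the real file has
# hundreds of entries); uses RFC 5737 / RFC 3849 documentation prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/25", "region": "GLOBAL", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_cidrs(doc: str) -> Tuple[Set[str], Set[str]]:
    """Return (ipv4, ipv6) CIDR sets tagged CLOUDFRONT. Every prefix is parsed
    with ipaddress so a malformed feed raises instead of becoming a bogus rule."""
    data = json.loads(doc)
    v4 = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in data["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"}
    for cidr in v4 | v6:
        ipaddress.ip_network(cidr)  # ValueError on anything that is not a CIDR
    return v4, v6


def plan_update(current: Set[str], desired: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Diff the CIDRs already on the SG against the desired set:
    returns (to_authorize, to_revoke) so only the delta is changed."""
    return desired - current, current - desired


def fetch_ip_ranges() -> str:
    with urllib.request.urlopen(AWS_IP_RANGES_URL, timeout=10) as resp:
        return resp.read().decode()


def current_sg_cidrs(ec2, sg_id: str, port: int) -> Tuple[Set[str], Set[str]]:
    """Collect the CIDRs of existing TCP rules for `port` on the security group."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    v4, v6 = set(), set()
    for perm in sg["IpPermissions"]:
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port:
            v4.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            v6.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return v4, v6


def sync_security_group(sg_id: str, port: int = 443, doc: Optional[str] = None) -> dict:
    """Apply the plan to the real SG. boto3 is imported here so the pure helpers
    above can be tested without AWS credentials or the boto3 package."""
    import boto3
    ec2 = boto3.client("ec2")
    want4, want6 = cloudfront_cidrs(doc or fetch_ip_ranges())
    have4, have6 = current_sg_cidrs(ec2, sg_id, port)
    add4, rm4 = plan_update(have4, want4)
    add6, rm6 = plan_update(have6, want6)

    def perms(v4: Set[str], v6: Set[str]) -> list:
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in sorted(v4)],
                 "Ipv6Ranges": [{"CidrIpv6": c} for c in sorted(v6)]}]

    if add4 or add6:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms(add4, add6))
    if rm4 or rm6:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=perms(rm4, rm6))
    return {"added": len(add4) + len(add6), "revoked": len(rm4) + len(rm6)}


def lambda_handler(event, context):
    """Lambda entry point; replace the placeholder SG id before deploying."""
    return sync_security_group("sg-PLACEHOLDER", port=443)
```

Two practical points when running this for real: the CloudFront list contains well over a hundred IPv4 prefixes, which exceeds the default inbound-rule quota of a single security group, so the rules have to be spread across several groups attached to the ELB (or the quota raised); and the Lambda's IAM role needs only `ec2:DescribeSecurityGroups`, `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` on that group, nothing broader. Also keep in mind that an IP-based allow-list only proves the request came through some CloudFront distribution, not necessarily yours, so it is a coarse filter rather than authentication of the edge.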