I am using the Google Cloud Platform to implement a REST API which is accessible through HTTPS only using a load balancer.
My setup looks like this:
VM instances:
Instance groups:
Back-end services:
Load balancing:
I have now configured my domain's (api.domain.com) DNS with an A record for PUBLIC_IP. The output of https://api.domain.com successfully switches between "server1" and "server2". The load balancer and the HTTPS certificate my-ssl-certificate are working great! my-ssl-certificate is a Let's Encrypt SSL certificate for my domain api.domain.com.
Question: Do I need 2 other certificates for my 2 VM instances when they communicate with the load balancer? Or is this communication internal and doesn't require further SSL certificates? If I need those certificates, how do I set them up with IPs? Accessing my 2 VM instances' IPs via https://VM1_PUBLIC_IP results in a Chrome warning that the certificate is not valid.
If you are using a load balancer with SSL certificates, then there is no need for public-facing VMs; you should keep them in private subnets, and communication between the LB and the VMs should happen over private IPs.
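
One way to check a project against the advice in the answer above, as an added example that is not part of the original posts: the script below reads instance and firewall data in the JSON shape returned by the Compute Engine API and reports every backend that still has an external IP, together with the ingress rules that let sources other than the load balancer reach it. The instance names, tag, rule names and addresses are constructed sample data; the two load balancer source ranges are the ones Google documents for its proxies and health checks. It assumes a single VPC network and does not evaluate deny rules or rule priorities.

```python
import ipaddress

# Sources a backend should accept: Google's documented load balancer proxy and
# health-check ranges, plus RFC 1918 private address space.
TRUSTED = [ipaddress.ip_network(c) for c in (
    "130.211.0.0/22", "35.191.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def external_ips(instance):
    """External (NAT) addresses attached to any interface of the instance."""
    return [ac["natIP"] for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if ac.get("natIP")]

def admits_untrusted(rule):
    """True if an ingress allow rule accepts any source outside TRUSTED."""
    if rule.get("direction", "INGRESS") != "INGRESS" or not rule.get("allowed"):
        return False
    nets = (ipaddress.ip_network(c) for c in rule.get("sourceRanges", []))
    return any(n.version != 4 or not any(n.subnet_of(t) for t in TRUSTED) for n in nets)

def applies_to(rule, instance):
    """A rule without targetTags covers every instance in the network."""
    targets = set(rule.get("targetTags", []))
    return not targets or bool(targets & set(instance.get("tags", {}).get("items", [])))

def audit(instances, rules):
    """Map each instance that has an external IP to the rules exposing it."""
    report = {}
    for inst in instances:
        ips = external_ips(inst)
        if ips:
            exposed_by = [r["name"] for r in rules if admits_untrusted(r) and applies_to(r, inst)]
            report[inst["name"]] = {"external_ips": ips, "exposed_by": exposed_by}
    return report

# Constructed sample data (hypothetical names, documentation-range addresses).
INSTANCES = [
    {"name": "vm-1", "tags": {"items": ["api-backend"]}, "networkInterfaces": [
        {"networkIP": "10.132.0.2", "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "vm-2", "tags": {"items": ["api-backend"]}, "networkInterfaces": [{"networkIP": "10.132.0.3"}]},
]
HTTPS = [{"IPProtocol": "tcp", "ports": ["443"]}]
RULES = [
    {"name": "allow-https-anywhere", "direction": "INGRESS", "allowed": HTTPS,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["api-backend"]},
    {"name": "allow-lb-to-backends", "direction": "INGRESS", "allowed": HTTPS,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["api-backend"]},
]
if __name__ == "__main__":
    print(audit(INSTANCES, RULES))
```

An instance that appears in the report with a non-empty `exposed_by` list can be reached directly, bypassing the load balancer and its certificate.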