SSL Termination is a new feature available for Cloud Load Balancers that allows for the termination of secure traffic at the load balancer once the load balancer is configured for it. Without this feature enabled, secure traffic is decrypted only by the webserver which holds the SSL certificate. With this feature enabled, customers can now balance SSL traffic over multiple Cloud Servers. This can amount to a significant performance increase when dealing with high-volume SSL traffic.
Secure traffic comes in to your site over an encrypted SSL connection, and it must be decrypted by the webserver which holds the SSL certificate. The Cloud Load Balancer passes all traffic directly to the Cloud Server with the corresponding SSL certificate, placing the burden of the decryption on that server alone. This is because each device (Cloudserver or Cloud Load Balancer) handling traffic through an SSL connection requires either its own SSL certificate or a Licensed Certificate Option.
With SSL Termination the traffic is decrypted at the Cloud Load Balancer, and unencrypted traffic can now be distributed to one or more Cloud Servers to be processed.
Other benefits include:
Yes, SSL Termination on Cloud Load Balancers is supported via the API and the Cloud Control Panel. SSL Termination can be established through the Load Balancer detail screen in the Cloud Control Panel.
SSL Termination allows users to have their secure traffic terminate at the load balancer with centralized certificate management. Features of this service include: SSL acceleration for improved throughput, reduced CPU load at the application level for better performance, and HTTP/HTTPS session persistence. SSL Termination should not be used when transferring certain types of Personally Identifiable Information (PII).
After SSL Termination decrypts the data at the Cloud Load Balancer it passes the unencrypted data to any nodes that are configured for that device. If you have nodes that are not in the same datacenter as the SSL-enabled load balancer, that unencrypted data will be sent over the public internet to those nodes. Therefore we recommend you use an SSL-enabled load balancer only with nodes that reside in the same datacenter as the load balancer. Their proximity allows the load balancer to use the nodes’ private IP addresses (the servicenet) to limit unencrypted traffic to within the datacenter’s network, as illustrated below.
ServiceNet is an internal only, multi-tenant network connection within each Rackspace datacenter. ServiceNet IPs are not accessible from the public Internet and are local per datacenter. Rackspace customers may configure their account resources to utilize a ServiceNet IP address so that traffic over the internal network is not billed.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License