Check if Network Load Balancers (NLB) have TLS termination enabled
Overview
This check verifies that your Network Load Balancers (NLBs) have TLS listeners configured. TLS termination at the load balancer level means the NLB handles the encryption/decryption work instead of your backend servers.
Risk
Without TLS termination on your NLB:
- Data may travel unencrypted between clients and your load balancer
- Backend servers work harder because they handle encryption themselves
- Security is inconsistent across your environment
- Exposure to protocol downgrade attacks and connection floods increases
Enabling TLS termination centralizes encryption management and improves overall performance.
Remediation Steps
Prerequisites
- AWS Console access with permissions to modify load balancers
- An SSL/TLS certificate in AWS Certificate Manager (ACM)
- An existing Network Load Balancer (or plans to create one)
Need to create an ACM certificate first?
- Go to AWS Certificate Manager in the AWS Console
- Click Request a certificate
- Choose Request a public certificate
- Enter your domain name (e.g., example.com)
- Choose DNS or email validation
- Complete the validation process
- Wait for the certificate status to become Issued
AWS Console Method
- Open the EC2 Console at https://console.aws.amazon.com/ec2/
- In the left sidebar, click Load Balancers (under Load Balancing)
- Select your Network Load Balancer from the list
- Click the Listeners tab
- Click Add listener
- Configure the listener:
- Protocol: Select TLS
- Port: Enter 443 (or your desired port)
- Default SSL/TLS certificate: Choose your ACM certificate
- Security policy: Select ELBSecurityPolicy-TLS13-1-2-2021-06 (recommended)
- Under Default action, click Add action and select Forward to
- Choose your target group
- Click Add
Your NLB now terminates TLS connections on port 443.
AWS CLI (optional)
Add a TLS listener to an existing NLB:
aws elbv2 create-listener \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/abc123def456 \
--protocol TLS \
--port 443 \
--ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
--certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123-def456 \
--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/abc123def456 \
--region us-east-1
Find your NLB ARN:
aws elbv2 describe-load-balancers \
--names my-nlb \
--query 'LoadBalancers[0].LoadBalancerArn' \
--output text \
--region us-east-1
List available security policies:
aws elbv2 describe-ssl-policies \
--query 'SslPolicies[*].Name' \
--region us-east-1
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Network Load Balancer with TLS termination enabled
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the NLB will be deployed
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the NLB (at least 2 in different AZs)
  CertificateArn:
    Type: String
    Description: ARN of the ACM certificate for TLS termination
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-nlb-with-tls
      Type: network
      Scheme: internet-facing
      Subnets: !Ref SubnetIds
      Tags:
        - Key: Name
          Value: my-nlb-with-tls
  TLSTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: my-tls-target-group
      Port: 443
      Protocol: TCP
      VpcId: !Ref VpcId
      TargetType: instance
      HealthCheckEnabled: true
      HealthCheckProtocol: TCP
      HealthCheckPort: traffic-port
  TLSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref NetworkLoadBalancer
      Port: 443
      Protocol: TLS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TLSTargetGroup
Outputs:
  LoadBalancerArn:
    Description: ARN of the Network Load Balancer
    Value: !Ref NetworkLoadBalancer
  LoadBalancerDNS:
    Description: DNS name of the Network Load Balancer
    Value: !GetAtt NetworkLoadBalancer.DNSName
  ListenerArn:
    Description: ARN of the TLS listener
    Value: !Ref TLSListener
Deploy the stack:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name nlb-tls-termination \
--parameter-overrides \
VpcId=vpc-12345678 \
SubnetIds=subnet-11111111,subnet-22222222 \
CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123-def456 \
--region us-east-1
Terraform (optional)
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "vpc_id" {
  description = "VPC ID where the NLB will be deployed"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs for the NLB"
  type        = list(string)
}

variable "certificate_arn" {
  description = "ARN of the ACM certificate for TLS termination"
  type        = string
}

resource "aws_lb" "nlb" {
  name               = "my-nlb-with-tls"
  internal           = false
  load_balancer_type = "network"
  subnets            = var.subnet_ids
  tags = {
    Name = "my-nlb-with-tls"
  }
}

resource "aws_lb_target_group" "tls" {
  name     = "my-tls-target-group"
  port     = 443
  protocol = "TCP"
  vpc_id   = var.vpc_id
  health_check {
    enabled  = true
    protocol = "TCP"
    port     = "traffic-port"
  }
}

resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tls.arn
  }
}

output "nlb_arn" {
  description = "ARN of the Network Load Balancer"
  value       = aws_lb.nlb.arn
}

output "nlb_dns_name" {
  description = "DNS name of the Network Load Balancer"
  value       = aws_lb.nlb.dns_name
}

output "listener_arn" {
  description = "ARN of the TLS listener"
  value       = aws_lb_listener.tls.arn
}
Deploy with Terraform:
terraform init
terraform plan -var="vpc_id=vpc-12345678" \
-var='subnet_ids=["subnet-11111111","subnet-22222222"]' \
-var="certificate_arn=arn:aws:acm:us-east-1:123456789012:certificate/abc123-def456"
terraform apply
Verification
After adding the TLS listener, verify your configuration:
- In the EC2 Console, go to Load Balancers
- Select your NLB and click the Listeners tab
- Confirm you see a listener with:
- Protocol: TLS
- Port: 443 (or your configured port)
- A valid SSL certificate attached
CLI verification commands
List listeners for your NLB:
aws elbv2 describe-listeners \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/abc123def456 \
--query 'Listeners[*].{Port:Port,Protocol:Protocol,SSLPolicy:SslPolicy}' \
--output table \
--region us-east-1
Run Prowler to confirm the fix:
prowler aws --check elbv2_nlb_tls_termination_enabled --region us-east-1
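As an added example (not Prowler's own check code), the following Python evaluates `aws elbv2 describe-listeners` output for the condition this check and the verification commands above look for: at least one TLS listener on the NLB. It also reports, without failing the check, any plaintext TCP listener still in place and any TLS listener whose security policy is not the recommended one. The sample JSON is constructed to mimic the CLI's output shape, the ARNs and account id in it are placeholders, and the set of policies treated as strong is this example's assumption.

```python
"""Evaluate NLB listeners for TLS termination from describe-listeners JSON.

Added example; not Prowler's code. Sample data below is constructed.
"""
import json

# Assumption: only the policy this page recommends counts as "strong".
# Extend the set if you accept other TLS 1.2/1.3 policies in your estate.
STRONG_SSL_POLICIES = frozenset({"ELBSecurityPolicy-TLS13-1-2-2021-06"})

# Constructed sample shaped like `aws elbv2 describe-listeners` output for
# three hypothetical NLBs (placeholder ARNs, placeholder account id).
_LB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net"
_CERT = "arn:aws:acm:us-east-1:123456789012:certificate/placeholder"
SAMPLE_DESCRIBE_LISTENERS = json.loads(f"""
{{
  "Listeners": [
    {{"LoadBalancerArn": "{_LB}/nlb-a/aaa", "Port": 443, "Protocol": "TLS",
      "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
      "Certificates": [{{"CertificateArn": "{_CERT}"}}]}},
    {{"LoadBalancerArn": "{_LB}/nlb-a/aaa", "Port": 80, "Protocol": "TCP"}},
    {{"LoadBalancerArn": "{_LB}/nlb-b/bbb", "Port": 443, "Protocol": "TCP"}},
    {{"LoadBalancerArn": "{_LB}/nlb-c/ccc", "Port": 443, "Protocol": "TLS",
      "SslPolicy": "ELBSecurityPolicy-2016-08",
      "Certificates": [{{"CertificateArn": "{_CERT}"}}]}}
  ]
}}
""")


def evaluate_nlb(lb_arn, listeners, strong_policies=STRONG_SSL_POLICIES):
    """Return (status, findings) for one NLB.

    status is "PASS" when at least one listener terminates TLS at the NLB,
    otherwise "FAIL". findings lists plaintext TCP listeners and TLS
    listeners whose policy is outside strong_policies or lacks a cert;
    those are warnings and do not change the status by themselves.
    """
    own = [l for l in listeners if l.get("LoadBalancerArn") == lb_arn]
    findings = []
    has_tls = False
    for l in sorted(own, key=lambda x: x.get("Port", 0)):
        port, proto = l.get("Port"), l.get("Protocol")
        if proto == "TLS":
            has_tls = True
            policy = l.get("SslPolicy") or "<none>"
            if policy not in strong_policies:
                findings.append(
                    f"port {port}: TLS listener uses policy {policy}, "
                    "not in the recommended set")
            if not l.get("Certificates"):
                findings.append(f"port {port}: TLS listener has no certificate")
        elif proto in ("TCP", "TCP_UDP"):
            findings.append(
                f"port {port}: {proto} listener passes traffic without TLS termination")
        # UDP listeners cannot carry TLS and are not reported here.
    if not own:
        findings.append("no listeners configured")
    return ("PASS" if has_tls else "FAIL", findings)


def evaluate_all(describe_listeners_output, strong_policies=STRONG_SSL_POLICIES):
    """Group listeners by LoadBalancerArn and evaluate each NLB.

    Returns {lb_arn: (status, findings)}. Concatenate the Listeners arrays
    from several per-NLB describe-listeners calls to assess a whole account.
    """
    listeners = describe_listeners_output.get("Listeners", [])
    lb_arns = sorted({l["LoadBalancerArn"] for l in listeners})
    return {arn: evaluate_nlb(arn, listeners, strong_policies) for arn in lb_arns}


if __name__ == "__main__":
    for arn, (status, findings) in evaluate_all(SAMPLE_DESCRIBE_LISTENERS).items():
        print(f"{status}  {arn.rsplit('/', 2)[1]}")
        for finding in findings:
            print(f"    - {finding}")
```

Because `describe-listeners` takes a single `--load-balancer-arn`, in practice you call it once per NLB and feed the combined `Listeners` arrays to `evaluate_all`; the grouping by `LoadBalancerArn` keeps the result per load balancer.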
Additional Resources
- AWS: TLS listeners for your Network Load Balancer
- AWS: Security policies for Network Load Balancers
- AWS Certificate Manager User Guide
- Prowler Check Documentation
Notes
- Security policy choice matters: Use ELBSecurityPolicy-TLS13-1-2-2021-06 or newer for the strongest cipher suites. Avoid older policies that support deprecated protocols.
- Certificate renewal: ACM certificates automatically renew if validated via DNS. Ensure your DNS validation records remain in place.
- End-to-end encryption: TLS termination encrypts traffic between clients and the NLB. If you also need encryption between the NLB and your targets, configure your targets to accept TLS connections and use a TCP listener that passes through traffic, or use a TLS listener with TLS-enabled targets.
- Existing TCP listeners: If you have existing TCP listeners on port 443, consider migrating them to TLS listeners. You can run both temporarily during the transition.
- Cost considerations: TLS listeners on NLBs incur additional charges for new TLS connections and certificate usage. Review the NLB pricing page for details.