Load Balancer SSL Certificates
An Application Load Balancer can terminate HTTPS: it performs the SSL/TLS handshake at the load balancer, decrypts incoming requests, and forwards them to the backends. This lets you manage the certificate in one place instead of on every backend server.
This page covers how a load balancer uses an SSL certificate. To buy, import, validate, download, or delete certificates, use the SSL Certificate Manager — see SSL Certificates.
SSL termination applies to Application Load Balancers (HTTP/HTTPS). A Network Load Balancer forwards TCP traffic and does not terminate SSL at the load balancer.
Before You Begin: Import the Certificate
A load balancer can only use a certificate that has already been imported into the SSL Certificate Manager with all three components — the SSL certificate, its private key, and the certificate chain.
This matters most for certificates purchased from E2E: the purchase does not include the private key (it is generated locally when you create the CSR and is never stored by E2E), so a purchased certificate must be imported with your private key before a load balancer can use it.
Only certificates imported with all required components appear in the load balancer's SSL dropdown. For the import steps, see SSL Certificates › Import an SSL Certificate.
Attach a Certificate to a Load Balancer
You choose the certificate when the front-end protocol uses HTTPS:
- Set the Frontend Protocol to HTTPS or Both (HTTP and HTTPS) — during creation, or later from the Info tab.
- Choose the imported certificate from the SSL dropdown. If it is not listed, import it first — the dropdown links to Buy or Import SSL Certificate.
- Optionally enable Redirect HTTP to HTTPS so plain HTTP requests are upgraded to HTTPS (available when the protocol is HTTPS or Both).
- Save. The load balancer now serves HTTPS using that certificate.
For the full create flow, see Create an Application Load Balancer.
Encrypt Traffic to the Backends
The certificate above secures traffic between the client and the load balancer. To also encrypt traffic between the load balancer and its backends, set the Backend Protocol to HTTPS on the backend group; the backend certificate may be self-signed or issued by an internal CA. See Backend Mapping.
Notes
- Only imported certificates appear in the load balancer's SSL dropdown.
- A certificate that is attached to a load balancer cannot be deleted from the SSL Certificate Manager — the portal blocks it with "SSL is currently enabled on the Load Balancer. It cannot be deleted." Change or detach it from the load balancer first.
Related Resources
| Resource | Use it for |
|---|---|
| SSL Certificates | Buy, import, validate, download, and delete certificates. |
| Create an Application Load Balancer | Select HTTPS and a certificate during creation. |
| Info tab | Change the front-end protocol and certificate later. |
| Backend Mapping | Enable HTTPS to the backends. |