Is this page helpful?

Some of this information, while technically correct, may not be as relevant when specifically considering Kit Application streaming.

TLS Termination at the POD with Envoy Proxy (Sidecar Approach)

Overview:

In this approach, Envoy Proxy is deployed as a sidecar alongside the streaming Kit Application pod. The Envoy proxy handles TLS termination, meaning that all traffic between the client and the Kit Application is encrypted until it reaches the Envoy sidecar within the pod.

Pros:

  • End-to-End Encryption: The connection remains encrypted all the way to the pod, ensuring the entire communication path (from client to application) is secure.

  • Granular Control: Allows more fine-grained control over traffic management at the application level, including advanced features like rate limiting, traffic shaping, and authentication at the pod level.

  • Flexible Routing: Envoy Proxy can be configured with advanced routing capabilities, load balancing, and service discovery. This allows different pods to have different certificate configurations if needed.

Cons:

  • Increased Complexity: Deploying Envoy as a sidecar adds complexity to the deployment, with the need for managing Envoy configurations and certificate distribution at the pod level.

  • Resource Overhead: Running an Envoy sidecar alongside every pod increases the resource consumption (CPU, memory) since each pod will have its own instance of Envoy.

  • Operational Overhead: Managing TLS certificates at the pod level can become more complex, particularly if you are dealing with many pods, each requiring secure certificate updates and renewals.

TLS Termination at the Network Load Balancer (NLB)

Overview:

In this approach, TLS termination happens at the NLB, meaning that traffic between the client and the NLB is encrypted, but traffic between the NLB and the Kit Application pods within the cluster is not. The NLB handles the TLS certificates and decryption.

Pros:

  • Simplified Management: TLS certificates are managed centrally at the NLB level, simplifying certificate management and updates. There’s no need to distribute certificates across all the pods.

  • Lower Resource Overhead: Since TLS termination occurs at the NLB, the pods only handle unencrypted traffic, reducing the computational load on each pod.

  • Performance: Offloading TLS termination to the NLB can reduce the overhead on the application pods, potentially improving performance, especially in high-throughput streaming environments.

  • Centralized Control: By managing TLS at the NLB, it is easier to implement consistent security policies across all incoming traffic.

Cons:

  • Lack of End-to-End Encryption: The communication between the NLB and the Kit Application pods is unencrypted, which could expose internal traffic to security risks unless it is running in a secure, private network.

  • Less Granular Control: Since TLS termination happens at the NLB, there is less control over traffic management at the application level. Features like fine-grained authentication or advanced traffic policies would need to be handled at the NLB, which may be limited in functionality compared to Envoy.

  • Single Point of Failure for TLS: The NLB becomes the single point responsible for terminating TLS, which could be a risk if not managed properly (e.g., certificate expiry, NLB misconfiguration).

Key Differences:

Aspect

TLS at Envoy Sidecar (Pod-Level)

TLS at Network Load Balancer (NLB)

Encryption Scope

End-to-end encryption, including pod-level communication

Encryption ends at the NLB; internal traffic is unencrypted

Traffic Control

Granular control over traffic at the application/pod level

Centralized control, but less granularity over traffic policies

Operational Complexity

Higher complexity due to managing sidecars and certificates

Simpler, with centralized TLS management at the NLB

Resource Overhead

Higher, as each pod requires additional resources for Envoy

Lower, as TLS termination is offloaded to the NLB

Performance

Potential performance impact due to pod-level TLS handling

Potential performance gain, as pods only handle unencrypted traffic

Security

Stronger security with end-to-end encryption

Weaker internal security unless additional internal encryption is added

Certificate Management

Certificates managed per pod; more complex to scale

Centralized certificate management at the NLB

When to Choose Each Approach:

Envoy Sidecar:

  • When you need end-to-end encryption and fine-grained control over traffic at the pod level.

  • When the security requirements demand that even internal traffic between the NLB and the pods must be encrypted.

  • If you need to implement advanced routing, mutual TLS, or complex traffic policies.

NLB Termination:

  • When you want to simplify TLS management and reduce the resource overhead on application pods.

  • When internal traffic is either trusted or within a secure network (e.g., private VPC), and encryption beyond the NLB is not necessary.

  • When you need to optimize performance for high-throughput applications without the overhead of pod-level TLS termination.

Conclusion

Both approaches have trade-offs between security, performance, and operational complexity, and the right choice depends on your deployment’s specific security and performance requirements.

On this page