SSL Termination at Application Server or Load Balancer?

In the industry there has/is always been an argument whether SSL termination should happen on the Load Balancer or on the application server. Here are few points to consider when make the decision for your application:

1. Security

If SSL termination happens in the load balancer then traffic from the load balancer to the application server will go in clear.

In the traditional data center world, if there is a cross data center fail over then load balancer in one data center will fail over the traffic to application servers in alternate data center. In such circumstance transactions will go in clear over Wide Area Network (WAN).

Similarly in the modern cloud world, load balancer can be one data center and application servers have the potential to be in a different data center. In such circumstance also transactions will go in clear over WAN.

In both circumstance your transactions are susceptible to external attack.

2. Certificate Expiration

If SSL certificate installed on the load balancer expires before renewed certificate is installed (which *does* happens often in production environment), then your application would be completely hard down. In other words 100% of your transactions will fail. On the other hand if you are installing certificates on the application server with different expiration dates, then if one of the server’s certificate expires only that particular server’s transactions would fail, this approach will prevent from have 100% failures.

3. CPU Load

SSL encryption/decryption consumes CPU cycles. If SSL termination is done on the Load Balancer then your entire application’s traffic encryption/decryption will be done on one single machine. It would exert enormous CPU stress on the machine.

However if you are using hardware based SSL acclerators which can terminates thousands of SSL transactions in seconds/milliseconds then this is not a concern.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

%d bloggers like this: