Applications in cloud deployments have diverse security needs. When you use a load balancer as an HTTPS or TLS front end, you need to be able to control how it secures connections to clients. In some cases, your security or compliance requirements may restrict the TLS protocols and ciphers that the load balancer can use. For other applications, you may need the load balancer to support older TLS features in order to accommodate legacy clients. Today we’re introducing SSL policies for HTTPS and SSL Proxy load balancers on GCP, giving you the controls you need for this.
Introducing SSL policies
The TLS protocol is at the heart of how we secure the internet, but in the 20+ years since its inception it has by no means remained static. What began as SSL has evolved through several TLS versions, each one adding new cryptographic techniques and enhancing performance. When using TLS, servers and clients negotiate exactly how to speak TLS to one another, including the version of the protocol and the underlying ciphers. With our new SSL policies feature, you can consider both what TLS capabilities your load balancer is willing to negotiate and how you manage those settings over time.
When you create an SSL policy, you specify two things:
- A minimum TLS version: Setting this to 1.1, for example, means that the load balancer will only negotiate TLS with clients that support TLS version 1.1 or newer.
- A profile of features: This selects the set of cipher suites that the load balancer can use.
To see which TLS features are enabled by each of these profiles, check our SSL policies documentation.
You need only a single gcloud command to create an SSL policy:
gcloud beta compute ssl-policies create web-front-end-app-policy \
    --profile MODERN --min-tls-version 1.1
You can then attach this SSL policy to your load balancer with a second command:
gcloud beta compute target-https-proxies update my_https_lb \
    --ssl-policy web-front-end-app-policy
Here's a preview of the configuration via the console (available soon):
Keeping up with TLS advances
We’ve designed the pre-defined profiles to satisfy a wide set of security needs. We manage these profiles for you, automatically enabling new features that are broadly implemented by clients and disabling features when they're no longer appropriate. With pre-defined profiles, there’s no need to manually revisit your policy in order to keep your load balancer up-to-date with modern TLS capabilities.
If pre-defined profiles aren’t right for you, use a CUSTOM profile instead. Here's a preview of custom profile configuration via the console (available soon):
With a CUSTOM profile, you can select exactly the TLS features that you want and manage the introduction of new features to keep your SSL policy current.
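The two gcloud commands above create and attach a policy, and the CUSTOM profile lets you pick cipher suites by hand; what neither shows is how to check, across all policies in a project, that the minimum version and cipher choices still meet your requirements. The following audit script is an added example, not part of the original post or a Google-provided tool. It assumes policies have been exported with `gcloud compute ssl-policies describe NAME --format=json` (field names `name`, `profile`, `minTlsVersion`, `customFeatures` follow the Compute API sslPolicies resource), and the three sample policies, the list of weak cipher-name fragments, and the forward-secrecy rule are constructed choices for this example.

```python
import json

# Order of the minTlsVersion values used by the Compute API.
TLS_RANK = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}

# API-to-gcloud spelling of the minimum version (the CLI takes 1.0/1.1/1.2).
TLS_FLAG = {"TLS_1_0": "1.0", "TLS_1_1": "1.1", "TLS_1_2": "1.2"}

PREDEFINED_PROFILES = ("COMPATIBLE", "MODERN", "RESTRICTED")

# Cipher-name fragments this audit flags in a CUSTOM profile. This is a local
# policy choice for the example (assumption), not a GCP-defined list.
WEAK_FRAGMENTS = ("_CBC_", "_3DES_", "_RC4_")

# Constructed sample output, shaped like `ssl-policies describe --format=json`.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "web-front-end-app-policy", "profile": "MODERN",
   "minTlsVersion": "TLS_1_1"},
  {"name": "legacy-custom-policy", "profile": "CUSTOM",
   "minTlsVersion": "TLS_1_0",
   "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_RSA_WITH_AES_128_CBC_SHA"]},
  {"name": "strict-policy", "profile": "RESTRICTED",
   "minTlsVersion": "TLS_1_2"}
]
""")


def audit_ssl_policy(policy, required_min="TLS_1_2", require_pfs=True):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    name = policy.get("name", "<unnamed>")

    min_tls = policy.get("minTlsVersion")
    if min_tls not in TLS_RANK:
        findings.append(f"{name}: missing or unknown minTlsVersion {min_tls!r}")
    elif TLS_RANK[min_tls] < TLS_RANK[required_min]:
        findings.append(f"{name}: minTlsVersion {min_tls} is below required {required_min}")

    profile = policy.get("profile")
    if profile == "CUSTOM":
        # Pre-defined profiles are curated by the platform; only CUSTOM needs a
        # per-cipher review because its feature list is frozen at creation time.
        ciphers = policy.get("customFeatures") or []
        if not ciphers:
            findings.append(f"{name}: CUSTOM profile with no customFeatures")
        for cipher in ciphers:
            if any(frag in cipher for frag in WEAK_FRAGMENTS):
                findings.append(f"{name}: weak cipher suite {cipher}")
            if require_pfs and not cipher.startswith("TLS_ECDHE_"):
                findings.append(f"{name}: non-forward-secret cipher suite {cipher}")
    elif profile not in PREDEFINED_PROFILES:
        findings.append(f"{name}: unknown profile {profile!r}")

    return findings


def audit_all(policies, **kwargs):
    """Map each policy name to its findings, skipping compliant policies."""
    result = {}
    for policy in policies:
        findings = audit_ssl_policy(policy, **kwargs)
        if findings:
            result[policy.get("name", "<unnamed>")] = findings
    return result


def remediation_command(policy, required_min="TLS_1_2"):
    """Build the gcloud argv that raises a policy's minimum TLS version."""
    return ["gcloud", "compute", "ssl-policies", "update", policy["name"],
            "--min-tls-version", TLS_FLAG[required_min]]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        for finding in findings:
            print(finding)
        policy = next(p for p in SAMPLE_POLICIES if p["name"] == name)
        print("  fix:", " ".join(remediation_command(policy)))
```

Run against real output by replacing `SAMPLE_POLICIES` with the parsed JSON of `gcloud compute ssl-policies list --format=json`. The audit deliberately treats pre-defined profiles as trusted, since the post explains that those feature sets are maintained for you, and spends its cipher checks only on CUSTOM profiles, which are the ones that go stale unless someone revisits them.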