Sticky sessions for AWS NLB over TLS

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.

 

Summary

In certain environments, it might be mandatory to have all network traffic encrypted, even the internal traffic between your Jira nodes and the Load Balancer. AWS NLB offers the ability to encrypt traffic between the target group (Jira application nodes) and the load balancer VPS with TLS, however that removes the session stickiness functionality which is required for a Jira Data Environment.

Without session stickiness, users will keep being redirected to different nodes each time they make a request, and their requests will fail as sessions are not replicated across Jira nodes (see  JRASERVER-67647 - Getting issue details... STATUS ).

Environment

  1. Jira Data Center
  2. AWS NLB as Load Balancer
  3. TLS traffic between targets and the NLB


Solution

Due to architectural restrictions in AWS NLB, it's not possible to enable stickiness when using TLS encryption between the LB and the targets. Customers that have faced such requirements have been instructed by Amazon support to move TLS encryption back in the chain, onto the app servers directly. The traffic can then be passed through the NLB as TCP traffic and not TLS traffic, and session stickiness is enabled on the NLB directly, without compromising complete end-to-end encryption in the environment.

Last modified on Jun 1, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.