Score:13

Should you encrypt data between 2 servers in the cloud?

vn flag

If I have several AWS EC2 and Azure instances running in separate regions. I am using RabbitMQ to exchange messages between them. Should I worry about adding TLS and encrypting those connections?

In other words, if server A is on AWS us-east for example and server B is in Azure, how bad will it be if they exchange information without it being encrypted? Only the internet service provider and Amazon/Microsoft will be able to see that unencrypted data, correct?

I will obviously encrypt anything that deals with the client. I am just curious about 2 backend servers talking to each other.


Edit

Thanks for the help guys. I know how to encrypt the connection and also how to set up a VPN. Sorry I phrased the question incorrectly.

I just wanted to know who will be able to see that traffic between those servers. Why will it be risky? I know it will be risky, I believe you lol. I just want to know why. Also, how bad will it be to generate my own SSL certificates and trust them on each server?

cn flag
`Only the internet service provider and Amazon/Microsoft will be able to see that unencrypted data correct?` No, that is not correct.
diya avatar
la flag
"Also how bad will it be to generate my own ssl certificates and trust it on each server." - With self-signed certificates you get the same level of transport encryption and security, but fewer guarantees that your connection is not with a man-in-the-middle spoofing the identity of the server you're attempting to reach.
Romeo Ninov avatar
in flag
@diya, this is not true. If you create your own CA you will be sure who you are connecting to, especially if you implement mutual authentication, because hypothetically an external CA can issue someone else a certificate for your other site.
diya avatar
la flag
Indeed, but `self signed certificate` != `internal CA`, and my comment was intended as a general recommendation. IMHO with certificate pinning you could arguably even ensure suitable protection with a self-signed certificate alone, but that is hardly what I would consider a conventional approach that would work for most.
ph flag
@diya: "generate my own ssl certificates and trust it on each server" implies either trusting the (self-signed) CA certificate, or trusting the individual (self-signed) server certificates directly. Either way you can be confident that you're connected to the right server.
Nikita Kipriyanov avatar
za flag
@diya generating two self-signed certificates and adding each of them as trusted on the other system is actually more secure than anything else, because the servers will essentially trust each other's public key directly. This is on the same level of security as SSH or WireGuard keys. When you use a *third party* CA to issue certificates you must also trust that CA, and even if you create your own CA, make it trusted on both systems and issue certificates, this is still an additional point of trust which could be subverted, which is avoided with self-signed certificates.
Mark avatar
tz flag
Google discovered the hard way that the NSA is quite capable of listening in on traffic between servers. They now encrypt everything, including datacenter-internal traffic.
Score:25
la flag

Should you encrypt data between 2 servers in the cloud?

Yes.

Modern security thinking is that you don't consider your own network / datacenter as more trusted (than your WAN or the regular internet).

Traditionally one would allow more relaxed security standards in the datacenter, within the "secure" perimeter of your own network. Both internal systems and users would be trusted, implicitly expected to be secure and never abusive or malicious. One only added TLS, for example, for connections crossing the perimeter and borders of your "secure" internal network.

Nowadays the increasingly prevalent security concept is one of "zero trust", which abandons the concept of secure and trusted internal networks/systems/users and applies the same rigorous level of security everywhere, regardless.

So for two back-end servers exchanging information with each other:

  • both servers and all their services should be configured with TLS certificates (for server authentication and transport encryption)
  • their communication should be encrypted
  • clients should authenticate to services (with username and password, a token, a client certificate or whatever is suitable)
  • your applications/(micro-)services should still do input validation and not trust the input from the internal clients/backend-systems to always be correct and safe to use verbatim.
  • etc.

In response to your edit

I just wanted to know who will be able to see that traffic between those servers
(server A is on AWS us-east for example and server B is in Azure)

Unless Amazon and Microsoft have their own physical datacenter interlinks, traffic between AWS and Azure clouds will be routed over the public internet and/or transit one or more network segments operated by third parties. The exact path your traffic takes and which third parties that are can change at any moment due to how routing protocols and the internet work.

When you don't set up transport encryption that traffic will be in clear text and anybody with access to any segment can trivially eavesdrop.

Blueriver avatar
cn flag
Is there any particular reason to suspect or assume that Amazon Web Services (I assume that's what you mean by "Amazon") would send the traffic over the public internet instead of through their own network?
Hagen von Eitzen avatar
cn flag
@Blueriver Because Amazon may not have their completely own private sea cables between continents?
Blueriver avatar
cn flag
@HagenvonEitzen Any reason to suspect they don't? Because https://aws.amazon.com/about-aws/global-infrastructure/global_network/ states they do: "Every data center, AZ, and AWS Region is interconnected via a purpose-built, highly available, and low-latency private global network infrastructure." By the way, again I'm assuming you mean Amazon Web Services, which is a subsidiary of Amazon, but I don't know that Amazon offers cloud services
Peter Cordes avatar
ke flag
@Blueriver: The question is asking about sending data between Azure and AWS, two separate cloud companies, one owned by Microsoft. Not just within AWS. Interesting that within AWS, your traffic would normally go through private links, even between regions. But you have to wonder if it *could* route over the public Internet in case of outages, in which case BGP hijacking or misconfiguration could maybe result in AWS <-> AWS traffic going over public Internet backbone links.
mx flag
@PeterCordes If they do need to use the public Internet, I think it's likely they'd use a VPN between datacenters.
mx flag
@Blueriver I think AWS is often referred to as a cloud service.
sa flag
@HagenvonEitzen Google did, and the NSA "simply" tapped the cables anyway. But we should ask whether AWS encrypts the data they send across those cables.
Yogu avatar
ua flag
[All data flowing across AWS Regions over the AWS global network is automatically encrypted at the physical layer before it leaves AWS secured facilities.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit); [Whenever Azure Customer traffic moves between datacenters ... a data-link layer encryption ... is applied from point-to-point across the underlying network hardware.](https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview#data-link-layer-encryption-in-azure). Obviously says nothing about AWS <-> Azure.
Score:5
ng flag

Depending on the stakes, one cannot label as "trusted" a physical network that is not physically visible end-to-end.

For a human with average vision this amounts to a cable between two computers on a single desk.

In a sense, you can label a network "trusted" if you operate, manage and physically control it.

The Internet is not only owned, controlled and operated by multiple parties; one cannot even be sure that the path that packets take today between points A and B will be the same tomorrow.

Packets between two different datacenters in the same city could route through another continent. This can happen even if these datacenters have a dedicated direct connection between them. The direct connection can fail or be compromised in a number of ways, and connectivity will be maintained by other means.

And then there are such things as https://en.wikipedia.org/wiki/BGP_hijacking - an attack that routes the traffic of interest towards devices that the attacker controls.

Score:4
in flag

From a security point of view it is reasonable to secure the connections if they leave the datacenter/service provider. This can be done by adding SSL/TLS on both parties. You can also establish mutual authentication (client/server certificates). Another approach is to establish a VPN connection between the hosts and tunnel the entire communication.
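Added example (written here, not by any of the posters): the internal-CA setup argued over in the comments on the question, applied to the two RabbitMQ brokers from the question, plus the broker-side RabbitMQ `ssl_options` settings that make the mutual authentication this answer mentions mandatory, and a check that a certificate for the same host name from any other CA is rejected. Host names, CA names and the working directory are constructed; the config keys are RabbitMQ's own.

```shell
#!/bin/sh
# Constructed example: a private CA for the two brokers, one leaf cert per
# host, a RabbitMQ mutual-TLS listener, and a rejected cert from another CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# new_ca NAME: self-signed root trusted only by our own servers.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue NAME CA [OUT]: leaf for host NAME; serverAuth+clientAuth so one cert
# identifies the host whichever side opens the connection.
issue() {
  out="${3:-$1}"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$1" > "$out.ext"
  openssl x509 -req -days 90 -in "$out.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# trusted TRUSTFILE CERT: exit 0 only if CERT chains to (or is) TRUSTFILE.
trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# broker_conf HOST CA: rabbitmq.conf fragment; verify_peer plus
# fail_if_no_peer_cert makes the broker demand a client cert from our CA.
broker_conf() {
  cat > "$1.rabbitmq.conf" <<EOF
listeners.ssl.default = 5671
ssl_options.cacertfile = $WORK/$2.pem
ssl_options.certfile = $WORK/$1.pem
ssl_options.keyfile = $WORK/$1.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
EOF
}
new_ca mq-internal-ca
issue mq-a.aws.example   mq-internal-ca
issue mq-b.azure.example mq-internal-ca
broker_conf mq-a.aws.example mq-internal-ca
# Another CA (public or attacker-run) issuing a cert for our host name:
# it chains to nothing the brokers trust, so the handshake is refused.
new_ca some-other-ca
issue mq-a.aws.example some-other-ca rogue-mq-a
# The "trust each other's self-signed cert directly" variant: no CA at all.
new_ca mq-b-selfsigned
```

Each broker's client side uses the matching `.pem`/`.key` pair and `mq-internal-ca.pem` as its trust store, so a peer presenting `rogue-mq-a.pem` fails verification in both directions.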
