要約

In certain environments, it might be mandatory to have all network traffic encrypted, even the internal traffic between your Jira nodes and the Load Balancer. AWS NLB offers the ability to encrypt traffic between the target group (Jira application nodes) and the load balancer VPS with TLS, however that removes the session stickiness functionality which is required for a Jira Data Environment.

Without session stickiness, users will keep being redirected to different nodes each time they make a request, and their requests will fail as sessions are not replicated across Jira nodes (see  JRASERVER-67647 - Getting issue details... STATUS ).

環境

1. Jira Data Center
2. AWS NLB as Load Balancer
3. TLS traffic between targets and the NLB

ソリューション

Due to architectural restrictions in AWS NLB, it's not possible to enable stickiness when using TLS encryption between the LB and the targets. Customers that have faced such requirements have been instructed by Amazon support to move TLS encryption back in the chain, onto the app servers directly. The traffic can then be passed through the NLB as TCP traffic and not TLS traffic, and session stickiness is enabled on the NLB directly, without compromising complete end-to-end encryption in the environment.