This article explains how to use SSL offloading with Apache CloudStack starting from version 4.22.0, enabling HTTPS termination directly on the Virtual Router.
This reduces CPU load on backend Instances, simplifies SSL certificate management, and centralises TLS security settings. It covers:
- What SSL offloading is and its key benefits.
- How to upload and manage SSL certificates.
- How to create load balancer rules with SSL.
- How to assign, replace, or remove certificates from existing rules.
- Capacity considerations to handle the extra CPU usage on the Virtual Router.
Creating a Load Balancer with SSL Offloading in Apache CloudStack
A load balancer (LB) is used to distribute network traffic across multiple servers to improve performance, reliability, and scalability. HTTPS is widely adopted because it ensures data encryption, integrity, authentication, and regulatory compliance.
Normally, each backend server behind a load balancer must handle both encryption and decryption of HTTPS traffic. This approach has several drawbacks:
- Increased CPU load on backend Instances: SSL/TLS encryption and decryption are CPU-intensive and can reduce application performance under high traffic.
- More complex certificate management: each server needs its own copy of the certificate and private key, increasing operational overhead during renewals and updates.
- Reduced scalability: adding or removing servers requires copying and configuring certificates on each server.
- Limited centralized security control: TLS settings (protocols, ciphers, HSTS, etc.) must be managed per server, making it harder to enforce consistent security policies.
What is SSL offloading?
SSL offloading moves the encryption and decryption process from backend Instances to the load balancer. Once the HTTPS connection is terminated at the load balancer, the backend Instances receive unencrypted (HTTP) or optionally re-encrypted (HTTPS) traffic. Note that with plain HTTP to the backends, the traffic inside the guest network is in cleartext, so that network segment must be trusted or the load balancer must re-encrypt. This brings several benefits:
- Reduced CPU Load: Backend Instances are relieved from SSL/TLS processing, freeing resources for application workloads.
- Simplified certificate management: Certificates are stored and maintained only on the load balancer.
- Easier scalability: New backend Instances can be added without SSL configuration.
- Centralized security control: TLS protocols, ciphers, and policies can be enforced in one place.
- Enhanced capabilities: Once decrypted, the load balancer can perform intelligent Layer 7 routing based on HTTP headers, URLs, or cookies, enabling features such as advanced health checks, caching, path-based routing, and Web Application Firewall (WAF) integration.
In short, SSL offloading improves performance, scalability, and manageability while maintaining secure HTTPS connections for clients.
SSL Offloading Support in Apache CloudStack
Apache CloudStack supports SSL offloading, enabling the load balancer to terminate HTTPS connections and forward traffic to backend Instances over HTTP or HTTPS.
Historically, SSL offloading was only supported through Citrix NetScaler as an external load balancer; the built-in Virtual Router load balancer did not support it in earlier releases.
Starting with Apache CloudStack 4.22.0, SSL offloading is also supported using the Virtual Router. The next sections will explain how to upload and manage user SSL certificates and configure SSL certificates for load balancers in Apache CloudStack.
Manage SSL certificates for Users
An SSL certificate is required to enable SSL offloading. The first step is to upload SSL certificates for accounts or projects.
Click the Upload SSL Certificate button, fill in the fields below, and click Submit:
- Name: the name of the SSL certificate (required).
- Certificate: the SSL certificate (required).
- Private Key: the private key associated with the certificate (required).
- Certificate Chain: root CA and intermediate certificates (optional but recommended). Without the chain, clients that do not already trust the issuing intermediate CA will fail to validate the certificate.
- Password: not supported when using the CloudStack Virtual Router; upload an unencrypted private key.
- Revocation Check: should not be enabled for a self-signed certificate, which has no CRL or OCSP endpoint the check could query.
For projects, go to the Project page and click the Certificates tab.
Creating a Load Balancer Rule with an SSL Certificate
Before creating a load balancer rule, ensure the following prerequisites are met:
- An Isolated Network with Load Balancing service enabled.
- At least one Instance deployed in the same Network.
Log in to the CloudStack UI, go to Network > Guest Networks, and select the target network.
Next, select the Public IP Addresses tab, choose the IP address you want to use, and open the Load Balancing tab.
Fill in the fields (Name, Public Port, Private Port, Source CIDR List, and Algorithm), then:
- Set Protocol to SSL.
- Click Add under SSL Certificate.
- Select an existing SSL certificate and click OK.
- Click Add Instances and choose one or more backend Instances.
- Click OK to create the rule.
The selected certificate will be automatically assigned to the load balancer.
Managing SSL Certificates of a Load Balancer Rule
You can assign, replace, or remove SSL certificates from an existing load balancer rule:
- If the rule was created without a certificate, set the Protocol to SSL.
- Click Manage under SSL Certificate.
- To assign, select a certificate and click Assign.
- To replace, select a new certificate and click Replace.
- To remove, click Remove.
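The two procedures above (uploading a certificate, and creating or re-certifying a load balancer rule) can also be driven through the CloudStack API. The following is an added example written for this article, not code from the CloudStack project or its UI. It assumes the API names and parameters as listed in the CloudStack API reference (uploadSslCert with certificate, privatekey, certchain and enabledrevocationcheck; createLoadBalancerRule; assignToLoadBalancerRule; assignCertToLoadBalancer; removeCertFromLoadBalancer), assumes that the UI's Protocol value SSL corresponds to the API value "ssl", and assumes that the UI's Replace is equivalent to removing the current certificate and assigning the new one. The endpoint, keys, IDs and PEM strings are placeholders. The request-signing scheme (sorted, URL-encoded, lower-cased parameters; HMAC-SHA1 with the secret key; base64) is the standard CloudStack API signature.

```python
"""Drive CloudStack's SSL-offloading setup through signed API requests.

Added example for this article, not CloudStack's own client code. Endpoint,
keys, IDs and PEM values below are placeholders (assumptions).
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Assumed management-server endpoint; nothing is contacted unless call() runs.
ENDPOINT = "https://cloudstack.example.invalid/client/api"

# PEM markers of password-protected keys. The Virtual Router does not support
# the Password field, so such a key is rejected before anything is uploaded.
ENCRYPTED_KEY_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----",
                         "Proc-Type: 4,ENCRYPTED")


def _full_params(params, api_key):
    """Lower-case the parameter names and add the fields every call carries."""
    full = {k.lower(): str(v) for k, v in params.items()}
    full["apikey"] = api_key
    full.setdefault("response", "json")
    return full


def canonical_string(params, api_key):
    """The string CloudStack signs: parameters sorted by name, values
    URL-encoded (only '*' left unescaped), the whole string lower-cased."""
    full = _full_params(params, api_key)
    pairs = [f"{k}={urllib.parse.quote(full[k], safe='*')}" for k in sorted(full)]
    return "&".join(pairs).lower()


def signature(params, api_key, secret_key):
    """Base64 of HMAC-SHA1(secret key, canonical string)."""
    mac = hmac.new(secret_key.encode(), canonical_string(params, api_key).encode(),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_query(params, api_key, secret_key):
    """Form body with the original-case values plus the signature parameter."""
    query = urllib.parse.urlencode(_full_params(params, api_key),
                                   quote_via=urllib.parse.quote, safe="*")
    sig = urllib.parse.quote(signature(params, api_key, secret_key), safe="")
    return f"{query}&signature={sig}"


def call(params, api_key, secret_key, endpoint=ENDPOINT):
    """POST the signed request; POST keeps multi-kilobyte PEM values out of the URL."""
    body = signed_query(params, api_key, secret_key).encode()
    req = urllib.request.Request(endpoint, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def is_password_protected(private_key_pem):
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED' PEM."""
    return any(marker in private_key_pem for marker in ENCRYPTED_KEY_MARKERS)


def upload_ssl_cert_params(name, certificate_pem, private_key_pem, chain_pem=None,
                           revocation_check=False):
    """uploadSslCert: Name, Certificate, Private Key, optional Chain, Revocation
    Check. Keep revocation_check False for self-signed certificates."""
    if is_password_protected(private_key_pem):
        raise ValueError("password-protected private key: not supported on the Virtual Router")
    if "-----BEGIN CERTIFICATE-----" not in certificate_pem:
        raise ValueError("certificate must be PEM encoded")
    params = {"command": "uploadSslCert", "name": name, "certificate": certificate_pem,
              "privatekey": private_key_pem,
              "enabledrevocationcheck": "true" if revocation_check else "false"}
    if chain_pem:
        params["certchain"] = chain_pem
    return params


def create_lb_rule_params(name, public_ip_id, public_port, private_port,
                          algorithm="roundrobin", cidr_list="0.0.0.0/0"):
    """createLoadBalancerRule with Protocol set to SSL (API value "ssl" assumed).
    The call is asynchronous: poll queryAsyncJobResult for the rule id."""
    return {"command": "createLoadBalancerRule", "name": name, "publicipid": public_ip_id,
            "publicport": public_port, "privateport": private_port, "algorithm": algorithm,
            "cidrlist": cidr_list, "protocol": "ssl", "openfirewall": "false"}


def assign_instances_params(lb_rule_id, vm_ids):
    return {"command": "assignToLoadBalancerRule", "id": lb_rule_id,
            "virtualmachineids": ",".join(vm_ids)}


def assign_cert_params(lb_rule_id, cert_id):
    return {"command": "assignCertToLoadBalancer", "lbruleid": lb_rule_id, "certid": cert_id}


def remove_cert_params(lb_rule_id):
    """Remove; a Replace is assumed to be remove_cert_params then assign_cert_params."""
    return {"command": "removeCertFromLoadBalancer", "lbruleid": lb_rule_id}


if __name__ == "__main__":
    # Constructed placeholders: print the signed bodies instead of sending them.
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
    print(signed_query(upload_ssl_cert_params("web-2025", cert, key), "APIKEY", "SECRET"))
    print(signed_query(create_lb_rule_params("https-lb", "ip-uuid", 443, 80), "APIKEY", "SECRET"))
    print(signed_query(assign_cert_params("lb-uuid", "cert-uuid"), "APIKEY", "SECRET"))
```

The order to run the calls is the same as in the UI steps: uploadSslCert, createLoadBalancerRule (asynchronous, so wait for the job to return the rule id), assignToLoadBalancerRule with the backend Instance ids, then assignCertToLoadBalancer. The key check in upload_ssl_cert_params enforces the Password limitation before the private key leaves your machine.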
Summary
SSL offloading improves performance and scalability by moving encryption and decryption from backend Instances to the load balancer. It simplifies certificate management and centralises TLS configuration, reducing administrative overhead.
This feature is supported starting from Apache CloudStack 4.22.0 using the Virtual Router. Since SSL offloading moves TLS processing onto the Virtual Router, its CPU utilisation rises; size the Virtual Router's service offering accordingly when it is expected to handle high traffic.
References
- https://github.com/apache/cloudstack/pull/11468
- https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+with+Virtual+Router
- https://docs.cloudstack.apache.org/en/latest/adminguide/networking/external_firewalls_and_load_balancers.html#configuring-ssl-certificate-for-load-balancer-rules
Wei Zhou works as a Software Architect at ShapeBlue. He has many years of experience in cloud computing and a passion for cutting-edge technology. Wei works on software design and implementation, as well as resolving issues for customers and community users. Wei has been a committer of the Apache CloudStack project since 2013 and a PMC member since 2017.