I guess that "terminating TLS/SSL on the EC2" doesn't include the option to "terminate the TLS/SSL" on the LB and then re-encrypt the communication again towards the EC2. It might be worth pointing that out in the lecture, since the ALB is capable of doing that.
When terminating the TLS/SSL on the EC2 using a Classic ELB, you need to configure a TCP Listener and a TCP Instance Protocol, right?
When terminating the TLS/SSL on the EC2 using a NLB, you need to configure a TCP Listener and a TCP Target Group, right?
Yes, you have to set up a TCP listener on the target (always). In case you are terminating TLS on EC2, you will also have to set up the certs on EC2.
Earlier you could not terminate TLS on NLB; now (very recently) you can.
There is nothing called "TCP Target Group"; you have "target type": IP and Instance.
Hi, did you see somewhere in the documentation that the ALB is capable of re-encrypting the traffic? I would be interested to see that.
I always thought that terminating the SSL at the LB and re-encrypting the traffic up to the EC2 level is good practice. If SSL is terminated at the LB level, the LB can do LBing on many other factors, such as sticky sessions or the application URL.
Also, if traffic from the LB to EC2 is not re-encrypted, it goes through a logically isolated channel to reach the EC2 instance, not a physically isolated one. Considering the number of vulnerabilities at different layers and at the protocol level, I always consider re-encrypting to be good practice. I agree you will incur additional processing and complexity because you need to maintain certificates at different levels.
I agree with @lulon83 and paul. It is definitely possible to re-encrypt the traffic at the ALB level.
However, it seems not to give the desired security assertions:
"Amazon's ALBs do not validate TLS certificates from internal services"
"You're right that ALB does not validate the certificates on targets, but it's important to understand the context that ALBs run in to see why this is still a pending item on our roadmap, rather than something we've shipped already as a 'must have'." (AWS's response to ALB internal validation failures)
"Also, there is a feature request in place for backend server authentication on ALB. However, I can't guarantee that the feature will be implemented or provide any ETA regarding it." (AWS Support)
I don't know… did anyone see this is already shipped? I could not find any evidence they implemented certificate validation. This makes the whole re-encryption rely on the VPC infrastructure rather than on PKI alone.
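To make the three set-ups discussed in this thread concrete, here is a CloudFormation fragment added as an illustration (it is not from the thread, the course, or AWS documentation). It shows a Classic ELB with a TCP listener and TCP instance protocol, an NLB with a TCP listener and a TCP target group of target type instance (both leave TLS termination to the EC2 instance, which must hold the certificate), and an ALB that terminates TLS on an HTTPS listener and re-encrypts to an HTTPS target group. The logical IDs, parameter names and port choices are assumptions; the resource types and property names are CloudFormation's own.

```yaml
# Added illustration, not part of the original thread. Logical IDs, parameter
# names and ports are assumed; resource types and properties are CloudFormation's.
Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  Subnets: {Type: List<AWS::EC2::Subnet::Id>}
  BackendInstance: {Type: AWS::EC2::Instance::Id}
  AlbSecurityGroup: {Type: AWS::EC2::SecurityGroup::Id}
  PublicCertArn: {Type: String}   # ACM certificate the ALB presents to clients

Resources:
  # 1. Classic ELB, TLS terminated on the instance: TCP listener and TCP
  #    instance protocol, so the LB forwards the TLS bytes without decrypting
  #    them and the instance must hold the certificate and key.
  ClassicPassthrough:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref Subnets
      Instances: [!Ref BackendInstance]
      Listeners:
        - LoadBalancerPort: '443'
          InstancePort: '443'
          Protocol: TCP
          InstanceProtocol: TCP

  # 2. NLB, TLS terminated on the instance: TCP listener forwarding to a
  #    target group whose protocol is TCP and whose target type is "instance".
  #    (Terminating on the NLB itself, as the later reply notes is now possible,
  #    would instead use Protocol: TLS plus Certificates on the listener.)
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Subnets: !Ref Subnets
  NlbTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: 443
      TargetType: instance
      Targets: [{Id: !Ref BackendInstance}]
  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 443
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref NlbTargets}]

  # 3. ALB, TLS terminated on the LB and re-encrypted to the target: HTTPS
  #    listener with the public certificate, forwarding to an HTTPS target
  #    group. The ALB encrypts the hop to the instance, but as the thread
  #    observes it does not validate the target's certificate, so that hop's
  #    integrity rests on the VPC boundary rather than on PKI.
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Subnets: !Ref Subnets
      SecurityGroups: [!Ref AlbSecurityGroup]
  AlbTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      HealthCheckProtocol: HTTPS
      Targets: [{Id: !Ref BackendInstance}]
  AlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Protocol: HTTPS
      Port: 443
      Certificates: [{CertificateArn: !Ref PublicCertArn}]
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref AlbTargets}]
```

The practical difference between the three is where the private key lives and what the load balancer can see: in configurations 1 and 2 the LB only sees TCP and cannot route on URLs or set application-level sticky sessions; in configuration 3 it can, at the cost of maintaining a certificate on the ALB and another on each instance, with the caveat about target certificate validation raised above.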