Vapor: Load Balancer Security Policy Updates

Nov, 17 2020#vapor

By default, Vapor routes HTTP traffic to your serverless applications using AWS API Gateway. As an alternative to API Gateway, some customers have chosen to route their application traffic using Load Balancers, which can provide large cost savings at scale.

AWS load balancers use "security policies" to determine which versions of the TLS protocol are supported. The default AWS load balancer security policy (ELBSecurityPolicy-2016-08) supports TLS 1.0, TLS 1.1, and TLS 1.2.

However, versions of TLS prior to TLS 1.2 have known security vulnerabilities. Therefore, beginning today, all new load balancers will use a security policy that no longer supports TLS 1.0 and TLS 1.1 (ELBSecurityPolicy-TLS-1-2-Ext-2018-06). All modern browsers, including IE 11, and 98.5% of all Internet devices support TLS 1.2.


For existing load balancers, it is highly recommended that you modify them to use TLS 1.2 only. To do so, you can manually update the security policy by clicking on the "Edit" load balancer button in the network details of the Vapor UI. This update will not cause downtime for your application.


At Laravel, we're committed to providing you with the most robust and developer friendly PHP experience in the world. If you haven't checked out Vapor, now is a great time to start! You can create your account today at:

By Nuno Maduro

Software Engineer at Laravel.

Follow the RSS Feed.