gRPC ã® TLS ã‚’ NLBã§çµ‚ç«¯ã—ã‚ˆã†ã¨æ€ã£ã¦ã„ãŸã‚‰ãšã„ã¶ã‚“ã¨ãƒˆãƒ©ãƒ–ã£ã¦ã—ã¾ã„ã¾ã—ãŸã€‚ çµå±€ã®ã¨ã“ã‚ãã®åŽŸå› ã¯ ALPN ã«ã‚ã£ãŸã®ã§ã™ãŒã€ã¼ãè‡ªèº«ãŒ ALPN ã«è©³ã—ããªã„ãŸã‚ã€ãªã‹ãªã‹ã‚ˆãã‚ã‹ã‚‰ãªã‹ã£ãŸã€‚ ã“ã®ãŸã‚ã€ãã¡ã‚“ã¨ ALPN ã‚’ç†è§£ã—ã‚ˆã†ã¨ã„ã†ã®ãŒæœ¬ã‚¨ãƒ³ãƒˆãƒªã®è¶£æ—¨ã«ãªã‚Šã¾ã™ã€‚

ALPN

ALPN ã¯ Application-Layer Protocol Negotiation ã®ç•¥ã§ã€TLS ã®æ‹¡å¼µã§ã™ã€‚RFC ã¯ RFC 7301 - Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extensionã€‚ ALPN ãŒä½•ã‚’ã—ã¦ãã‚Œã‚‹æ‹¡å¼µã‹ã¨ã„ã†ã¨ã€TLS ã®ä¸Šã®ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãƒ¬ã‚¤ãƒ¤ã§ä½¿ç”¨ã™ã‚‹ãƒ—ãƒãƒˆã‚³ãƒ«ã‚’ Client - Server é–“ã§ãƒã‚´ã‚·ã‚¨ãƒ¼ã‚·ãƒ§ãƒ³ã™ã‚‹ãŸã‚ã®æ‹¡å¼µã«ãªã‚Šã¾ã™ã€‚

Client ã¯ TLS ã® ClientHello ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã®ä¸ã§ã€è‡ªåˆ†ã®ã‚µãƒãƒ¼ãƒˆã§ãã‚‹ãƒ—ãƒãƒˆã‚³ãƒ«ã‚’ãƒªã‚¹ãƒˆå½¢å¼ã§ Server ã«é€ã‚Šã¾ã™ã€‚ã“ã®ãƒªã‚¹ãƒˆã¯ã€è‡ªåˆ†ãŒåˆ©ç”¨ã‚’æœ›ã‚€ãƒ—ãƒãƒˆã‚³ãƒ«é †ã«ãªã£ã¦ã„ã¾ã™ã€‚ Server ã¯ã€ãã®ä¸ã§ Server è‡ªèº«ãŒå¯¾å¿œã—ã¦ã„ã‚‹ãƒ—ãƒãƒˆã‚³ãƒ«ã‚’é¸ã³ã€ServerHello ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã®ä¸ã§ãã®é¸æŠžçµæžœã‚’è¿”å´ã—ã¾ã™ã€‚

RFC ã®ä¸ã®å›³ã§èª¬æ˜Žã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚ã¾ã ã‚³ãƒã‚¯ã‚·ãƒ§ãƒ³ç¢ºç«‹å‰ã®æ®µéšŽãªã®ã§ã€ã“ã‚Œã‚‰ã®ãƒã‚´ã‚·ã‚¨ãƒ¼ã‚·ãƒ§ãƒ³ã¯å¹³æ–‡ã§è¡Œã‚ã‚Œã¾ã™ã€‚

  Client                                              Server

   ClientHello                     -------->       ServerHello
     (ALPN extension &                               (ALPN extension &
      list of protocols)                              selected protocol)
                                                   Certificate*
                                                   ServerKeyExchange*
                                                   CertificateRequest*
                                   <--------       ServerHelloDone
   Certificate*
   ClientKeyExchange
   CertificateVerify*
   [ChangeCipherSpec]
   Finished                        -------->
                                                   [ChangeCipherSpec]
                                   <--------       Finished
   Application Data                <------->       Application Data

ã˜ã‚ƒãã©ã†ã„ã†ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãƒ—ãƒãƒˆã‚³ãƒ«ãŒã“ã‚Œã‚‰ã®é¸æŠžè‚¢ã«å…¥ã‚‹ã‹ã¨ã„ã†ã¨ã€HTTP/1.1 ã‚„ SPDY/3ã€ HTTP/2 over TLS ã‚„ HTTP/2 over TCP ãªã©ãŒã‚ã‚Šã¾ã™ã€‚

ALPN ã¨ HTTP/2

HTTP/2 ã® RFC (RFC 7540) ã«ã¯ä»¥ä¸‹ã®è¨˜è¿°ãŒã‚ã‚Šã€TLS ã§ HTTP/2 ã‚’ä½¿ãŠã†ã¨ã™ã‚‹ã¨ã€ALPN ãŒå‰æã«ãªã£ã¦ã„ã‚‹ã“ã¨ãŒã‚ã‹ã‚Šã¾ã™ã€‚

A client that makes a request to an "https" URI uses TLS with the application-layer protocol negotiation (ALPN) extension.

ãªãœ NLB ä¸Šã§ gRPC ãŒä½¿ç”¨ã§ããªã‹ã£ãŸã®ã‹

ã“ã“ã‹ã‚‰ã¯æƒ³åƒã‚’å«ã¿ã¾ã™ã€‚

NLB ã§ TLS ã‚’çµ‚ç«¯ã—ã‚ˆã†ã¨ã—ã¦ã„ãŸ
- 新機能 – Network Load Balancer の TLS 終端 | Amazon Web Services ブログ
ãã—ã¦ NLB ã§ã¯ãŠãã‚‰ã ALPN ã‚’ã‚µãƒãƒ¼ãƒˆã—ã¦ã„ãªã„ã€‚
- java - Does AWS Network Load Balancer (NLB) support ALPN? - Stack Overflow

ã¨ã„ã†ã‚ã‘ã§ã€gRPC ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆãŒ NLB ã¨ã® ALPN ã®ãƒã‚´ã‚·ã‚¨ãƒ¼ã‚·ãƒ§ãƒ³ã§å¤±æ•—ã—ã¦ã„ãŸã¨ã„ã†ã“ã¨ãŒç†ç”±ãªã‚“ã ã¨ç†è§£ã—ã¦ã„ã¾ã™ã€‚ è¨³ãŒã‚ã‹ã‚‰ãªã‹ã£ãŸã®ã¯ã€Go ã® gRPC ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã§ã¯æˆåŠŸã—ãŸã«ã‚‚ã‹ã‹ã‚ã‚‰ãš node.js ã® gRPC ã®ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã§å¤±æ•—ã—ã€è¨€èªžé–“ã§æŒ™å‹•ãŒç•°ãªã£ã¦ã„ãŸã¨ã„ã†ã“ã¨ã€‚ ã“ã‚Œã¯ãŠãã‚‰ãã€Go ã® gRPC ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã®ãƒã‚°ã€‚