This section explains the steps to configure EBS Encryption using NSX Advanced Load Balancer UI.

The following are the steps configure EBS Encryption Using NSX Advanced Load Balancer UI:


  1. To enable the encryption on UI, navigate to Infrastructure > Clouds, and select the AWS cloud to enable encryption for. Click the Edit icon.
  2. In the AWS User Credentials section, enable the checkbox for Use Encryption for SE S3 Bucket to encrypt S3 bucket used during the Service Engine image upload and enable the checkbox for Use Encryption for SE AMI/EBS volumes to encrypt Service Engine AMI, snapshot, or volume.
  3. Select SSE KMS from the dropdown menu for Encryption Mode. For the AWS KMS Master Key ARN ID field, choose one of the relevant options:
    1. If the given credentials or Controller role has sufficient permissions to read the list of the keys, then they will be displayed in a drop-down menu. Choose the displayed option.
    2. The key ARN can be entered manually in the Customer Master Key (CMK) format arn:aws:kms:AWS-Region:AWS-Account-ID:key/CMK-key-ID. If left blank, the default KMS CMK of the service will be used.



What to do next

  • Most instance types are supported for EBS encryption. For complete information, see Amazon EBS Encryption.

  • The S3 bucket encryption feature requires VMimport.

  • As a part of cloud orchestration, NSX Advanced Load Balancer Controller will upload and manage either an unencrypted or encrypted Service Engine AMI based on the Use Encryption for SE AMI/EBS volumes option.