Join Log in
Score:0
RustyShackleford avatar Server

Achieving mTLS with AWS ALB

fm flag
RustyShackleford

If I have an ALB in my infrastructure with ECS target groups downstream, will SSL/TLS always be terminated at the ALB?

If so, are my only options ELB/NLB to preserve the SSL/TLS context?

944
0 + 0
nlb
Score:1
Tim avatar Server
gp flag
Tim

ALB always terminates https, but can create a new https session to your target servers if you set them up with certificates. Information here. Note that you can't use AWS Certificate Manager for servers, you need third party certificates.

If you want TLS terminated on the servers themselves your best option is to use an NLB. ELB are generally not used these days unless you have a very good reason, they're first gen.

0 + 0
RustyShackleford avatar
fm flag
RustyShackleford
A new session would satisfy my requirements. How do I create a new https session to my target group?
0
Reply
Tim avatar
gp flag
Tim
Answer edited. You set up your servers with https certificates and make sure the target group is set to use https
0
Reply
RustyShackleford avatar
fm flag
RustyShackleford
Why can't you use AWS cert manager?
0
Reply
RustyShackleford avatar
fm flag
RustyShackleford
It seems that the cert is not validated in the ALB, so it wouldn't be as secure as end to end mTLS. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration
0
Reply
Tim avatar
gp flag
Tim
I can never remember if self signed certs are ok, looks like they are. You can't use AWS Certificate Manager because it's not possible to export a private key to put on your instance.
0
Reply
RustyShackleford avatar
fm flag
RustyShackleford
Couldn't the server just do `acm:exportcertificate` and that would return the exported file contains the certificate, the certificate chain, and the encrypted private key. @Tim
0
Reply
RustyShackleford avatar
fm flag
RustyShackleford
Seems like you can export cert/ca/private key from private CA, not public
0
Reply
Tim avatar
gp flag
Tim
Exactly, and a private CA costs about $600 per month from memory. For my personal servers I use Let's Encrypt certificates with certbot. Commercially I tend to use self signed certs unless there's a good reason to use Let's Encrypt / commercial / something else.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.