Score:0

Achieving mTLS with AWS ALB


If I have an ALB in my infrastructure with ECS target groups downstream, will SSL/TLS always be terminated at the ALB?

If so, are my only options ELB/NLB to preserve the SSL/TLS context?

Score:1
Tim

ALB always terminates https, but can create a new https session to your target servers if you set them up with certificates. Information here. Note that you can't use AWS Certificate Manager for servers, you need third party certificates.

If you want TLS terminated on the servers themselves, your best option is to use an NLB. ELBs are generally not used these days unless you have a very good reason; they're first gen.

RustyShackleford
A new session would satisfy my requirements. How do I create a new https session to my target group?
Tim
Answer edited. You set up your servers with HTTPS certificates and make sure the target group is set to use HTTPS.
RustyShackleford
Why can't you use AWS Certificate Manager?
RustyShackleford
It seems that the cert is not validated in the ALB, so it wouldn't be as secure as end to end mTLS. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration
Tim
I can never remember if self-signed certs are OK; looks like they are. You can't use AWS Certificate Manager because it's not possible to export a private key to put on your instance.
RustyShackleford
Couldn't the server just do `acm:exportcertificate`? That would return the exported file, which contains the certificate, the certificate chain, and the encrypted private key. @Tim
RustyShackleford
Seems like you can export cert/CA/private key from a private CA, not a public one.
Tim
Exactly, and a private CA costs about $600 per month from memory. For my personal servers I use Let's Encrypt certificates with certbot. Commercially I tend to use self-signed certs unless there's a good reason to use Let's Encrypt / commercial / something else.
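The setup Tim describes (ACM certificate on the ALB listener, target group switched to HTTPS, backend serving its own self-signed certificate), as an added example that is not from the thread or from AWS. The names `ecs-https-tg`, `backend.internal`, `/healthz` and the `VPC_ID` / `ALB_ARN` / `ACM_CERT_ARN` variables are assumptions; the `aws elbv2` flags are the documented ones. One caveat a practitioner should keep in mind, consistent with the docs link in the comments: the ALB does not validate the target's certificate, so this gives you encryption on the ALB-to-target hop, not target authentication, and it is not mTLS on that hop.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Part 1 runs offline with openssl only;
# part 2 calls the AWS CLI and only runs when RUN_AWS=1 and the placeholder
# variables VPC_ID, ALB_ARN and ACM_CERT_ARN are set (all assumptions).
set -eu

# Part 1: a self-signed server certificate for the backend (e.g. nginx inside
# the ECS task). The ALB does not validate this certificate, so self-signed is
# enough to get TLS on the ALB -> target hop; it does NOT authenticate the target.
make_backend_cert() {
  local outdir="$1" cn="${2:-backend.internal}"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" >/dev/null 2>&1
  chmod 600 "$outdir/server.key"
}

# Sanity check before baking the files into the task image / secret:
# the private key must match the certificate and the cert must not be expired.
check_backend_cert() {
  local outdir="$1" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$outdir/server.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$outdir/server.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$outdir/server.crt" -noout -checkend 0 >/dev/null
}

# Part 2: the AWS side. Target group protocol HTTPS is what makes the ALB open a
# new TLS session to each target (ECS awsvpc tasks register by IP, hence
# --target-type ip). The ALB's own listener still uses an ACM certificate.
create_https_target_group() {
  local vpc_id="$1" alb_arn="$2" acm_cert_arn="$3" tg_arn
  tg_arn=$(aws elbv2 create-target-group \
      --name ecs-https-tg --protocol HTTPS --port 443 --vpc-id "$vpc_id" \
      --target-type ip --health-check-protocol HTTPS --health-check-path /healthz \
      --query 'TargetGroups[0].TargetGroupArn' --output text)
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" \
      --protocol HTTPS --port 443 \
      --certificates "CertificateArn=$acm_cert_arn" \
      --default-actions "Type=forward,TargetGroupArn=$tg_arn" >/dev/null
  echo "$tg_arn"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  create_https_target_group "$VPC_ID" "$ALB_ARN" "$ACM_CERT_ARN"
fi
```

Usage: `make_backend_cert ./tls backend.internal && check_backend_cert ./tls`, then mount `./tls` into the task and point the container's TLS server at it; run with `RUN_AWS=1 VPC_ID=... ALB_ARN=... ACM_CERT_ARN=...` to create the HTTPS target group and listener. If you need the target actually authenticated (the "end to end mTLS" the question asks about), this is the hop where ALB cannot help and an NLB passing TLS through to the task is the option the answer points at.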