
We use an Application Load Balancer behind which we have an nginx server. Our client has asked us to implement mTLS but I don't think that works if the ALB terminates TLS connections.

I know that our ALB currently swaps out the self-signed certificate of our nginx server and replaces it with its own, which is a pretty good indication that it terminates TLS connections.

If we can't change that we'd have to switch to an NLB instead.

Can an ALB be configured to work without terminating TLS connections in AWS, or is that impossible?

sashoalm

1 Answer


You are correct. ALB unfortunately does not support mTLS at this time (I really wish AWS would add that feature). And since ALB needs to terminate the SSL connection in order to do all the things it does, like path forwarding, etc., there is no way for them to add TCP pass-through to the ALB. You will need to switch to an NLB and handle all the SSL certificate stuff on your server.

Mark B
  • Thank you for the answer! I have [another question](https://stackoverflow.com/questions/71158891/can-an-elb-enforce-tls-authentication) - if it is possible for the ELB itself to do it. Sorry for asking many questions... – sashoalm Feb 17 '22 at 13:20
  • @sashoalm I already answered that question. That's just a rephrased duplicate of this question. There is no way to do mTLS directly on the AWS load balancer (any load balancer type). You have to use TCP passthrough on the load balancer and handle mTLS on your server. – Mark B Feb 17 '22 at 13:22
  • Checked with AWS support in March 2023: still not possible. There is a feature request for adding TCP pass-through support to ALB, but no one knows if and when it will be added. – gizit Mar 30 '23 at 13:36
  • Additionally to the connection termination behaviour on the ALB, it is necessary to have an inbound rule on port 80 for the EC2 instance's security group. I think this is necessary because the ALB performed the connection termination on port 443. – Felipe Jun 23 '23 at 10:19
  • @Felipe it is only necessary to have an inbound rule on port 80 if you have a load balancer listener on port 80. – Mark B Jun 23 '23 at 11:47
  • Yes. That is true. Because security groups are stateful. – Felipe Jun 23 '23 at 15:51
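The setup the answer recommends, written out as an added example that is not part of the question, the answer or any AWS documentation: an NLB with a plain TCP listener on 443 forwards the raw TLS stream to the instance, and nginx both terminates TLS and enforces client-certificate authentication. The hostname, certificate paths and the upstream address are assumed placeholders.

```nginx
# Added example, not from the original post. nginx sits behind an NLB TCP
# listener on 443 (no TLS termination on the load balancer) and performs
# mTLS itself. All paths, the server_name and the upstream are assumed.
server {
    listen 443 ssl;
    server_name api.example.com;              # assumed hostname

    # Server identity. A self-signed cert still works here because the NLB
    # never inspects it; clients must trust it (or its issuer) as before.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: the CA (bundle) that issued the client certs.
    # "on" rejects any handshake that does not present a chain to this CA;
    # depth 2 allows one intermediate between client cert and root.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Revocation of issued client certs. Commented out because the file must
    # exist and be refreshed; without it a leaked client key stays valid.
    # ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        # With ssl_verify_client on, nginx already refuses unauthenticated
        # requests (HTTP 400 "No required SSL certificate was sent"). This
        # guard records the invariant and keeps the backend closed if the
        # setting is ever relaxed to "optional".
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Pass the verified identity to the application for per-client
        # authorization. The app must only be reachable through nginx,
        # otherwise a caller could forge these headers.
        proxy_set_header X-Client-Cert-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Serial $ssl_client_serial;
        proxy_pass http://127.0.0.1:8080;     # assumed upstream application
    }
}

# No port-80 server block: the NLB in this example has no port-80 listener,
# so the instance security group only needs to allow 443 (see the comments
# above about when port 80 is actually required).
```

To check the result from a client machine, `openssl s_client -connect api.example.com:443 -cert client.crt -key client.key` followed by a `GET / HTTP/1.0` request should reach the upstream, while the same command without `-cert`/`-key` is refused: with TLS 1.2 the handshake fails, with TLS 1.3 the handshake completes and nginx answers 400 on the first request. Either way the application never sees an unauthenticated request, which is the property the ALB could not provide.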