
I am using AWS::ElasticLoadBalancingV2::LoadBalancer and we need to start using client certificates (i.e. mTLS / two-way TLS). Our ELB is terminating TLS connections and has a server side certificate.

Can the ELB itself be configured to enforce client authentication (by giving it a certificate for example)?

sashoalm

1 Answer


As I answered in your previous question, this is not a supported feature of AWS load balancers at this time. You have to switch to a load balancer type that supports TCP passthrough, and handle mTLS on your server.

Mark B

  • Just to be sure, this question is not about passthrough - it is about whether the ELB itself can request the client certificate and authenticate the client. The backend plays no part in the mTLS in this case. – sashoalm Feb 17 '22 at 13:27
  • I understand the question. I don't feel like you're taking the time to read my answers. I'm telling you there is no way to have the ELB request a client certificate. AWS load balancers do not support mutual TLS. There is no way to make that work on the load balancer itself. So if you want to support mutual TLS in your application, the only option you have is to configure the load balancer in TCP passthrough, and handle mutual TLS yourself. – Mark B Feb 17 '22 at 13:29