Reputation: 79685
I am using AWS::ElasticLoadBalancingV2::LoadBalancer and we need to start using client certificates (i.e. mTLS / two-way TLS). Our ELB is terminating TLS connections and has a server side certificate.
Can the ELB itself be configured to enforce client authentication (by giving it a certificate for example)?
Upvotes: 4
Views: 4378
Reputation: 996
As of the announcement at AWS re:Invent 2023 in November, there is finally support for mTLS for ALBs, and you can use AWS's PCA (Private CA) to manage client certs.
How-To: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html
Private CA: https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html
Upvotes: 3
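As an added example (not part of the answer above, and not taken from the AWS docs it links), here is what the ALB mutual-authentication setup looks like as a CloudFormation fragment alongside the `AWS::ElasticLoadBalancingV2::LoadBalancer` the question mentions. It assumes the load balancer, the ACM server certificate, the target group and an S3 object holding the PEM bundle of CA certificates already exist; all ARNs, bucket and key names are placeholders supplied as parameters. The trust store holds the CA chain the ALB uses to validate client certificates, and `Mode: verify` on the HTTPS listener makes the ALB reject handshakes whose client certificate does not chain to it.

```yaml
# Added example: ALB mTLS via a trust store + listener MutualAuthentication.
# All ARNs / bucket names below are placeholders passed in as parameters.
AWSTemplateFormatVersion: "2010-09-09"
Description: Enforce client-certificate authentication on an existing ALB HTTPS listener

Parameters:
  LoadBalancerArn:
    Type: String            # ARN of the existing AWS::ElasticLoadBalancingV2::LoadBalancer
  ServerCertificateArn:
    Type: String            # ACM certificate the ALB presents to clients (server side of TLS)
  TargetGroupArn:
    Type: String            # target group that receives authenticated traffic
  CaBundleBucket:
    Type: String            # S3 bucket holding the PEM bundle of trusted client CAs
  CaBundleKey:
    Type: String            # S3 key of that bundle, e.g. "mtls/client-ca-bundle.pem" (placeholder)

Resources:
  # The trust store is the set of CA certificates the ALB will accept client certs from.
  # Keep it to the CA(s) that actually issue your client certs; a broad bundle widens
  # who can authenticate.
  ClientCaTrustStore:
    Type: AWS::ElasticLoadBalancingV2::TrustStore
    Properties:
      Name: client-ca-trust-store
      CaCertificatesBundleS3Bucket: !Ref CaBundleBucket
      CaCertificatesBundleS3Key: !Ref CaBundleKey

  # HTTPS listener with mutual authentication enforced at the ALB.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref ServerCertificateArn
      MutualAuthentication:
        # "verify": ALB validates the client cert chain against the trust store and
        #           drops the connection if validation fails.
        # "passthrough": ALB only forwards the presented cert in a header and leaves
        #           validation to the target (weaker; the backend must do the check).
        # "off": no client certificate requested (the pre-2023 behaviour).
        Mode: verify
        TrustStoreArn: !Ref ClientCaTrustStore
        # Keep expiry checks on; setting this to true accepts expired client certs.
        IgnoreClientCertificateExpiry: false
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn

Outputs:
  TrustStoreArn:
    Value: !Ref ClientCaTrustStore
```

Two operational points worth checking after deploying something like this: revoking a client certificate requires uploading a CRL to the trust store (the listener does not consult the issuing CA live), and the targets behind the listener should be reachable only from the ALB's security group, since any client-identity information the ALB forwards to them in request headers is only trustworthy when the ALB is the sole path to the backend.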
Reputation: 11
While an AWS load balancer doesn't provide mTLS authentication via a client-provided certificate, you could do that by instead using an API Gateway.
There's an example blog post from AWS here showing how it works: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
Upvotes: 1
Reputation: 201058
As I answered in your previous question, this is not a supported feature of AWS load balancers at this time. You have to switch to a load balancer type that supports TCP passthrough, and handle mTLS on your server.
Upvotes: 7