I want to replace a Network Load Balancer that passes mTLS connections through to targets that terminate them with an Application Load Balancer, to improve security and scalability.
Short description
Many organizations use Network Load Balancers as passthrough load balancers in front of Amazon Elastic Compute Cloud (Amazon EC2) instances that terminate Mutual TLS (mTLS) connections. This architecture supports mTLS authentication, but it requires you to install and maintain a server certificate and a client CA bundle on each EC2 instance. The configuration often leads to resource over-provisioning, because EC2 instances are dedicated solely to terminating mTLS connections.
Use an Application Load Balancer instead of the Network Load Balancer for mTLS connections. The replacement allows organizations to streamline their architecture, centralize certificate management, and optimize resource utilization. The AWS Web Application Firewall (AWS WAF) on the Application Load Balancer provides an additional layer of security against common web issues and application-level attacks.
Resolution
To migrate your mTLS architecture from the Network Load Balancer to the Application Load Balancer, use the following sections in sequence.
Create an Application Load Balancer in verify mode or passthrough mode
Complete the following steps:
- Create an Application Load Balancer in your AWS environment with an HTTPS listener to manage incoming mTLS connections.
- Configure mTLS on the Application Load Balancer either in the verify mode or the passthrough mode. For more information, see Mutual authentication with TLS in Application Load Balancer.
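The following AWS CLI script is an added example, not part of the AWS article, that shows the two listener configurations the steps above describe: a trust store plus a `verify` mode listener, or a `passthrough` mode listener that needs no trust store. Every name, ARN, bucket and key in it is a placeholder that you must replace with your own values.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): create the ALB mTLS listener with the AWS CLI.
# All ARNs, names, the S3 bucket and key below are placeholder assumptions.
set -euo pipefail

# Build the value for the listener's --mutual-authentication option.
#   verify      : the ALB validates the client certificate against a trust store (CA bundle).
#   passthrough : the ALB forwards the client certificate to the target in request headers;
#                 no trust store is involved, so the target must do the validation itself.
mutual_auth_arg() {
  local mode="$1" trust_store_arn="${2:-}"
  case "$mode" in
    verify)
      [ -n "$trust_store_arn" ] || { echo "verify mode requires a trust store ARN" >&2; return 1; }
      printf 'Mode=verify,TrustStoreArn=%s,IgnoreClientCertificateExpiry=false' "$trust_store_arn" ;;
    passthrough)
      printf 'Mode=passthrough' ;;
    *)
      echo "unsupported mTLS mode: $mode (use verify or passthrough)" >&2; return 1 ;;
  esac
}

# Create a trust store from a PEM bundle of client CA certificates stored in S3.
# Prints the trust store ARN. Placeholder bucket/key: replace with your own.
create_trust_store() {
  local name="$1" bucket="$2" key="$3"
  aws elbv2 create-trust-store \
    --name "$name" \
    --ca-certificates-bundle-s3-bucket "$bucket" \
    --ca-certificates-bundle-s3-key "$key" \
    --query 'TrustStores[0].TrustStoreArn' --output text
}

# Create the HTTPS listener on an existing ALB, forwarding to an existing target group.
# $1 mode, $2 ALB ARN, $3 target group ARN, $4 ACM server certificate ARN, $5 trust store ARN (verify only)
create_mtls_listener() {
  local mode="$1" alb_arn="$2" tg_arn="$3" cert_arn="$4" trust_store_arn="${5:-}"
  local mtls
  mtls="$(mutual_auth_arg "$mode" "$trust_store_arn")"
  aws elbv2 create-listener \
    --load-balancer-arn "$alb_arn" \
    --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$cert_arn" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --mutual-authentication "$mtls" \
    --default-actions "Type=forward,TargetGroupArn=$tg_arn" \
    --query 'Listeners[0].ListenerArn' --output text
}

# Only talk to AWS when explicitly asked; the functions above are safe to source.
if [ "${RUN_AWS:-0}" = "1" ]; then
  TS_ARN="$(create_trust_store placeholder-client-ca placeholder-bucket client-ca-bundle.pem)"
  create_mtls_listener verify \
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/placeholder/0123456789abcdef" \
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/placeholder/0123456789abcdef" \
    "arn:aws:acm:us-east-1:123456789012:certificate/placeholder" \
    "$TS_ARN"
fi
```

Run it with `RUN_AWS=1` after replacing the placeholders. In verify mode the CA bundle in the trust store becomes the single place where client trust is managed, which is the centralization the article refers to; in passthrough mode the ALB does not validate the client certificate, so the target application must still verify the certificate it receives in the forwarded headers, otherwise the mTLS check is silently lost.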
Migrate traffic from the Network Load Balancer to the Application Load Balancer
To shift traffic, use the Amazon Route 53 weighted routing policy:
- Initially, set a higher weight for the Network Load Balancer's DNS record and a lower weight for the Application Load Balancer's DNS record.
- Then, gradually increase the weight for the Application Load Balancer's DNS record. At the same time, decrease the weight for the Network Load Balancer's DNS record. This rerouting redirects more traffic to the Application Load Balancer.
Monitor the migration and then decommission the earlier setup
Complete the following steps:
- Monitor the migration process to verify that the Application Load Balancer-based architecture is working correctly.
- Make sure that you successfully shifted all traffic to the Application Load Balancer. Then, decommission the Network Load Balancer and the Amazon EC2 instances that terminated mTLS.
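The following script is an added example, not part of the AWS article, that ties together the weighted-routing shift and the monitoring step: it generates the Route 53 change batch for each NLB/ALB weight pair, applies it, and checks the Application Load Balancer's CloudWatch metrics before moving to the next weight. The hosted zone ID, record name, load balancer DNS names and the 1% error threshold are placeholder assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): gradual weighted cutover from NLB to ALB
# with a CloudWatch health gate between steps. All IDs and names are placeholders.
set -euo pipefail

: "${HOSTED_ZONE_ID:=ZPLACEHOLDER123}"        # Route 53 hosted zone of the record
: "${RECORD_NAME:=api.example.com.}"           # the DNS name clients connect to
: "${NLB_DNS:=placeholder-nlb.elb.us-east-1.amazonaws.com}"
: "${NLB_ZONE_ID:=ZNLBPLACEHOLDER}"            # NLB alias hosted zone ID
: "${ALB_DNS:=placeholder-alb.us-east-1.elb.amazonaws.com}"
: "${ALB_ZONE_ID:=ZALBPLACEHOLDER}"            # ALB alias hosted zone ID
: "${ALB_DIMENSION:=app/placeholder/0123456789abcdef}"  # CloudWatch LoadBalancer dimension
: "${MAX_ERRORS_PER_MILLE:=10}"                # abort the shift above 1% TLS/5xx errors

# Emit a change batch that UPSERTs both weighted alias records.
# Route 53 weights must be integers from 0 to 255.
weighted_change_batch() {
  local nlb_weight="$1" alb_weight="$2" w
  for w in "$nlb_weight" "$alb_weight"; do
    case "$w" in *[!0-9]*|'') echo "weight must be an integer: $w" >&2; return 1 ;; esac
    [ "$w" -le 255 ] || { echo "weight out of range 0-255: $w" >&2; return 1; }
  done
  cat <<EOF
{
  "Comment": "Shift mTLS traffic from NLB to ALB",
  "Changes": [
    {"Action": "UPSERT", "ResourceRecordSet": {
      "Name": "$RECORD_NAME", "Type": "A", "SetIdentifier": "nlb", "Weight": $nlb_weight,
      "AliasTarget": {"HostedZoneId": "$NLB_ZONE_ID", "DNSName": "$NLB_DNS", "EvaluateTargetHealth": true}}},
    {"Action": "UPSERT", "ResourceRecordSet": {
      "Name": "$RECORD_NAME", "Type": "A", "SetIdentifier": "alb", "Weight": $alb_weight,
      "AliasTarget": {"HostedZoneId": "$ALB_ZONE_ID", "DNSName": "$ALB_DNS", "EvaluateTargetHealth": true}}}
  ]
}
EOF
}

# Sum of one ALB metric over the last 5 minutes (0 when no datapoints were emitted).
alb_metric_sum() {
  local metric="$1" v
  v="$(aws cloudwatch get-metric-statistics \
        --namespace AWS/ApplicationELB --metric-name "$metric" \
        --dimensions "Name=LoadBalancer,Value=$ALB_DIMENSION" \
        --start-time "$(date -u -d '-5 minutes' +%Y-%m-%dT%H:%M:%SZ)" \
        --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        --period 300 --statistics Sum \
        --query 'Datapoints[0].Sum' --output text)"
  [ "$v" = "None" ] && v=0
  printf '%.0f' "$v"
}

# Gate: errors/requests must stay at or below MAX_ERRORS_PER_MILLE (default 1%).
# A brand-new ALB with zero requests is not "healthy", it is simply untested.
cutover_ok() {
  local errors="$1" requests="$2"
  [ "$requests" -gt 0 ] || return 1
  [ $((errors * 1000)) -le $((requests * MAX_ERRORS_PER_MILLE)) ]
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  for pair in "90 10" "70 30" "50 50" "20 80" "0 100"; do
    set -- $pair
    aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
      --change-batch "$(weighted_change_batch "$1" "$2")"
    echo "weights set: NLB=$1 ALB=$2; waiting for traffic to settle"
    sleep 600
    errors=$(( $(alb_metric_sum ClientTLSNegotiationErrorCount) + $(alb_metric_sum HTTPCode_ELB_5XX_Count) ))
    requests=$(alb_metric_sum RequestCount)
    cutover_ok "$errors" "$requests" || { echo "error rate too high ($errors/$requests); stopping" >&2; exit 1; }
  done
  echo "all traffic on the ALB; the NLB and its mTLS EC2 targets can be decommissioned"
fi
```

`ClientTLSNegotiationErrorCount` rises when clients fail the handshake, which during an mTLS migration usually means a client certificate the new trust store does not accept, so stopping the shift at the first step keeps most traffic on the working path while you compare the ALB connection logs against the old setup.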
Related information
Introducing mTLS for Application Load Balancer
CloudWatch metrics for your Application Load Balancer
Access logs for your Application Load Balancer
Connection logs for your Application Load Balancer