Is it possible to do mTLS using a NLB?

Question

Hi there!

I have a service that listens over a normal TCP socket (not HTTP* compatible), and my plan is to run it behind an NLB and offload the SSL to the NLB for clients connecting. However, I've been informed that we need to have mTLS enabled on these communications in our production environment. I know mTLS is possible for ALB, but that requires me to use HTTP* for communications, and this service doesn't support it.

I was wondering if there is a way or something I can use in the AWS Toolkit to do this. I'm trying to avoid updating the service to handle the TLS on both sides.

Thanks
Ian

Leo K · Accepted Answer

No, Network Load Balancers do not support mutual TLS or any other way to authenticate the client. Support for mTLS has existed for a long time on the API Gateway and was introduced only relatively recently for the ALB, with no indication that it would be made available for the NLB.

Broadly speaking, the NLB is positioned as an lean-and-mean traffic processing layer with ultra-high scalability and low latency. I would guess that mTLS with all the complexities related to validating certificates issued by various sources may never fit well with the way the NLB is meant to operate. It might be a better fit in the future for the AWS Network Firewall, but I believe it also doesn't support mTLS now.

Swasti · Answer

NLB is a layer 4 loadbalancer and MTLS works at higher layer. Thus natively it doesnot have a feature to support mTLS, but With TCP listeners you can use NLB as a pass through and allow mutual TLS negotiation between Client and the target.

The main idea here is not to terminate TLS at the NLB and have negotiation on top of the NLB's TCP connection.

Is it possible to do mTLS using a NLB?

Relevant content