Can Application Load balancer perform Cognito auth on specific routes?


I have the following architecture in mind. Does this require two separate ALBs (i.e. configure one of two ALBs to perform auth) or can a single ALB be configured to do Cognito auth on specific routes?


2 Answers

Yes, it is possible.

When you create a rule for a specific path (e.g. /get_y) on your Application Load Balancer, you can include a THEN clause called "Authenticate using Cognito", where you specify your UserPoolID, ClientID, etc. You also include your target as a forward to your ECS. Each HTTP request is then evaluated for whether it contains a specific token in the HTTP headers. If it does not contain it, the user is redirected to Cognito. You then create another rule (e.g. /get_x) where you don't require authentication, so you omit the authentication clause and just forward to your ECS.

I hope it helps.

answered a year ago
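An added example, not part of the answer above: a Python check that takes listener rules in the shape returned by `elbv2 describe_rules` and reports which rule a path hits and whether that rule starts with an `authenticate-cognito` action. Rules are evaluated lowest priority number first, so it also shows how a broad unauthenticated pattern placed ahead of /get_y leaves that route open. The helper names and all sample values are constructed placeholders; only `path-pattern` conditions are considered, and `fnmatchcase` stands in for the ALB's `*` and `?` wildcard matching.

```python
from fnmatch import fnmatchcase

# Constructed sample data shaped like the "Rules" list from elbv2 describe_rules.
# Every ARN, client id and domain below is a placeholder.
COGNITO = {"UserPoolArn": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/POOL_ID",
           "UserPoolClientId": "CLIENT_ID_PLACEHOLDER",
           "UserPoolDomain": "domain-placeholder",
           "OnUnauthenticatedRequest": "authenticate"}
TARGET = "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/ecs-placeholder/0"

def rule(priority, pattern, auth):
    """Build one rule dict (hypothetical helper for the sample data)."""
    actions = [{"Type": "forward", "Order": 2, "TargetGroupArn": TARGET}]
    if auth:
        actions.insert(0, {"Type": "authenticate-cognito", "Order": 1,
                           "AuthenticateCognitoConfig": dict(COGNITO)})
    conds = [{"Field": "path-pattern", "Values": [pattern]}] if pattern else []
    return {"Priority": priority, "Conditions": conds, "Actions": actions}

def requires_auth(r):
    """True if the rule's first action forces a Cognito session."""
    first = min(r["Actions"], key=lambda a: a.get("Order", 1))
    if first["Type"] != "authenticate-cognito":
        return False
    mode = first["AuthenticateCognitoConfig"].get("OnUnauthenticatedRequest", "authenticate")
    return mode != "allow"  # "allow" lets anonymous requests through

def route_auth(rules, path):
    """Return (priority, requires_auth) for the first rule matching path."""
    def order(r):  # lowest number wins; the default rule is evaluated last
        return float("inf") if r["Priority"] == "default" else int(r["Priority"])
    for r in sorted(rules, key=order):
        pats = [v for c in r["Conditions"] if c["Field"] == "path-pattern"
                for v in c["Values"]] or ["*"]
        if any(fnmatchcase(path, p) for p in pats):
            return r["Priority"], requires_auth(r)
    return None, False

# Intended layout: /get_y authenticated, /get_x open.
GOOD = [rule("1", "/get_y", True), rule("2", "/get_x", False), rule("default", None, False)]
# Misordered layout: a broad open rule shadows the authenticated one.
SHADOWED = [rule("1", "/get_*", False), rule("2", "/get_y", True), rule("default", None, False)]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("SHADOWED", SHADOWED)):
        for path in ("/get_x", "/get_y"):
            print(name, path, route_auth(rules, path))
```
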

Hello AWS Customer,

Application Load Balancers support path-based routing and priority rules (so that multiple services can use the same listener port on a single Application Load Balancer).[1]

You can configure your Application Load Balancer's listener rules to configure different forwarding targets based on routes.

Hope you will find this information useful. Please let me know if you have any further questions or concerns. I will be more than glad to assist you.

I hope you are always healthy and have a nice day.

AWS
answered a year ago
  • Thanks @jisso_K, but your response does not answer the specific question, which was "Can Application Load balancer perform Cognito auth on specific routes?", i.e. the diagram shows the requirement for one route to trigger Cognito authentication but not for the other. Is this possible?
