MTLS for ECS Service

0

I don't want to use API Gateway or App Mesh for mTLS. How to implement mTLS with a load balancer?

asked 6 months ago, 346 views
2 Answers
0

If you're referring to mutual TLS, then use an NLB with a TCP listener and a target group of your containers. For mTLS support, create a TCP listener instead of a TLS listener. The load balancer passes the request through as is, so you can implement mTLS on the target.

EXPERT
answered 6 months ago
0

You can consider using a TCP -> TCP listener configuration on Network Load Balancer (NLB) or Classic Load Balancer (CLB), and implement the mTLS on the target/backend. With a TCP -> TCP listener configuration, the Elastic Load Balancer is not doing anything with TLS / Layer 7, and is instead simply forwarding packets. This means that no SSL/TLS termination will be offloaded to the ELB and the SSL/TLS negotiation will occur directly between the client and backend instance.

AWS
Medha_C
answered 6 months ago
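Both answers leave mTLS enforcement to the target, so here is an added example (not part of either answer and not AWS code) of the server-side TLS setting a container would need, checked against three clients. Assumptions: a local `httptest` server stands in for the container behind the NLB TCP listener, a pinned self-signed client certificate stands in for a private CA, and the names `selfSigned`, `Probe` and `client.internal` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned makes a throwaway client certificate (constructed test data, valid one hour).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Probe returns what three clients get from the target: trusted cert, no cert, unknown cert.
func Probe() (trusted, noCert, unknown error) {
	good, anchor := selfSigned("client.internal")
	rogue, _ := selfSigned("client.internal") // same name, different key
	pool := x509.NewCertPool()
	pool.AddCert(anchor) // assumption: pinned cert stands in for your private CA
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	// The target-side setting that enforces mTLS: the handshake fails without a verified client cert.
	ts.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ts.StartTLS()
	defer ts.Close()
	get := func(certs ...tls.Certificate) error {
		tr := ts.Client().Transport.(*http.Transport).Clone()
		tr.TLSClientConfig.Certificates = certs
		defer tr.CloseIdleConnections()
		resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return get(good), get(), get(rogue)
}

func main() { fmt.Println(Probe()) }
```

On a real target the same `tls.Config` goes on the container's own listener, with `ClientCAs` loaded from your CA bundle instead of the pinned test certificate.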
