ALB mTLS support for Targets

Question

We have a use case,
Clients (end users) will be sending TLS connections from the web browser to a reverse proxy server, then the reverse proxy server sends equivalent mTLS requests to the web application server (hosted within EC2). 
I would like to replace, this reverse proxy server with ALB, as there is a new feature of mTLS for ALB released by AWS in November 2023.
Press release at AWS re:invent: https://aws.amazon.com/about-aws/whats-new/2023/11/application-load-balancer-authenticate-x509-certificate-based-identities/

I am able to configure mTLS from clients to ALB; but I can't figure out how to implement this for our use case.
Can anyone please let me know if our use case is currently supported in AWS, if yes could you please show some light on this.

Thank you.

Answer

I haven't tested this but looking at this blog here - https://aws.amazon.com/blogs/aws/mutual-authentication-for-application-load-balancer-to-reliably-verify-certificate-based-client-identities/ - your use case is not supported. Your options are mTLS passthrough where the mTLS auth is happening between origin and client or "verify with trust store" where the mTLS happens between Client and ALB. I don't see any way to configure it to do TLS to ALB and mTLS from ALB to origin.

Given this is a newly supported feature, I would not be surprised to see additional releases in future which may then cover your use case but for now the mTLS options on ALB won't work for your quoted use case.

ALB mTLS support for Targets

相關內容