Posted On: Sep 12, 2019

We are pleased to announce support for multiple TLS certificates on Network Load Balancers using Server Name Indication (SNI). You can now host multiple secure applications, each with its own TLS certificate, on a single load balancer listener. This allows SaaS applications and hosting services to run behind the same load balancer, improving your service security posture, and simplifying management and operations.

Prior to this launch, Network Load Balancers supported only one certificate per TLS listener and you had to use Wildcard or Multi-Domain (SAN) certificates to host multiple secure applications behind the same load balancer. The potential security risks with Wildcard certificates and the operational overhead of managing Multi-Domain certificates presented challenges. With SNI support you can associate multiple certificates with a listener, allowing each secure application behind a load balancer to use its own certificate.

Network Load Balancers also support a smart certificate selection algorithm with SNI. If the hostname indicated by a client matches multiple certificates, the load balancer determines the best certificate to use based on multiple factors including the client TLS capabilities.

SNI is integrated with AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM) for certificate management. You can associate up to 25 certificates to a load balancer in addition to a default certificate per listener.  

To learn more, please visit the TLS certificates section of Network Load Balancer documentation and SNI demo.