Posted On: Nov 26, 2023

Application Load Balancer (ALB) now supports Mutual TLS, enabling you to authenticate clients while establishing TLS-encrypted connections.

Mutual TLS for ALB provides two options for validating X.509 client certificates. In passthrough mode, the ALB forwards the entire client certificate chain to the target in HTTP headers, and you implement the authentication and authorization logic in your application. In verify mode, you offload X.509 client certificate authentication to the ALB, which performs it while negotiating the TLS connection. You can authenticate clients holding certificates from any third-party Certificate Authority (CA) or from AWS Private Certificate Authority (PCA). You can also optionally enable revocation checks to restrict access for compromised client certificates.

You can get started by configuring Mutual TLS on an ALB using the AWS APIs or the AWS Management Console. For passthrough mode, configure the listener to accept any certificate(s) from the client. For verify mode, create a new Trust Store (TS) resource, upload your CA bundle and revocation lists to it, and attach the TS to the listener that is configured to verify client certificates.
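In passthrough mode the validation work described above lands in your application, so here is an added example (not code from the announcement or from AWS) of what that target-side check looks like in Go: it decodes the forwarded chain, validates it against the CA bundle, rejects revoked serial numbers and extracts the client identity for authorization. The header encoding (URL-encoded PEM, leaf first) and the CA and client certificates are assumptions and constructed sample data; check the ALB documentation for the exact header names and format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// VerifyClientChain is the target-side check for passthrough mode: the header value (assumed URL-encoded PEM,
// leaf first) is validated against the trusted roots, revoked serials are rejected and the client CN returned.
func VerifyClientChain(header string, roots *x509.CertPool, revoked map[string]bool) (string, error) {
	raw, err := url.QueryUnescape(header)
	if err != nil { return "", err }
	leaf, inter := (*x509.Certificate)(nil), x509.NewCertPool() // first cert is the leaf, the rest intermediates
	for block, rest := pem.Decode([]byte(raw)); block != nil; block, rest = pem.Decode(rest) {
		if c, perr := x509.ParseCertificate(block.Bytes); perr != nil { return "", perr } else if leaf == nil { leaf = c } else { inter.AddCert(c) }
	}
	if leaf == nil { return "", fmt.Errorf("no client certificate in header") }
	if revoked[leaf.SerialNumber.String()] { return "", fmt.Errorf("client certificate %s revoked", leaf.SerialNumber) } // stand-in for a CRL lookup
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return "", err }
	return leaf.Subject.CommonName, nil
}

// SampleRequest builds constructed sample data: a throwaway CA (the CA bundle), a client cert it issued, and the forwarded header.
func SampleRequest() (header string, roots *x509.CertPool, serial string) {
	toPEM := func(der []byte, e error) []byte { if e != nil { panic(e) }; return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, clKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-client-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	clTpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "device-007"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caPEM := toPEM(x509.CreateCertificate(rand.Reader, caTpl, caTpl, caKey.Public(), caKey))
	clPEM := toPEM(x509.CreateCertificate(rand.Reader, clTpl, caTpl, clKey.Public(), caKey))
	roots = x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	return url.QueryEscape(string(clPEM) + string(caPEM)), roots, clTpl.SerialNumber.String() // leaf first, then its CA
}

func main() {
	header, roots, serial := SampleRequest()
	fmt.Println(VerifyClientChain(header, roots, nil))                          // device-007 <nil>
	fmt.Println(VerifyClientChain(header, roots, map[string]bool{serial: true})) // "" client certificate 42 revoked
}
```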

Mutual TLS is available for ALBs in all commercial AWS Regions and the AWS GovCloud (US) Regions. To learn more, refer to the AWS News Blog and the ALB documentation. For details on pricing, see the pricing page.