
Is it possible to do an AWS NLB HTTPS health check using mTLS?

I tried setting up a TLS listener, loaded my cert, and set up a TLS target group with an HTTPS health check, but the health checks are still failing despite the cert being loaded on the NLB.

2 Answers


I don't think so; an NLB operates at Layer 4, whereas TLS operates a level higher. I believe you can only do TCP/UDP health checks ("is it reachable").

shearn89

This has not been true for a while now. NLB supports both TCP connection health checks and HTTP plaintext and HTTP TLS health checks with a configurable health endpoint.

  • NLB does not use security groups, so you need to add the NLB or VPC subnets directly to the EC2 security groups, as well as whitelist the actual client IP address. The TLS health check does not do cert validation, so using self-signed certs will work just fine. As long as the target group health check config specifies TLS and not TCP, it should work fine. – user1028195 Jun 12 '23 at 17:40
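The two points from the answer and comment above (health check protocol must be HTTPS rather than TCP, and the instance security group must admit the NLB's subnets because the NLB carries no security group) as an added checker; this is example code written here, not from the answerers or from AWS. It assumes input dicts shaped like boto3's describe_target_groups / describe_security_groups output, and all sample values are constructed.

```python
import ipaddress

def health_check_port(tg: dict) -> int:
    """Resolve the health check port; 'traffic-port' means the target group port."""
    hc = tg.get("HealthCheckPort", "traffic-port")
    return int(tg["Port"]) if hc == "traffic-port" else int(hc)

def health_check_findings(tg: dict) -> list:
    """Problems that stop the NLB probe from exercising an HTTPS health endpoint."""
    findings = []
    if tg.get("Protocol") != "TLS":
        findings.append(f"Protocol is {tg.get('Protocol')}: use TLS behind a TLS listener")
    proto = tg.get("HealthCheckProtocol", "TCP")
    if proto == "TCP":
        findings.append("HealthCheckProtocol is TCP: only reachability is tested; set HTTPS")
    elif proto in ("HTTP", "HTTPS") and not tg.get("HealthCheckPath", "/").startswith("/"):
        findings.append("HealthCheckPath must start with '/'")
    return findings

def uncovered_subnets(ingress: list, nlb_subnet_cidrs: list, port: int) -> list:
    """NLB subnet CIDRs that no security group ingress rule admits on the given port."""
    missing = []
    for cidr in nlb_subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        covered = False
        for rule in ingress:
            if rule.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # "-1" omits ports
            if not lo <= port <= hi:
                continue
            for rng in rule.get("IpRanges", []):
                allowed = ipaddress.ip_network(rng["CidrIp"])
                if allowed.version == net.version and net.subnet_of(allowed):
                    covered = True
        if not covered:
            missing.append(cidr)
    return missing

# Constructed sample data shaped like boto3 describe_* output (not from a real account).
SAMPLE_TG = {"TargetGroupName": "example-tls-tg", "Protocol": "TLS", "Port": 443,
             "HealthCheckProtocol": "TCP", "HealthCheckPort": "traffic-port"}
SAMPLE_INGRESS = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                   "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]
NLB_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]

if __name__ == "__main__":
    for f in health_check_findings(SAMPLE_TG):
        print("target group:", f)
    for cidr in uncovered_subnets(SAMPLE_INGRESS, NLB_SUBNETS, health_check_port(SAMPLE_TG)):
        print("security group blocks health checks from", cidr)
```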