
I have a passthrough Network Load Balancer forwarding TCP requests to a target group of backend servers on AWS. We require mutual TLS authentication, so all requests require client certificates to be passed for encryption and authentication. However, I am struggling to figure out how I would do health checks to target group servers, as the health checks would also require a client certificate in order to communicate with the backend servers.

Would it be possible to give the NLB a certificate via ACM and update my servers' truststores in order to then do health checks over TLS? I, however, have not been able to find how to import the AWS certificate chain into a truststore. If this would not work, what other methods would be appropriate for my scenario?

minh ly

1 Answer


As far as the AWS documentation is concerned, we can't add client-side certs to the LB, let alone on the fly. TLS listeners are supported, but certificate support there is limited. Reference docs on the TLS LB listeners: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

Yes, it's possible to use an ACM cert with LBs. Reference here: https://aws.amazon.com/premiumsupport/knowledge-center/associate-acm-certificate-alb-nlb/

But again, there's no reference to exporting anything (the public cert) out of ACM.

Hussain Mansoor
  • I believe using TLS listeners is not what I want. My understanding is that the LB will strip off the client certificate if TLS termination occurs at the LB before it re-encrypts and forwards the request. I'll try my idea and get back. The trick will be exporting the certificate chain of trust to the servers' truststore. – minh ly Jan 18 '22 at 12:29
  • If TLS terminates at the LB, then there is no re-encryption step. From the LB onwards everything is HTTP ONLY (in this scenario). – Hussain Mansoor Jan 19 '22 at 07:01
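What each kind of health check actually sees at an mTLS backend, as an added example that is not code from the question, the answer, or AWS. It stands up an in-process backend that, like the servers in the question, refuses any connection without a client certificate issued by its CA, then runs three probes: a TCP probe that models an NLB target-group health check with protocol TCP (AWS documents that check as a TCP connection attempt only), an HTTPS probe with no client certificate that models the NLB's HTTPS health check (which, as the answer notes, cannot be given a client cert), and an HTTPS probe presenting a certificate from the servers' own CA, which is what a health checker the OP controls could do. The throwaway CA, the `backend` and `health-checker` certificates, the 200 response and the 2-second timeouts are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must aborts the demo on a setup error so the probe logic stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a throwaway CA or leaf certificate (parent == nil: self-signed), built in-process so the demo runs offline.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable as a server or client cert, valid for 127.0.0.1
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// startMTLSBackend models the question's backends: a connection without a client cert chaining to pool is rejected at the handshake.
func startMTLSBackend(cert *x509.Certificate, key *ecdsa.PrivateKey, pool *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // only reached after a successful mTLS handshake
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// tcpProbe is what an NLB TCP health check does: complete the TCP handshake and hang up, never reaching TLS.
func tcpProbe(addr string) error {
	c, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return err
	}
	return c.Close()
}

// httpsProbe is an HTTPS health check; certs == nil models a checker (like the NLB's) with no client
// certificate to present. Under TLS 1.3 the backend's rejection surfaces on the first read, i.e. inside the GET.
func httpsProbe(url string, pool *x509.CertPool, certs []tls.Certificate) error {
	cfg := &tls.Config{RootCAs: pool, Certificates: certs}
	client := &http.Client{Timeout: 2 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runScenario reports whether each kind of probe would mark the backend healthy.
func runScenario() (tcpOK, httpsNoCertOK, httpsWithCertOK bool) {
	ca, caKey := mkCert("demo-ca", true, nil, nil)
	srvCert, srvKey := mkCert("backend", false, ca, caKey)
	cliCert, cliKey := mkCert("health-checker", false, ca, caKey)
	pool := x509.NewCertPool() // the trust store both the backend and the checker use
	pool.AddCert(ca)
	srv := startMTLSBackend(srvCert, srvKey, pool)
	defer srv.Close()
	return tcpProbe(srv.Listener.Addr().String()) == nil,
		httpsProbe(srv.URL, pool, nil) == nil,
		httpsProbe(srv.URL, pool, []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}) == nil
}

func main() {
	tcp, noCert, withCert := runScenario()
	fmt.Println("TCP-only:", tcp, "| HTTPS without client cert:", noCert, "| HTTPS with CA-issued cert:", withCert)
}
```

Run it with `go run`; the backend logs each rejected handshake to stderr. The TCP probe reports healthy without ever negotiating TLS, so it is the health check that works unchanged against mTLS backends behind a passthrough listener, at the cost of proving only that the port accepts connections, not that the certificate or the application behind it is healthy. The HTTPS probe without a certificate fails exactly as the question predicts, because the checker has nothing to present. Only the third probe, a checker holding a certificate from the servers' own CA, verifies the TLS layer end to end, which is why the question's closing idea comes down to getting a CA-issued certificate into whatever performs the check rather than into the NLB.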