Posted On: Apr 25, 2024

Application Load Balancer (ALB) now supports Mutual TLS, which lets you authenticate clients while establishing TLS-encrypted connections.

Mutual TLS for ALB provides two different options for validating your X.509 client certificates. In Mutual TLS passthrough mode, ALB sends the entire client certificate chain to the target in HTTP headers, so you implement the relevant authentication and authorization logic in your application. Alternatively, in Mutual TLS verify mode, you offload X.509 client certificate authentication to the ALB while it negotiates the TLS connection. You can authenticate clients from any third-party Certificate Authority (CA). You can also optionally enable revocation checks to restrict access for compromised client certificates.

You can get started by configuring Mutual TLS on ALB using Amazon Web Services APIs or the Amazon Web Services Management Console. For passthrough mode, configure the listener to accept any certificate(s) from the client. For verify mode, create a new Trust Store (TS) resource, upload your CA bundle and revocation lists, and attach the TS to the listener that is configured to verify client certificates.
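The following is an added example of the target-side logic a passthrough-mode deployment needs; it is not AWS code. It assumes the ALB header names documented for Mutual TLS (`X-Amzn-Mtls-Clientcert`, `X-Amzn-Mtls-Clientcert-Subject`), a leaf-first chain order and a comma-separated subject format, and uses constructed placeholder certificates.

```python
# Added example (not AWS code): target-side handling for ALB Mutual TLS
# passthrough mode. The ALB forwards the client certificate chain in HTTP
# headers without validating it, so the application must authenticate and
# authorize the client itself. Header names follow the ALB documentation;
# chain order (leaf first) and subject format are assumptions. Certificate
# bodies below are constructed placeholders, not real certificates.
import re
from urllib.parse import quote, unquote

CERT_HEADER = "X-Amzn-Mtls-Clientcert"             # URL-encoded PEM chain
SUBJECT_HEADER = "X-Amzn-Mtls-Clientcert-Subject"  # e.g. "CN=...,OU=...,O=..."
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_chain(header_value):
    """URL-decode the header and return each PEM block in the order sent."""
    return PEM_RE.findall(unquote(header_value))


def subject_cn(subject):
    """Pull the CN out of a comma-separated RDN string (assumed format)."""
    rdns = dict(p.strip().split("=", 1) for p in subject.split(",") if "=" in p)
    return rdns.get("CN")


def authorize(headers, allowed_cns, from_alb):
    """Return (allowed, reason) for one request.

    from_alb must be established by the application itself (for example, the
    target only accepts traffic from the ALB's security group). The mTLS headers
    are ordinary HTTP headers: a client that can reach the target directly could
    set them, so they are only meaningful on traffic that came through the ALB.
    """
    if not from_alb:
        return False, "not from ALB; mTLS headers ignored"
    chain = split_chain(headers.get(CERT_HEADER, ""))
    if not chain:
        return False, "no client certificate"
    # A production handler validates chain[0] against its CA bundle and checks
    # revocation here; in passthrough mode the ALB does neither.
    cn = subject_cn(headers.get(SUBJECT_HEADER, ""))
    if cn not in allowed_cns:
        return False, f"subject CN {cn!r} not allowed"
    return True, f"client {cn} authenticated with {len(chain)}-cert chain"


# Constructed sample: two placeholder PEM blocks, URL-encoded as the ALB sends them.
_PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----"
SAMPLE_HEADERS = {
    CERT_HEADER: quote("\n".join([_PEM.format("LEAFPLACEHOLDER"), _PEM.format("CAPLACEHOLDER")])),
    SUBJECT_HEADER: "CN=device-42,OU=fleet,O=Example",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_HEADERS, {"device-42"}, from_alb=True))
```

The `from_alb` check is the part most often forgotten: restricting the target's inbound rules to the ALB is what makes the forwarded headers trustworthy.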

Mutual TLS is available for ALBs in the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD. To learn more, refer to the Amazon Web Services News Blog and the ALB documentation. For details on pricing, explore the Pricing page.