AWS mTLS access to load balanced EC2 cluster

0 votes
I have a cluster of private EC2 instances serving http requests behind a public ALB. https termination happens on the ALB, with authentication on the EC2 instances. I want to move authentication to the ALB, ideally via mTLS. But ALB does not support mTLS. From some initial reading, it sounds like API Gateway can replace load balancing/firewall functions of the ALB in this design, while also supporting mTLS? Is that correct?

If so, I wonder what would be the best way to implement sticky sessions, which seem not supported by API Gateway, but needed by my app. I guess client request could initially target an API served by any instance, but then subsequent requests would target API unique to the instance that replied?

Are there other drawbacks to API Gateway, other than higher cost at high volume? Is there a better approach to this problem?
Feb 16, 2023 in AWS by sarit
• 1,830 points

1 answer to this question.

0 votes

Yes, you are correct that API Gateway can replace the load balancing and firewall functions of the ALB, and it does support mTLS. With API Gateway, you can enable mTLS to authenticate client certificates, and you can also configure it to pass the client certificate information to your backend EC2 instances. This would allow you to move the authentication to the API Gateway and implement mTLS.

Regarding sticky sessions, you are right that API Gateway does not support sticky sessions by default. One way to implement sticky sessions in this scenario is to have the backend EC2 instances generate a unique identifier when they receive the initial request from the client. This identifier can be included in the response to the client, and subsequent requests from the client can include this identifier as a header. The API Gateway can then use this identifier to route the request to the same EC2 instance that served the initial request.

There are a few drawbacks to using API Gateway. One is the cost, which can be higher than using an ALB, especially at high volume. Additionally, API Gateway may introduce additional latency and overhead compared to a direct connection to the backend EC2 instances. However, these drawbacks may be outweighed by the benefits of using mTLS for authentication and offloading the load balancing and firewall functions to a managed service.

Another approach to this problem is to use a self-managed load balancer that supports mTLS, such as NGINX or HAProxy. This would allow you to terminate TLS and perform mTLS authentication at the load balancer, and then forward the requests to the backend EC2 instances. This approach may provide better performance and lower cost than using API Gateway, but it would also require more management overhead.

Elevate Your Expertise with Microservices Certification!

answered Feb 17, 2023 by anonymous

Related Questions In AWS

+5 votes
2 answers

AWS EC2 Instances are not getting to internet access

Check your VPC settings, whether you are ...READ MORE

answered Oct 16, 2018 in AWS by Omkar
• 69,230 points
0 votes
0 answers

How to specify Ec2 Instance Attributes in a AWS::EMR::Cluster CloudFormation Template?

Very new to AWS and looking at ...READ MORE

Feb 10, 2022 in AWS by Rahul
• 2,080 points
+2 votes
3 answers

Is it possible to ping AWS EC2 instance

1.Go to EC2 Dashboard and click "Running ...READ MORE

answered Nov 13, 2020 in AWS by shivam
• 140 points

edited Nov 13, 2020 by Gitika 20,004 views
0 votes
1 answer
0 votes
1 answer

Using Shapely on AWS Lambda with Python 3

For some reason, the pip install of ...READ MORE

answered Oct 8, 2018 in AWS by Priyaj
• 58,090 points
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP