I have a cluster of private EC2 instances serving HTTP requests behind a public ALB. HTTPS termination happens on the ALB, with authentication on the EC2 instances. I want to move authentication to the ALB, ideally via mTLS. But ALB does not support mTLS. From some initial reading, it sounds like API Gateway can replace the load balancing/firewall functions of the ALB in this design, while also supporting mTLS? Is that correct?
If so, I wonder what would be the best way to implement sticky sessions, which seem not to be supported by API Gateway, but are needed by my app. I guess a client request could initially target an API served by any instance, but subsequent requests would then target an API unique to the instance that replied?
Are there other drawbacks to API Gateway, other than higher cost at high volume? Is there a better approach to this problem?
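The application-level stickiness sketched in the question (first request lands on any instance, later requests are pinned to the instance that answered) can be modelled in a few dozen lines. The following is an added illustration, not code from the question or from AWS; it assumes a front door that forwards on an `x-affinity` header, an HMAC key shared between the front door and the instances, and three constructed instance ids. The HMAC tag matters: without it a client could point itself at any backend it names, so the token is authenticated and an invalid or stale token simply falls back to normal load balancing.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample: three backend instance ids behind the front door.
INSTANCES = ["i-aaa", "i-bbb", "i-ccc"]
# Assumption: a secret shared by the front door and the instances (generated per run here).
AFFINITY_KEY = secrets.token_bytes(32)


def mint_affinity_token(instance_id: str) -> str:
    """Return '<instance>.<hmac>' so a client can be pinned to one backend but cannot forge a pin."""
    tag = hmac.new(AFFINITY_KEY, instance_id.encode(), hashlib.sha256).hexdigest()
    return f"{instance_id}.{tag}"


def parse_affinity_token(token: str):
    """Return the pinned instance id, or None if the token is malformed, forged, or names an unknown instance."""
    if "." not in token:
        return None
    instance_id, tag = token.rsplit(".", 1)
    expected = hmac.new(AFFINITY_KEY, instance_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or instance_id not in INSTANCES:
        return None
    return instance_id


class FrontDoor:
    """Stand-in for the gateway: no native sticky sessions, just header-based routing."""

    def __init__(self, instances, rng=None):
        self.instances = list(instances)
        self.rng = rng or random.Random()
        # Per-instance session state that is NOT shared across instances (the reason stickiness is needed).
        self.backends = {i: {} for i in self.instances}

    def route(self, headers: dict) -> dict:
        pinned = parse_affinity_token(headers.get("x-affinity", ""))
        instance = pinned or self.rng.choice(self.instances)  # fall back to load balancing
        return self._handle(instance, headers)

    def _handle(self, instance: str, headers: dict) -> dict:
        state = self.backends[instance]
        session = headers.get("session")
        state[session] = state.get(session, 0) + 1
        # The instance answers with a token naming itself; the client echoes it on later requests.
        return {"instance": instance, "count": state[session], "x-affinity": mint_affinity_token(instance)}


class Client:
    def __init__(self, front: FrontDoor, session: str):
        self.front, self.session, self.token = front, session, ""

    def request(self) -> dict:
        resp = self.front.route({"session": self.session, "x-affinity": self.token})
        self.token = resp["x-affinity"]  # remember the pin for the next request
        return resp


def run_demo(n: int = 6, seed: int = 7) -> list:
    """Send n requests from one client; returns the instance id that served each request."""
    front = FrontDoor(INSTANCES, rng=random.Random(seed))
    client = Client(front, session="sess-1")
    return [client.request()["instance"] for _ in range(n)]


if __name__ == "__main__":
    print(run_demo())  # all entries are the same instance id
```

In a real deployment the instance-specific target could equally be a path prefix or a separate route per instance, but the same rule applies: whatever the client presents to select a backend must be authenticated by the server side, and the front door must still treat a missing or invalid pin as an ordinary balanced request.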