
Introducing mTLS for Application Load Balancer

Networking & Content Delivery Blog



This article introduces a new feature of the AWS Application Load Balancer (ALB) that enables mutual TLS (mTLS) authentication between clients and the ALB. It explains the concepts behind mTLS and how it strengthens security by requiring both the client and the server to authenticate each other with X.509 certificates.

Specifically, the article covers:

  • mTLS concepts: Certificate Authority, TLS certificates, the certificate chain of trust, the TLS handshake, and Certificate Revocation Lists (CRLs)
  • The two mTLS modes of operation on ALB:
    • mTLS verify mode: ALB validates client certificates against a configured trust store and either allows or blocks each request
    • mTLS passthrough mode: ALB forwards the client certificate chain to the backend targets, which perform the authentication themselves
  • Monitoring mTLS on ALB with CloudWatch metrics
  • A comparison of ALB's mTLS modes with mTLS on Network Load Balancer (NLB)
  • A conclusion highlighting the use cases for each mTLS mode and the pricing considerations



Related articles

  • Mar 14, 2024: Application Load Balancer enables configuring HTTP client keepalive duration
  • Feb 1, 2024: Enabling mTLS with ALB in Amazon EKS
  • Nov 20, 2025: Drive application performance with Application Load Balancer Target Optimizer
  • Feb 13, 2025: Exploring new subnet management capabilities of Network Load Balancer
