1

I'm configuring mutual TLS (mTLS) on multiple Application Load Balancers (ALBs) spread across different AWS regions, and I have a question about the truststore setup.

In AWS, the truststore is typically stored in S3 buckets. To minimize latency and optimize performance, would it be better to deploy a dedicated truststore in several buckets on each region, or is it sufficient to use a single global truststore stored in one region?

I'm concerned about potential performance issues or increased latency if all ALBs across different regions reference a single truststore in one S3 bucket. However, I couldn't find clear guidance in the AWS documentation regarding performance impacts or best practices for multi-region mTLS setups.

Any insights on whether AWS best practices favor regional truststores over a single global one in this scenario?

2 Answers

3

[Screenshot of the AWS blog post linked below; image not preserved]

As you can see there, it's mentioned that the Application Load Balancer (ALB) will import the Certificate Revocation List (CRL) from S3 once and perform all CRL checks locally. This means:

• No repeated fetching from S3: The ALB doesn’t continuously retrieve the CRL from S3, avoiding repeated latency and associated S3 access costs.

• No latency impact during client authentication: Since the ALB performs CRL checks locally, there is no added latency during the mTLS handshake process.

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-mtls-for-application-load-balancer/

5
  • Many thanks for your answer. However, you're talking about the CRL, but what about the list of Certificate Authorities stored in the trust store? I guess that the same logic applies to it?
    – Orabîg
    Commented Nov 13 at 7:56
  • 1
    Yes, exactly, even for the list of Certificate Authorities: ALB just uploads them the first time from S3, then it does not repeatedly access it for each client connection.
    Commented Nov 13 at 8:02
  • Well, I guess you're actually wrong after all. In fact, it's impossible to attach a TrustStore to a LoadBalancer in a different region (if I try the API call, I get an error: 'Trust store 'arn:...' not found'). So, that answers the question.
    – Orabîg
    Commented Nov 21 at 14:29
  • So, you need to place the Truststore in the different region, but that does not remove the fact that the ALB will not check the bucket each time, and that this doesn't have a problem with latency or performance, rather just with configuration, and that's what I pointed out in my answer. Thanks
    Commented Nov 21 at 14:33
  • True, but that was not my question :) Thanks for these clarifications
    – Orabîg
    Commented Nov 21 at 16:07
0

Actually, the question doesn't make sense, because it's not possible to associate a TrustStore with a LoadBalancer in a different region. If you try to do it from the AWS console, the TrustStore doesn't appear, and via the API, you get an error message: 'Trust store arn:... not found'.

So, we are necessarily required to deploy a different TrustStore object for each region where we have an ALB, even if all these TrustStores have the same configuration and point to the same S3 bucket.
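One way to provision what this answer describes, a separate trust store in every ALB region that all point at the same S3 CA bundle, as an added example that is not part of the original question or answers. It uses the AWS CLI commands `aws elbv2 create-trust-store` and `aws elbv2 modify-listener --mutual-authentication`; the bucket, key, trust store name and listener ARNs are placeholders, and the region check guards against the "Trust store ... not found" error mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post. Creates one ALB trust store per
# region (same S3 bundle everywhere) and enables mTLS "verify" mode on the
# HTTPS listener that lives in that region. Values below are placeholders.
set -eu

CA_BUCKET="my-ca-bundle-bucket"        # placeholder: single bucket, one region
CA_KEY="clients/ca-bundle.pem"         # placeholder: PEM bundle of client CAs
TRUST_STORE_NAME="client-ca-truststore"

# Region field of an AWS ARN (4th colon-separated field).
arn_region() {
  printf '%s' "$1" | cut -d: -f4
}

# Succeeds only when both ARNs are in the same region. A trust store can
# only be attached to a listener in its own region, so check up front.
same_region() {
  [ "$(arn_region "$1")" = "$(arn_region "$2")" ]
}

# Create the trust store in one region and print its ARN (the call fails if
# a trust store with this name already exists in that region).
create_trust_store() {
  aws elbv2 create-trust-store --region "$1" \
    --name "$TRUST_STORE_NAME" \
    --ca-certificates-bundle-s3-bucket "$CA_BUCKET" \
    --ca-certificates-bundle-s3-key "$CA_KEY" \
    --query 'TrustStores[0].TrustStoreArn' --output text
}

# Turn on client certificate verification on a listener using the trust
# store of the listener's own region; refuse a cross-region pair.
attach_trust_store() {
  same_region "$1" "$2" || {
    echo "region mismatch: $1 vs $2" >&2
    return 1
  }
  aws elbv2 modify-listener --region "$(arn_region "$1")" \
    --listener-arn "$1" \
    --mutual-authentication "Mode=verify,TrustStoreArn=$2"
}

# Usage: ./mtls-truststores.sh <listener-arn> [<listener-arn> ...]
if [ "$#" -gt 0 ]; then
  for listener in "$@"; do
    ts="$(create_trust_store "$(arn_region "$listener")")"
    attach_trust_store "$listener" "$ts"
  done
fi
```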
