1. What is the process for configuring mutual authentication for an Application Load Balancer in TypeScript?


    Mutual authentication with a Load Balancer in the context of cloud providers typically refers to an Application Load Balancer (ALB) where clients and the server perform mutual TLS (mTLS) verification. This process ensures that both the client and the server can verify each other's identities.

    In AWS, for example, configuring an Application Load Balancer to use mTLS involves:

    1. Setting up an HTTPS listener with a default certificate.
    2. Enabling client authentication (mutual TLS) at the listener level.
    3. Providing the CA certificate that will be used to authenticate clients.

    Below is an example of how you might set up a mutual-TLS-enabled Application Load Balancer in AWS using Pulumi's AWSX package, a higher-level abstraction that simplifies resource creation in AWS. We'll use the awsx.lb.ApplicationLoadBalancer and aws.alb.Listener resources to define an HTTPS listener and attach a client CA certificate for mTLS.

    import * as pulumi from '@pulumi/pulumi';
    import * as aws from '@pulumi/aws';
    import * as awsx from '@pulumi/awsx';

    // LoadBalancer with mutual TLS (mTLS) authentication
    const loadBalancer = new awsx.lb.ApplicationLoadBalancer('my-loadbalancer', {
        // Specify additional properties for your load balancer here
    });

    // Note: The certificate that the ALB presents and the certificate authority (CA)
    // certificate used to authenticate clients should already exist.
    const clientCACertificateArn = 'arn:aws:acm:region:account-id:certificate/ca-certificate-id'; // ARN of the CA certificate

    const httpsListener = new aws.alb.Listener('https-listener', {
        loadBalancerArn: loadBalancer.loadBalancer.arn,
        protocol: 'HTTPS',
        port: 443,
        sslPolicy: 'ELBSecurityPolicy-TLS-1-2-2017-01', // Use an SSL policy that supports your required security level
        certificateArn: 'arn:aws:acm:region:account-id:certificate/certificate-id', // ARN of the ALB's server certificate
        defaultActions: [{
            type: 'forward',
            targetGroupArn: loadBalancer.defaultTargetGroup.arn, // Forward to the default target group
        }],
    }, { dependsOn: [loadBalancer] });

    // Attach a client SSL certificate to the listener for mutual TLS
    const clientCert = new aws.alb.ListenerCertificate('client-cert', {
        listenerArn: httpsListener.arn,
        certificateArn: clientCACertificateArn, // ARN of the CA certificate used to verify client certificates
    });

    // Output the DNS name of the load balancer to access your application
    export const applicationUrl = loadBalancer.loadBalancer.dnsName;

    In this program:

    • We first create an Application Load Balancer using the awsx.lb.ApplicationLoadBalancer class.
    • We configure an HTTPS listener attached to the load balancer through the aws.alb.Listener class. This listener specifies the protocol, port, SSL policy, and the default action to forward requests to the default target group.
    • We add to the listener a client SSL certificate sourced from AWS Certificate Manager (ACM) using the ListenerCertificate resource, which is important for setting up mTLS. The CA certificate's ARN must be provided, which AWS uses to validate client certificates.

    Remember, before running this code, you must have the server certificate and the client CA certificate registered in AWS Certificate Manager for the ARNs provided in the code.

    Please note that the detailed configuration for mTLS, like handling cipher suites and advanced SSL configurations, depends on the capabilities of the cloud provider's load balancing service and is typically set at the listener level. Always refer to the cloud provider's documentation for specifics on mTLS configurations.