
I’m configuring mutual TLS (mTLS) on multiple Application Load Balancers (ALBs) spread across different AWS regions, and I have a question about the truststore setup.

In AWS, the truststore is typically stored in S3 buckets. To minimize latency and optimize performance, would it be better to deploy a dedicated truststore in several buckets on each region, or is it sufficient to use a single global truststore stored in one region?

I’m concerned about potential performance issues or increased latency if all ALBs across different regions reference a single truststore in one S3 bucket. However, I couldn’t find clear guidance in the AWS documentation regarding performance impacts or best practices for multi-region mTLS setups.

Any insights on whether AWS best practices favor regional truststores over a single global one in this scenario?

2 Answers


  1. Chosen as BEST ANSWER

    Actually, the question doesn't make sense, because it's not possible to associate a TrustStore with a LoadBalancer in a different region. If you try to do it from the AWS console, the TrustStore doesn't appear, and via the API, you get an error message: 'Trust store arn:... not found'.

    So, we are necessarily required to deploy a different TrustStore object for each region where we have an ALB, even if all these TrustStores have the same configuration and point to the same S3 bucket.


  2. [image: screenshot of the linked AWS blog post]

    As you can see there, it's mentioned that the Application Load Balancer (ALB) will import the Certificate Revocation List (CRL) from S3 once and perform all CRL checks locally. This means:

    • No repeated fetching from S3: The ALB doesn’t continuously retrieve the CRL from S3, avoiding repeated latency and associated S3 access costs.

    • No latency impact during client authentication: Since the ALB performs CRL checks locally, there is no added latency during the mTLS handshake process.

    https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-mtls-for-application-load-balancer/
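Putting the two answers together: a trust store is a regional ELBv2 object, so one must be created in every region that has an ALB (all of them may reference the same S3 bundle), and the ALB reads the bundle and CRL from S3 once rather than on every handshake. The script below is an added example, not code from either answer or from AWS: it builds that per-region plan, renders it as `aws elbv2` commands, and checks ARN regions before an attach so a cross-region mismatch is caught locally instead of as the API's "Trust store ... not found". The bucket name, object keys, regions and ARNs are constructed for illustration; the boto3 parameter names and CLI flags are the ones I know from the `elbv2` API.

```python
"""Added example: plan one ALB trust store per region from a single S3 CA bundle.

Not from the original thread. All bucket names, keys, regions and ARNs below
are made up for illustration.
"""
import re
import shlex

# ARN layout: arn:partition:service:region:account:resource
_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):(?P<service>[^:]+):"
    r"(?P<region>[^:]*):(?P<account>[^:]*):(?P<resource>.+)$"
)


def arn_region(arn):
    """Return the region field of an ARN (empty for global services such as S3)."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.group("region")


def check_same_region(alb_arn, trust_store_arn):
    """Refuse to attach a trust store that lives in another region.

    ELBv2 only resolves trust stores in the load balancer's own region, so a
    mismatch here is the case the API otherwise rejects as 'not found'.
    Returns the shared region on success.
    """
    alb_region, ts_region = arn_region(alb_arn), arn_region(trust_store_arn)
    if alb_region != ts_region:
        raise ValueError(
            f"trust store {trust_store_arn} is in {ts_region!r} but the ALB is in "
            f"{alb_region!r}; create a trust store in {alb_region!r} instead"
        )
    return alb_region


def is_attachable(alb_arn, trust_store_arn):
    """Boolean form of check_same_region for use in preflight checks."""
    try:
        check_same_region(alb_arn, trust_store_arn)
        return True
    except ValueError:
        return False


def plan_trust_stores(regions, bucket, bundle_key, crl_key=None,
                      name="client-ca", bundle_version=None):
    """One create call per distinct region, every one reading the same bundle.

    Returns {region: {"create": create_trust_store params,
                      "revocations": add_trust_store_revocations contents or None}}
    using boto3 parameter names, so the dicts can be passed straight to
    elbv2.create_trust_store(**create) if you choose to apply the plan.
    """
    plan = {}
    for region in sorted(set(regions)):
        create = {
            "Name": name,
            "CaCertificatesBundleS3Bucket": bucket,
            "CaCertificatesBundleS3Key": bundle_key,
        }
        if bundle_version:
            create["CaCertificatesBundleS3ObjectVersion"] = bundle_version
        revocations = None
        if crl_key:
            # The CRL is imported once per trust store, i.e. once per region.
            revocations = [{"S3Bucket": bucket, "S3Key": crl_key, "RevocationType": "CRL"}]
        plan[region] = {"create": create, "revocations": revocations}
    return plan


def to_cli(plan):
    """Render the plan as `aws elbv2` commands; two per region when a CRL is set."""
    q = shlex.quote
    lines = []
    for region, step in plan.items():
        c = step["create"]
        cmd = (f"aws elbv2 create-trust-store --region {q(region)} --name {q(c['Name'])}"
               f" --ca-certificates-bundle-s3-bucket {q(c['CaCertificatesBundleS3Bucket'])}"
               f" --ca-certificates-bundle-s3-key {q(c['CaCertificatesBundleS3Key'])}")
        if "CaCertificatesBundleS3ObjectVersion" in c:
            cmd += f" --ca-certificates-bundle-s3-object-version {q(c['CaCertificatesBundleS3ObjectVersion'])}"
        lines.append(cmd)
        if step["revocations"]:
            r = step["revocations"][0]
            # $TRUST_STORE_ARN is the ARN returned by the create call above.
            lines.append(f"aws elbv2 add-trust-store-revocations --region {q(region)}"
                         f' --trust-store-arn "$TRUST_STORE_ARN" --revocation-contents '
                         f"S3Bucket={r['S3Bucket']},S3Key={r['S3Key']},RevocationType=CRL")
    return lines


if __name__ == "__main__":
    # Constructed input: two regions (one repeated) sharing a single bundle and CRL.
    plan = plan_trust_stores(["us-east-1", "eu-west-1", "us-east-1"],
                             "example-ca-bundles", "client-ca.pem", crl_key="client-ca.crl")
    print("\n".join(to_cli(plan)))
    alb = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188"
    ts_wrong = "arn:aws:elasticloadbalancing:us-east-1:123456789012:truststore/client-ca/0123456789abcdef"
    print("attachable:", is_attachable(alb, ts_wrong))  # False: wrong region
```

Once a trust store exists in the ALB's region, the listener is switched on with `aws elbv2 modify-listener --listener-arn ... --mutual-authentication Mode=verify,TrustStoreArn=...`. Because every region holds its own copy of the bundle and CRL, a rotated CRL has to be re-added to each regional trust store; keeping the plan in code makes that a loop rather than a manual per-console step.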
