- Knowledge Base
- Amazon Web Services
- Elastic Load Balancing V2
- Enable TLS ALPN Policy for Network Load Balancers
Ensure that your Amazon Network Load Balancers (NLBs) are configured to use ALPN policies for the TLS listeners. Application-Layer Protocol Negotiation (ALPN) is a TLS extension supported by all major web browsers, that enables the application layer to negotiate which protocols should be used over a secure connection, such as HTTP/2.
Security With Application-Layer Protocol Negotiation (ALPN) policies, you can offload your application's TLS HTTP/2 traffic encryption/decryption process to your Network Load Balancer (NLB), improving your service security posture and reducing operational complexity.
Note: ALPN policies can be applied only when forwarding requests to TLS target groups.
Audit
To determine if your Network Load Balancers (NLBs) are configured to use TLS ALPN policies, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers available in the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the load balancer listeners.
07 Select the TLS : 443 listener and choose Edit to access the TLS listener configuration.
08 In the Listener details section, check the name of the policy selected for ALPN Policy. If there is no TLS ALPN policy configured for the selected listener and the ALPN Policy is set to None, the selected Network Load Balancer (NLB) is not configured to use a TLS ALPN policy.
10 Repeat steps no. 5 – 8 for each Network Load Balancer available within the current region.
11 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Network Load Balancers available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'
02 The command output should return an array with the requested NLB ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd", "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internal-load-balancer/abcd1234abcd1234" ]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the Network Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the name of the ALPN policy configured for the TLS listener(s) associated with the selected load balancer:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd --query 'Listeners[?(Protocol == `TLS`)].AlpnPolicy | []'
04 The command output should return the name of the configured TLS ALPN policy:
[]
If the describe-listeners command output returns an empty array (i.e. []), as shown in the example above, the selected Network Load Balancer (NLB) is not configured to use a TLS ALPN policy.
05 Repeat steps no. 3 and 4 for each Network Load Balancer available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Remediation / Resolution
Application-Layer Protocol Negotiation (ALPN) is a TLS extension that includes the protocol negotiation within the exchange of hello messages. To update your Network Load Balancer listeners configuration in order to implement TLS ALPN policies, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"NetworkLoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": "cc-net-load-balancer",
"Type": "network",
"Scheme": "internet-facing",
"IpAddressType": "ipv4",
"SubnetMappings": [
{
"SubnetId": "subnet-01234abcd1234abcd"
},
{
"SubnetId": "subnet-0abcd1234abcd1234"
}
]
}
},
"LoadBalancerTargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"Name": "cc-net-target-group",
"VpcId": "vpc-01234abcd1234abcd",
"Protocol": "TLS"
}
},
"LoadBalancerListener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"Protocol": "TLS",
"LoadBalancerArn": {
"Ref": "NetworkLoadBalancer"
},
"Certificates": [
{
"CertificateArn": "arn:aws:iam::123412341234:server-certificate/domain.com"
}
],
"DefaultActions": [
{
"Type": "forward",
"TargetGroupArn": {
"Ref": "LoadBalancerTargetGroup"
}
}
],
"AlpnPolicy" : ["HTTP2Preferred"]
}
}
}
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: NetworkLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: cc-net-load-balancer Type: network Scheme: internet-facing IpAddressType: ipv4 SubnetMappings: - SubnetId: subnet-01234abcd1234abcd - SubnetId: subnet-0abcd1234abcd1234 LoadBalancerTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: cc-net-target-group VpcId: vpc-01234abcd1234abcd Protocol: TLS LoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: Protocol: TLS LoadBalancerArn: !Ref 'NetworkLoadBalancer' Certificates: - CertificateArn: arn:aws:iam::123412341234:server-certificate/domain.com DefaultActions: - Type: forward TargetGroupArn: !Ref 'LoadBalancerTargetGroup' AlpnPolicy: - HTTP2Preferred
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
profile = "default"
region = "us-east-1"
}
resource "aws_lb" "network-load-balancer" {
name = "cc-net-load-balancer"
load_balancer_type = "network"
internal = false
ip_address_type = "ipv4"
subnet_mapping {
subnet_id = "subnet-01234abcd1234abcd"
}
subnet_mapping {
subnet_id = "subnet-0abcd1234abcd1234"
}
}
resource "aws_lb_target_group" "load-balancer-target-group" {
name = "cc-net-target-group"
vpc_id = "vpc-01234abcd1234abcd"
protocol = "TLS"
}
resource "aws_lb_listener" "load-balancer-listener" {
protocol = "TLS"
certificate_arn = "arn:aws:iam::123412341234:server-certificate/domain.com"
load_balancer_arn = aws_lb.network-load-balancer.arn
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.load-balancer-target-group.arn
}
alpn_policy = "HTTP2Preferred"
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers available in the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the load balancer listeners.
07 Select the TLS : 443 listener and choose Edit to access the TLS listener configuration.
08 On the Edit listener configuration page, perform the following actions:
- Select HTTP2Preferred from the ALPN Policy dropdown list. The HTTP2Preferred policy is suitable when HTTP/2 connections are preferred but allows failing back to HTTP/1. If you need to test your load balancer using HTTP/2, choose the HTTP2Optional policy. If you need to configure your load balancer to negotiate only HTTP/2, choose the HTTP2Only ALPN policy.
- To ensure that the selected ALPN policy takes effect, the action configured for the Default action, must forward to a TLS target group.
- Choose Save changes to apply the changes and attach the selected TLS ALPN policy to the selected Network Load Balancer (NLB).
09 Repeat steps no. 5 – 8 for each Network Load Balancer that you want to reconfigure, available within the current AWS region.
10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run describe-listeners command (OSX/Linux/UNIX) with custom query filters to describe the ARN of the TLS listener associated with the Network Load Balancer that you want to reconfigure:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd --query 'Listeners[?(Protocol == `TLS`)].ListenerArn | []'
02 The command output should return the requested Amazon Resource Name (ARN):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd" ]
03 Run modify-listenercommand (OSX/Linux/UNIX) using the ARN of the TLS listener returned at the previous step as the identifier parameter, to update the listener configuration in order to attach a TLS ALPN policy. The following command example implements the HTTP2Preferred ALPN policy. The HTTP2Preferred ALPN policy is suitable when HTTP/2 connections are preferred but allows to fail back to HTTP/1. If you need to test your load balancer using HTTP/2, choose the HTTP2Optional policy. If you need to negotiate only HTTP/2, choose the HTTP2Only ALPN policy:
aws elbv2 modify-listener --region us-east-1 --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd --alpn-policy HTTP2Preferred
04 The command output should return the configuration information available for the modified TLS listener. To ensure that the selected ALPN policy takes effect, the listener default action must forward to a TLS target group (identified by the "TargetGroupArn"attribute):
{
"Listeners": [
{
"Protocol": "TLS",
"DefaultActions": [
{
"ForwardConfig": {
"TargetGroups": [
{
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-main-target-group/abcd1234abcd1234"
}
]
},
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-main-target-group/abcd1234abcd1234",
"Type": "forward",
"Order": 1
}
],
"SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
"AlpnPolicy": [
"HTTP2Preferred"
],
"Certificates": [
{
"CertificateArn": "arn:aws:iam::123456789012:server-certificate/FrontendSSLCertificate"
}
],
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd",
"Port": 443,
"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd"
}
]
}
05 Repeat steps no. 1 – 4 for each Network Load Balancer that you want to reconfigure, available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
References
- AWS Documentation
- Elastic Load Balancing FAQs
- Listeners for your Network Load Balancers
- TLS listeners for your Network Load Balancer
- AWS Command Line Interface (CLI) Documentation
- describe-load-balancers
- describe-listeners
- modify-listener
Related ELBv2 rules
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Enable TLS ALPN Policy for Network Load Balancers
Risk Level: Medium