Enabling mTLS with ACM Private CA in AWS App Mesh


Incorporating mutual Transport Layer Security (mTLS) within service meshes like AWS App Mesh adds an essential layer of protection for east-west traffic, enhancing security beyond just perimeter controls. mTLS facilitates bidirectional peer authentication, which contrasts with the standard one-way authentication found in typical TLS setups. By introducing a client-side certificate during the TLS handshake, the client can demonstrate possession of the associated private key to the server, allowing the server to verify the client’s identity. This mechanism effectively prevents unauthorized clients from connecting to an App Mesh service, as they lack a valid certificate.

In this article, we will explore the process of enabling mTLS in App Mesh using certificates generated from AWS Certificate Manager Private Certificate Authority (ACM Private CA). Additionally, we will demonstrate how to leverage AWS CloudFormation templates, provided through a related open-source initiative, to configure both App Mesh and ACM Private CA.

The journey begins with deriving server-side certificates from ACM Private CA for internal use within App Mesh, utilizing the seamless integration between these two services. We will then outline a method, accompanied by code, for installing client-side certificates issued from ACM Private CA into App Mesh, as client-side certificates lack native integration.

You will learn how to use AWS Lambda to export a client-side certificate from ACM Private CA, storing it securely in AWS Secrets Manager. Following this, Envoy proxies in App Mesh will be shown retrieving the certificate from Secrets Manager to employ it in an mTLS handshake. This solution is meticulously crafted to maintain the confidentiality of the private key of the client-side certificate, both in transit and at rest, as it navigates from ACM to Envoy.

The approach discussed here both simplifies and automates the configuration and operation of mTLS-enabled App Mesh deployments. All certificates derive from a single managed private public key infrastructure (PKI) service—ACM Private CA—so you do not have to establish and maintain your own private PKI. Although this solution is designed to run on Amazon Elastic Container Service (Amazon ECS) with AWS Fargate as the hosting environment for App Mesh, the same principles apply to any compute environment App Mesh supports.

Overview of the Solution

ACM Private CA offers a robust, managed private PKI service, enabling the creation of private CA hierarchies, including both root and subordinate CAs, without the associated costs of running your own private PKI service. It provides flexible options for CA key algorithms and sizes, facilitating the export and deployment of private certificates through API-based automation.

App Mesh serves as a service mesh that standardizes application-level networking across diverse compute infrastructures. It enhances the communication between microservices, offering end-to-end visibility while ensuring secure transport and high application availability. To enable secure communication between mesh endpoints, App Mesh directs the Envoy proxy instances operating within the mesh to utilize either one-way or mutual TLS.

TLS establishes authentication, privacy, and data integrity between two communicating endpoints, with the PKI system governing authentication in TLS communications. The PKI allows certificate authorities to issue certificates enabling clients and servers to authenticate their identities. During the TLS handshake protocol, certificates are exchanged to verify identities. By default, the handshake ensures server identity verification to the client using X.509 certificates, while client verification remains at the application layer—this is known as one-way TLS. However, mTLS supports two-way authentication, requiring both server and client certificates during the handshake.

Example Application

The upcoming sections will illustrate both one-way and mutual TLS integrations between App Mesh and ACM Private CA through an example application. This application exposes an API to external clients, returning a color name, for instance, “blue.” It expands on the Color App used to showcase various existing App Mesh examples.

This example application consists of two services within App Mesh: ColorGateway and ColorTeller. External client requests enter the mesh via the ColorGateway service, which proxies the requests to the ColorTeller service. The ColorTeller service responds to the ColorGateway with a color name, which is then relayed to the external client. Figure 1 provides a structural overview of the application.

The two services correspond to the following App Mesh constructs:

  • ColorGateway: This service is represented as a Virtual Gateway, enabling external resources to communicate with internal mesh resources. The virtual gateway symbolizes an Envoy proxy running as an Amazon ECS service, acting as a TLS client that initiates TLS connections to the Envoy proxy in the ColorTeller service.
  • ColorTeller: This service is represented as a Virtual Node, serving as a logical reference to a specific task group. The ColorTeller virtual node operates as another Amazon ECS service, hosting two tasks: an Envoy proxy instance and a ColorTeller application instance. Here, the Envoy proxy acts as a TLS server, accepting inbound TLS connections from ColorGateway.

We recommend first running the example application in one-way TLS mode before enabling mTLS. Having both configurations to compare lets you use the Envoy proxy statistics to tell the two kinds of connection apart and to verify that mTLS is actually in effect.

You can deploy the sample application project within your AWS account and execute the steps outlined here in your own testing environment. Note that both the one-way TLS and mTLS descriptions in the following sections use a flat certificate hierarchy for demonstration. Although ACM Private CA best practices advocate that root CAs issue certificates only to intermediate CAs, the mechanisms described here apply unchanged to a deeper hierarchy.

One-Way TLS in App Mesh Using ACM Private CA

In a one-way TLS authentication scenario, only one Private CA—ColorTeller—is necessary, from which you will issue a single end-entity certificate to serve as the server-side certificate for the ColorTeller virtual node. Figure 2 illustrates the architecture for this setup, showcasing the configuration process and how the system operates. Since this architecture utilizes only a server-side certificate, the native integration between App Mesh and ACM Private CA allows for seamless implementation without needing an external certificate integration mechanism.
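The wiring for this one-way TLS setup, as an added CloudFormation example (not the page's own template or the related open-source project's code): the ColorTeller virtual node's listener takes its server certificate directly from ACM by ARN, and the ColorGateway virtual gateway's client policy trusts the ColorTeller Private CA by its ACM Private CA ARN. The mesh name parameter, the `colorapp.local` Cloud Map namespace, port 9080 and all ARNs are placeholders assumed for illustration.

```yaml
# Added example, not the project's own template. Mesh name, namespace, ports and ARNs are placeholders.
Resources:
  ColorTellerVirtualNode:
    Type: AWS::AppMesh::VirtualNode
    Properties:
      MeshName: !Ref MeshName              # placeholder parameter holding the App Mesh mesh name
      VirtualNodeName: colorteller-vn
      Spec:
        Listeners:
          - PortMapping:
              Port: 9080
              Protocol: http
            TLS:
              # STRICT: the Envoy in front of ColorTeller refuses plaintext connections
              Mode: STRICT
              Certificate:
                ACM:
                  # Server-side end-entity certificate issued by the ColorTeller Private CA.
                  # Envoy obtains it (and its private key) from ACM at runtime, so nothing
                  # has to be baked into the task definition or container image.
                  CertificateArn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
        ServiceDiscovery:
          AWSCloudMap:
            NamespaceName: colorapp.local    # placeholder AWS Cloud Map namespace
            ServiceName: colorteller

  ColorGatewayVirtualGateway:
    Type: AWS::AppMesh::VirtualGateway
    Properties:
      MeshName: !Ref MeshName
      VirtualGatewayName: colorgateway-vgw
      Spec:
        Listeners:
          - PortMapping:
              Port: 9080
              Protocol: http
        BackendDefaults:
          ClientPolicy:
            TLS:
              # Enforce: the gateway's Envoy (the TLS client) only speaks TLS to its backends
              Enforce: true
              Validation:
                Trust:
                  ACM:
                    # Only server certificates chaining to this Private CA are accepted,
                    # so the gateway cannot be pointed at an impostor ColorTeller.
                    CertificateAuthorityArns:
                      - arn:aws:acm-pca:REGION:ACCOUNT_ID:certificate-authority/PLACEHOLDER
```

Two things to notice. The virtual node listener carries no `Validation` block, so in this mode the ColorTeller Envoy accepts a TLS connection from any client; authenticating the client is exactly what the mTLS variant adds, and it is the client-side certificate for that step that has no native ACM integration and needs the Lambda and Secrets Manager path described earlier. Second, after deploying, the one-way-TLS baseline the text recommends is visible in the ColorTeller Envoy's listener statistics: the `ssl.handshake` counter on the 9080 listener should increase with each gateway request, which gives you the reference point for comparing against mTLS later.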
