SSL/TLS Client Certificate Authentication for Resilient Web Server Infrastructure

SSL/TLS Client Certificate Authentication


Question

You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication.

The solution must be resilient.

Which of the following options would you consider for configuring the web server infrastructure? Choose 2 answers from the options below.

Explanations

Answer - A and B.

Option A is correct because the end instance will handle SSL authentication.

The TLS connection does not terminate on the ELB; it passes through the ELB and is decrypted on the backend servers.

Option B is correct because we can use the Web Servers directly along with Route 53, and the ELB can be removed.

Option C is incorrect because client-side certificates are not supported by ELB with HTTPS listeners.

Option D is incorrect because CloudFront does not support client-side certificates.

The SSL/TLS solution requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution also needs to be resilient, which means it must be able to handle failure scenarios without disrupting the service.

Two options that can be considered for configuring the web server infrastructure are:

A. Configure ELB with TCP listeners on TCP/443, and place the Web servers behind it.

This option involves using the Elastic Load Balancer (ELB) to distribute traffic to the web servers. The ELB is configured with TCP listeners on port 443, which is the default HTTPS port. The web servers are placed behind the ELB, which acts as a proxy between the clients and the servers.

One advantage of using ELB is that it provides automatic scaling and high availability. ELB can scale up or down based on the incoming traffic, and it can distribute traffic across multiple instances, making the solution more resilient. However, ELB does not support client certificate authentication directly, which means an additional layer of authentication needs to be added.
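With a TCP/443 passthrough listener the client certificate check has to live on the web server itself, since the ELB only forwards bytes. As an added example that is not part of the original page, this is an nginx server block for such a backend; the file paths, the CA name and the ELB subnet range are placeholders, and the Proxy Protocol lines assume Proxy Protocol has been enabled on the ELB's TCP listener.

```nginx
# Added example (not from the page): backend web server terminating TLS and
# verifying client certificates itself, behind an ELB TCP/443 passthrough.
# Paths, server_name and the ELB subnet are placeholders.
server {
    # proxy_protocol is only correct if Proxy Protocol is enabled on the
    # ELB TCP listener; otherwise remove it together with the real_ip lines.
    listen 443 ssl proxy_protocol;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the handshake fails unless the client presents a
    # certificate chaining to this private CA.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;
    # Reject client certificates that the CA has revoked.
    ssl_crl /etc/nginx/tls/client-ca.crl;

    # Recover the real client address from the Proxy Protocol header;
    # the TCP peer address is otherwise the ELB's private IP.
    set_real_ip_from 10.0.0.0/8;   # placeholder: the ELB's subnet range
    real_ip_header   proxy_protocol;

    location / {
        # Hand the verified identity to the application. The app must
        # accept these headers only from this nginx, never from clients.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Because every web server verifies certificates independently, the CA bundle and CRL must be distributed to all instances behind the listener, and the ELB health check should target the TCP port rather than an HTTPS path it cannot authenticate to.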

B. Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers.

This option involves configuring Elastic IP (EIP) addresses on the web servers, which ensures that the IP addresses remain constant even if the instances are stopped and restarted. The web servers are then placed in a Route53 Record Set, which provides DNS resolution for the web server domain name. Health checks are configured against all web servers to ensure that they are up and running.

One advantage of this option is that it provides a simple and straightforward solution without requiring additional components. However, it may not be as resilient as the first option since there is no automatic scaling or load balancing.

C. Configure ELB with HTTPS listeners, and place the Web servers behind it.

This option is similar to the first option, except that the ELB is configured with HTTPS listeners instead of TCP listeners. This means that the ELB can terminate SSL/TLS connections from the clients, and the web servers do not need to handle SSL/TLS directly.

One advantage of this option is that it simplifies the SSL/TLS configuration on the web servers since they do not need to handle SSL/TLS directly. Additionally, ELB provides automatic scaling and load balancing, making the solution more resilient.

D. Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.

This option involves using CloudFront as a content delivery network to distribute traffic to the web servers. The web servers are configured as the origins for the CloudFront distribution, and custom SSL certificates are used to encrypt the traffic between the clients and the CloudFront edge locations.

One advantage of this option is that it provides a globally distributed solution that can improve performance and reduce latency. Additionally, CloudFront provides automatic scaling and high availability, making the solution more resilient. However, configuring CloudFront can be complex and may require additional resources.

In summary, options A and C are the recommended options for configuring the web server infrastructure since they provide automatic scaling, load balancing, and resilience. Option B may be suitable for simple solutions, but it does not provide automatic scaling or load balancing. Option D may be suitable for global solutions, but it requires additional configuration and resources.