- Enable TLS ALPN Policy for Network Load Balancers
Ensure that your Amazon Network Load Balancers (NLBs) are configured to use ALPN policies for their TLS listeners. Application-Layer Protocol Negotiation (ALPN) is a TLS extension, supported by all major web browsers, that lets the client and server agree during the TLS handshake on which application-layer protocol (for example HTTP/2) will be used over the secure connection.
With Application-Layer Protocol Negotiation (ALPN) policies, you can offload your application's TLS HTTP/2 traffic encryption/decryption process to your Network Load Balancer (NLB), improving your service security posture and reducing operational complexity.
Note: ALPN policies can be applied only when forwarding requests to TLS target groups.
Audit
To determine if your Network Load Balancers (NLBs) are configured to use TLS ALPN policies, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers available in the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the load balancer listeners.
07 Select the TLS : 443 listener and choose Edit to access the TLS listener configuration.
08 In the Listener details section, check the name of the policy selected for ALPN Policy. If there is no TLS ALPN policy configured for the selected listener and the ALPN Policy is set to None, the selected Network Load Balancer (NLB) is not configured to use a TLS ALPN policy.
09 Repeat steps no. 5 – 8 for each Network Load Balancer available within the current region.
10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Network Load Balancers available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[?(Type == `network`)].LoadBalancerArn | []'
02 The command output should return an array with the requested NLB ARN(s):
[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internal-load-balancer/abcd1234abcd1234"
]
03 Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the Network Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the name of the ALPN policy configured for the TLS listener(s) associated with the selected load balancer:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd --query 'Listeners[?(Protocol == `TLS`)].AlpnPolicy | []'
04 The command output should return the name of the configured TLS ALPN policy:
[]
If the describe-listeners command output returns an empty array (i.e. []), as shown in the example above, the selected Network Load Balancer (NLB) is not configured to use a TLS ALPN policy.
05 Repeat steps no. 3 and 4 for each Network Load Balancer available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
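The CLI audit above can be applied offline to saved describe-listeners output. The following Python helper is an added example, not part of the original page: it flags TLS listeners with no ALPN policy and, going one step beyond the page's query, also flags listeners whose policy cannot take effect because the default action forwards to a non-TLS target group. The target-group protocol map and all sample ARNs are constructed here; the ["None"] handling is an assumption about how an explicitly disabled policy is reported.

```python
from typing import Dict, List, Tuple

def audit_tls_listeners(listeners: List[dict],
                        target_group_protocols: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (ListenerArn, finding) for each TLS listener that fails the ALPN check.

    listeners: the "Listeners" list returned by `aws elbv2 describe-listeners`.
    target_group_protocols: target group ARN -> Protocol, as reported by
    `aws elbv2 describe-target-groups` (assumption: the caller collects this map).
    """
    findings: List[Tuple[str, str]] = []
    for lst in listeners:
        if lst.get("Protocol") != "TLS":
            continue  # ALPN policies apply to TLS listeners only
        arn = lst["ListenerArn"]
        alpn = lst.get("AlpnPolicy") or []
        # A missing/empty array is what the page's query returns when no policy is set;
        # ["None"] is assumed to be how an explicitly disabled policy is reported.
        if not alpn or alpn == ["None"]:
            findings.append((arn, "no TLS ALPN policy configured"))
            continue
        # The policy only takes effect when the default action forwards to a TLS target group.
        for action in lst.get("DefaultActions", []):
            if action.get("Type") != "forward":
                continue
            tg_arns = {tg["TargetGroupArn"]
                       for tg in action.get("ForwardConfig", {}).get("TargetGroups", [])}
            if action.get("TargetGroupArn"):
                tg_arns.add(action["TargetGroupArn"])
            for tg_arn in sorted(tg_arns):
                if target_group_protocols.get(tg_arn) != "TLS":
                    findings.append((arn, f"ALPN policy {alpn[0]} is ineffective: "
                                          f"forwards to non-TLS target group {tg_arn}"))
    return findings

# Constructed sample data shaped like the describe-listeners output shown on this page.
_ACCT = "arn:aws:elasticloadbalancing:us-east-1:123456789012"
TLS_TG, TCP_TG = f"{_ACCT}:targetgroup/cc-tls-tg/aaaa1111", f"{_ACCT}:targetgroup/cc-tcp-tg/bbbb2222"
SAMPLE_TARGET_GROUPS = {TLS_TG: "TLS", TCP_TG: "TCP"}
SAMPLE_LISTENERS = [
    {"ListenerArn": f"{_ACCT}:listener/net/nlb-a/1111/aaaa", "Protocol": "TLS", "Port": 443,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TLS_TG}]},            # no ALPN policy
    {"ListenerArn": f"{_ACCT}:listener/net/nlb-b/2222/bbbb", "Protocol": "TLS", "Port": 443,
     "AlpnPolicy": ["HTTP2Preferred"], "DefaultActions": [{"Type": "forward", "TargetGroupArn": TLS_TG}]},
    {"ListenerArn": f"{_ACCT}:listener/net/nlb-c/3333/cccc", "Protocol": "TLS", "Port": 443,
     "AlpnPolicy": ["HTTP2Only"], "DefaultActions": [{"Type": "forward", "TargetGroupArn": TCP_TG}]},
    {"ListenerArn": f"{_ACCT}:listener/net/nlb-d/4444/dddd", "Protocol": "TCP", "Port": 80,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TCP_TG}]},            # not TLS, ignored
]
```

Feed it the parsed JSON of describe-listeners (one call per NLB ARN from step 1) and a protocol map built from describe-target-groups to audit a whole region in one pass.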
Remediation / Resolution
Application-Layer Protocol Negotiation (ALPN) is a TLS extension that includes the protocol negotiation within the exchange of hello messages. To update your Network Load Balancer listeners configuration in order to implement TLS ALPN policies, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NetworkLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {
                "Name": "cc-net-load-balancer",
                "Type": "network",
                "Scheme": "internet-facing",
                "IpAddressType": "ipv4",
                "SubnetMappings": [
                    { "SubnetId": "subnet-01234abcd1234abcd" },
                    { "SubnetId": "subnet-0abcd1234abcd1234" }
                ]
            }
        },
        "LoadBalancerTargetGroup": {
            "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
            "Properties": {
                "Name": "cc-net-target-group",
                "VpcId": "vpc-01234abcd1234abcd",
                "Protocol": "TLS",
                "Port": 443
            }
        },
        "LoadBalancerListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "Protocol": "TLS",
                "Port": 443,
                "LoadBalancerArn": { "Ref": "NetworkLoadBalancer" },
                "Certificates": [
                    { "CertificateArn": "arn:aws:iam::123412341234:server-certificate/domain.com" }
                ],
                "DefaultActions": [
                    {
                        "Type": "forward",
                        "TargetGroupArn": { "Ref": "LoadBalancerTargetGroup" }
                    }
                ],
                "AlpnPolicy": [ "HTTP2Preferred" ]
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-net-load-balancer
      Type: network
      Scheme: internet-facing
      IpAddressType: ipv4
      SubnetMappings:
        - SubnetId: subnet-01234abcd1234abcd
        - SubnetId: subnet-0abcd1234abcd1234
  LoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: cc-net-target-group
      VpcId: vpc-01234abcd1234abcd
      Protocol: TLS
      Port: 443
  LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: TLS
      Port: 443
      LoadBalancerArn: !Ref 'NetworkLoadBalancer'
      Certificates:
        - CertificateArn: arn:aws:iam::123412341234:server-certificate/domain.com
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'LoadBalancerTargetGroup'
      AlpnPolicy:
        - HTTP2Preferred
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "network-load-balancer" {
  name               = "cc-net-load-balancer"
  load_balancer_type = "network"
  internal           = false
  ip_address_type    = "ipv4"

  subnet_mapping {
    subnet_id = "subnet-01234abcd1234abcd"
  }

  subnet_mapping {
    subnet_id = "subnet-0abcd1234abcd1234"
  }
}

# ALPN is honoured only when the listener forwards to a TLS target group
resource "aws_lb_target_group" "load-balancer-target-group" {
  name     = "cc-net-target-group"
  vpc_id   = "vpc-01234abcd1234abcd"
  protocol = "TLS"
  port     = 443
}

resource "aws_lb_listener" "load-balancer-listener" {
  load_balancer_arn = aws_lb.network-load-balancer.arn
  protocol          = "TLS"
  port              = 443
  certificate_arn   = "arn:aws:iam::123412341234:server-certificate/domain.com"
  alpn_policy       = "HTTP2Preferred"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.load-balancer-target-group.arn
  }
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose network to list the Network Load Balancers available in the current AWS region.
05 Select the Network Load Balancer (NLB) that you want to examine.
06 Select the Listeners tab from the console bottom panel to access the load balancer listeners.
07 Select the TLS : 443 listener and choose Edit to access the TLS listener configuration.
08 On the Edit listener configuration page, perform the following actions:
- Select HTTP2Preferred from the ALPN Policy dropdown list. The HTTP2Preferred policy is suitable when HTTP/2 connections are preferred but falling back to HTTP/1 is allowed. If you need to test your load balancer using HTTP/2, choose the HTTP2Optional policy. If you need to configure your load balancer to negotiate only HTTP/2, choose the HTTP2Only ALPN policy.
- To ensure that the selected ALPN policy takes effect, the action configured as the Default action must forward to a TLS target group.
- Choose Save changes to apply the changes and attach the selected TLS ALPN policy to the selected Network Load Balancer (NLB).
09 Repeat steps no. 5 – 8 for each Network Load Balancer that you want to reconfigure, available within the current AWS region.
10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run describe-listeners command (OSX/Linux/UNIX) with custom query filters to describe the ARN of the TLS listener associated with the Network Load Balancer that you want to reconfigure:
aws elbv2 describe-listeners --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd --query 'Listeners[?(Protocol == `TLS`)].ListenerArn | []'
02 The command output should return the requested Amazon Resource Name (ARN):
[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd"
]
03 Run modify-listener command (OSX/Linux/UNIX) using the ARN of the TLS listener returned at the previous step as the identifier parameter, to update the listener configuration and attach a TLS ALPN policy. The following command example implements the HTTP2Preferred ALPN policy. The HTTP2Preferred ALPN policy is suitable when HTTP/2 connections are preferred but falling back to HTTP/1 is allowed. If you need to test your load balancer using HTTP/2, choose the HTTP2Optional policy. If you need to negotiate only HTTP/2, choose the HTTP2Only ALPN policy:
aws elbv2 modify-listener --region us-east-1 --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd --alpn-policy HTTP2Preferred
04 The command output should return the configuration information available for the modified TLS listener. To ensure that the selected ALPN policy takes effect, the listener default action must forward to a TLS target group (identified by the "TargetGroupArn" attribute):
{
    "Listeners": [
        {
            "Protocol": "TLS",
            "DefaultActions": [
                {
                    "ForwardConfig": {
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-main-target-group/abcd1234abcd1234"
                            }
                        ]
                    },
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-main-target-group/abcd1234abcd1234",
                    "Type": "forward",
                    "Order": 1
                }
            ],
            "SslPolicy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
            "AlpnPolicy": [
                "HTTP2Preferred"
            ],
            "Certificates": [
                {
                    "CertificateArn": "arn:aws:iam::123456789012:server-certificate/FrontendSSLCertificate"
                }
            ],
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-internet-facing-nlb/abcdabcdabcdabcd",
            "Port": 443,
            "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-internet-facing-nlb/abcdabcdabcdabcd/1234abcd1234abcd"
        }
    ]
}
05 Repeat steps no. 1 – 4 for each Network Load Balancer that you want to reconfigure, available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.