# Zero-trust-security-configuration-for-ACME_688996466

### This is the solution for ACME zero trust security configuration.

### Background & Motivation

- Inefficient nginx->ALB network path: via Transit Gateway -> LZ CheckPoint FW -> LZ NAT GW -> LZ Internet GW
- Nginx->ALB uses the inefficient HTTP 1.0 protocol with no session keep-alive / no connection pooling; this is required because connection pooling combined with dynamic IPs for the ALB is only supported with Nginx Plus ($$$)
- Long-standing [PCS 490155](https://us2-smax.saas.microfocus.com/saw/Request/490155/general?TENANTID=488503157) from Achmea \[Timeout API call SMAX Saas\]
  - The customer is seeing intermittent API call timeouts (randomly, about once or twice every few hours) when using the "zero trust" API calls with mTLS. The issue was narrowed down to a random TCP-level network connectivity issue between nginx and the ALB via the Landing Zone Network account / Checkpoint firewall / NAT gateway.
  - PSDC case 5423472 \[Intermittent egress connectivity issue to Internet\] was opened, but there has been no progress for a few weeks.

### Architecture Highlights

- A change in the architecture to bypass the LZ Network account using a new internal NLB with an ALB-type target group: [https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/)
- Traffic does not flow over the Internet: better performance
- As the NLB provides static IPs, it allows the use of "free" nginx in HTTP 1.1 mode with connection pooling: much better performance

![](attachments/688996466/688996465.png)

### This section includes the following topics.

1. [Configure Nginx through network load balancer](Configure-Nginx-through-network-load-balancer_688996474.html)
2. [Enable TLS 1.3 in AWS ALB](Enable-TLS-1.3-in-AWS-ALB_688996484.html)
3. [Prevent unverified IP addresses from accessing tenant](Prevent-unverified-IP-addresses-from-accessing-tenants_688996491.html)

**Related pages**

- Page: [ESM Cloud Farm Version Tracking](/display/ICSD/ESM+Cloud+Farm+Version+Tracking)
- Page: [How to get an Opentext Confluence account](/display/ICSD/How+to+get+an+Opentext+Confluence+account)
- Page: [ITOM APM AppPluse Cloud Farm Information](/display/ICSD/ITOM+APM+AppPluse+Cloud+Farm+Information)
- Page: [ITOM Cloud Service Ops Doc Management Process](/display/ICSD/ITOM+Cloud+Service+Ops+Doc+Management+Process)
- Page: [ITOM ESM Cloud Service Catalog](/display/ICSD/ITOM+ESM+Cloud+Service+Catalog)
- Page: [ITOM OpsB NOM Cloud Service Catalog](/display/ICSD/ITOM+OpsB+NOM+Cloud+Service+Catalog)
- Page: [OpsB and NOM Cloud Deployments Version Tracking](/display/ICSD/OpsB+and+NOM+Cloud+Deployments+Version+Tracking)

## Attachments:

[image-2025-2-8\_16-6-56.png](attachments/688996466/688996465.png) (image/png)
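As an added example (not the original page's or the ACME solution's own configuration), the nginx side of the Architecture Highlights above: the "before" pattern that forces HTTP 1.0 without pooling against the ALB's dynamic IPs, next to the "after" upstream block with keepalive against the internal NLB's static address. All hostnames, ports and file paths are assumed placeholders.

```nginx
# Added example, not the page's own config: nginx -> internal NLB -> ALB path
# from Architecture Highlights. All names, ports and paths are placeholders.

# Before: with only the ALB's changing IPs, open-source nginx must re-resolve
# on every request (resolver + variable in proxy_pass), which rules out an
# upstream block and thus keepalive pooling: a new TCP+TLS connection per
# request, sent as HTTP/1.0.
#
#   resolver 169.254.169.253 valid=10s;       # VPC-provided DNS (assumed)
#   set $alb "internal-alb.example.internal"; # placeholder ALB DNS name
#   proxy_pass https://$alb;

# After: the NLB has static per-AZ IPs, so its name is safe to resolve once
# at startup in a static upstream block, and nginx can pool connections.
upstream acme_nlb {
    server internal-nlb.example.internal:443;   # placeholder NLB DNS name
    keepalive 32;              # idle upstream connections kept per worker
    keepalive_timeout 60s;     # close idle pooled connections after 60s
}

server {
    listen 443 ssl;
    server_name api.example.com;                      # placeholder
    ssl_certificate     /etc/nginx/tls/server.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Client-side mTLS for the "zero trust" API calls is unchanged.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;

    location / {
        proxy_pass https://acme_nlb;

        # Both are required for reuse: HTTP/1.1, and an empty Connection
        # header so nginx stops sending "Connection: close" upstream.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # The NLB listener passes TCP through; TLS terminates on the ALB, so
        # send the ALB's hostname as SNI and verify its certificate.
        proxy_ssl_server_name on;
        proxy_ssl_name internal-alb.example.internal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_set_header Host $host;
    }
}
```

Reuse can be confirmed with `nginx -T` to validate the config and by watching upstream connection counts (for example with `ss -tn` on the nginx host) stay flat under sustained load instead of growing per request.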