ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
171d4b5d3ea956e8df7c3ced27eec248d2d623f4
nexus/knowledgebase/csd-wiki/ICSD/Zero-trust-security-configuration-for-ACME_688996466.md
weishen 3f2e1765d8 Auto-sync: 2026-04-18 17:09
2026-04-18 17:09:43 +08:00

47 lines
2.9 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Zero-trust-security-configuration-for-ACME_688996466
### This is the solution for ACME zero trust security configuration.
### Background & Motivation
- Inefficient nginx->ALB network path: via Transit Gateway -> LZ CheckPoint FW -> LZ NAT GW -> LZ Internet GW
- Nginx->ALB uses inefficient HTTP 1.0 protocol with no session keep-alive / no connection pooling
- required as connection pooling + dynamic IPs for ALB is only supported with Nginx Plus ($$$)
- Long standing [PCS 490155](https://us2-smax.saas.microfocus.com/saw/Request/490155/general?TENANTID=488503157) from Achmea \[Timeout API call SMAX Saas\]
- Customer is seeing intermittent API call timeouts (randomly, about once or twice every few hours) when using the "zero trust" API calls with mTLS. Issue was narrowed down to a random TCP-level network connectivity issue between nginx and ALB via Landing Zone Network account / Checkpoint firewall / NAT gateway.
- PSDC case 5423472 \[Intermittent egress connectivity issue to Internet\] was opened, but no progress for a few weeks.
### Architecture Highlights
- A change in the architecture to bypass LZ Network account using a new internal NLB with an ALB-type target group: [https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/)
- Traffic does not flow over Internet: better performance
- As NLB provides static IPs it allows the use of “free” nginx in HTTP 1.1 mode with connection pooling much better performance
![](attachments/688996466/688996465.png)
### This section includes the following topics.
1. [Configure Nginx through network load balancer](Configure-Nginx-through-network-load-balancer_688996474.html)
2. [Enable TLS 1.3 in AWS ALB](Enable-TLS-1.3-in-AWS-ALB_688996484.html)
3. [Prevent unverified IP addresses from accessing tenant](Prevent-unverified-IP-addresses-from-accessing-tenants_688996491.html)
**Related pages**
- Page:
[ESM Cloud Farm Version Tracking](/display/ICSD/ESM+Cloud+Farm+Version+Tracking)
- Page:
[How to get an Opentext Confluence account](/display/ICSD/How+to+get+an+Opentext+Confluence+account)
- Page:
[ITOM APM AppPluse Cloud Farm Information](/display/ICSD/ITOM+APM+AppPluse+Cloud+Farm+Information)
- Page:
[ITOM Cloud Service Ops Doc Management Process](/display/ICSD/ITOM+Cloud+Service+Ops+Doc+Management+Process)
- Page:
[ITOM ESM Cloud Service Catalog](/display/ICSD/ITOM+ESM+Cloud+Service+Catalog)
- Page:
[ITOM OpsB NOM Cloud Service Catalog](/display/ICSD/ITOM+OpsB+NOM+Cloud+Service+Catalog)
- Page:
[OpsB and NOM Cloud Deployments Version Tracking](/display/ICSD/OpsB+and+NOM+Cloud+Deployments+Version+Tracking)
## Attachments:
[image-2025-2-8\_16-6-56.png](attachments/688996466/688996465.png) (image/png)
Reference in New Issue View Git Blame Copy Permalink