Zero-trust-security-configuration-for-ACME_688996466

Inefficient nginx->ALB network path: via Transit Gateway -> LZ CheckPoint FW -> LZ NAT GW -> LZ Internet GW
Nginx->ALB uses inefficient HTTP 1.0 protocol with no session keep-alive / no connection pooling
- required as connection pooling + dynamic IPs for ALB is only supported with Nginx Plus ($$$)
Long standing ⁠ PCS 490155 from Achmea [Timeout API call SMAX Saas]
- Customer is seeing intermittent API call timeouts (randomly, about once or twice every few hours) when using the "zero trust" API calls with mTLS. Issue was narrowed down to a random TCP-level network connectivity issue between nginx and ALB via Landing Zone Network account / Checkpoint firewall / NAT gateway.
  - PSDC case 5423472 [Intermittent egress connectivity issue to Internet] was opened, but no progress for a few weeks.

A change in the architecture to bypass LZ Network account using a new internal NLB with an ALB-type target group: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer
Traffic does not flow over Internet: better performance
As NLB provides static IPs it allows the use of “free” nginx in HTTP 1.1 mode with connection pooling – much better performance

Related pages

Attachments: