Securing Multi-Domain SSL with ALB in SecureCart Using SNI-Based SSL

SecureCart, an e-commerce platform, operates multiple regional storefronts under different domains:

  • securecart-us.com

  • securecart-eu.com

  • securecart-asia.com

To improve security and SEO rankings, SecureCart wants to:

  • Migrate from HTTP to HTTPS for all storefronts

  • Securely serve SSL traffic for multiple domains without frequent certificate updates

  • Minimize operational overhead and reduce costs


🔹 Optimal Solution: ALB with SNI-Based SSL (Correct Answer: Option D)

SecureCart should use an Application Load Balancer (ALB) with Server Name Indication (SNI) to handle SSL/TLS traffic for multiple domains.

  • Upload SSL certificates for all storefront domains (securecart-us.com, securecart-eu.com, securecart-asia.com)

  • ALB automatically selects the correct SSL certificate for each request

  • New storefronts can be added easily without reissuing certificates

🚀 Benefits for SecureCart:

  • Cost-effective – ACM manages multiple certificates at no extra charge

  • Scalability – Easily supports new storefronts without manual certificate renewal

  • Automated certificate selection – SNI ensures seamless TLS handling

  • Improved SEO & security – HTTPS boosts search rankings & encrypts sensitive data


🔹 What is SNI-Based SSL?

Server Name Indication (SNI) is an extension of the TLS protocol that allows multiple domain names to be hosted on a single ALB while using different SSL/TLS certificates.

🔑 How SNI Works in SecureCart’s Setup

1️⃣ A customer requests https://securecart-us.com

2️⃣ The ALB receives the TLS handshake and reads the domain name from its SNI field

3️⃣ The ALB uses SNI to match the request to the correct SSL certificate

4️⃣ The request is secured and forwarded to the EC2 instances in an Auto Scaling Group

5️⃣ The user accesses SecureCart’s storefront securely over HTTPS

Why SNI?

  • Allows multiple domains to share a single ALB without needing dedicated IP addresses

  • Eliminates the need for costly dedicated-IP SSL certificates

  • Enables automatic TLS certificate selection based on the requested domain


❌ Why Other Options Don't Work for SecureCart

Option A: Use a Wildcard Certificate
Why It's Not Ideal: ❌ Wildcards only cover subdomains of one domain, not multiple domains (e.g., securecart-us.com and securecart-eu.com are separate domains).

Option B: Add SAN (Subject Alternative Name) to Certificate
Why It's Not Ideal: ❌ Managing SANs manually requires reissuing the certificate every time SecureCart adds a new storefront, making scaling inefficient.

Option C: Use CloudFront with Dedicated IP Addresses for SSL
Why It's Not Ideal: ❌ CloudFront with dedicated IP SSL costs $600/month per certificate, while ACM with ALB/SNI is free and scalable.


🔹 How This Works in SecureCart's AWS Setup

Step 1️⃣: SecureCart uploads multiple SSL certificates
Description: SecureCart registers each storefront domain (securecart-us.com, securecart-eu.com) with AWS Certificate Manager (ACM).

Step 2️⃣: ALB is configured with HTTPS listeners
Description: ALB listens on port 443 with an HTTPS listener whose certificate list holds a certificate for each domain.

Step 3️⃣: Customer requests a storefront page
Description: A user accesses https://securecart-us.com.

Step 4️⃣: ALB reads the SNI field from the TLS handshake
Description: ALB detects the requested domain name and selects the matching SSL certificate from ACM.

Step 5️⃣: SecureCart’s storefront is served via HTTPS
Description: The request is encrypted and securely routed to the backend EC2 instances.


✅ AWS Services Used

  • AWS Certificate Manager (ACM) → Manages free SSL certificates and automatically renews them.

  • Application Load Balancer (ALB) → Handles SNI-based SSL for multiple domains.

  • Auto Scaling Group (ASG) + EC2 Instances → Ensures high availability & scalability.

  • Route 53 → Manages DNS records for SecureCart’s domains.


📌 Best Practices for SecureCart

  • Use ACM for SSL certificate management – Free & auto-renewing

  • Enable HTTP-to-HTTPS redirection – Improves security & SEO ranking

  • Monitor SSL expiration dates – ACM sends renewal notifications

  • Use AWS WAF with ALB – Protect against DDoS & injection attacks


🚀 Summary

✅ SecureCart's best approach for securing multiple storefront domains is ALB with SNI-based SSL

✅ This setup reduces costs, improves scalability, and simplifies SSL management

✅ SecureCart can easily add new storefronts without manually updating SSL certificates


Yes, SNI stands for Server Name Indication. It is an extension of the TLS (Transport Layer Security) protocol that enables multiple domains to share the same IP address and port while using different SSL/TLS certificates.

🔹 Key Benefits of SNI-Based SSL in AWS

  • Supports multiple SSL/TLS certificates on a single ALB

  • Eliminates the need for multiple dedicated IP addresses

  • Dynamically selects the correct certificate based on the request's domain name

  • Reduces cost compared to dedicated IP-based SSL certificates

  • Simplifies certificate management for multi-domain applications

The following steps describe how SNI-based SSL works in SecureCart’s architecture using AWS Application Load Balancer (ALB):

1️⃣ A user requests a SecureCart storefront over HTTPS, such as https://securecart-us.com

2️⃣ The Application Load Balancer (ALB) receives the connection and inspects the Server Name Indication (SNI) field in the TLS handshake

3️⃣ ALB dynamically selects the correct SSL certificate based on the requested domain (e.g., securecart-us.com, securecart-eu.com, or securecart-asia.com)

4️⃣ ALB securely forwards the request to the Auto Scaling Group of EC2 instances serving SecureCart’s application

5️⃣ The response is returned securely over HTTPS, ensuring encrypted and authenticated communication
