# Securing Multi-Domain SSL with ALB in SecureCart Using SNI-Based SSL

SecureCart, an **e-commerce platform**, operates multiple regional storefronts under different domains:

* `securecart-us.com`
* `securecart-eu.com`
* `securecart-asia.com`

To **improve security** and **SEO rankings**, SecureCart wants to:

✔ Migrate from **HTTP to HTTPS** for **all storefronts**\
✔ Securely serve **SSL traffic for multiple domains** without frequent certificate updates\
✔ **Minimize operational overhead** and **reduce costs**

***

### **🔹 Optimal Solution: ALB with SNI-Based SSL (Correct Answer: Option D)**

SecureCart should use an **Application Load Balancer (ALB) with Server Name Indication (SNI)** to handle SSL/TLS traffic for multiple domains.

✔ **Upload SSL certificates** for all storefront domains (`securecart-us.com`, `securecart-eu.com`, `securecart-asia.com`)\
✔ ALB **automatically selects the correct SSL certificate** for each request\
✔ New storefronts can be **added easily** without reissuing certificates

**🚀 Benefits for SecureCart:**

* **Cost-effective** – ACM manages multiple certificates at no extra charge
* **Scalability** – Easily supports new storefronts without manual certificate renewal
* **Automated certificate selection** – SNI ensures seamless TLS handling
* **Improved SEO & security** – HTTPS boosts search rankings & encrypts sensitive data

***

### **🔹 What is SNI-Based SSL?**

**Server Name Indication (SNI) is an extension of the TLS protocol** that allows multiple domain names to be **hosted on a single ALB** while using different SSL/TLS certificates.

#### **🔑 How SNI Works in SecureCart’s Setup**

1️⃣ A customer requests **`https://securecart-us.com`**\
2️⃣ The **ALB receives the request** and reads the **domain name (SNI field)**\
3️⃣ The **ALB uses SNI** to match the request to the correct **SSL certificate**\
4️⃣ The request is **secured and forwarded** to the **EC2 instances in an Auto Scaling Group**\
5️⃣ The user accesses **SecureCart’s storefront securely over HTTPS**

✅ **Why SNI?**

* Allows **multiple domains to share a single ALB** without needing dedicated IP addresses
* Eliminates the need for **costly static IP SSL certificates**
* Enables **automatic TLS certificate selection** based on the requested domain

***

### **❌ Why Other Options Don't Work for SecureCart**

| **Option**                                                | **Why It's Not Ideal**                                                                                                                   |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| **A: Use a Wildcard Certificate**                         | ❌ Wildcards only cover **subdomains**, not multiple domains (e.g., `securecart-us.com` and `securecart-eu.com` are separate domains).    |
| **B: Add SAN (Subject Alternative Name) to Certificate**  | ❌ Managing SANs manually requires **reissuing the certificate** every time SecureCart adds a new storefront, making scaling inefficient. |
| **C: Use CloudFront with Dedicated IP Addresses for SSL** | ❌ **CloudFront with dedicated IP SSL costs $600/month per certificate**, while ACM with ALB/SNI is **free and scalable**.                |

***

### **🔹 How This Works in SecureCart's AWS Setup**

| **Step**                                             | **Description**                                                                                                     |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| **1️⃣ SecureCart uploads multiple SSL certificates** | SecureCart registers each storefront (`securecart-us.com`, `securecart-eu.com`) with AWS Certificate Manager (ACM). |
| **2️⃣ ALB is configured with HTTPS listeners**       | ALB listens on **port 443** and supports **multiple domain certificates**.                                          |
| **3️⃣ Customer requests a storefront page**          | A user accesses `https://securecart-us.com`.                                                                        |
| **4️⃣ ALB reads the SNI field from the request**     | ALB detects the requested domain and selects the correct SSL certificate from ACM.                                  |
| **5️⃣ SecureCart’s storefront is served via HTTPS**  | The request is encrypted and securely routed to the backend EC2 instances.                                          |
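
Option A's wildcard limit and the certificate choice in step 4 can be checked against a certificate inventory before a storefront goes live. This added example (not from the original page; a simplified model, not AWS's implementation) matches SNI host names against certificate names and reports storefronts that would fall through to the listener's default certificate. The certificate ids, the inventory and all function names are constructed for illustration.

```python
def san_matches(pattern, host):
    """Certificate-name match: '*' may only be the whole left-most label and
    stands for exactly one label, so it never reaches another registered domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def select_certificate(sni, certificates, default):
    """Pick the first listener certificate whose names cover the SNI host.

    Falls back to the default certificate when the client sent no SNI or
    nothing matches (simplified: no ranking among several matches)."""
    if sni:
        for cert_id, names in certificates.items():
            if any(san_matches(n, sni) for n in names):
                return cert_id
    return default

def uncovered_hosts(hosts, certificates):
    """Hosts no certificate covers: clients would get the default certificate
    and fail name validation."""
    return [h for h in hosts
            if not any(san_matches(n, h)
                       for names in certificates.values() for n in names)]

# Constructed inventory; certificate ids are placeholders, not real ARNs.
LISTENER_CERTS = {
    "cert-us": ["securecart-us.com", "*.securecart-us.com"],
    "cert-eu": ["securecart-eu.com", "*.securecart-eu.com"],
}
DEFAULT_CERT = "cert-us"
STOREFRONTS = ["securecart-us.com", "www.securecart-eu.com", "securecart-asia.com"]

if __name__ == "__main__":
    for host in STOREFRONTS + [None]:
        print(host, "->", select_certificate(host, LISTENER_CERTS, DEFAULT_CERT))
    print("not covered:", uncovered_hosts(STOREFRONTS, LISTENER_CERTS))
```

In this constructed inventory `securecart-asia.com` has no certificate yet, so it is the one host reported as not covered.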

***

### **✅ AWS Services Used**

* **AWS Certificate Manager (ACM)** → **Manages free SSL certificates** and automatically renews them.
* **Application Load Balancer (ALB)** → Handles **SNI-based SSL** for multiple domains.
* **Auto Scaling Group (ASG) + EC2 Instances** → Ensures **high availability & scalability**.
* **Route 53** → Manages **DNS records** for SecureCart’s domains.

***

### **📌 Best Practices for SecureCart**

✔ **Use ACM for SSL certificate management** – Free & auto-renewing\
✔ **Enable HTTP-to-HTTPS redirection** – Improves security & SEO ranking\
✔ **Monitor SSL expiration dates** – ACM sends renewal notifications\
✔ **Use AWS WAF with ALB** – Protect against **DDoS & injection attacks**

***

### **🚀 Summary**

✅ SecureCart's **best approach** for securing multiple storefront domains is **ALB with SNI-based SSL**\
✅ This setup **reduces costs, improves scalability, and simplifies SSL management**\
✅ SecureCart can **easily add new storefronts** without manually updating SSL certificates

***

**SNI** stands for **Server Name Indication**. It is an **extension of the TLS (Transport Layer Security) protocol** that enables multiple domains to share the **same IP address and port while using different SSL/TLS certificates**.

#### **🔹 Key Benefits of SNI-Based SSL in AWS**

* **Supports multiple SSL/TLS certificates on a single ALB**
* **Eliminates the need for multiple dedicated IP addresses**
* **Dynamically selects the correct certificate based on the request's domain name**
* **Reduces cost compared to dedicated IP-based SSL certificates**
* **Simplifies certificate management for multi-domain applications**

The following steps show how **SNI-Based SSL** works in SecureCart’s architecture using **AWS Application Load Balancer (ALB)**:

1️⃣ **A user requests a SecureCart storefront over HTTPS**, such as `https://securecart-us.com`\
2️⃣ **The Application Load Balancer (ALB) receives the request** and inspects the **Server Name Indication (SNI) field** in the TLS handshake\
3️⃣ **ALB dynamically selects the correct SSL certificate** based on the requested domain (e.g., `securecart-us.com`, `securecart-eu.com`, or `securecart-asia.com`)\
4️⃣ **ALB securely forwards the request** to the Auto Scaling Group of EC2 instances serving SecureCart’s application\
5️⃣ **The response is returned securely over HTTPS**, ensuring **encrypted and authenticated** communication
