# Securing Multi-Domain SSL with ALB in SecureCart Using SNI-Based SSL

SecureCart, an **e-commerce platform**, operates multiple regional storefronts under different domains:

* `securecart-us.com`
* `securecart-eu.com`
* `securecart-asia.com`

To **improve security** and **SEO rankings**, SecureCart wants to:

✔ Migrate from **HTTP to HTTPS** for **all storefronts**\
✔ Securely serve **SSL traffic for multiple domains** without frequent certificate updates\
✔ **Minimize operational overhead** and **reduce costs**

***

### **🔹 Optimal Solution: ALB with SNI-Based SSL (Correct Answer: Option D)**

SecureCart should use an **Application Load Balancer (ALB) with Server Name Indication (SNI)** to handle SSL/TLS traffic for multiple domains.

✔ **Upload SSL certificates** for all storefront domains (`securecart-us.com`, `securecart-eu.com`, `securecart-asia.com`)\
✔ ALB **automatically selects the correct SSL certificate** for each request\
✔ New storefronts can be **added easily** without reissuing certificates

**🚀 Benefits for SecureCart:**

* **Cost-effective** – ACM manages multiple certificates at no extra charge
* **Scalability** – Easily supports new storefronts without manual certificate renewal
* **Automated certificate selection** – SNI ensures seamless TLS handling
* **Improved SEO & security** – HTTPS boosts search rankings & encrypts sensitive data

***

### **🔹 What is SNI-Based SSL?**

**Server Name Indication (SNI) is an extension of the TLS protocol** that allows multiple domain names to be **hosted on a single ALB** while using different SSL/TLS certificates.

#### **🔑 How SNI Works in SecureCart’s Setup**

1️⃣ A customer requests **`https://securecart-us.com`**\
2️⃣ The **ALB receives the request** and reads the **domain name (SNI field)**\
3️⃣ The **ALB uses SNI** to match the request to the correct **SSL certificate**\
4️⃣ The request is **secured and forwarded** to the **EC2 instances in an Auto Scaling Group**\
5️⃣ The user accesses **SecureCart’s storefront securely over HTTPS**

✅ **Why SNI?**

* Allows **multiple domains to share a single ALB** without needing dedicated IP addresses
* Eliminates the need for **costly static IP SSL certificates**
* Enables **automatic TLS certificate selection** based on the requested domain

***

### **❌ Why Other Options Don't Work for SecureCart**

| **Option**                                                | **Why It's Not Ideal**                                                                                                                   |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| **A: Use a Wildcard Certificate**                         | ❌ Wildcards only cover **subdomains**, not multiple domains (e.g., `securecart-us.com` and `securecart-eu.com` are separate domains).    |
| **B: Add SAN (Subject Alternative Name) to Certificate**  | ❌ Managing SANs manually requires **reissuing the certificate** every time SecureCart adds a new storefront, making scaling inefficient. |
| **C: Use CloudFront with Dedicated IP Addresses for SSL** | ❌ **CloudFront with dedicated IP SSL costs $600/month per certificate**, while ACM with ALB/SNI is **free and scalable**.                |

***

### **🔹 How This Works in SecureCart's AWS Setup**

| **Step**                                             | **Description**                                                                                                     |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| **1️⃣ SecureCart uploads multiple SSL certificates** | SecureCart registers each storefront (`securecart-us.com`, `securecart-eu.com`) with AWS Certificate Manager (ACM). |
| **2️⃣ ALB is configured with HTTPS listeners**       | ALB listens on **port 443** and supports **multiple domain certificates**.                                          |
| **3️⃣ Customer requests a storefront page**          | A user accesses `https://securecart-us.com`.                                                                        |
| **4️⃣ ALB reads the SNI field from the request**     | ALB detects the requested domain and selects the correct SSL certificate from ACM.                                  |
| **5️⃣ SecureCart’s storefront is served via HTTPS**  | The request is encrypted and securely routed to the backend EC2 instances.                                          |

***

### **✅ AWS Services Used**

* **AWS Certificate Manager (ACM)** → **Manages free SSL certificates** and automatically renews them.
* **Application Load Balancer (ALB)** → Handles **SNI-based SSL** for multiple domains.
* **Auto Scaling Group (ASG) + EC2 Instances** → Ensures **high availability & scalability**.
* **Route 53** → Manages **DNS records** for SecureCart’s domains.

***

### **📌 Best Practices for SecureCart**

✔ **Use ACM for SSL certificate management** – Free & auto-renewing\
✔ **Enable HTTP-to-HTTPS redirection** – Improves security & SEO ranking\
✔ **Monitor SSL expiration dates** – ACM sends renewal notifications\
✔ **Use AWS WAF with ALB** – Protect against **DDoS & injection attacks**

***

### **🚀 Summary**

✅ SecureCart's **best approach** for securing multiple storefront domains is **ALB with SNI-based SSL**\
✅ This setup **reduces costs, improves scalability, and simplifies SSL management**\
✅ SecureCart can **easily add new storefronts** without manually updating SSL certificates

***

**SNI** stands for **Server Name Indication**. It is an **extension of the TLS (Transport Layer Security) protocol** that enables multiple domains to share the **same IP address and port while using different SSL/TLS certificates**.

#### **🔹 Key Benefits of SNI-Based SSL in AWS**

* **Supports multiple SSL/TLS certificates on a single ALB**
* **Eliminates the need for multiple dedicated IP addresses**
* **Dynamically selects the correct certificate based on the request's domain name**
* **Reduces cost compared to dedicated IP-based SSL certificates**
* **Simplifies certificate management for multi-domain applications**

The following steps illustrate how **SNI-Based SSL** works in SecureCart’s architecture using **AWS Application Load Balancer (ALB)**:

1️⃣ **A user requests a SecureCart storefront over HTTPS**, such as `https://securecart-us.com`\
2️⃣ **The Application Load Balancer (ALB) receives the request** and inspects the **Server Name Indication (SNI) field** in the TLS handshake\
3️⃣ **ALB dynamically selects the correct SSL certificate** based on the requested domain (e.g., `securecart-us.com`, `securecart-eu.com`, or `securecart-asia.com`)\
4️⃣ **ALB securely forwards the request** to the Auto Scaling Group of EC2 instances serving SecureCart’s application\
5️⃣ **The response is returned securely over HTTPS**, ensuring **encrypted and authenticated** communication

