I'm configuring mutual TLS (mTLS) on multiple Application Load Balancers (ALBs) spread across different AWS regions, and I have a question about the truststore setup.
In AWS, the truststore is typically stored in S3 buckets. To minimize latency and optimize performance, would it be better to deploy a dedicated truststore in several buckets on each region, or is it sufficient to use a single global truststore stored in one region?
I'm concerned about potential performance issues or increased latency if all ALBs across different regions reference a single truststore in one S3 bucket. However, I couldn't find clear guidance in the AWS documentation regarding performance impacts or best practices for multi-region mTLS setups.
Any insights on whether AWS best practices favor regional truststores over a single global one in this scenario?
Actually, the question doesn't make sense, because it's not possible to associate a TrustStore with a LoadBalancer in a different region. If you try to do it from the AWS console, the TrustStore doesn't appear, and via the API, you get an error message: 'Trust store arn:... not found'.
So, we are necessarily required to deploy a different TrustStore object for each region where we have an ALB, even if all these TrustStores have the same configuration and point to the same S3 bucket.
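As an added example (not code from the question or the answer above), the following POSIX shell script uses the AWS CLI to create one trust store per region from the same S3 CA bundle and attaches each only to a listener in its own region, refusing the cross-region pairing the API rejects; the bucket name, object key, trust store names and ARNs are placeholders, and `AWS` can be overridden to dry-run the commands.

```shell
#!/bin/sh
# Added example, not from the original post: build one ALB trust store per region
# from the same S3 CA bundle and attach each only to listeners in its own region.
# Bucket name, object key, names and ARNs are placeholders/constructed values.
set -eu

CA_BUCKET="${CA_BUCKET:-example-mtls-ca-bundle}"   # placeholder bucket holding the PEM CA bundle
CA_KEY="${CA_KEY:-ca-bundle.pem}"                   # placeholder object key of the bundle
AWS="${AWS:-aws}"                                   # command to run; override for a dry run

# The region is the 4th colon-separated field of any ARN.
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }

# Create the region-local trust store from the shared bundle; prints its ARN.
create_regional_trust_store() {
  region="$1"; name="$2"
  "$AWS" elbv2 create-trust-store --region "$region" --name "$name" \
    --ca-certificates-bundle-s3-bucket "$CA_BUCKET" \
    --ca-certificates-bundle-s3-key "$CA_KEY" \
    --query 'TrustStores[0].TrustStoreArn' --output text
}

# One trust store per region, same bucket/key everywhere; prints "region arn" per line.
create_trust_stores_for_regions() {
  for region in "$@"; do
    arn=$(create_regional_trust_store "$region" "mtls-clients-$region")
    echo "$region $arn"
  done
}

# Attach a trust store in verify mode. A cross-region pairing is refused up front,
# since the API would only answer "Trust store arn:... not found".
enable_mtls_on_listener() {
  listener_arn="$1"; trust_store_arn="$2"
  region=$(arn_region "$listener_arn")
  if [ "$region" != "$(arn_region "$trust_store_arn")" ]; then
    echo "refusing: trust store is in $(arn_region "$trust_store_arn"), listener in $region" >&2
    return 1
  fi
  "$AWS" elbv2 modify-listener --region "$region" --listener-arn "$listener_arn" \
    --mutual-authentication "Mode=verify,TrustStoreArn=$trust_store_arn,IgnoreClientCertificateExpiry=false" \
    --query 'Listeners[0].MutualAuthentication.Mode' --output text
}
```

Run it as `. ./mtls-regions.sh; create_trust_stores_for_regions eu-west-1 us-east-1` after uploading the bundle once to the bucket, then call `enable_mtls_on_listener` with each listener ARN and the trust store ARN printed for that listener's region.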