What is an Application Load Balancer?
AWS provides a service called an Application Load Balancer (ALB): a reverse proxy that sits in front of the application servers and handles load balancing (as the name implies), TLS termination for encrypted connections and, since May 2018, user authentication.
This means you can put an ALB in front of an application and have it authenticate the user before the request ever reaches the application server: for example, only authenticated users are let through to the application and everyone else is blocked at the load balancer.
The authentication can be performed against Amazon Cognito or any OpenID Connect compliant identity provider, and is configured as an action on an HTTPS listener rule (authentication actions are not available on plain HTTP listeners).
When ALB authentication is used, it provides an extra layer of defence for applications that are meant to be used only by authenticated users, such as a SaaS intranet, since unauthenticated users do not even reach the application to attempt to attack it unless they can first find a way through the load balancer. That layer only holds if the load balancer is the only way in: the application servers' security group should accept traffic solely from the ALB, otherwise an attacker who can reach a server directly bypasses the authentication entirely.
Once a user is authenticated, the load balancer adds headers to each forwarded request to pass the user's identity and related properties through to the application: x-amzn-oidc-identity (the subject), x-amzn-oidc-accesstoken (the identity provider's access token) and x-amzn-oidc-data, a JWT carrying the user claims that the ALB signs with ES256 using a key published at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>. Only the signed x-amzn-oidc-data header should be trusted, and only after its signature has been verified, because anyone who can send a request to the application directly can set any of these headers themselves.
We created a module that allows Drupal to pick up, understand and validate this header so that when the user has been successfully authenticated to the load balancer, they can automatically be authenticated to Drupal as well.
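As an added illustration of what validating that header involves (this is example code written for this page, not the Drupal module's PHP nor anything from AWS), the Go program below verifies an x-amzn-oidc-data value: it pins the algorithm to ES256, pins the `signer` claim to our own load balancer's ARN (the regional key endpoint serves keys for every ALB in the region, so a token from someone else's ALB would otherwise verify), checks the expiry the ALB places in the JWT header, fetches the PEM public key for the `kid`, and checks the raw r||s signature. The key id, ARN, signing key and token are constructed locally so it runs offline; a real verifier fetches the key over HTTPS from the endpoint named in the comment and caches it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fields of the x-amzn-oidc-data JWT header used below ("exp" is Unix seconds).
type albHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"`
	Exp    int64  `json:"exp"`
}

// b64url decodes base64url, tolerating the trailing '=' padding the ALB emits.
func b64url(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// VerifyALBToken validates an x-amzn-oidc-data value and returns its claims.
// fetch returns the PEM public key for a kid; in production it is an HTTPS GET
// of https://public-keys.auth.elb.<region>.amazonaws.com/<kid> (cache it).
func VerifyALBToken(token, expectedSigner string, fetch func(string) (string, error), now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, errH := b64url(parts[0])
	rawPayload, errP := b64url(parts[1])
	sig, errS := b64url(parts[2])
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 { // ES256 sig is raw r||s
		return nil, fmt.Errorf("bad token encoding")
	}
	var hdr albHeader
	// Never let the token pick the algorithm ("none", HS256, ...): pin ES256.
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or unexpected alg %q", hdr.Alg)
	}
	// The regional key endpoint serves keys for every ALB in the region, so a
	// token minted by someone else's ALB would also verify: pin the signer ARN.
	if hdr.Signer != expectedSigner {
		return nil, fmt.Errorf("unexpected signer %q", hdr.Signer)
	}
	if hdr.Exp == 0 || !now.Before(time.Unix(hdr.Exp, 0)) {
		return nil, fmt.Errorf("token expired or has no exp")
	}
	pemKey, err := fetch(hdr.Kid)
	block, _ := pem.Decode([]byte(pemKey))
	if err != nil || block == nil {
		return nil, fmt.Errorf("cannot load key %q: %v", hdr.Kid, err)
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("key %q is not an EC public key", hdr.Kid)
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]interface{}
	err = json.Unmarshal(rawPayload, &claims)
	return claims, err
}

// Constructed stand-in for the load balancer so the example runs offline: a fresh
// P-256 key, made-up kid and ARN, the key endpoint and a minter in the ALB's format.
var albKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
const albKid = "11111111-2222-3333-4444-555555555555"
const albARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/intranet/0123456789abcdef"

func fetchKey(string) (string, error) {
	der, _ := x509.MarshalPKIXPublicKey(&albKey.PublicKey)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// mintToken mimics the ALB: ES256, signer and exp in the header, '='-padded base64url.
func mintToken(claims map[string]interface{}, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "JWT", "alg": "ES256", "kid": albKid, "signer": albARN, "exp": exp.Unix()})
	body, _ := json.Marshal(claims)
	enc := base64.URLEncoding.EncodeToString
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, albKey, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc(sig)
}

func main() {
	tok := mintToken(map[string]interface{}{"sub": "1234", "email": "alice@example.com"}, time.Now().Add(2*time.Minute))
	fmt.Println(VerifyALBToken(tok, albARN, fetchKey, time.Now()))
}
```

The order of the checks matters: the algorithm and signer are pinned from values the verifier already trusts before the key is even fetched, so a token carrying `alg: none` or another load balancer's ARN never reaches the signature step, and the unsigned identity and access-token headers are never consulted at all.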