DEV Community

Wakeup Flower
Wakeup Flower

Posted on

ALB & SNI (Server Name Indication)

How to set it up in AWS

Option 1 — Using AWS Console

  1. Go to the EC2 DashboardLoad Balancers.
  2. Select your Application Load Balancer (ALB).
  3. Go to Listeners tab.
  4. Click View/edit certificates for your HTTPS listener (usually port 443).
  5. Click Add certificate to attach additional SSL/TLS certificates (managed via AWS Certificate Manager).
  6. ALB now uses SNI automatically to select the correct certificate.

Option 2 — Using AWS CLI

aws elbv2 add-listener-certificates \
    --listener-arn arn:aws:elasticloadbalancing:region:account-id:listener/app/my-load-balancer/xxxxxxxxxxxx \
    --certificates CertificateArn=arn:aws:acm:region:account-id:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Enter fullscreen mode Exit fullscreen mode

This attaches another certificate to your existing listener.
ALB uses SNI automatically when multiple certificates are bound.


Option 3 — Using AWS CloudFormation

Resources:
  MyListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref MyLoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: arn:aws:acm:region:account-id:certificate/cert1
        - CertificateArn: arn:aws:acm:region:account-id:certificate/cert2
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref MyTargetGroup
Enter fullscreen mode Exit fullscreen mode

CloudFormation will configure your HTTPS listener with multiple certificates — SNI works automatically.


✅ Key point:

Just add multiple certificates to your ALB HTTPS listener — AWS enables SNI by default for you.

2 — What is SNI (Server Name Indication)?

SNI is an extension to TLS that allows the client (browser) to tell the server which hostname it wants before the SSL/TLS handshake completes.

This means the server (or load balancer) can choose the correct certificate for the hostname requested, even if multiple domains are served from the same IP/port.

Example without SNI:
Without SNI, a load balancer would have no way to know which certificate to send before the handshake — so it could only send one certificate.

Example with SNI:
With SNI, the client says:

"Hey server, I want to connect to app2.example.com"

and the server responds with the certificate for app2.example.com, even if it’s on the same IP/port as other apps.


3 — How AWS ALB uses SNI

AWS Application Load Balancer supports SNI so that:

  • You can bind multiple SSL certificates to a single HTTPS listener.
  • The ALB will automatically choose the correct certificate based on the hostname requested.

So if you have:

Listener: HTTPS 443
Certificates:
 - cert1: app1.example.com
 - cert2: app2.example.com
Enter fullscreen mode Exit fullscreen mode

When a client connects to app1.example.com, ALB sends cert1.
When a client connects to app2.example.com, ALB sends cert2.


4 — Why SNI matters for multi-domain hosting

Without SNI:

  • You’d need multiple load balancers or multiple IP addresses to host different TLS-secured domains.
  • That’s costly and harder to manage.

With SNI:

  • You can host multiple secure domains behind one load balancer using one IP.
  • This is simpler and cheaper.

5 — Wildcard & SAN Certificates vs SNI

Wildcard certificate:

  • Covers many subdomains of one domain (e.g., *.example.com → covers app1.example.com, app2.example.com).
  • Limitation: Only works for subdomains of a single domain.

SAN (Subject Alternative Name) certificate:

  • Covers multiple specific domains in one certificate (e.g., app1.example.com, app2.example.com, myapp.com).
  • Limitation: All domains must be validated by the same Certificate Authority, and adding new domains requires re-issuing the certificate.

SNI advantage:

  • Lets you use multiple certificates (wildcard, SAN, or normal) on the same load balancer without those limitations.
  • More flexible and scalable.

ASCII analogy:

Without SNI:
Client → Load Balancer (only one certificate) → SSL handshake → fail if domain mismatch

With SNI:
Client → Load Balancer (multiple certificates)
       → ALB chooses certificate based on hostname
       → handshake succeeds
Enter fullscreen mode Exit fullscreen mode

Key takeaway:
SNI allows AWS ALB to handle multiple TLS-secured applications on the same listener by choosing the correct certificate per request — without needing separate IPs or load balancers.


Top comments (0)