How to set it up in AWS
Option 1 — Using AWS Console
- Go to the EC2 Dashboard → Load Balancers.
- Select your Application Load Balancer (ALB).
- Go to Listeners tab.
- Click View/edit certificates for your HTTPS listener (usually port 443).
- Click Add certificate to attach additional SSL/TLS certificates (managed via AWS Certificate Manager).
- ALB now uses SNI automatically to select the correct certificate.
Option 2 — Using AWS CLI
aws elbv2 add-listener-certificates \
--listener-arn arn:aws:elasticloadbalancing:region:account-id:listener/app/my-load-balancer/xxxxxxxxxxxx \
--certificates CertificateArn=arn:aws:acm:region:account-id:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
This attaches another certificate to your existing listener.
ALB uses SNI automatically when multiple certificates are bound.
Option 3 — Using AWS CloudFormation
Resources:
MyListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref MyLoadBalancer
Port: 443
Protocol: HTTPS
Certificates:
- CertificateArn: arn:aws:acm:region:account-id:certificate/cert1
- CertificateArn: arn:aws:acm:region:account-id:certificate/cert2
DefaultActions:
- Type: forward
TargetGroupArn: !Ref MyTargetGroup
CloudFormation will configure your HTTPS listener with multiple certificates — SNI works automatically.
✅ Key point:
Just add multiple certificates to your ALB HTTPS listener — AWS enables SNI by default for you.
2 — What is SNI (Server Name Indication)?
SNI is an extension to TLS that allows the client (browser) to tell the server which hostname it wants before the SSL/TLS handshake completes.
This means the server (or load balancer) can choose the correct certificate for the hostname requested, even if multiple domains are served from the same IP/port.
Example without SNI:
Without SNI, a load balancer would have no way to know which certificate to send before the handshake — so it could only send one certificate.
Example with SNI:
With SNI, the client says:
"Hey server, I want to connect to
app2.example.com
"
and the server responds with the certificate for app2.example.com
, even if it’s on the same IP/port as other apps.
3 — How AWS ALB uses SNI
AWS Application Load Balancer supports SNI so that:
- You can bind multiple SSL certificates to a single HTTPS listener.
- The ALB will automatically choose the correct certificate based on the hostname requested.
So if you have:
Listener: HTTPS 443
Certificates:
- cert1: app1.example.com
- cert2: app2.example.com
When a client connects to app1.example.com
, ALB sends cert1.
When a client connects to app2.example.com
, ALB sends cert2.
4 — Why SNI matters for multi-domain hosting
Without SNI:
- You’d need multiple load balancers or multiple IP addresses to host different TLS-secured domains.
- That’s costly and harder to manage.
With SNI:
- You can host multiple secure domains behind one load balancer using one IP.
- This is simpler and cheaper.
5 — Wildcard & SAN Certificates vs SNI
Wildcard certificate:
- Covers many subdomains of one domain (e.g.,
*.example.com
→ coversapp1.example.com
,app2.example.com
). - Limitation: Only works for subdomains of a single domain.
SAN (Subject Alternative Name) certificate:
- Covers multiple specific domains in one certificate (e.g.,
app1.example.com
,app2.example.com
,myapp.com
). - Limitation: All domains must be validated by the same Certificate Authority, and adding new domains requires re-issuing the certificate.
SNI advantage:
- Lets you use multiple certificates (wildcard, SAN, or normal) on the same load balancer without those limitations.
- More flexible and scalable.
ASCII analogy:
Without SNI:
Client → Load Balancer (only one certificate) → SSL handshake → fail if domain mismatch
With SNI:
Client → Load Balancer (multiple certificates)
→ ALB chooses certificate based on hostname
→ handshake succeeds
✅ Key takeaway:
SNI allows AWS ALB to handle multiple TLS-secured applications on the same listener by choosing the correct certificate per request — without needing separate IPs or load balancers.
Top comments (0)