Cloud Encryption in Transit — TLS, mTLS & Certificate Management
In this tutorial, you'll learn about Cloud Encryption in Transit. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud encryption in transit protects data moving between clients, services, and cloud regions using TLS and mTLS, with AWS ACM, Azure Key Vault, and GCP CAS managing the certificate lifecycle.
What You Will Learn
How to configure TLS termination, implement mTLS for service-to-service authentication, and automate certificate renewal across all three major clouds.
Why It Matters
Data in transit without encryption is plaintext on the wire. Attackers on the same network segment, rogue cloud employees, or compromised intermediary services can read, modify, or replay traffic.
Real-World Use
Doda Browser enforces TLS 1.3 for all cloud API calls and uses mTLS for internal service communication. Every certificate is managed through ACM with automated renewal 30 days before expiry.
TLS Termination Architecture
flowchart LR
    Client[User Browser] -->|TLS 1.3| LB[Load Balancer\nTLS Termination]
    LB -->|HTTP| App[Application Server]
    App -->|mTLS| API[Internal API]
    API -->|mTLS| DB[(Database Proxy)]
    Cert[Certificate Authority] -->|Issues Certs| LB
    Cert -->|Issues Certs| App
    Cert -->|Issues Certs| API
    style Cert fill:#f90,color:#fff
The hop from the load balancer to the application server is drawn as plain HTTP: that is what TLS termination means, and it is acceptable only while that hop stays inside a trusted network boundary. Re-encrypting it (the load balancer opens a fresh TLS connection to each backend, which ALB and Application Gateway both support) costs little and removes the one unencrypted segment from the path.
AWS Certificate Manager
ACM provisions and renews TLS certificates for integrated AWS services such as CloudFront, ALB, and API Gateway. Public certificates are free, and ACM renews a DNS-validated certificate automatically (it starts trying about 60 days before expiry) as long as the validation CNAME record stays in DNS, so never delete that record after issuance. By default the private key never leaves ACM, which is why ACM certificates are consumed through those integrated services rather than copied onto your own hosts.
# Request a public certificate from ACM (DNS validation is what makes later renewals hands-off)
aws acm request-certificate \
--domain-name api.dodatech.com \
--validation-method DNS \
--subject-alternative-names "*.api.dodatech.com"
# Output:
# {
# "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-bbbb-cccc-dddd"
# }
# The certificate stays PENDING_VALIDATION until the CNAME that 'aws acm describe-certificate'
# reports under DomainValidationOptions exists in DNS; leave that record in place permanently.
# List certificates that have already expired or failed validation (an empty list is the healthy
# result). Upcoming expiry is visible per certificate in describe-certificate (NotAfter and
# RenewalEligibility), which is what a renewal alarm should read.
aws acm list-certificates --query 'CertificateSummaryList[?Status==`EXPIRED`||Status==`FAILED`]'
# Output:
# []
Mutual TLS (mTLS)
In standard TLS only the server proves its identity. With mTLS the server also sends a CertificateRequest, the client presents a certificate chaining to a CA in the server's truststore, and the server verifies both the chain and the client's proof of possession of the private key before the handshake completes. The verified identity (subject or SAN) is what the service then authorizes against: mTLS authenticates the caller, it does not decide what the caller may do.
# AWS: Configure mTLS on an API Gateway custom domain. truststore.pem is a PEM bundle of the
# CA certificates (not leaf certificates) allowed to sign client certificates, stored in S3
# in the same region; TruststoreVersion is the S3 object version ID and only applies when
# bucket versioning is enabled ("1" below is a placeholder).
aws apigatewayv2 update-domain-name \
--domain-name api.dodatech.com \
--mutual-tls-authentication TruststoreUri=s3://cert-bucket/truststore.pem,TruststoreVersion=1
# Also disable the API's default execute-api endpoint (update-api --disable-execute-api-endpoint);
# otherwise callers can skip the custom domain and its mTLS requirement entirely.
# Verify configuration
aws apigatewayv2 get-domain-name --domain-name api.dodatech.com
# Output:
# {
# "DomainName": "api.dodatech.com",
# "MutualTlsAuthentication": {
# "TruststoreUri": "s3://cert-bucket/truststore.pem",
# "TruststoreVersion": "1"
# }
# }
Azure Key Vault Certificates
Azure Key Vault stores certificates together with their private keys and can issue them itself (self-signed) or through an integrated public CA (DigiCert or GlobalSign). Renewal is driven by the policy's lifetime actions: AutoRenew re-issues through the configured issuer, while certificates imported from elsewhere can only trigger an EmailContacts warning and must be renewed by whoever issued them.
# Create a certificate in Key Vault from a policy file. The policy below is self-issued, which
# is fine for a test vault; in production point issuerParameters at an integrated CA instead.
az keyvault certificate create \
--vault-name prod-keyvault-01 \
--name api-cert \
--policy "$(cat cert-policy.json)"
# cert-policy.json example structure (same shape as 'az keyvault certificate get-default-policy'):
# {
# "keyProperties": {"keyType": "RSA", "keySize": 2048},
# "secretProperties": {"contentType": "application/x-pkcs12"},
# "x509CertificateProperties": {
# "subject": "CN=api.dodatech.com",
# "subjectAlternativeNames": {"dnsNames": ["api.dodatech.com"]},
# "ekus": ["1.3.6.1.5.5.7.3.1"],
# "validityInMonths": 12
# },
# "issuerParameters": {"name": "Self"},
# "lifetimeActions": [{"trigger": {"daysBeforeExpiry": 30}, "action": {"actionType": "AutoRenew"}}]
# }
# Modern clients ignore the CN and match on the SAN, so dnsNames must carry the hostname;
# the ekus entry restricts the certificate to server authentication.
# List certificates and their expiry dates (renewal is automatic per lifetimeActions; monitor it anyway)
az keyvault certificate list --vault-name prod-keyvault-01 --query "[].{Name:name, Expires:attributes.expires}" --output table
# Output:
# Name Expires
# api-cert 2027-06-24T00:00:00+00:00
GCP Certificate Authority Service
GCP CAS is a managed private CA: it issues, lists, and revokes certificates that chain to a root you control rather than to public trust. Every client that must accept those certificates needs the pool's CA bundle in its trust store, and for mTLS that same bundle is what the server validates client certificates against.
# Create a CA pool. The enterprise tier records every issued certificate so it can be listed
# and revoked; the cheaper devops tier cannot revoke.
gcloud privateca pools create prod-ca-pool --location us-central1 --tier enterprise
# Create a root CA and enable it (without --auto-enable the CA is created in the STAGED state)
gcloud privateca roots create prod-root-ca \
--pool prod-ca-pool \
--location us-central1 \
--subject "CN=Root CA, O=DodaTech" \
--key-algorithm ec-p256-sha256 \
--auto-enable
# Issue a TLS certificate from a CSR; the subject and SANs come from the CSR itself. Keep the
# validity short (the default is 30 days) and let automation renew.
gcloud privateca certificates create api-cert \
--issuer-pool prod-ca-pool \
--issuer-location us-central1 \
--csr my-csr.pem \
--validity P90D \
--cert-output-file api-cert.pem
TLS Version Enforcement
Always enforce TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated (RFC 8996): their handshakes and CBC record layer are tied to MD5/SHA-1 constructions and to attacks such as BEAST, and they cannot use AEAD cipher suites at all. With TLS 1.2, review the cipher suites too, not only the version: prefer forward-secret ECDHE key exchange with AEAD suites (GCM or ChaCha20-Poly1305), or at least the most recent predefined policy the platform offers. The control lives wherever TLS terminates: the CloudFront viewer certificate settings below, the listener SSL policy on ALB/NLB (for example ELBSecurityPolicy-TLS13-1-2-2021-06), and the TLS_1_2 security policy on API Gateway custom domains.
# AWS: Enforce a minimum TLS version on CloudFront. update-distribution replaces the whole
# configuration and needs the current ETag, so start from get-distribution-config.
aws cloudfront get-distribution-config --id E123456 > dist.json
# Copy the DistributionConfig object out of dist.json into dist-config.json and edit its
# ViewerCertificate block. A minimum version can only be set with a custom certificate
# (for CloudFront the ACM certificate must live in us-east-1) and sni-only; with
# CloudFrontDefaultCertificate the minimum is fixed at TLSv1.
#   "ViewerCertificate": {
#     "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-bbbb-cccc-dddd",
#     "SSLSupportMethod": "sni-only",
#     "MinimumProtocolVersion": "TLSv1.2_2021"
#   }
aws cloudfront update-distribution \
--id E123456 \
--if-match "$(jq -r .ETag dist.json)" \
--distribution-config file://dist-config.json
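The mTLS truststore configured on API Gateway earlier and the minimum protocol version set here are, at the protocol level, two decisions made by the server's TLS configuration: which CAs may vouch for a client, and which protocol versions are acceptable. The Go program below is an added example written for this page, not code from the original page or from DodaTech. It uses only the standard library: it builds a throwaway private CA in memory (standing in for GCP CAS, or for the CA bundle in truststore.pem), issues a server certificate for api.dodatech.com and a client certificate, then runs four handshakes over loopback against a listener that requires a client certificate and TLS 1.2 or newer. The client identity billing.svc.dodatech.internal, the CA names, the 24-hour certificate lifetime, and the 5-second deadline are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: acceptable in a demo, never in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for cn signed by parent; with parent == nil
// it produces a self-signed root CA instead. Example helper standing in for a managed CA.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: pin the name and the intended use so verifiers can check both
		tmpl.DNSNames, tmpl.KeyUsage, tmpl.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{eku}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// buildPKI creates a throwaway private CA and returns its trust pool, the server and
// client certs it issued, and a client cert from an unrelated CA that must be rejected.
func buildPKI() (trust *x509.CertPool, server, client, rogue tls.Certificate) {
	_, root, rootKey := issue("DodaTech Internal Root CA", 0, nil, nil)
	_, other, otherKey := issue("Some Other Root CA", 0, nil, nil)
	trust = x509.NewCertPool()
	trust.AddCert(root)
	server, _, _ = issue("api.dodatech.com", x509.ExtKeyUsageServerAuth, root, rootKey)
	client, _, _ = issue("billing.svc.dodatech.internal", x509.ExtKeyUsageClientAuth, root, rootKey)
	rogue, _, _ = issue("billing.svc.dodatech.internal", x509.ExtKeyUsageClientAuth, other, otherKey)
	return
}

// handshake runs one handshake over loopback TCP and returns the server's view of it. Server
// errors take priority: in TLS 1.3 the client's handshake can finish before the server rejects its cert.
func handshake(srvCfg, cliCfg *tls.Config) (st tls.ConnectionState, err error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			err = c.(*tls.Conn).Handshake()
			st = c.(*tls.Conn).ConnectionState()
		}
		srvDone <- err
	}()
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cliErr == nil {
		defer cli.Close()
	}
	if err = <-srvDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return st, cliErr
}

// connect dials the hardened internal API (TLS 1.2+ only, client cert chaining to the private
// CA mandatory) and returns the negotiated version plus the authenticated client identity.
// mTLS only authenticates that identity; deciding what it may call is a separate step.
func connect(trust *x509.CertPool, server tls.Certificate, certs []tls.Certificate, maxVersion uint16) (uint16, string, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	cli := &tls.Config{RootCAs: trust, ServerName: "api.dodatech.com", Certificates: certs,
		MinVersion: tls.VersionTLS10, MaxVersion: maxVersion} // floor lowered only so a legacy client can be simulated
	st, err := handshake(srv, cli)
	if err != nil {
		return 0, "", err
	}
	return st.Version, st.PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	trust, server, client, rogue := buildPKI()
	fmt.Println(connect(trust, server, []tls.Certificate{client}, tls.VersionTLS13)) // 772 billing.svc.dodatech.internal <nil>
	fmt.Println(connect(trust, server, nil, tls.VersionTLS13))                      // error: no client certificate
	fmt.Println(connect(trust, server, []tls.Certificate{rogue}, tls.VersionTLS13))  // error: unknown authority
	fmt.Println(connect(trust, server, []tls.Certificate{client}, tls.VersionTLS11)) // error: unsupported version
}
```

Run it with go run. The first line prints 772 (0x0304, TLS 1.3) and the client name taken from the verified certificate; the other three print an error raised by the server: no certificate offered, a certificate from a CA outside the truststore, and a client capped at TLS 1.1, which the MinVersion setting refuses before any cipher negotiation. Note the TLS 1.3 subtlety the helper works around: the client's Handshake() can return nil before the server has judged its certificate, so a client that treats a completed handshake as proof of authentication only sees the rejection on its first read. Check the server side, or the first request, when testing mTLS.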
Common Mistakes
- Using self-signed certificates in production: A self-signed certificate chains to nothing, so every client has to be hand-configured to trust that one certificate, and in practice teams end up disabling validation instead. Use ACM or a managed private CA and distribute only the CA root.
- Not renewing certificates before expiry: Expired certificates cause immediate connection failures. Automate renewal with a 30-day lead time and alert on certificates that are still unrenewed inside that window, because renewal automation fails silently (a deleted validation CNAME is enough to stop ACM).
- Disabling certificate validation in development code: Settings such as InsecureSkipVerify, verify=False, or NODE_TLS_REJECT_UNAUTHORIZED=0 added "just for dev" routinely ship to production. Always validate; give developers a private CA root to trust instead.
- Using TLS 1.0 or 1.1: Both are deprecated. Enforce TLS 1.2 minimum across all services and load balancers, and review the cipher suites the policy allows, not only the version.
- Ignoring mTLS for internal services: Internal traffic without encryption is a common blind spot, and without client authentication any compromised workload on the network can impersonate a caller. Encrypt and authenticate every hop, not just the edge.
Practice Questions
- What is the difference between TLS termination and TLS passthrough?
- How does mTLS differ from standard TLS?
- Which AWS service automatically renews SSL certificates?
- Why should you enforce a minimum TLS version?
- How does Azure Key Vault handle certificate lifecycle management?
Challenge
Implement end-to-end TLS for a microservices architecture. The edge load balancer terminates TLS 1.3 for external clients. All internal services communicate over mTLS using certificates issued by a private CA. Write the configuration for AWS ACM, GCP CAS, and Azure Key Vault.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro