by kevinkeller 2160 days ago
>Azure can even configure mutual authentication between the LB & the underlying servers

You can achieve a similar effect in AWS, by declaring only the LB's security group as the source in servers' security group ingress rule.

Any requests sent directly to the servers simply wouldn't connect.

1 comments

That’s also a thing on Azure, but you can actually deploy certificates for mutual authentication as well. That way if somehow the network layer is pierced, you have another layer of protection.
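
The AWS rule described in the parent comment (servers accept ingress only from the load balancer's security group) can be checked mechanically. The following is an added example, not code from either commenter: it audits ingress rules in the `IpPermissions` shape returned by EC2 `DescribeSecurityGroups`. All group IDs and sample rules are constructed placeholders, and `audit_ingress` is a hypothetical helper name.

```python
# Added example: flag any ingress source on a server security group
# other than the load balancer's security group.

LB_SG = "sg-0aaaaaaaaaaaaaaaa"  # constructed placeholder for the LB's group ID

# Constructed sample data, not taken from a real account.
SERVER_SG_OK = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": LB_SG}]},
    ],
}
SERVER_SG_BAD = {
    "GroupId": "sg-0cccccccccccccccc",
    "IpPermissions": [
        # The LB group is allowed, but so is the whole internet.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": LB_SG}]},
        # A second, unrelated security group is allowed on another port.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0dddddddddddddddd"}]},
    ],
}


def audit_ingress(group, lb_sg_id):
    """Return one finding per ingress source that is not lb_sg_id."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # Protocol "-1" means all traffic and carries no port range.
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        where = f"{group['GroupId']} {proto}/{ports}"
        for r in perm.get("IpRanges", []):
            findings.append(f"{where}: CIDR source {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{where}: CIDR source {r['CidrIpv6']}")
        for r in perm.get("PrefixListIds", []):
            findings.append(f"{where}: prefix list {r['PrefixListId']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != lb_sg_id:
                findings.append(f"{where}: other security group {pair.get('GroupId')}")
    return findings


if __name__ == "__main__":
    for sg in (SERVER_SG_OK, SERVER_SG_BAD):
        print(sg["GroupId"], audit_ingress(sg, LB_SG) or "only the LB group is allowed")
```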