ELB Cross-Zone Load Balancing Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-002

By using at least two subnets in different Availability Zones (AZs) with the Cross-Zone Load Balancing feature enabled, your Classic Load Balancer can distribute your application traffic evenly across all registered instances. To use Cross-Zone Load Balancing at optimal level, AWS recommends maintaining an equal EC2 capacity distribution in each of the AZs registered with the load balancer.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Enabling Cross-Zone Load Balancing makes it easier to deploy and manage applications that run across multiple subnets in different Availability Zones (AZs). It also provides better fault tolerance and a more consistent traffic flow. If one of the AZs configured for the load balancer fails (as a result of a network outage or power loss), a load balancer with Cross-Zone Load Balancing enabled acts as a traffic guard, stopping requests from being sent to the unhealthy zone and routing them to the other available zone(s).


Audit

To determine if Cross-Zone Load Balancing is enabled for your Classic Load Balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, check the Cross-zone load balancing feature status. If the feature status is set to Disabled, Cross-Zone Load Balancing is not enabled for the selected Amazon Classic Load Balancer.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to determine if Cross-Zone Load Balancing is enabled for the selected load balancer:

aws elb describe-load-balancer-attributes \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled'

04 The command output should return the reliability feature status (true for enabled, false for disabled):

false

If the describe-load-balancer-attributes command output returns false, the Cross-Zone Load Balancing feature is not enabled for the selected Amazon Classic Load Balancer.

05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
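The audit steps above can be automated over the JSON that describe-load-balancers and describe-load-balancer-attributes return. The following is an added example (not Conformity's own checker): it evaluates each Classic Load Balancer against ELB-002, requiring both the Cross-Zone Load Balancing attribute and at least two attached Availability Zones, and emits the page's remediation command for non-compliant ones. The sample responses are constructed to match the API shape; a live run would feed the output of those two commands (or boto3's elb client) into the same functions.

```python
"""Evaluate Classic Load Balancers for rule ELB-002 (Cross-Zone Load Balancing).

Works on the JSON shapes returned by `aws elb describe-load-balancers` and
`aws elb describe-load-balancer-attributes`, so it runs offline on the
constructed sample data below and unchanged on live responses.
"""
from typing import Dict, List

# Constructed sample responses (not real AWS output); names mirror the page's examples.
LOAD_BALANCERS = [
    {"LoadBalancerName": "cc-frontend-load-balancer",
     "AvailabilityZones": ["us-east-1a", "us-east-1b"],
     "Subnets": ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd"]},
    {"LoadBalancerName": "cc-project5-load-balancer",
     "AvailabilityZones": ["us-east-1a"],
     "Subnets": ["subnet-01234abcd1234abcd"]},
]
ATTRIBUTES = {
    "cc-frontend-load-balancer": {"CrossZoneLoadBalancing": {"Enabled": True}},
    "cc-project5-load-balancer": {"CrossZoneLoadBalancing": {"Enabled": False}},
}


def evaluate_elb(description: Dict, attributes: Dict) -> Dict:
    """Return a finding for one Classic Load Balancer.

    Compliant only when Cross-Zone Load Balancing is enabled AND the load
    balancer spans at least two Availability Zones; otherwise list what is missing.
    """
    name = description["LoadBalancerName"]
    zones = sorted(set(description.get("AvailabilityZones", [])))
    cross_zone = bool(attributes.get("CrossZoneLoadBalancing", {}).get("Enabled", False))
    issues: List[str] = []
    if not cross_zone:
        issues.append("cross-zone load balancing disabled")
    if len(zones) < 2:
        issues.append(f"only {len(zones)} availability zone(s) attached")
    finding = {"name": name, "zones": zones, "cross_zone": cross_zone,
               "compliant": not issues, "issues": issues}
    if not cross_zone:
        # Remediation command from the page's "Using AWS CLI" section.
        finding["remediation"] = (
            f"aws elb modify-load-balancer-attributes --load-balancer-name {name} "
            "--load-balancer-attributes '{\"CrossZoneLoadBalancing\":{\"Enabled\":true}}'")
    return finding


def audit(load_balancers: List[Dict], attributes_by_name: Dict[str, Dict]) -> List[Dict]:
    """Evaluate every load balancer; a missing attributes entry counts as disabled."""
    return [evaluate_elb(lb, attributes_by_name.get(lb["LoadBalancerName"], {}))
            for lb in load_balancers]


if __name__ == "__main__":
    for f in audit(LOAD_BALANCERS, ATTRIBUTES):
        status = "PASS" if f["compliant"] else "FAIL: " + "; ".join(f["issues"])
        print(f"{f['name']}: {status}")
```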

Remediation / Resolution

To enable Cross-Zone Load Balancing with at least two subnets in different Availability Zones (AZs), you need to perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Cross-Zone Load Balancing for Classic Load Balancers",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234" ],
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "80",
            "Protocol": "HTTP",
            "PolicyNames": []
        }],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        },
        "CrossZone": "true"
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Cross-Zone Load Balancing for Classic Load Balancers
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
        - subnet-01234123412341234
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '80'
          Protocol: HTTP
          PolicyNames: []
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      CrossZone: 'true'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd", "subnet-01234123412341234"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Enable Cross-Zone Load Balancing for Classic Load Balancers
  cross_zone_load_balancing = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to reconfigure.

06 Select the Description tab from the console bottom panel to access the configuration information available for the selected load balancer.

07 In the Attributes section, choose Change cross-zone load balancing setting next to Cross-zone load balancing to modify the feature configuration.

08 In the Configure Cross-Zone Load Balancing box, select the Enable checkbox to enable the Cross-Zone Load Balancing feature for the selected Classic Load Balancer. Choose Save to apply the changes.

09 Select the Instances tab from the console bottom panel and choose Edit Availability Zones to update the subnets configuration available for the load balancer.

10 In the Add and Remove Subnets configuration box, under Available Subnets, click the add (+) button to add more VPC subnets to the load balancer configuration. Select at least two subnets in different Availability Zones (AZs) to provide higher availability for your load balancer. Choose Save to apply the changes.

11 Repeat steps no. 5 – 10 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to enable the Cross-Zone Load Balancing feature for the selected Amazon Classic Load Balancer:

aws elb modify-load-balancer-attributes \
  --load-balancer-name cc-frontend-load-balancer \
  --load-balancer-attributes "{\"CrossZoneLoadBalancing\":{\"Enabled\":true}}"

02 The command output should return the Cross-Zone Load Balancing configuration:

{
    "LoadBalancerName": "cc-frontend-load-balancer",
    "LoadBalancerAttributes": {
        "CrossZoneLoadBalancing": {
            "Enabled": true
        }
    }
}

03 Run attach-load-balancer-to-subnets command (OSX/Linux/UNIX) to add more available VPC subnets to the existing load balancer configuration. Add at least two subnets in different Availability Zones (AZs) to provide higher availability for your Classic Load Balancer:

aws elb attach-load-balancer-to-subnets \
  --load-balancer-name cc-frontend-load-balancer \
  --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd subnet-01234123412341234

04 The command output should return the VPC subnets configured for the selected load balancer:

{
    "Subnets": [
        "subnet-0abcd1234abcd1234",
        "subnet-01234abcd1234abcd",
        "subnet-01234123412341234",
        "subnet-0abcdabcdabcdabcd"
    ]
}

05 Repeat steps no. 1 – 4 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 1, 2016