
Enable Cross-Zone Load Balancing

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

By using at least two subnets in different Availability Zones (AZs) with the Cross-Zone Load Balancing feature enabled, your Amazon Gateway Load Balancers (GWLBs) can distribute the traffic evenly across all registered targets.

Security

By default, the Cross-Zone Load Balancing feature is disabled, so each Gateway Load Balancer (GWLB) node distributes traffic only across the registered targets in its own Availability Zone (AZ). If a target becomes unhealthy, the load balancer node continues to send that target's existing flows to it, so that traffic is effectively nulled, while new flows are sent to the healthy targets in the same Availability Zone. If the zone has no healthy targets at all, the node nulls all of its traffic. Once the Cross-Zone Load Balancing feature is enabled and configured, a load balancer node that finds no healthy target in its own Availability Zone can send new flows to healthy targets in a different Availability Zone. This provides fault tolerance and a consistent traffic flow through your load balancers even when one zone's appliances fail.


Audit

To determine if Cross-Zone Load Balancing is enabled for your Gateway Load Balancers (GWLBs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to examine. A Gateway Load Balancer (GWLB) has the Type attribute value set to gateway in the Type column.

05 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

06 In the Attributes section, check the Cross-zone load balancing attribute value. If the Cross-zone load balancing attribute value is set to Disabled, the Cross-Zone Load Balancing feature is not enabled for the selected Gateway Load Balancer (GWLB).

07 Repeat steps no. 4 – 6 for each Gateway Load Balancer available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Gateway Load Balancers (GWLBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `gateway`)].LoadBalancerArn'

02 The command output should return an array with the requested resource ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-production-gwlb/abcdabcdabcdabcd"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Gateway Load Balancer (GWLB) that you want to examine as the identifier parameter and custom query filters to describe the Cross-Zone Load Balancing feature status for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234 \
  --query 'Attributes[?(Key == `load_balancing.cross_zone.enabled`)].Value | []'

04 The command output should return the requested configuration status ("true" for enabled, "false" for disabled):

[
	"false"
]

If the describe-load-balancer-attributes command output returns "false", as shown in the output example above, the Cross-Zone Load Balancing feature is not enabled for the selected Gateway Load Balancer (GWLB).

05 Repeat steps no. 3 and 4 for each Gateway Load Balancer available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable the Cross-Zone Load Balancing feature for your existing Amazon Gateway Load Balancers (GWLBs), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"GatewayLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-gateway-load-balancer",
				"Type": "gateway",
				"LoadBalancerAttributes": [
					{
						"Key": "load_balancing.cross_zone.enabled",
						"Value": "true"
					}
				],
				"SubnetMappings": [
					{
						"SubnetId": "subnet-01234abcd1234abcd"
					},
					{
						"SubnetId": "subnet-0abcd1234abcd1234"
					},
					{
						"SubnetId": "subnet-0abcdabcdabcdabcd"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-gateway-load-balancer
      Type: gateway
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: 'true'
      SubnetMappings:
        - SubnetId: subnet-01234abcd1234abcd
        - SubnetId: subnet-0abcd1234abcd1234
        - SubnetId: subnet-0abcdabcdabcdabcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_lb" "gateway-load-balancer" {
	name                             = "cc-gateway-load-balancer"
	load_balancer_type               = "gateway"
	enable_cross_zone_load_balancing = true
	subnet_mapping {
		subnet_id = "subnet-01234abcd1234abcd"
	}
	subnet_mapping {
		subnet_id = "subnet-0abcd1234abcd1234"
	}
	subnet_mapping {
		subnet_id = "subnet-0abcdabcdabcdabcd"
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to examine. A Gateway Load Balancer (GWLB) has the Type attribute value set to gateway in the Type column.

05 Select the Description tab and click on the Edit attributes button available in the Attributes section.

06 In the Edit load balancer attributes configuration box, select Enable next to Cross-zone load balancing to enable the Cross-Zone Load Balancing feature for the selected Gateway Load Balancer (GWLB). Choose Save to apply the changes. Regional data transfer charges may apply when Cross-Zone Load Balancing is enabled.

07 Repeat steps no. 4 – 6 for each Gateway Load Balancer that you want to reconfigure, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Gateway Load Balancer (GWLB) that you want to reconfigure as the identifier parameter, to enable the Cross-Zone Load Balancing feature for the selected load balancer:

aws elbv2 modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234 \
  --attributes Key=load_balancing.cross_zone.enabled,Value=true

02 The command output should return the configuration attributes available for the modified load balancer:

{
	"Attributes": [
		{
			"Key": "deletion_protection.enabled",
			"Value": "true"
		},
		{
			"Key": "load_balancing.cross_zone.enabled",
			"Value": "true"
		}
	]
}

03 Repeat steps no. 1 and 2 for each Gateway Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
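The Audit and Remediation CLI steps above, carried out across every Gateway Load Balancer and every region in a single run, as an added example that is not part of this page, of Conformity, or of the AWS CLI. It is a Python script built on boto3 (assumed installed, with credentials allowed to call elasticloadbalancing:DescribeLoadBalancers, DescribeLoadBalancerAttributes and, for --fix, ModifyLoadBalancerAttributes). The FakeElbv2 class and the PROD_ARN/STAGING_ARN values are constructed so the module runs offline; the live path issues the same API calls, with the same parameters, as the CLI commands shown above. Two details the manual steps gloss over are handled: pagination of describe-load-balancers, and a load balancer whose attribute list lacks the cross-zone key altogether, which is reported as disabled rather than skipped.

```python
"""Audit, and optionally remediate, cross-zone load balancing on Gateway Load Balancers.

Added example for this page, not Conformity's or AWS's own code. The live path assumes
boto3 and credentials allowed to call elasticloadbalancing:DescribeLoadBalancers,
DescribeLoadBalancerAttributes and (with --fix) ModifyLoadBalancerAttributes.
"""
import sys

CROSS_ZONE_KEY = "load_balancing.cross_zone.enabled"


def cross_zone_enabled(attributes):
    """True only if the attribute is present and its string value is "true".

    ELBv2 returns every attribute value as a string. A missing key is treated as
    disabled (the documented default), so it is flagged rather than silently skipped.
    """
    for attr in attributes:
        if attr.get("Key") == CROSS_ZONE_KEY:
            return attr.get("Value", "").strip().lower() == "true"
    return False


def gateway_load_balancers(elbv2):
    """Yield (ARN, name) for each GWLB in the client's region, following pagination."""
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb.get("Type") == "gateway":
                yield lb["LoadBalancerArn"], lb.get("LoadBalancerName", "")


def audit_region(elbv2, fix=False):
    """Return one finding per non-compliant GWLB; with fix=True, enable the attribute first.

    "fixed" is decided from the attributes the Modify call returns, not from the
    call merely not raising.
    """
    findings = []
    for arn, name in gateway_load_balancers(elbv2):
        attrs = elbv2.describe_load_balancer_attributes(LoadBalancerArn=arn)["Attributes"]
        if cross_zone_enabled(attrs):
            continue
        fixed = False
        if fix:
            resp = elbv2.modify_load_balancer_attributes(
                LoadBalancerArn=arn,
                Attributes=[{"Key": CROSS_ZONE_KEY, "Value": "true"}],
            )
            fixed = cross_zone_enabled(resp["Attributes"])
        findings.append({"name": name, "arn": arn, "fixed": fixed})
    return findings


# Constructed ARNs for the offline stand-in below (not real resources).
PROD_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/prod-gwlb/0000000000000001"
STAGING_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/staging-gwlb/0000000000000002"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0000000000000003"


class FakeElbv2:
    """Constructed stand-in for a boto3 'elbv2' client: one ALB (must be ignored), one
    compliant GWLB, and one GWLB whose attribute list lacks the cross-zone key entirely."""

    def __init__(self):
        self.lbs = [
            {"LoadBalancerArn": ALB_ARN, "LoadBalancerName": "web", "Type": "application"},
            {"LoadBalancerArn": PROD_ARN, "LoadBalancerName": "prod-gwlb", "Type": "gateway"},
            {"LoadBalancerArn": STAGING_ARN, "LoadBalancerName": "staging-gwlb", "Type": "gateway"},
        ]
        self.attrs = {
            PROD_ARN: [{"Key": CROSS_ZONE_KEY, "Value": "true"}],
            STAGING_ARN: [{"Key": "deletion_protection.enabled", "Value": "false"}],
        }
        self.modified = []

    def get_paginator(self, name):
        pages = [self.lbs[:2], self.lbs[2:]]  # two pages, to exercise pagination

        class Paginator:
            def paginate(self_inner):
                for p in pages:
                    yield {"LoadBalancers": p}

        return Paginator()

    def describe_load_balancer_attributes(self, LoadBalancerArn):
        return {"Attributes": list(self.attrs[LoadBalancerArn])}

    def modify_load_balancer_attributes(self, LoadBalancerArn, Attributes):
        self.modified.append(LoadBalancerArn)
        merged = {a["Key"]: a["Value"] for a in self.attrs[LoadBalancerArn]}
        merged.update({a["Key"]: a["Value"] for a in Attributes})
        self.attrs[LoadBalancerArn] = [{"Key": k, "Value": v} for k, v in merged.items()]
        return {"Attributes": list(self.attrs[LoadBalancerArn])}


def main(argv):
    """Live run: `--live [--fix] [region ...]`; with no regions, every region boto3 lists for elbv2."""
    import boto3  # imported here so the offline demo and tests do not need it

    fix = "--fix" in argv
    session = boto3.session.Session()
    regions = [a for a in argv if not a.startswith("--")] or session.get_available_regions("elbv2")
    for region in regions:
        for f in audit_region(session.client("elbv2", region_name=region), fix=fix):
            print(f"{region}\t{f['name']}\t{'enabled now' if f['fixed'] else 'DISABLED'}\t{f['arn']}")


if __name__ == "__main__":
    if "--live" in sys.argv:
        main(sys.argv[1:])
    else:
        print(audit_region(FakeElbv2()))  # offline demo against the constructed client
```

Run it with no arguments to see the offline demo report the staging GWLB, with `--live` to audit the account, and with `--live --fix` to enable the attribute on every non-compliant Gateway Load Balancer. The same data transfer caveat from the console steps applies to anything the script fixes, so review the audit output before rerunning with --fix.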

Publication date Feb 6, 2021