
Enable Support for gRPC Protocol

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Application Load Balancers (ALBs) are configured to send requests to targets using the gRPC protocol. gRPC uses HTTP/2 as its transfer protocol and is becoming the protocol of choice for inter-service communication in applications built on microservice-based architectures. It provides the inherent benefits of HTTP/2, such as a lighter network footprint and compression, along with features like efficient binary serialization, support for numerous programming languages, and bidirectional streaming. Due to its performance benefits, you can use gRPC for client-to-service communication as well.

Performance efficiency

With support for the gRPC protocol enabled, you can use your Application Load Balancer to efficiently route and load balance gRPC traffic between microservices, or between gRPC-enabled clients and services. This allows you to introduce gRPC traffic management into your cloud architecture without changing any of the underlying infrastructure on your clients or services.


Audit

To determine if the support for gRPC protocol is enabled for your Application Load Balancers (ALBs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

07 Click on the name (link) of the target group associated with the selected load balancer, listed in the Rules column.

08 Select the associated target group, choose the Details tab, and check the Protocol version attribute value. If the Protocol version attribute value is different from gRPC, the selected Application Load Balancer (ALB) is not configured to send requests to targets using the gRPC protocol.

09 Repeat steps no. 5 – 8 for each Application Load Balancer (ALB) available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers (ALBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

02 The command output should return an array with the requested ALB ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"
]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as the identifier parameter and custom query filters to describe the protocol version used by the target group(s) associated with the selected load balancer:

aws elbv2 describe-target-groups \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd \
  --query 'TargetGroups[*].ProtocolVersion'

04 The command output should return the requested configuration information:

[
	"HTTP2"
]

If the describe-target-groups command output does not return "GRPC" as the protocol version configured for the associated target group(s), the selected Application Load Balancer (ALB) is not configured to send requests to targets using the gRPC protocol.

05 Repeat steps no. 3 and 4 for each Application Load Balancer (ALB) available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
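The CLI audit above can be automated. The following Python is an added example and not Conformity's own code: `find_non_grpc_target_groups` applies the page's check to the JSON shapes returned by describe-load-balancers and describe-target-groups (only load balancers of Type application are considered, and a missing ProtocolVersion is treated as the HTTP1 default), and `fetch_region` gathers the live inputs for one region with boto3, which is assumed to be installed and to have AWS credentials when that function is called.

```python
from typing import Dict, List


def find_non_grpc_target_groups(load_balancers: List[dict],
                                target_groups_by_lb: Dict[str, List[dict]]) -> List[dict]:
    """One finding per target group of an ALB whose ProtocolVersion is not GRPC.
    Non-application load balancers are skipped (their target groups carry no
    ProtocolVersion), matching the page's `Type == application` filter."""
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        for tg in target_groups_by_lb.get(lb["LoadBalancerArn"], []):
            version = tg.get("ProtocolVersion", "HTTP1")  # HTTP1 when unset
            if version != "GRPC":
                findings.append({"LoadBalancerArn": lb["LoadBalancerArn"],
                                 "TargetGroupName": tg["TargetGroupName"],
                                 "ProtocolVersion": version})
    return findings


def fetch_region(region: str):
    """Live inputs for one region via boto3 (needs AWS credentials; boto3 is
    imported lazily so the check above also runs offline)."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    lbs = [lb for page in elbv2.get_paginator("describe_load_balancers").paginate()
           for lb in page["LoadBalancers"]]
    tgs = {lb["LoadBalancerArn"]:
           elbv2.describe_target_groups(LoadBalancerArn=lb["LoadBalancerArn"])["TargetGroups"]
           for lb in lbs if lb["Type"] == "application"}
    return lbs, tgs


# Constructed sample data reusing the page's ARNs: one non-compliant ALB, one compliant.
FRONTEND = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd"
INTERNAL = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"
SAMPLE_LBS = [{"LoadBalancerArn": FRONTEND, "Type": "application"},
              {"LoadBalancerArn": INTERNAL, "Type": "application"}]
SAMPLE_TGS = {FRONTEND: [{"TargetGroupName": "cc-web-target-group", "ProtocolVersion": "HTTP2"}],
              INTERNAL: [{"TargetGroupName": "cc-internal-target-group", "ProtocolVersion": "GRPC"}]}

if __name__ == "__main__":
    for f in find_non_grpc_target_groups(SAMPLE_LBS, SAMPLE_TGS):
        print(f"{f['TargetGroupName']} on {f['LoadBalancerArn']}: {f['ProtocolVersion']}, expected GRPC")
```

To cover every region, call `fetch_region` once per region name and pass each result to `find_non_grpc_target_groups`.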

Remediation / Resolution

To implement the gRPC protocol for your existing Amazon Application Load Balancers (ALBs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-app-load-balancer",
				"Type": "application",
				"Scheme": "internet-facing",
				"IpAddressType": "ipv4",
				"Subnets": [
					"subnet-01234abcd1234abcd",
					"subnet-0abcd1234abcd1234"
				],
				"SecurityGroups": [
					"sg-0abcd1234abcd1234",
					"sg-01234abcd1234abcd"
				]
			}
		},
		"LoadBalancerTargetGroup": {
			"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
			"Properties": {
				"Name": "cc-new-web-target-group",
				"VpcId": "vpc-01234abcd1234abcd",
				"Port": 443,
				"Protocol": "HTTPS",
				"ProtocolVersion": "GRPC"
			}
		},
		"LoadBalancerListener": {
			"Type": "AWS::ElasticLoadBalancingV2::Listener",
			"Properties": {
				"Protocol": "HTTPS",
				"Port": 443,
				"LoadBalancerArn": {
					"Ref": "ApplicationLoadBalancer"
				},
				"Certificates": [
					{
						"CertificateArn": "arn:aws:iam::123412341234:server-certificate/domain.com"
					}
				],
				"DefaultActions": [
					{
						"Type": "forward",
						"TargetGroupArn": {
							"Ref": "LoadBalancerTargetGroup"
						}
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-app-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      SecurityGroups:
        - sg-0abcd1234abcd1234
        - sg-01234abcd1234abcd
  LoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: cc-new-web-target-group
      VpcId: vpc-01234abcd1234abcd
      Port: 443
      Protocol: HTTPS
      ProtocolVersion: GRPC
  LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      Certificates:
        - CertificateArn: arn:aws:iam::123412341234:server-certificate/domain.com
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'LoadBalancerTargetGroup'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
	name                       = "cc-app-load-balancer"
	load_balancer_type         = "application"
	internal                   = false
	ip_address_type            = "ipv4"
	subnets                    = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
	security_groups            = ["sg-0abcd1234abcd1234","sg-01234abcd1234abcd"]
}

resource "aws_lb_target_group" "load-balancer-target-group" {
	name             = "cc-new-web-target-group"
	vpc_id           = "vpc-01234abcd1234abcd"
	port             = 443
	protocol         = "HTTPS"
	protocol_version = "GRPC"
}

resource "aws_lb_listener" "load-balancer-listener" {
	port               = "443"
	protocol           = "HTTPS"
	certificate_arn    = "arn:aws:iam::123412341234:server-certificate/domain.com"
	load_balancer_arn  = aws_lb.application-load-balancer.arn
	default_action {
		type             = "forward"
		target_group_arn = aws_lb_target_group.load-balancer-target-group.arn
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Target Groups.

04 Click on the name (link) of the target group associated with your Application Load Balancer and collect all the configuration information available for the resource, including the information available for the registered targets.

05 Navigate back to the Target Groups listing page, and choose Create target group to create a new target group for your load balancer.

06 On the Create target group setup page, perform the following actions:

  1. For Step 1 Specify group details, provide a unique name for the new target group, select the required target type, choose the VPC network with the instances that you want to include in the target group, and configure the health checks. For Protocol version choose gRPC to enable support for the gRPC protocol. This will allow the associated load balancer to send requests to targets using the gRPC protocol. Choose Next to continue.
  2. For Step 2 Register targets, register the group targets identified at step no. 4, and choose Create target group to create your new, compliant target group.

07 In the main navigation panel, under Load Balancing, choose Load Balancers.

08 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

09 Select the Application Load Balancer (ALB) that you want to examine.

10 Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

11 Select the listener that you want to reconfigure and choose Edit.

12 On the Edit listener configuration page, under Default actions, update the listener's default action to route requests to the new target group created at step no. 6. Choose Save changes to apply the changes. If required, repeat this step for each listener defined for your Application Load Balancer (ALB).

13 Repeat steps no. 3 – 12 for each Application Load Balancer (ALB) available within the current AWS region.

14 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter, to describe the configuration of the associated target group(s):

aws elbv2 describe-target-groups \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd

02 The command output should return the requested configuration information:

{
	"TargetGroups": [
		{
			"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-web-target-group/1234abcd1234abcd",
			"TargetGroupName": "cc-web-target-group",
			"Protocol": "HTTPS",
			"Port": 443,
			"VpcId": "vpc-abcd1234",
			"HealthCheckProtocol": "HTTPS",
			"HealthCheckPort": "traffic-port",
			"HealthCheckEnabled": true,
			"HealthCheckIntervalSeconds": 30,
			"HealthCheckTimeoutSeconds": 5,
			"HealthyThresholdCount": 5,
			"UnhealthyThresholdCount": 2,
			"HealthCheckPath": "/",
			"Matcher": {
				"HttpCode": "200"
			},
			"LoadBalancerArns": [
				"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd"
			],
			"TargetType": "instance",
			"ProtocolVersion": "HTTP2"
		}
	]
}

03 Run create-target-group command (OSX/Linux/UNIX) to create a new target group that supports the gRPC protocol, using the configuration information returned at the previous step:

aws elbv2 create-target-group \
  --region us-east-1 \
  --name cc-new-web-target-group \
  --protocol HTTPS \
  --protocol-version GRPC \
  --port 443 \
  --target-type instance \
  --vpc-id vpc-abcd1234 \
  --health-check-enabled \
  --health-check-protocol HTTPS \
  --health-check-port "traffic-port" \
  --health-check-path "/" \
  --health-check-interval-seconds 30 \
  --health-check-timeout-seconds 5 \
  --healthy-threshold-count 5 \
  --unhealthy-threshold-count 2

04 The command output should return the configuration information available for the new target group:

{
	"TargetGroups": [
		{
			"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
			"TargetGroupName": "cc-new-web-target-group",
			"Protocol": "HTTPS",
			"Port": 443,
			"VpcId": "vpc-abcd1234",
			"HealthCheckProtocol": "HTTPS",
			"HealthCheckPort": "traffic-port",
			"HealthCheckEnabled": true,
			"HealthCheckIntervalSeconds": 30,
			"HealthCheckTimeoutSeconds": 5,
			"HealthyThresholdCount": 5,
			"UnhealthyThresholdCount": 2,
			"HealthCheckPath": "/",
			"Matcher": {
				"GrpcCode": "12"
			},
			"TargetType": "instance",
			"ProtocolVersion": "GRPC"
		}
	]
}

05 Run register-targets command (OSX/Linux/UNIX) to register the specified targets with the newly created target group (the command does not produce an output):

aws elbv2 register-targets \
  --region us-east-1 \
  --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd \
  --targets Id=i-01234abcd1234abcd Id=i-0abcd1234abcd1234

06 Run describe-listeners command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of each listener configured for your Application Load Balancer (ALB):

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd \
  --query 'Listeners[*].ListenerArn'

07 The command output should return the requested listener ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234"
]

08 Run modify-listener command (OSX/Linux/UNIX) to associate the new target group with your Application Load Balancer (ALB) by updating the default action for the specified listener:

aws elbv2 modify-listener \
  --region us-east-1 \
  --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd

09 The command output should return the information available for the modified listener:

{
	"Listeners": [
		{
			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-frontend-web-alb/abcdabcdabcdabcd/1234123412341234",
			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd",
			"Port": 443,
			"Protocol": "HTTPS",
			"Certificates": [
				{
					"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
				}
			],
			"SslPolicy": "ELBSecurityPolicy-2016-08",
			"DefaultActions": [
				{
					"Type": "forward",
					"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
					"ForwardConfig": {
						"TargetGroups": [
							{
								"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-new-web-target-group/1234abcd1234abcd",
								"Weight": 1
							}
						],
						"TargetGroupStickinessConfig": {
							"Enabled": false
						}
					}
				}
			]
		}
	]
}

10 Repeat steps no. 1 – 9 for each Application Load Balancer (ALB) available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the Remediation process for other regions.
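The CLI remediation steps 01 to 08 above can be scripted. The following Python is an added example, not Conformity's own code: `grpc_replacement_params` turns a describe-target-groups entry into the create-target-group parameters for its gRPC replacement, carrying over the health check settings and swapping the HTTP matcher (HttpCode, which is not valid for a gRPC target group) for a GrpcCode matcher; `remediate` runs the full sequence against a boto3 elbv2 client, which is assumed to be available with AWS credentials. The sample target group is constructed from the page's own describe-target-groups output.

```python
from typing import Dict

# Fields of a describe-target-groups entry that carry over unchanged into
# create-target-group (names match boto3's create_target_group keyword args).
_COPIED_FIELDS = ("Protocol", "Port", "VpcId", "TargetType", "HealthCheckProtocol",
                  "HealthCheckPort", "HealthCheckEnabled", "HealthCheckPath",
                  "HealthCheckIntervalSeconds", "HealthCheckTimeoutSeconds",
                  "HealthyThresholdCount", "UnhealthyThresholdCount")


def grpc_replacement_params(existing: dict, new_name: str, grpc_code: str = "12") -> Dict:
    """Build create_target_group kwargs for a gRPC replacement of `existing`.
    The HTTP matcher (HttpCode) is not valid for a gRPC target group, so it is
    replaced by a GrpcCode matcher; "12" is the default AWS applies and what
    the page's create-target-group output shows."""
    if existing.get("ProtocolVersion") == "GRPC":
        raise ValueError(f"{existing['TargetGroupName']} already uses GRPC")
    params = {k: existing[k] for k in _COPIED_FIELDS if k in existing}
    params["Name"] = new_name
    params["ProtocolVersion"] = "GRPC"
    params["Matcher"] = {"GrpcCode": grpc_code}
    return params


def remediate(elbv2, lb_arn: str, new_name: str, grpc_code: str = "12") -> str:
    """Live remediation of the first target group of `lb_arn` with a boto3 elbv2
    client: create the gRPC group, register the same targets, and point every
    listener's default action at it. Returns the new target group ARN."""
    old = elbv2.describe_target_groups(LoadBalancerArn=lb_arn)["TargetGroups"][0]
    new = elbv2.create_target_group(**grpc_replacement_params(old, new_name, grpc_code))
    new_arn = new["TargetGroups"][0]["TargetGroupArn"]
    health = elbv2.describe_target_health(TargetGroupArn=old["TargetGroupArn"])
    targets = [{"Id": d["Target"]["Id"], "Port": d["Target"]["Port"]}
               for d in health["TargetHealthDescriptions"]]
    if targets:
        elbv2.register_targets(TargetGroupArn=new_arn, Targets=targets)
    for listener in elbv2.describe_listeners(LoadBalancerArn=lb_arn)["Listeners"]:
        elbv2.modify_listener(ListenerArn=listener["ListenerArn"],
                              DefaultActions=[{"Type": "forward", "TargetGroupArn": new_arn}])
    return new_arn


# Constructed sample: the target group from the page's describe-target-groups output.
SAMPLE_TG = {"TargetGroupName": "cc-web-target-group", "Protocol": "HTTPS", "Port": 443,
             "VpcId": "vpc-abcd1234", "HealthCheckProtocol": "HTTPS", "HealthCheckPort": "traffic-port",
             "HealthCheckEnabled": True, "HealthCheckIntervalSeconds": 30, "HealthCheckTimeoutSeconds": 5,
             "HealthyThresholdCount": 5, "UnhealthyThresholdCount": 2, "HealthCheckPath": "/",
             "Matcher": {"HttpCode": "200"}, "TargetType": "instance", "ProtocolVersion": "HTTP2"}

if __name__ == "__main__":
    print(grpc_replacement_params(SAMPLE_TG, "cc-new-web-target-group"))
```

Listener rules other than the default action still forward to the old target group and need the same update before it is deleted.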


Publication date Feb 6, 2021