
Enable Support for HTTP/2

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that HTTP/2 support (i.e. "routing.http2.enabled" configuration flag) is enabled for your Amazon Application Load Balancers (ALBs) in order to benefit from the performance enhancements introduced by the HTTP/2 protocol.

Performance efficiency

Hypertext Transfer Protocol Version 2 (HTTP/2) is a significant improvement over HTTP/1.1: it multiplexes multiple requests over a single connection, compresses header data and transmits it in a binary framing format, and supports SSL/TLS connections to clients. For Application Load Balancer (ALB) clients, multiplexing requests across one connection and negotiating SSL/TLS only once can deliver significant performance benefits, depending on the website or web application behind the load balancer.


Audit

To determine if the HTTP/2 support is enabled for your Application Load Balancers (ALBs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, check the HTTP/2 configuration attribute value. If the HTTP/2 attribute value is set to Disabled, the support for the HTTP/2 protocol is not enabled for the selected Application Load Balancer (ALB).

08 Repeat steps no. 5 – 7 for each Application Load Balancer deployed within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers (ALBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'

02 The command output should return an array with the requested ALB ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to examine as the identifier parameter and custom query filters, to describe the HTTP/2 support status available for the selected load balancer:

aws elbv2 describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd \
  --query 'Attributes[?(Key == `routing.http2.enabled`)].Value | []'

04 The command output should return the requested configuration status ("true" for enabled, "false" for disabled):

[
	"false"
]

If the describe-load-balancer-attributes command output returns false, as shown in the output example above, the support for the HTTP/2 protocol is not enabled for the selected Application Load Balancer (ALB).

05 Repeat steps no. 3 and 4 for each Application Load Balancer deployed in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
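The two CLI steps above (list the ALBs, then read routing.http2.enabled for each) can be scripted so that every ALB in a region is checked in one pass. The following is an added example, not code from the Conformity page or from AWS; it uses the boto3 elbv2 client calls describe_load_balancers (via its paginator, since boto3 does not paginate on its own) and describe_load_balancer_attributes. The sample load balancer and attribute data are constructed to mirror the CLI output shapes shown above, so the script runs offline; the NLB entry is made up to show that non-application load balancers are skipped, because the HTTP/2 attribute only exists on ALBs.

```python
# Added example (not part of the Conformity page or AWS tooling): audit every
# Application Load Balancer in a region for routing.http2.enabled.
from typing import Callable, Dict, Iterable, List

HTTP2_KEY = "routing.http2.enabled"


def http2_enabled(attributes: Iterable[dict]) -> bool:
    """True only when routing.http2.enabled is present and equals 'true'.

    A missing attribute is reported as not enabled, so the audit fails closed
    rather than silently passing a load balancer it could not inspect.
    """
    for attr in attributes:
        if attr.get("Key") == HTTP2_KEY:
            return str(attr.get("Value", "")).lower() == "true"
    return False


def audit_http2(load_balancers: Iterable[dict],
                get_attributes: Callable[[str], List[dict]]) -> List[dict]:
    """Return one finding per ALB: {'arn', 'name', 'http2'}.

    Network and Gateway Load Balancers are skipped, mirroring the
    `Type == application` query filter in the CLI audit step.
    """
    findings = []
    for lb in load_balancers:
        if lb.get("Type") != "application":
            continue
        arn = lb["LoadBalancerArn"]
        findings.append({
            "arn": arn,
            "name": lb.get("LoadBalancerName", ""),
            "http2": http2_enabled(get_attributes(arn)),
        })
    return findings


def noncompliant_arns(findings: Iterable[dict]) -> List[str]:
    """ARNs of ALBs where HTTP/2 support is disabled (the check's failure case)."""
    return [f["arn"] for f in findings if not f["http2"]]


def audit_region_with_boto3(session, region: str) -> List[dict]:
    """Run the audit against a real account; `session` is a boto3.Session."""
    client = session.client("elbv2", region_name=region)
    pages = client.get_paginator("describe_load_balancers").paginate()
    lbs = [lb for page in pages for lb in page["LoadBalancers"]]

    def get_attributes(arn: str) -> List[dict]:
        resp = client.describe_load_balancer_attributes(LoadBalancerArn=arn)
        return resp["Attributes"]

    return audit_http2(lbs, get_attributes)


# Constructed sample data shaped like describe-load-balancers and
# describe-load-balancer-attributes output. The two ALB ARNs are the ones used
# on this page; the NLB entry is made up to show that it is skipped.
SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd",
     "LoadBalancerName": "cc-frontend-web-alb", "Type": "application"},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234",
     "LoadBalancerName": "cc-internal-app-alb", "Type": "application"},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-net-load-balancer/0123456789abcdef",
     "LoadBalancerName": "cc-net-load-balancer", "Type": "network"},
]
SAMPLE_ATTRIBUTES: Dict[str, List[dict]] = {
    SAMPLE_LOAD_BALANCERS[0]["LoadBalancerArn"]: [
        {"Key": "routing.http2.enabled", "Value": "false"},
        {"Key": "idle_timeout.timeout_seconds", "Value": "60"},
    ],
    SAMPLE_LOAD_BALANCERS[1]["LoadBalancerArn"]: [
        {"Key": "routing.http2.enabled", "Value": "true"},
    ],
}


def run_sample() -> List[dict]:
    """Audit the constructed sample offline (no AWS credentials needed)."""
    return audit_http2(SAMPLE_LOAD_BALANCERS, lambda arn: SAMPLE_ATTRIBUTES[arn])


if __name__ == "__main__":
    for finding in run_sample():
        status = "enabled" if finding["http2"] else "DISABLED"
        print(f"{finding['name']}: HTTP/2 {status}")
    # Live use (needs credentials): import boto3, then
    # audit_region_with_boto3(boto3.Session(), "us-east-1")
```

To cover all regions, call audit_region_with_boto3 once per region returned by a boto3 EC2 describe_regions call and concatenate the findings; the pure audit_http2 function is what a unit test or a CI policy check would exercise.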

Remediation / Resolution

To enable the HTTP/2 support for your existing Amazon Application Load Balancers (ALBs), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"ApplicationLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-net-load-balancer",
				"Type": "application",
				"Scheme": "internet-facing",
				"IpAddressType": "ipv4",
				"SubnetMappings": [
					{
						"SubnetId": "subnet-01234abcd1234abcd"
					},
					{
						"SubnetId": "subnet-0abcd1234abcd1234"
					}
				],
				"LoadBalancerAttributes": [
					{
						"Key": "routing.http2.enabled",
						"Value": "true"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-net-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SubnetMappings:
        - SubnetId: subnet-01234abcd1234abcd
        - SubnetId: subnet-0abcd1234abcd1234
      LoadBalancerAttributes:
        - Key: routing.http2.enabled
          Value: 'true'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-net-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  subnet_mapping {
    subnet_id = "subnet-01234abcd1234abcd"
  }
  subnet_mapping {
    subnet_id = "subnet-0abcd1234abcd1234"
  }
  enable_http2 = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

05 Select the Application Load Balancer (ALB) that you want to reconfigure.

06 Select the Description tab and click on the Edit attributes button available in the Attributes section.

07 In the Edit load balancer attributes configuration box, select Enable next to HTTP/2 to enable the HTTP/2 support for the selected Application Load Balancer (ALB). Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Application Load Balancer that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the ARN of the Application Load Balancer (ALB) that you want to reconfigure as the identifier parameter, to enable the HTTP/2 support for the selected load balancer:

aws elbv2 modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd \
  --attributes Key=routing.http2.enabled,Value=true

02 The command output should return the configuration attributes for the modified load balancer:

{
	"Attributes": [
		{
			"Value": "true",
			"Key": "routing.http2.enabled"
		},
		{
			"Value": "false",
			"Key": "access_logs.s3.enabled"
		},
		{
			"Value": "",
			"Key": "access_logs.s3.bucket"
		},
		{
			"Value": "",
			"Key": "access_logs.s3.prefix"
		},
		{
			"Value": "60",
			"Key": "idle_timeout.timeout_seconds"
		},
		{
			"Value": "true",
			"Key": "deletion_protection.enabled"
		},
		{
			"Value": "true",
			"Key": "routing.http.drop_invalid_header_fields.enabled"
		},
		{
			"Value": "defensive",
			"Key": "routing.http.desync_mitigation_mode"
		}
	]
}

03 Repeat steps no. 1 and 2 for each Application Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
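The modify-load-balancer-attributes step above writes the attribute and echoes the full attribute list back, which is enough to verify the change in the same call. The following is an added example, not code from the Conformity page or from AWS: it wraps that step so it is idempotent (an ALB that already has HTTP/2 on is left untouched, so no spurious change event is generated), refuses ARNs that are not Application Load Balancers (ALB ARNs carry the loadbalancer/app/ segment, NLB ARNs loadbalancer/net/), and checks the response before reporting success. The FakeElbv2Client class and its initial state are constructed stand-ins for the boto3 elbv2 client so the script runs offline; with a real client the same enable_http2 function applies unchanged.

```python
# Added example (not part of the Conformity page or AWS tooling): idempotent,
# verified remediation of routing.http2.enabled on Application Load Balancers.
from typing import Dict, Iterable, List

HTTP2_KEY = "routing.http2.enabled"


def http2_enabled(attributes: Iterable[dict]) -> bool:
    """True only when routing.http2.enabled is present and equals 'true'."""
    for attr in attributes:
        if attr.get("Key") == HTTP2_KEY:
            return str(attr.get("Value", "")).lower() == "true"
    return False


def is_alb_arn(arn: str) -> bool:
    """ALB ARNs contain 'loadbalancer/app/'; NLBs use 'loadbalancer/net/'.
    routing.http2.enabled is only valid on ALBs, so anything else is refused."""
    return ":loadbalancer/app/" in arn


def enable_http2(client, arn: str) -> str:
    """Return 'already-enabled' or 'enabled'; raise if the write is not confirmed.

    `client` needs the boto3 elbv2 client's describe_load_balancer_attributes
    and modify_load_balancer_attributes methods (a real client or the fake below).
    """
    if not is_alb_arn(arn):
        raise ValueError(f"not an Application Load Balancer ARN: {arn}")
    current = client.describe_load_balancer_attributes(LoadBalancerArn=arn)
    if http2_enabled(current["Attributes"]):
        return "already-enabled"  # no write, so no change event
    resp = client.modify_load_balancer_attributes(
        LoadBalancerArn=arn,
        Attributes=[{"Key": HTTP2_KEY, "Value": "true"}],
    )
    # The API echoes the full attribute list (see the CLI output above);
    # use it to confirm the new value instead of assuming the write took.
    if not http2_enabled(resp["Attributes"]):
        raise RuntimeError(f"HTTP/2 attribute not confirmed on {arn}")
    return "enabled"


def remediate_all(client, arns: Iterable[str]) -> Dict[str, str]:
    """Apply enable_http2 to each ARN and map ARN -> outcome."""
    return {arn: enable_http2(client, arn) for arn in arns}


class FakeElbv2Client:
    """Constructed in-memory stand-in for the boto3 elbv2 client (offline demo)."""

    def __init__(self, attributes: Dict[str, Dict[str, str]]):
        self._attrs = attributes          # arn -> {attribute key: value}
        self.writes: List[str] = []       # ARNs that received a modify call

    def describe_load_balancer_attributes(self, LoadBalancerArn: str) -> dict:
        attrs = self._attrs[LoadBalancerArn]
        return {"Attributes": [{"Key": k, "Value": v} for k, v in attrs.items()]}

    def modify_load_balancer_attributes(self, LoadBalancerArn: str,
                                        Attributes: List[dict]) -> dict:
        self.writes.append(LoadBalancerArn)
        self._attrs[LoadBalancerArn].update({a["Key"]: a["Value"] for a in Attributes})
        return self.describe_load_balancer_attributes(LoadBalancerArn)


# The two ALB ARNs used on this page.
FRONTEND_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-web-alb/abcdabcdabcdabcd"
INTERNAL_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"


def make_sample_client() -> FakeElbv2Client:
    """Constructed state: the frontend ALB has HTTP/2 off, the internal one already on."""
    return FakeElbv2Client({
        FRONTEND_ARN: {HTTP2_KEY: "false", "idle_timeout.timeout_seconds": "60"},
        INTERNAL_ARN: {HTTP2_KEY: "true"},
    })


if __name__ == "__main__":
    client = make_sample_client()
    for arn, outcome in remediate_all(client, [FRONTEND_ARN, INTERNAL_ARN]).items():
        print(f"{arn.rsplit('/', 2)[1]}: {outcome}")
    # Live use: pass boto3.client("elbv2", region_name="us-east-1") instead of the fake.
```

Running the same function twice is safe: the second pass reports every ALB as already-enabled and issues no modify call, which is the property you want when the remediation runs from a scheduled job.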

Publication date Nov 24, 2023