- ELBv2 Minimum Number of EC2 Target Instances
Ensure there are at least two healthy EC2 target instances registered to each Amazon Application Load Balancer (ALB) and Network Load Balancer (NLB) in order to provide a fault-tolerant load balancing configuration for your applications.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
To achieve fault tolerance and minimize the risk of downtime, always register at least two target Amazon EC2 instances to the target group(s) associated with your ELBv2 load balancers.
Audit
To determine if your Amazon ELBv2 load balancers distribute the traffic to at least two healthy target instances, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Target groups.
04 Select the target group associated with the Amazon ELBv2 load balancer that you want to examine. To confirm the target group-load balancer association, check the Load balancer attribute value listed in the Details section.
05 Select the Targets tab from the console bottom panel to access the list with the registered targets.
06 In the Registered targets section, check for healthy EC2 instances (i.e. instances with the Health status set to healthy) registered to the target group. If the number of healthy instances registered to the selected target group is less than two, the associated Amazon ELBv2 load balancer is not using a fault-tolerant configuration.
07 Repeat steps no. 4 – 6 for each ELBv2 load balancer that you want to examine, available within the current AWS region.
08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the load balancers available in the selected AWS region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[*].LoadBalancerArn'
02 The command output should return an array with the requested load balancer ARN(s):
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd", "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd" ]
03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the target group associated with the selected load balancer:
aws elbv2 describe-target-groups --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd --query 'TargetGroups[*].TargetGroupArn'
04 The command output should return the ARN of the associated target group:
[ "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd" ]
05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as the identifier parameter and custom query filters to describe the health status of each Amazon EC2 instance within the target group associated with the selected load balancer:
aws elbv2 describe-target-health --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd --query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'
06 The command output should return an array with the ID of each registered EC2 instance and the instance health status:
[ [ "i-01234abcd1234abcd", "healthy" ], [ "i-0abcd1234abcd1234", "unhealthy" ] ]
If the number of healthy Amazon EC2 instances registered to the selected target group is less than two, as shown in the output example above, the associated Amazon ELBv2 load balancer is not using a fault-tolerant configuration.
07 Repeat steps no. 3 – 6 for each ELBv2 load balancer that you want to examine, available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
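The Audit procedure above, as an added example that is not part of the Conformity page: evaluate_target_health() applies the "at least two healthy targets" rule to a TargetHealthDescriptions list exactly as describe-target-health returns it, and audit_region() is an optional live driver that walks load balancer, target group and target health per region (boto3 is imported inside it, so the rule logic itself runs offline on the constructed SAMPLE below).

```python
from typing import Dict, List

MIN_HEALTHY = 2  # threshold the Conformity rule enforces


def evaluate_target_health(descriptions: List[Dict], minimum: int = MIN_HEALTHY) -> Dict:
    """Count targets per TargetHealth.State and decide compliance.

    Only 'healthy' counts; 'initial', 'unhealthy', 'draining', 'unused' and
    'unavailable' all leave the target group without a usable backend.
    """
    states: Dict[str, int] = {}
    for desc in descriptions:
        state = desc.get("TargetHealth", {}).get("State", "unknown")
        states[state] = states.get(state, 0) + 1
    healthy = states.get("healthy", 0)
    return {"healthy": healthy, "states": states, "compliant": healthy >= minimum}


def audit_region(region: str, minimum: int = MIN_HEALTHY) -> List[Dict]:
    """Live driver (assumes boto3 and AWS credentials): return non-compliant target groups."""
    import boto3  # imported here so evaluate_target_health() has no AWS dependency

    elbv2 = boto3.client("elbv2", region_name=region)
    findings = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            groups = elbv2.describe_target_groups(LoadBalancerArn=lb["LoadBalancerArn"])
            for tg in groups["TargetGroups"]:
                health = elbv2.describe_target_health(TargetGroupArn=tg["TargetGroupArn"])
                result = evaluate_target_health(health["TargetHealthDescriptions"], minimum)
                if not result["compliant"]:
                    findings.append({"load_balancer": lb["LoadBalancerName"],
                                     "target_group": tg["TargetGroupName"], **result})
    return findings


# Constructed sample mirroring the page's CLI output: one healthy, one unhealthy target.
SAMPLE = [
    {"Target": {"Id": "i-01234abcd1234abcd", "Port": 443},
     "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-0abcd1234abcd1234", "Port": 443},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}},
]

if __name__ == "__main__":
    print(evaluate_target_health(SAMPLE))  # healthy=1, compliant=False
```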
Remediation / Resolution
To register additional healthy Amazon EC2 instances to the target groups associated with your ELBv2 load balancers, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Configure Target Group to Register Additional Healthy Instances",
    "Resources": {
        "ApplicationLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {
                "Name": "cc-internet-facing-load-balancer",
                "Type": "application",
                "Scheme": "internet-facing",
                "IpAddressType": "ipv4",
                "SecurityGroups": [ "sg-0abcdabcdabcdabcd" ],
                "Subnets": [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
            }
        },
        "TargetGroup": {
            "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
            "Properties": {
                "Name": "cc-mvp-target-group",
                "Protocol": "HTTPS",
                "Port": 443,
                "TargetType": "instance",
                "Targets": [
                    { "Id": "i-0abcdabcdabcdabcd" },
                    { "Id": "i-01234abcd1234abcd" }
                ],
                "VpcId": "vpc-0abcdabcdabcdabcd"
            }
        },
        "HTTPSListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "Protocol": "HTTPS",
                "Port": 443,
                "LoadBalancerArn": {
                    "Ref": "ApplicationLoadBalancer"
                },
                "DefaultActions": [
                    {
                        "Type": "forward",
                        "TargetGroupArn": {
                            "Ref": "TargetGroup"
                        }
                    }
                ],
                "Certificates": [
                    {
                        "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
                    }
                ],
                "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10"
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Target Group to Register Additional Healthy Instances
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: cc-mvp-target-group
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      Targets:
        - Id: i-0abcdabcdabcdabcd
        - Id: i-01234abcd1234abcd
      VpcId: vpc-0abcdabcdabcdabcd
  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'TargetGroup'
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2020-10
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
}

# Configure Target Group to Register Additional Healthy Instances
resource "aws_lb_target_group" "target-group" {
  name        = "cc-mvp-target-group"
  protocol    = "HTTPS"
  port        = 443
  target_type = "instance"
  vpc_id      = "vpc-0abcdabcdabcdabcd"
}

# Register at least two EC2 instances with the target group
# (aws_lb_target_group itself registers no targets; each attachment registers one)
resource "aws_lb_target_group_attachment" "target-1" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = "i-0abcdabcdabcdabcd"
  port             = 443
}

resource "aws_lb_target_group_attachment" "target-2" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = "i-01234abcd1234abcd"
  port             = 443
}

# Add HTTPS Listener to Application Load Balancer
resource "aws_lb_listener" "https-listener" {
  load_balancer_arn = aws_lb.application-load-balancer.arn
  protocol          = "HTTPS"
  port              = 443
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target-group.arn
  }
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Target groups.
04 Select the target group associated with the Amazon ELBv2 load balancer that you want to reconfigure.
05 Select the Targets tab from the console bottom panel to access the list with the registered targets.
06 On the Targets panel, perform the following actions:
- To remove all the unhealthy EC2 instances, select the registered instances from the Registered targets section, then choose Deregister to remove them from the selected target group.
- To register new, healthy EC2 instances, choose Register targets from the Registered targets section, select and include all the instances that you want to register, then choose Register pending targets.
07 Repeat steps no. 4 – 6 to register healthy target instances with other Amazon ELBv2 load balancers available within the current AWS region.
08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 To remove the unhealthy target instances and register new, healthy EC2 instances to the target group associated with your Amazon ELBv2 load balancer, perform the following commands:
- Run deregister-targets command (OSX/Linux/UNIX) to remove the unhealthy EC2 instances, identified by the --targets parameter, from the target group associated with your load balancer (the command does not produce an output):
aws elbv2 deregister-targets --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd --targets Id=i-0abcd1234abcd1234
- Run register-targets command (OSX/Linux/UNIX) to register a new target EC2 instance, identified by the ID i-0abcdabcdabcdabcd, to the target group associated with your Amazon ELBv2 load balancer (the command does not produce an output):
aws elbv2 register-targets --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd --targets Id=i-0abcdabcdabcdabcd
02 Repeat step no. 1 to register healthy target instances with other Amazon ELBv2 load balancers available in the selected AWS region.
03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.