
Create Web-Tier ELB Subnets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that subnets for the web-tier Elastic Load Balancers (ELBs) are created. Each web-tier ELB subnet must reside entirely in one Availability Zone and cannot span zones. Availability Zones (AZs) are distinct locations that are engineered to be isolated from failures occurring in other zones. There must be at least 2 web-tier subnets in 2 different Availability Zones where you want traffic to be routed by your ELB in order to provide higher availability for the web applications behind the load balancer. This conformity rule assumes that all AWS resources (ELBs, subnets, etc.) provisioned inside your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.

Security

At least two subnets in two different Availability Zones should be created in order to provide high availability and fault tolerance for your web-tier Elastic Load Balancer.

Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.


Audit

To determine if your web-tier ELB has at least two web-tier subnets attached, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Web-Tier ELB Subnets conformity rule settings, identify and copy the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the ELBs tagged for the web tier. If no results are returned, there are no ELBs tagged within your web tier and the audit process ends here. If the AWS console lists one or more load balancers, continue the audit with the next step.

06 Select the web-tier load balancer that you want to examine.

07 Select the Description tab from the bottom panel to access the resource configuration details.

08 In the Basic Configuration section, search for the Availability Zones attribute. Click on the first value (i.e. subnet ID - AZ name link) set for the Availability Zones configuration attribute. The console will redirect you to the Subnets page on the VPC dashboard.

09 Select the VPC subnet chosen at the previous step and select the Tags tab from the dashboard bottom panel.

10 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <web_tier_tag>:<web_tier_tag_value>). If these two tag sets do not match, or the verified resource is not tagged at all, the selected subnet is not a component of your web tier.

11 Repeat steps no. 8 – 10 to check the other subnets associated with the selected ELB for web-tier tags. If none of the verified subnets were tagged with <web_tier_tag>:<web_tier_tag_value>, the selected web-tier Elastic Load Balancer has no web-tier subnets currently attached.

12 Change the AWS region from the navigation bar and repeat steps no. 3 – 11 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Web-Tier ELB Subnets conformity rule settings, identify and copy the tag set defined for all AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs available in the selected AWS region:

aws elb describe-load-balancers \
	--region us-east-1 \
	--output table \
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|   cc-load-balancer    |
|   cc-front-web-elb    |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:

aws elb describe-tags \
	--region us-east-1 \
	--load-balancer-name cc-load-balancer \
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified load balancer is not tagged, therefore the audit process for the selected resource ends here:
    []
    
  2. If the command output returns a set of tags that is different from the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your web tier, hence the audit process for the selected resource ends here:
    [
        {
            "Value": "Staging",
            "Key": "Env"
        }
    ]
    
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified Amazon ELB is tagged as a web-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Value": "<web_tier_tag_value>",
            "Key": "<web_tier_tag>"
        }
    ]
    

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the web-tier ELB identified at the previous step to list the subnets associated with the selected load balancer:

aws elb describe-load-balancers \
	--region us-east-1 \
	--load-balancer-name cc-load-balancer \
	--query 'LoadBalancerDescriptions[*].Subnets[]'

07 The command output should return the IDs of the associated subnets:

[
    "subnet-1234abcd",
    "subnet-aaaabbbb",
    "subnet-abcd1234"
]

08 Run describe-subnets command (OSX/Linux/UNIX) using the subnet IDs returned at the previous step as input parameters and query filters to determine if the VPC subnets associated with the selected ELB are web-tier subnets:

aws ec2 describe-subnets \
	--region us-east-1 \
	--subnet-ids subnet-1234abcd subnet-aaaabbbb subnet-abcd1234 \
	--filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> \
	--query "Subnets[*]"

09 The command output should return the metadata available for the attached web-tier subnets (if applicable):

[]

If describe-subnets command output returns an empty array (i.e. []), as shown in the example above, there are no web-tier subnets associated with the selected web-tier ELB.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 for other regions.
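The CLI steps above establish whether a web-tier ELB has any web-tier-tagged subnets at all; the rule text additionally requires at least two such subnets in two different Availability Zones. The script below is an added example, not Cloud Conformity's rule engine or AWS code. It applies that full check offline to the same data shapes the page's describe-load-balancers, describe-tags and describe-subnets commands return, so the output of those commands (or the equivalent boto3 responses) can be fed to it directly. The tag set Tier:web, the load balancer names and the subnet data are constructed for the example and stand in for <web_tier_tag>:<web_tier_tag_value> and your own resources.

```python
"""Offline evaluator for the "Create Web-Tier ELB Subnets" rule (added example).

Rule applied: an ELB tagged for the web tier must have at least two subnets
tagged for the web tier, spread over at least two Availability Zones.
"""

# Hypothetical tag set standing in for <web_tier_tag>:<web_tier_tag_value>.
WEB_TIER_TAG = ("Tier", "web")


def has_tag(tags, key, value):
    """True if an AWS-style tag list [{"Key": .., "Value": ..}] contains key=value."""
    return any(t.get("Key") == key and t.get("Value") == value for t in tags)


def evaluate_elb(lb, lb_tags, subnets_by_id, web_tag=WEB_TIER_TAG):
    """Evaluate one classic ELB.

    lb            -- one entry of LoadBalancerDescriptions (its Subnets list is used)
    lb_tags       -- the Tags list that describe-tags returns for this ELB
    subnets_by_id -- {SubnetId: subnet dict as returned by describe-subnets}
    Returns (status, detail) with status one of
    "not-web-tier", "compliant", "non-compliant".
    """
    key, value = web_tag
    if not has_tag(lb_tags, key, value):
        return "not-web-tier", "ELB is not tagged for the web tier"

    # Keep only attached subnets that carry the web-tier tag (step 08 above).
    web_subnets = [
        subnets_by_id[sid]
        for sid in lb.get("Subnets", [])
        if sid in subnets_by_id
        and has_tag(subnets_by_id[sid].get("Tags", []), key, value)
    ]
    zones = sorted({s["AvailabilityZone"] for s in web_subnets})

    if len(web_subnets) < 2:
        return "non-compliant", f"only {len(web_subnets)} web-tier subnet(s) attached"
    if len(zones) < 2:
        return "non-compliant", f"web-tier subnets all reside in one AZ: {zones}"
    return "compliant", f"{len(web_subnets)} web-tier subnets across {zones}"


def audit_region(load_balancers, tags_by_lb, subnets, web_tag=WEB_TIER_TAG):
    """Return {LoadBalancerName: (status, detail)} for every ELB of one region."""
    subnets_by_id = {s["SubnetId"]: s for s in subnets}
    return {
        lb["LoadBalancerName"]: evaluate_elb(
            lb, tags_by_lb.get(lb["LoadBalancerName"], []), subnets_by_id, web_tag
        )
        for lb in load_balancers
    }


# Constructed sample data mirroring the CLI outputs shown on the page.
SAMPLE_LBS = [
    {"LoadBalancerName": "cc-load-balancer",
     "Subnets": ["subnet-1234abcd", "subnet-aaaabbbb", "subnet-abcd1234"]},
    {"LoadBalancerName": "cc-front-web-elb",
     "Subnets": ["subnet-1234abcd", "subnet-aaaabbbb"]},
    {"LoadBalancerName": "cc-single-az-elb",
     "Subnets": ["subnet-1234abcd", "subnet-cccc0001"]},
    {"LoadBalancerName": "cc-staging-elb", "Subnets": ["subnet-1234abcd"]},
]
SAMPLE_TAGS = {
    "cc-load-balancer": [{"Key": "Tier", "Value": "web"}],
    "cc-front-web-elb": [{"Key": "Tier", "Value": "web"}],
    "cc-single-az-elb": [{"Key": "Tier", "Value": "web"}],
    "cc-staging-elb": [{"Key": "Env", "Value": "Staging"}],
}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-1234abcd", "AvailabilityZone": "us-east-1a",
     "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"SubnetId": "subnet-aaaabbbb", "AvailabilityZone": "us-east-1a",
     "Tags": []},  # attached but untagged: does not count as web tier
    {"SubnetId": "subnet-abcd1234", "AvailabilityZone": "us-east-1b",
     "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"SubnetId": "subnet-cccc0001", "AvailabilityZone": "us-east-1a",
     "Tags": [{"Key": "Tier", "Value": "web"}]},
]

if __name__ == "__main__":
    for name, (status, detail) in audit_region(SAMPLE_LBS, SAMPLE_TAGS, SAMPLE_SUBNETS).items():
        print(f"{name:20} {status:14} {detail}")
```

The four sample load balancers cover the cases the audit distinguishes: a compliant ELB (two tagged subnets in us-east-1a and us-east-1b), one whose second subnet is untagged, one whose tagged subnets both sit in us-east-1a, and one that is not part of the web tier at all.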

Remediation / Resolution

To create web-tier subnets (at least two subnets in different AZs) and associate them with your web-tier Elastic Load Balancer, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Create Web-Tier ELB Subnets conformity rule settings and copy the tags defined for the AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the VPC where your web-tier ELB is provisioned from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Click Create Subnet button from the dashboard top menu to initiate the subnet setup process.

07 Inside Create Subnet dialog box, perform the following:

  1. Select the ID of the current VPC from the VPC dropdown list.
  2. Select the Availability Zone (AZ) where the new web-tier subnet will reside from the Availability Zone dropdown list.
  3. Enter the CIDR block (e.g. 10.0.35.0/24) for the new subnet in the IPv4 CIDR block box. The CIDR block of a subnet should not be the same as the CIDR block for the selected VPC (for a single subnet in the VPC). The allowed block size is between a /28 netmask and a /16 netmask. Since you need to create more than one subnet, make sure that the CIDR blocks of the new subnets do not overlap. Click Yes, Create to create the new web-tier subnet.
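Before creating subnets in the console or via the CLI, it is worth validating the planned CIDR blocks against the constraints listed in the step above. The following script is an added example, not AWS or Cloud Conformity code; it checks that each planned block lies inside the VPC block without equalling it (you need more than one subnet), uses a prefix between /16 and /28, overlaps neither an existing nor another planned subnet, and that the plan as a whole covers at least two Availability Zones. The VPC block 10.0.0.0/16, the existing subnets and the planned subnets are constructed for the example.

```python
"""Validate a plan for new web-tier subnets (added example, not AWS code)."""
import ipaddress


def validate_subnet_plan(vpc_cidr, existing, planned):
    """Check planned subnets against the VPC and existing subnets.

    vpc_cidr -- the VPC's IPv4 CIDR block, e.g. "10.0.0.0/16"
    existing -- list of (cidr, availability_zone) for subnets already in the VPC
    planned  -- list of (cidr, availability_zone) for subnets to be created
    Returns a list of error strings; an empty list means the plan is acceptable.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    errors = []
    # Blocks that must not be overlapped, tagged with their origin for messages.
    taken = [(ipaddress.ip_network(c), "existing") for c, _az in existing]

    for cidr, _az in planned:
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            errors.append(f"{cidr} is outside VPC {vpc_cidr}")
            continue  # remaining checks are meaningless for a block outside the VPC
        if net == vpc:
            errors.append(f"{cidr} equals the VPC block; with several subnets each must be a strict subset")
        if not 16 <= net.prefixlen <= 28:
            errors.append(f"{cidr} uses /{net.prefixlen}; allowed sizes are /16 through /28")
        for other, origin in taken:
            if net.overlaps(other):
                errors.append(f"{cidr} overlaps {origin} subnet {other}")
        taken.append((net, "planned"))

    zones = {az for _c, az in planned}
    if len(zones) < 2:
        errors.append(f"planned subnets cover only {sorted(zones)}; at least two AZs are required")
    return errors


# Constructed sample: a /16 VPC with two existing subnets.
VPC_CIDR = "10.0.0.0/16"
EXISTING = [("10.0.1.0/24", "us-east-1a"), ("10.0.2.0/24", "us-east-1b")]

# A plan that satisfies every constraint.
GOOD_PLAN = [("10.0.35.0/24", "us-east-1a"), ("10.0.36.0/24", "us-east-1b")]

# A plan with three defects: an internal overlap, a block outside the VPC,
# and a block smaller than /28.
BAD_PLAN = [
    ("10.0.35.0/24", "us-east-1a"),
    ("10.0.35.128/25", "us-east-1a"),
    ("10.1.0.0/24", "us-east-1b"),
    ("10.0.64.0/30", "us-east-1c"),
]

# Two valid blocks, but both in the same Availability Zone.
SAME_AZ_PLAN = [("10.0.35.0/24", "us-east-1a"), ("10.0.36.0/24", "us-east-1a")]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN), ("same-az", SAME_AZ_PLAN)):
        print(label, validate_subnet_plan(VPC_CIDR, EXISTING, plan) or "OK")
```

Run it against your own VPC block and the output of describe-subnets for that VPC before executing the create-subnet steps; overlapping or out-of-range blocks are rejected by AWS anyway, but catching the single-AZ case up front is what keeps the resulting ELB configuration compliant with this rule.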

08 Choose the newly created web-tier subnet and select the Tags tab from the dashboard bottom panel.

09 On the Tags panel, click Edit button to add the tags that will help organize the identity of the selected subnet within the web tier. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and ensure that the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Click Save to apply the changes.

10 Repeat steps no. 6 – 9 to create more web-tier subnets (at least one more in a different AZ), inside the selected VPC.

11 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

12 In the navigation panel, under LOAD BALANCING, click Load Balancers.

13 Select the web-tier load balancer that you want to reconfigure (see Audit section part I to identify the right resource).

14 Select the Instances tab from the bottom panel to access the configuration settings for the EC2 instances and their AZs registered to the ELB.

15 Click Edit availability zones to change the AZs and subnets configuration for the selected web-tier load balancer.

16 Inside Add and Remove Subnets dialog box, attach the web-tier subnets created at steps no. 6 – 9 by moving (adding) each necessary subnet from the Available subnets list to the Selected subnets list. Once added, click Save to apply the configuration changes and attach the new web-tier subnets to the selected web-tier ELB.

17 If required, change the AWS region from the navigation bar and repeat steps no. 3 – 16 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Create Web-Tier ELB Subnets conformity rule settings and copy the tags defined for the AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run create-subnet command (OSX/Linux/UNIX) to create a new web-tier subnet within the selected VPC. The following command example creates a web-tier subnet with a CIDR block set to "10.0.35.0/24", inside an AWS VPC identified by the ID "vpc-12345678", available in the US East (N. Virginia) region:

aws ec2 create-subnet \
	--region us-east-1 \
	--availability-zone us-east-1a \
	--vpc-id vpc-12345678 \
	--cidr-block 10.0.35.0/24

03 The command output should return the new VPC subnet metadata:

{
    "Subnet": {
        "AvailabilityZone": "us-east-1a",
        "AvailableIpAddressCount": 251,
        "DefaultForAz": false,
        "Ipv6CidrBlockAssociationSet": [],
        "VpcId": "vpc-12345678",
        "State": "pending",
        "MapPublicIpOnLaunch": false,
        "SubnetId": "subnet-abcd1234",
        "CidrBlock": "10.0.35.0/24",
        "AssignIpv6AddressOnCreation": false
    }
}

04 Run create-tags command (OSX/Linux/UNIX) using the ID of the newly created web-tier subnet as identifier to create tags for managing the identity of the new resource. Use the following format when you define your own tag set: <web_tier_tag>:<web_tier_tag_value> and make sure the tag name (<web_tier_tag>) and the tag value (<web_tier_tag_value>) match the tag set used to organize your web-tier resources, copied at step no. 1. Replace <web_tier_tag> and <web_tier_tag_value> with your own values (the command does not produce an output):

aws ec2 create-tags \
	--region us-east-1 \
	--resources subnet-abcd1234 \
	--tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

05 Repeat steps no. 2 – 4 to create more web-tier subnets (at least one more in a different AZ), inside the selected VPC.

06 Run attach-load-balancer-to-subnets command (OSX/Linux/UNIX) to attach the web-tier subnets created at the previous steps to the web-tier ELB that you want to reconfigure (see Audit section part II to identify the right load balancer):

aws elb attach-load-balancer-to-subnets \
	--region us-east-1 \
	--load-balancer-name cc-load-balancer \
	--subnets subnet-abcd1234 subnet-1234abcd

07 The command output should return the IDs of the subnets attached to the load balancer:

{
    "Subnets": [
        "subnet-abcd1234",
        "subnet-1234abcd"
    ]
}

08 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 7 for other regions.

Publication date May 5, 2018