App-Tier Auto Scaling Groups with Associated Elastic Load Balancers

Reliability

Risk level: High (not acceptable risk)

Ensure that your app-tier Auto Scaling Groups (ASGs) have associated Elastic Load Balancers (ELBs) in order to evenly distribute incoming traffic across all the EC2 instances available inside the ASG and help provide high availability for your applications. This conformity rule assumes that all AWS resources provisioned for your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

Adding Elastic Load Balancers (ELBs) to your app-tier Auto Scaling Groups (ASGs) configuration can help you maintain the availability of the EC2 compute resources in the event of a failure and improve scaling for the instances behind these load balancers.

Audit

To determine if your app-tier ASGs have associated ELBs, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for app-tier Auto Scaling Groups with associated Elastic Load Balancers rule settings and identify the tags defined for all AWS resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <app_tier_tag> : <app_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged, the selected ASG does not belong to your app tier and the audit process ends here. If the tag sets match, the selected resource is an app-tier Auto Scaling Group and the audit process continues with the next step.

08 Select Details tab from the dashboard bottom panel to view the resource configuration details.

09 Check the value set for the Load Balancers configuration attribute, listed on the Details panel. If the Load Balancers attribute has no value assigned, there are no AWS Elastic Load Balancers associated with the selected app-tier Auto Scaling Group.

10 Repeat steps no. 5 – 9 to verify other app-tier ASGs, available in the selected region, for associated ELBs.

11 Change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for app-tier Auto Scaling Groups with associated Elastic Load Balancers rule settings and identify the tags defined for all AWS resources available within your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups provisioned in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested resource name(s):

-----------------------------
| DescribeAutoScalingGroups |
+---------------------------+
| cc-mobile-application-asg |
| cc-web-auto-scaling-group |
+---------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group:

aws autoscaling describe-tags \
	--region us-east-1 \
	--filters "Name=auto-scaling-group,Values=cc-mobile-application-asg" \
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource ends here:
    []

  2. If the command output returns a set of tags that is different than the one identified at step no. 1, as shown in the example below, the verified AWS Auto Scaling Group does not belong to your app tier, therefore the audit process for the selected resource ends here:
    [
        {
            "Value": "Type",
            "Key": "MobileApp"
        }
    ]

  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified Amazon ASG is tagged as an app-tier resource, therefore the audit process continues with the next step:
    [
        {
            "Key": "<app_tier_tag>",
            "Value": "<app_tier_tag_value>"
        }
    ]

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG resource that you want to examine as identifier and custom query filters to get the name(s) of the load balancer(s) associated with the selected app-tier ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-mobile-application-asg \
	--query 'AutoScalingGroups[*].LoadBalancerNames[]'

07 The command output should return an array with the requested identifier(s):

[]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no AWS Elastic Load Balancers associated with the selected app-tier Auto Scaling Group.

08 Repeat step no. 6 and 7 to verify other app-tier ASGs, created in the selected region, for associated ELBs.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.
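The CLI audit above (tag check at steps 4-5, LoadBalancerNames check at steps 6-7) can be evaluated offline against the JSON that describe-auto-scaling-groups returns. The script below is an added example, not Cloud Conformity's engine or AWS code; it uses a constructed sample response and the hypothetical app-tier tag Tier:app, and also treats ALB/NLB attachments (TargetGroupARNs) as an associated load balancer, which the query at step 6 alone would miss:

```python
"""Evaluate the app-tier ASG / ELB audit over describe-auto-scaling-groups output.

Added example (not the page's or AWS's code). Assumes the JSON shape produced by
`aws autoscaling describe-auto-scaling-groups` for one region, and the app-tier
tag that the rule settings define (here the hypothetical pair Tier:app).
"""
import json

# Constructed sample response: three ASGs in one region. Only the fields the
# audit needs are included; real responses carry many more attributes.
SAMPLE_OUTPUT = json.dumps({
    "AutoScalingGroups": [
        {"AutoScalingGroupName": "cc-mobile-application-asg",
         "LoadBalancerNames": [], "TargetGroupARNs": [],
         "Tags": [{"Key": "Tier", "Value": "app", "PropagateAtLaunch": True}]},
        {"AutoScalingGroupName": "cc-web-auto-scaling-group",
         "LoadBalancerNames": ["cc-application-load-balancer"], "TargetGroupARNs": [],
         "Tags": [{"Key": "Tier", "Value": "app", "PropagateAtLaunch": True}]},
        {"AutoScalingGroupName": "cc-batch-workers",
         "LoadBalancerNames": [], "TargetGroupARNs": [],
         "Tags": [{"Key": "MobileApp", "Value": "Type"}]},
    ]
})


def is_app_tier(asg, tag_key, tag_value):
    """True when the ASG carries the configured app-tier tag (audit steps 4-5)."""
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in asg.get("Tags", []))


def has_load_balancer(asg):
    """Classic ELBs are listed in LoadBalancerNames; ALB/NLB attachments show up
    as TargetGroupARNs instead, so an ASG behind an ALB is not a finding."""
    return bool(asg.get("LoadBalancerNames")) or bool(asg.get("TargetGroupARNs"))


def audit(describe_output, tag_key, tag_value):
    """Return names of app-tier ASGs that have no associated load balancer."""
    groups = json.loads(describe_output)["AutoScalingGroups"]
    return [g["AutoScalingGroupName"] for g in groups
            if is_app_tier(g, tag_key, tag_value) and not has_load_balancer(g)]


if __name__ == "__main__":
    for name in audit(SAMPLE_OUTPUT, "Tier", "app"):
        print(f"NON-COMPLIANT: {name} has no load balancer attached")
```

Pipe the real command output into audit() once per region to reproduce steps 2-9 without stepping through each ASG by hand.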

Remediation / Resolution

To create an Amazon Elastic Load Balancer (ELB) and associate it with your app-tier Auto Scaling Group (ASG), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to initiate the setup process for your new ELB.

05 On Select load balancer type page, inside the Classic Load Balancer section, click Create.

06 On Step 1: Define Load Balancer page, perform the following:

  1. Provide a name for the new ELB inside the Load Balancer name box.
  2. Select the VPC where the load balancer will be deployed from the Create LB inside dropdown list.
  3. Select the Enable advanced VPC configuration checkbox and choose the Availability Zones to which the load balancer should route application traffic.
  4. In the Load Balancer Protocol section, use the Add button to add more protocols (if required by your application).
  5. Click Next: Assign Security Groups to continue the setup process.

07 On Step 2: Assign Security Groups page, select Create a new security group, provide a name and a description for the new security group then add the necessary rules based on your application requirements using the Add Rule button. Once configured, click Next: Configure Security Settings.

08 On Step 3: Configure Security Settings page, configure the HTTPS/SSL listeners if you want your traffic to be routed using HTTPS/SSL. Once you have configured the security settings available on this page, click Next: Configure Health Check.

09 On Step 4: Configure Health Check page, customize the load balancer health check or use the default settings, then click Next: Add EC2 Instances.

10 On Step 5: Add EC2 Instances page, select Enable Cross-Zone Load Balancing and Enable Connection Draining then click the Next: Add Tags button. Do not select any backend instances at this point as the load balancer will add them automatically once the resource is attached to your app-tier ASG.

11 Define the necessary app-tier tags (e.g. <app_tier_tag>:<app_tier_tag_value>) for the new load balancer on Step 6: Add Tags page, then click Review and Create button to continue the process.

12 On Step 7: Review page, review your ELB configuration details then click Create to build the new load balancer. Once your AWS Elastic Load Balancer is successfully created, click Close to return to the EC2 dashboard.

13 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

14 Select the app-tier Auto Scaling Group that you want to reconfigure (see Audit section part I to identify the right resource).

15 Select the Details tab from the dashboard bottom panel and click Edit to update the group configuration.

16 Click inside the Load Balancers box and select the name of the load balancer created earlier.

17 Click Save to apply the configuration changes and associate the new ELB with the selected app-tier ASG.

18 Repeat steps no. 3 – 17 to create new AWS Elastic Load Balancers (if required) and integrate them with other app-tier Auto Scaling Groups, available in the current region.

19 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the app-tier ASG that you want to reconfigure as identifier to describe its configuration details, required later when the new ELB will be created and attached to the selected ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-mobile-application-asg

02 The command output should return the requested configuration details:

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupName": "cc-mobile-application-asg",
            "LoadBalancerNames": [],
            "DefaultCooldown": 300,
            "HealthCheckGracePeriod": 300,
            "TerminationPolicies": [
                "Default"
            ],

            ...

            "LaunchConfigurationName": "cc-app-app-launch-config",
            "CreatedTime": "2017-11-10T25:13:27.541Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group required by the new AWS Elastic Load Balancer. The following command example creates a security group named "cc-load-balancer-sg" inside a VPC identified by the ID vpc-aaaabbbb, available in the US East region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name cc-load-balancer-sg \
	--description "AWS ELB Security Group" \
	--vpc-id vpc-aaaabbbb

04 The command output should return the ID of the new security group:

{
    "GroupId": "sg-abcd1234"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the security group ID returned at the previous step as identifier, to configure the inbound rules based on your application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-abcd1234 \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the new security group as identifier to configure the outbound rules based on your application requirements (the command does not return an output):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-abcd1234 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at step no. 2 and 4 as input for command parameters, to create a new AWS Elastic Load Balancer that will be associated with your app-tier Auto Scaling Group (replace <app_tier_tag>:<app_tier_tag_value> with your own tags):

aws elb create-load-balancer \
	--region us-east-1 \
	--load-balancer-name cc-application-load-balancer \
	--listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
	--subnets "subnet-aaaa1234" "subnet-cccc1234" "subnet-bbbb1234" "subnet-dddd1234" \
	--security-groups sg-abcd1234 \
	--tags Key=<app_tier_tag>,Value=<app_tier_tag_value>

08 The command output should return the DNS name of the new AWS ELB:

{
    "DNSName": "cc-application-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the new AWS Elastic Load Balancer created at the previous steps to the specified app-tier Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers \
	--region us-east-1 \
	--load-balancer-names cc-application-load-balancer \
	--auto-scaling-group-name cc-mobile-application-asg

10 Repeat steps no. 1 – 9 to create new AWS Elastic Load Balancers (if required) and associate them with other app-tier Auto Scaling Groups, provisioned in the current region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the process for other regions.

Publication date Mar 22, 2018