Auto Scaling Group Referencing Missing ELB

Operational excellence

Risk level: High (act today)

Ensure that your AWS Auto Scaling Groups (ASGs) reference active Elastic Load Balancers (ELBs) so that the auto-scaling process stays healthy and the application load is evenly distributed.

This rule resolution is part of the Cloud Conformity Base Auditing Package

When an Auto Scaling Group references an inactive (deleted) Elastic Load Balancer, it fails to launch new backend instances, so the scaling mechanism cannot add compute power (instances) to handle increased load; this has a serious negative impact on your application performance.

Audit

To identify any AWS ASGs that are missing load balancing capabilities due to inactive ELBs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel and copy the Load Balancers attribute value.

06 Go back to the left navigation panel and select Load Balancers.

07 On the Elastic Load Balancers page, in the Filter search box, paste the name of the load balancer associated with the selected ASG (copied at step no. 5) and press Enter. If no results are returned, the associated Elastic Load Balancer is no longer available, therefore the selected AWS ASG will fail to distribute the traffic load and launch new instances during the auto-scaling process.

08 Repeat steps no. 4 – 7 to identify other ASGs with inactive ELBs, available in the selected region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available within the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   CloudConformityASG    |
|   TestWebAppASG         |
|   AppBlogDynamicASG     |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the group returned at the previous step and custom query filters to get the name of the Elastic Load Balancer associated with the selected ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names CloudConformityASG \
	--query 'AutoScalingGroups[*].LoadBalancerNames[]'

04 The command output should return the name of the Elastic Load Balancer associated with the selected ASG:

[
	"CloudConformityELB"
]

05 Now run describe-load-balancers command (OSX/Linux/UNIX) using the ELB identifier returned at the previous step to describe the configuration metadata for the selected load balancer:

aws elb describe-load-balancers \
	--region us-east-1 \
	--load-balancer-name CloudConformityELB

06 The command output should return the requested ELB metadata or an error message:

An error occurred (LoadBalancerNotFound) when calling the DescribeLoadBalancers operation: There is no ACTIVE Load Balancer named 'CloudConformityELB'

If the CLI command responds with a LoadBalancerNotFound error message (as shown in the example above), the requested ELB was deleted at some point after the ASG was created, so any Auto Scaling Group associated with that load balancer will fail to launch new instances when needed.

07 Repeat steps no. 3 - 6 to identify other ASGs with inactive ELBs, available in the selected region.

08 Repeat steps no. 1 – 7 to repeat the entire audit process for other AWS regions.
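The CLI audit above, automated for a whole region as an added example (not part of the original page): it lists the active Classic ELBs once and reports every ASG whose LoadBalancerNames contains a name that is no longer active, instead of calling describe-load-balancers per name, which fails with LoadBalancerNotFound as soon as any single name is missing. The script and its function names are assumptions; it needs a configured AWS CLI.

```shell
#!/bin/sh
# Added example (not from the original page): flag every Auto Scaling
# Group in a region that references a Classic ELB which no longer exists.
# Assumes a configured AWS CLI. The active ELB names are listed once and
# compared against each ASG's LoadBalancerNames, because calling
# describe-load-balancers with a list of names fails outright with
# LoadBalancerNotFound as soon as any single name is missing.

REGION="${REGION:-us-east-1}"

# Return 0 if $1 is one of the whitespace-separated names in $2.
elb_is_active() {
  for name in $2; do
    [ "$name" = "$1" ] && return 0
  done
  return 1
}

# Print "ASG<TAB>ELB" for every dangling reference; return 1 if any found.
find_missing_elbs() {
  active=$(aws elb describe-load-balancers --region "$REGION" --output text \
    --query 'LoadBalancerDescriptions[].LoadBalancerName')
  found=0
  for asg in $(aws autoscaling describe-auto-scaling-groups --region "$REGION" \
      --output text --query 'AutoScalingGroups[].AutoScalingGroupName'); do
    for elb in $(aws autoscaling describe-auto-scaling-groups --region "$REGION" \
        --auto-scaling-group-names "$asg" --output text \
        --query 'AutoScalingGroups[].LoadBalancerNames[]'); do
      [ "$elb" = "None" ] && continue   # text output for a null value
      if ! elb_is_active "$elb" "$active"; then
        printf '%s\t%s\n' "$asg" "$elb"
        found=1
      fi
    done
  done
  return "$found"
}

# Usage: REGION=us-east-1 sh asg_elb_audit.sh audit
if [ "${1:-}" = "audit" ]; then
  find_missing_elbs
fi
```

A non-zero exit status when findings exist lets the script double as a CI or scheduled compliance check; loop it over the output of describe-regions to cover every region.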

Remediation / Resolution

To update any Amazon ASGs that are missing load balancing capabilities due to inactive ELBs, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to initiate the ELB setup.

05 On the Select load balancer type page, choose Classic Load Balancer then click Continue.

06 On the Step 1: Define Load Balancer page, perform the following actions:

  1. Enter a name for the ELB inside the Load Balancer name box.
  2. Select the VPC that will host the new ELB from the Create LB inside dropdown list. Both your ELB and ASG must share the same VPC.
  3. Select Enable advanced VPC configuration checkbox and choose the Availability Zones where you wish traffic to be routed by the load balancer.
  4. In the Load Balancer Protocol section, use the Add button to add more protocols, based on your application requirements.
  5. Click Next: Assign Security Groups to continue the setup process.

07 On the Step 2: Assign Security Groups page, select Create a new security group, provide a name and a description (optional) for the new security group then add the necessary rules based on your application requirements using the Add Rule button. Click Next: Configure Security Settings to continue.

08 On the Step 3: Configure Security Settings page, configure the HTTPS/SSL listeners if you want your traffic to be routed using HTTPS. Once you’re done with the security settings available on this page click Next: Configure Health Check.

09 On the Step 4: Configure Health Check page, customize the load balancer health check or keep the default settings, then click Next: Add EC2 Instances.

10 On the Step 5: Add EC2 Instances page, select Enable Cross-Zone Load Balancing and Enable Connection Draining and then click the Next: Add Tags button. Do not select any EC2 instances at this point as the ELB will add them automatically once this is attached to the ASG.

11 Define your custom tags for the new load balancer on the Step 6: Add Tags page then click Review and Create button to continue the process.

12 On the Step 7: Review page, review your ELB configuration details then click Create to build the new load balancer. Once your AWS ELB is successfully created, click Close to return to the EC2 dashboard.

13 Go back to the navigation panel and under AUTO SCALING section, choose Auto Scaling Groups.

14 Select the Auto Scaling Group that you want to update (see Audit section part I to identify the right resource).

15 Select the Details tab from the dashboard bottom panel and click the Edit button to edit the selected ASG configuration.

16 Click inside the Load Balancers box then select the name of the newly created ELB.

17 Click Save to attach your new ELB to the selected AWS ASG.

18 Repeat steps no. 3 – 17 to create new Elastic Load Balancers and update other Auto Scaling Groups that are missing load balancing capabilities, available in the current region.

19 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to update to describe its attributes, required later when the new ELB will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names CloudConformityASG

02 The command output should return the requested configuration details:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupARN": "arn:aws: ... ",
			"TargetGroupARNs": [],
			"SuspendedProcesses": [],
			"DesiredCapacity": 2,
			"Tags": [],
			"EnabledMetrics": [],
			"LoadBalancerNames": [],
			"AutoScalingGroupName": "CloudConformityASG",
			"DefaultCooldown": 300,
			"MinSize": 1,
			"MaxSize": 2,
			...
			"VPCZoneIdentifier": "subnet-2b394201,subnet-7fb89542,subnet-19e7cc6f,subnet-4c377014",
			"HealthCheckGracePeriod": 300,
			"TerminationPolicies": [
				"Default"
			],
			"LaunchConfigurationName": "ASGLaunchConfig",
			"CreatedTime": "2016-04-25T11:03:43.740Z",
			"AvailabilityZones": [
				"us-east-1a",
				"us-east-1b",
				"us-east-1d",
				"us-east-1e"
			],
			"HealthCheckType": "EC2",
			"NewInstancesProtectedFromScaleIn": false
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group that will be assigned to the new ELB. The following command example creates a security group called MyCustomELBSecurityGroup inside a VPC identified with the ID vpc-5cd56bd7 available within the US East region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name MyCustomELBSecurityGroup \
	--description "Custom ELB Security Group" \
	--vpc-id vpc-5cd56bd7

04 The command output should return the new security group ID:

{
	"GroupId": "sg-c96fc1b5"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier, to set up the inbound rules based on your application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-c96fc1b5 \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

06 Now run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the custom security group as identifier to configure the outbound rules based on your application requirements (the command does not return an output):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-c96fc1b5 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the metadata returned at steps no. 2 and 4 (i.e. the subnet and security group IDs) to create a new Elastic Load Balancer that will be attached to your AWS ASG:

aws elb create-load-balancer \
	--region us-east-1 \
	--load-balancer-name CloudConformityELB \
	--listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
	--subnets "subnet-2b394201" "subnet-7fb89542" "subnet-19e7cc6f" "subnet-4c377014" \
	--security-groups sg-c96fc1b5

08 The command output should return the DNS name of the load balancer:

{
	"DNSName": "CloudConformityELB-4011411065.us-east-1.elb.amazonaws.com"
}

09 Now run attach-load-balancers command (OSX/Linux/UNIX) to attach the new Elastic Load Balancer created earlier to the existing AWS Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers \
	--region us-east-1 \
	--load-balancer-names CloudConformityELB \
	--auto-scaling-group-name CloudConformityASG

10 Repeat steps no. 1 – 9 to create new Elastic Load Balancers and update other Auto Scaling Groups that are missing load balancing capabilities, available in the current region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 10 to perform the entire process for other regions.
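Steps 1 to 9 above chained into one script, added here as an example and not taken from the original page: it reads the ASG's VPCZoneIdentifier so the new ELB lands in the same subnets, attaches it, and confirms the ASG now references it. It assumes a configured AWS CLI and an ELB security group already created as in steps 3 to 6; the script and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): create a Classic ELB in
# the subnets of an existing ASG (its VPCZoneIdentifier, see step 02),
# attach it, and verify the ASG now references it. Assumes a configured
# AWS CLI and an existing ELB security group ID (steps 03-06).

REGION="${REGION:-us-east-1}"

# Subnets of ASG $1 as a space-separated list (VPCZoneIdentifier is
# comma-separated in the API response).
asg_subnets() {
  aws autoscaling describe-auto-scaling-groups --region "$REGION" \
    --auto-scaling-group-names "$1" --output text \
    --query 'AutoScalingGroups[0].VPCZoneIdentifier' | tr ',' ' '
}

# Return 0 if ASG $1 currently lists ELB $2 in its LoadBalancerNames.
asg_references_elb() {
  aws autoscaling describe-auto-scaling-groups --region "$REGION" \
    --auto-scaling-group-names "$1" --output text \
    --query 'AutoScalingGroups[0].LoadBalancerNames[]' | tr '\t' '\n' | grep -qx "$2"
}

# Create ELB $2 in the subnets of ASG $1 with security group $3,
# attach it, verify, and print its DNS name; non-zero on any failure.
attach_new_elb() {
  subnets=$(asg_subnets "$1")
  case "$subnets" in
    ""|None) echo "ASG $1 has no VPC subnets" >&2; return 1 ;;
  esac
  # $subnets is unquoted on purpose: one argument per subnet ID.
  dns=$(aws elb create-load-balancer --region "$REGION" \
    --load-balancer-name "$2" \
    --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
    --subnets $subnets --security-groups "$3" \
    --output text --query 'DNSName') || return 1
  aws autoscaling attach-load-balancers --region "$REGION" \
    --load-balancer-names "$2" --auto-scaling-group-name "$1" || return 1
  asg_references_elb "$1" "$2" || return 1
  printf '%s\n' "$dns"
}

# Usage: sh attach_elb.sh CloudConformityASG CloudConformityELB sg-xxxxxxxx
if [ "$#" -eq 3 ]; then
  attach_new_elb "$1" "$2" "$3"
fi
```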

Publication date Feb 6, 2017