
Auto Scaling Groups with integrated Elastic Load Balancers.

Reliability

Risk level: Medium (should be achieved)

Ensure that each AWS Auto Scaling Group (ASG) has an associated Elastic Load Balancer (ELB) in order to maintain the availability of the EC2 compute resources in the event of a failure and provide an evenly distributed application load.

Integrating Amazon Auto Scaling Groups with Elastic Load Balancers will help provide high availability and improve application performance through scaling.

Audit

To determine if your AWS Auto Scaling Groups are using Elastic Load Balancers for application scaling and high availability, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS Auto Scaling Group that you want to examine.

05 Select Details tab from the dashboard bottom panel to access the resource configuration details.

06 Check the value of the Load Balancers configuration attribute available on the Details tab panel. If the attribute has no value assigned, there are no Elastic Load Balancers (ELBs) associated with the selected Amazon Auto Scaling Group (ASG).

07 Repeat steps no. 4 – 6 to verify other AWS ASGs for associated ELBs, provisioned in the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|    cc-web-env-asg       |
|    cc-test-app-asg      |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG resource that you want to examine as identifier and custom query filters to get the name(s) of the Elastic Load Balancer(s) associated with the selected AWS ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-web-env-asg \
	--query 'AutoScalingGroups[*].LoadBalancerNames[]'

04 The command output should return the requested identifier(s) (if any):

[]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no Elastic Load Balancers associated with the selected Amazon Auto Scaling Group.

05 Repeat step no. 3 and 4 to check other AWS ASGs for associated ELBs, available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
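
The CLI audit above, consolidated into one pass over the JSON that describe-auto-scaling-groups returns (an added example, not part of the original page or Cloud Conformity's tooling). It goes beyond the steps above in two ways: it also counts TargetGroupARNs, because Application and Network Load Balancers attach through target groups and never appear in LoadBalancerNames, and it flags attached groups whose HealthCheckType is still EC2, where instances failing the load balancer's health check are not replaced. The sample response is constructed; example-api-asg and its ARN are made up.

```python
import json

# Constructed sample shaped like `aws autoscaling describe-auto-scaling-groups --output json`.
# example-api-asg and the target group ARN are made up for illustration.
SAMPLE = json.loads("""
{"AutoScalingGroups": [
  {"AutoScalingGroupName": "cc-web-env-asg", "LoadBalancerNames": [],
   "TargetGroupARNs": [], "HealthCheckType": "EC2"},
  {"AutoScalingGroupName": "cc-test-app-asg",
   "LoadBalancerNames": ["cc-asg-load-balancer"],
   "TargetGroupARNs": [], "HealthCheckType": "EC2"},
  {"AutoScalingGroupName": "example-api-asg", "LoadBalancerNames": [],
   "TargetGroupARNs": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef"],
   "HealthCheckType": "ELB"}
]}
""")


def audit_asgs(response):
    """Classify each ASG in a describe-auto-scaling-groups response.

    Returns {name: finding}, where finding is one of:
      "NO_LOAD_BALANCER" - neither a Classic ELB nor a target group is attached
      "EC2_HEALTH_CHECK" - attached, but the group only uses EC2 status checks
      "OK"               - attached and using ELB health checks
    """
    findings = {}
    for group in response.get("AutoScalingGroups", []):
        # Either field may be missing or null; treat both as "nothing attached".
        classic = group.get("LoadBalancerNames") or []
        target_groups = group.get("TargetGroupARNs") or []
        if not classic and not target_groups:
            finding = "NO_LOAD_BALANCER"
        elif group.get("HealthCheckType") != "ELB":
            finding = "EC2_HEALTH_CHECK"
        else:
            finding = "OK"
        findings[group["AutoScalingGroupName"]] = finding
    return findings


def failing(response):
    """Names of groups that fail the rule on this page (no load balancer at all)."""
    return sorted(n for n, f in audit_asgs(response).items() if f == "NO_LOAD_BALANCER")


if __name__ == "__main__":
    for name, finding in audit_asgs(SAMPLE).items():
        print(f"{name}: {finding}")
```

To audit a live region, save the output of the step 01 command without the --query and --output options to a file and pass the parsed JSON to audit_asgs.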

Remediation / Resolution

To create and attach an Elastic Load Balancer to each Auto Scaling Group available in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to initiate the ELB setup process.

05 On the Select load balancer type page, within Classic Load Balancer section, click Create.

06 On the Step 1: Define Load Balancer page, perform the following:

  1. Enter a name for the new ELB inside the Load Balancer name box.
  2. Select the VPC that will host the load balancer from the Create LB inside dropdown list. Both your ELB and ASG must share the same Virtual Private Cloud (VPC).
  3. Select Enable advanced VPC configuration checkbox and choose the Availability Zones where you wish traffic to be routed by the load balancer.
  4. In the Load Balancer Protocol section, use the Add button to add more protocols, based on your web application requirements.
  5. Click Next: Assign Security Groups to continue the setup process.

07 On the Step 2: Assign Security Groups page, select Create a new security group, provide a name and a description (optional) for the new security group then add the necessary rules based on your application requirements using the Add Rule button. Click Next: Configure Security Settings to continue.

08 On the Step 3: Configure Security Settings page, configure the HTTPS/SSL listeners if you want your traffic to be routed using HTTPS. Once you have configured the security settings available on this page, click Next: Configure Health Check.

09 On the Step 4: Configure Health Check page, customize the load balancer health check or use the default settings, then click Next: Add EC2 Instances.

10 On the Step 5: Add EC2 Instances page, select Enable Cross-Zone Load Balancing and Enable Connection Draining and then click the Next: Add Tags button. Do not select any EC2 instances at this point as the load balancer will add them automatically once this is attached to your Auto Scaling Group.

11 Define tags for the new load balancer on the Step 6: Add Tags page, then click Review and Create button to continue the setup process.

12 On the Step 7: Review page, review your ELB configuration details then click Create to build the new load balancer. Once your AWS ELB is successfully created, click Close to return to the EC2 dashboard.

13 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

14 Select the AWS ASG that you want to reconfigure (see Audit section part I to identify the right resource).

15 Select the Details tab from the dashboard bottom panel and click Edit to update the group configuration.

16 Click inside the Load Balancers box then select the name of the newly created load balancer.

17 Click Save to apply the configuration changes and integrate the new ELB with the selected ASG.

18 Repeat steps no. 3 – 17 to create new ELBs and integrate them with other AWS ASGs, provisioned in the current region.

19 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG that you want to reconfigure as identifier to describe its configuration details, needed later when the load balancer is created and attached to the selected ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-web-env-asg

02 The command output should return the requested configuration details:

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupName": "cc-web-env-asg",
            "LoadBalancerNames": [],
            "DefaultCooldown": 300,
            "HealthCheckGracePeriod": 300,
            "TerminationPolicies": [
                "Default"
            ],

            ...

            "LaunchConfigurationName": "cc-web-launch-configuration",
            "CreatedTime": "2017-09-20T12:09:27.541Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group that will be used by the new ELB. The following command example creates a security group named "cc-asg-elb-sg" inside a VPC identified by the ID vpc-abcd1234, available in the US East region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name cc-asg-elb-sg \
	--description "ASG ELB Security Group" \
	--vpc-id vpc-abcd1234

04 The command output should return the new security group ID:

{
    "GroupId": "sg-12345678"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier, to set up the inbound rules based on your web application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-12345678 \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the custom security group as identifier to configure the outbound rules based on your application requirements (the command does not return an output):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-12345678 \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at step no. 2 and 4, to create a new Elastic Load Balancer that will be integrated later with your Auto Scaling Group:

aws elb create-load-balancer \
	--region us-east-1 \
	--load-balancer-name cc-asg-load-balancer \
	--listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
	--subnets "subnet-aaaa1234" "subnet-bbbb1234" "subnet-cccc1234" "subnet-dddd1234" \
	--security-groups sg-12345678

08 The command output should return the DNS name of the new load balancer:

{
   "DNSName": "cc-asg-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the new Elastic Load Balancer created at the previous steps to the specified AWS Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers \
	--region us-east-1 \
	--load-balancer-names cc-asg-load-balancer \
	--auto-scaling-group-name cc-web-env-asg

10 Repeat steps no. 1 – 9 to create new AWS ELBs and integrate them with other ASGs, available in the current region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the process for other regions.

Publication date Apr 22, 2018