
Connection Draining Enabled

Reliability

Risk level: Medium (should be achieved)

With the Connection Draining feature enabled, if an EC2 backend instance fails health checks the Elastic Load Balancer stops sending new requests to the unhealthy instance, but still allows existing (in-flight) requests to complete for the duration of the configured timeout.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Enabling this feature allows better management of the resources behind the Elastic Load Balancer, such as replacing backend instances without impacting the user experience. For example, an instance can be taken out of service and replaced with a fresh EC2 instance that contains updated software without breaking the network connections that are still open.

Audit

To determine if Connection Draining is enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Instances tab from the bottom panel.

06 Check if the Connection Draining status is enabled:

Checking if ELB Connection Draining is enabled on the AWS Console

Using AWS CLI

01 Run the following command (OSX/Linux/UNIX) to check if the Connection Draining feature is enabled:

aws elb describe-load-balancer-attributes \
	--load-balancer-name MyWebELB

02 The command output should reveal the Connection Draining status (disabled in this case):

{
   "LoadBalancerAttributes": {
      "ConnectionDraining": {
          "Enabled": false,
          "Timeout": 300
      },
      "CrossZoneLoadBalancing": {
          "Enabled": true
      },
      "ConnectionSettings": {
          "IdleTimeout": 60
      },
      "AccessLog": {
          "Enabled": false
      }
   }
}

Remediation / Resolution

To enable Connection Draining, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard.

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Instances tab from the bottom panel.

06 Find the Connection Draining status and click Edit.

Edit in ELB Connection Draining status on the AWS Console

07 Select the Enable Connection Draining checkbox.

Selection of Enable Connection Draining on the AWS Console

08 In the Timeout field, enter the number of seconds (between 1 and 3600) during which existing (in-flight) traffic is allowed to continue flowing:

Edit timeout settings for Connection Draining on the AWS Console

09 Click Save.

Using AWS CLI

01 Run the modify-load-balancer-attributes command (OSX/Linux/UNIX) to enable the Connection Draining feature via AWS CLI:

aws elb modify-load-balancer-attributes \
	--load-balancer-name MyWebELB \
	--load-balancer-attributes "{\"ConnectionDraining\":{\"Enabled\":true, \"Timeout\":300}}"

02 The command output should look like the following:

{
    "LoadBalancerAttributes": {
        "ConnectionDraining": {
            "Enabled": true,
            "Timeout": 300
        }
    },
    "LoadBalancerName": "MyWebELB"
}
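The audit and remediation steps above can be automated in a small script that parses the JSON returned by describe-load-balancer-attributes, decides whether the rule is met (Connection Draining enabled and the timeout within 1 to 3600 seconds), and builds the modify-load-balancer-attributes command for any non-compliant load balancer. The script below is an added example and is not Cloud Conformity's or AWS's own code; it assumes the JSON has already been captured from the CLI command shown in the Audit section, and the two sample documents embedded in it are constructed to mirror the outputs on this page.

```python
import json
import shlex

# Constructed sample: describe-load-balancer-attributes output for a classic ELB
# with Connection Draining turned off (mirrors the Audit section above).
SAMPLE_DISABLED = """{
   "LoadBalancerAttributes": {
      "ConnectionDraining": {"Enabled": false, "Timeout": 300},
      "CrossZoneLoadBalancing": {"Enabled": true},
      "ConnectionSettings": {"IdleTimeout": 60},
      "AccessLog": {"Enabled": false}
   }
}"""

# Constructed sample: the same load balancer after remediation.
SAMPLE_ENABLED = """{
   "LoadBalancerAttributes": {
      "ConnectionDraining": {"Enabled": true, "Timeout": 300},
      "CrossZoneLoadBalancing": {"Enabled": true},
      "ConnectionSettings": {"IdleTimeout": 60},
      "AccessLog": {"Enabled": false}
   }
}"""

MIN_TIMEOUT, MAX_TIMEOUT = 1, 3600   # allowed draining timeout range in seconds (per the page)
DEFAULT_TIMEOUT = 300                # value used in the page's remediation command


def evaluate_connection_draining(attributes_json: str):
    """Return (compliant, finding) for one load balancer's attribute document."""
    doc = json.loads(attributes_json)
    draining = doc.get("LoadBalancerAttributes", {}).get("ConnectionDraining")
    if draining is None:
        return False, "ConnectionDraining attribute missing from response"
    if not draining.get("Enabled", False):
        return False, "Connection Draining is disabled"
    timeout = draining.get("Timeout")
    # A timeout outside the documented range would not give in-flight requests
    # a usable drain window, so treat it as a finding too.
    if not isinstance(timeout, int) or not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        return False, f"Connection Draining timeout {timeout!r} is outside {MIN_TIMEOUT}-{MAX_TIMEOUT} seconds"
    return True, f"Connection Draining enabled with a {timeout}s timeout"


def remediation_command(load_balancer_name: str, timeout: int = DEFAULT_TIMEOUT) -> str:
    """Build the aws elb modify-load-balancer-attributes command from the Remediation section."""
    if not MIN_TIMEOUT <= timeout <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be between {MIN_TIMEOUT} and {MAX_TIMEOUT} seconds")
    attrs = json.dumps({"ConnectionDraining": {"Enabled": True, "Timeout": timeout}},
                       separators=(",", ":"))
    # shlex.quote keeps the JSON intact when the command is pasted into a POSIX shell.
    return ("aws elb modify-load-balancer-attributes "
            f"--load-balancer-name {shlex.quote(load_balancer_name)} "
            f"--load-balancer-attributes {shlex.quote(attrs)}")


def audit(lb_attributes: dict) -> list:
    """Audit a mapping of load balancer name -> attributes JSON.

    Returns a list of (name, compliant, finding, fix) tuples; fix is None when
    the load balancer already meets the rule.
    """
    results = []
    for name, attributes_json in lb_attributes.items():
        compliant, finding = evaluate_connection_draining(attributes_json)
        fix = None if compliant else remediation_command(name)
        results.append((name, compliant, finding, fix))
    return results


if __name__ == "__main__":
    # MyWebELB is the name used on the page; LegacyELB is a constructed second entry.
    for name, compliant, finding, fix in audit({"MyWebELB": SAMPLE_ENABLED,
                                                 "LegacyELB": SAMPLE_DISABLED}):
        print(f"{name}: {'PASS' if compliant else 'FAIL'} - {finding}")
        if fix:
            print(f"  remediation: {fix}")
```

In practice the attributes JSON for each load balancer would come from running the describe-load-balancer-attributes command from the Audit section once per name returned by aws elb describe-load-balancers; the evaluation and the generated remediation command are the same regardless of how the JSON is obtained.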


Publication date Apr 1, 2016