Ensure that all internet-facing Application Load Balancers (ALBs) and Network Load Balancers (NLBs) in your AWS account are reviewed regularly from a security standpoint. An internet-facing load balancer has a publicly resolvable DNS name (an A record) and is used to route requests or connections from clients on the Internet to the targets registered with the ELBv2 load balancer. By contrast, an internal ELBv2 load balancer is typically used inside a multi-tier architecture, where front-end web servers send requests to the internal load balancer using the private IP addresses resolved from its DNS name. Cloud Conformity strongly recommends reviewing your Application Load Balancers and Network Load Balancers on a regular basis to confirm that the scheme used by each ELBv2 resource matches its security requirements.
Using the right scheme (internal or internet-facing) for your Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) is crucial to the security of your AWS load balancing architecture: an internet-facing scheme exposes the load balancer's listeners to the whole Internet, so it should be used only where public reachability is actually required.
To identify the scheme used by the ELBv2 load balancers provisioned in your AWS account, perform the following actions:
Case A: Review your internet-facing ELBv2 load balancers and change the scheme configuration for any ALB/NLB resource that does not meet your regulatory and security requirements. The scheme of an existing ELBv2 load balancer cannot be modified in place; to move a load balancer to the internal scheme you need to re-create it with the internal scheme configuration (and then re-point clients and DNS at the new resource before deleting the old one). To create internal Amazon ELBv2 load balancers, perform the following actions:
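The audit step above (identify which ELBv2 load balancers are internet-facing) and the remediation step (re-create an offending load balancer with the internal scheme) can both be driven from the `DescribeLoadBalancers` response. The following Python example is added here and is not part of the Cloud Conformity rule or of any AWS tooling; it works on the JSON shape returned by `aws elbv2 describe-load-balancers` / boto3 `describe_load_balancers()`. The sample response, ARNs, subnet and security group IDs embedded below are constructed, and the live lookup helper assumes boto3 with valid credentials.

```python
"""Audit ELBv2 scheme and prepare an internal re-creation.

Added example (not from the Cloud Conformity page). Operates on the
DescribeLoadBalancers response shape; the sample below is constructed.
"""
import json

# Constructed sample mirroring the DescribeLoadBalancers response shape.
SAMPLE_RESPONSE = {
    "LoadBalancers": [
        {
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                               "loadbalancer/app/public-web/aaaa1111bbbb2222",
            "DNSName": "public-web-123456.us-east-1.elb.amazonaws.com",
            "LoadBalancerName": "public-web",
            "Scheme": "internet-facing",
            "Type": "application",
            "IpAddressType": "ipv4",
            "AvailabilityZones": [{"SubnetId": "subnet-0a1"}, {"SubnetId": "subnet-0b2"}],
            "SecurityGroups": ["sg-0123"],
        },
        {
            "LoadBalancerName": "internal-api",
            "Scheme": "internal",
            "Type": "network",
            "IpAddressType": "ipv4",
            "AvailabilityZones": [{"SubnetId": "subnet-0c3"}],
        },
    ]
}


def fetch_load_balancers(region_name):
    """Live lookup via boto3 (assumed installed and credentialed); paginated."""
    import boto3  # imported lazily so the offline audit below has no dependency
    client = boto3.client("elbv2", region_name=region_name)
    lbs = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        lbs.extend(page["LoadBalancers"])
    return {"LoadBalancers": lbs}


def internet_facing(response):
    """Return names of ELBv2 load balancers (ALB or NLB) whose Scheme is internet-facing."""
    return [
        lb["LoadBalancerName"]
        for lb in response.get("LoadBalancers", [])
        if lb.get("Scheme") == "internet-facing"
    ]


def internal_recreation_params(lb, new_name=None):
    """Build CreateLoadBalancer parameters that re-create `lb` with Scheme=internal.

    The scheme is immutable, so remediation is a re-create. Subnets, type,
    IP address type and (where present) security groups are carried over;
    listeners and target groups must be re-attached separately. Review the
    copied subnets: an internal load balancer normally belongs in private ones.
    """
    params = {
        "Name": new_name or f"{lb['LoadBalancerName']}-internal",
        "Scheme": "internal",
        "Type": lb["Type"],
        "IpAddressType": lb.get("IpAddressType", "ipv4"),
        "Subnets": [az["SubnetId"] for az in lb["AvailabilityZones"]],
    }
    if lb.get("SecurityGroups"):
        params["SecurityGroups"] = list(lb["SecurityGroups"])
    return params


if __name__ == "__main__":
    exposed = internet_facing(SAMPLE_RESPONSE)
    print("internet-facing load balancers:", exposed)
    for lb in SAMPLE_RESPONSE["LoadBalancers"]:
        if lb["LoadBalancerName"] in exposed:
            print(json.dumps(internal_recreation_params(lb), indent=2))
```

The returned parameter dictionary can be passed directly to boto3 `client.create_load_balancer(**params)`, or mirrored with `aws elbv2 create-load-balancer --scheme internal ...`; the old internet-facing resource is deleted only after clients have been moved to the new DNS name.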