
Minimum Number of EC2 Target Instances

Reliability

Risk level: High (not acceptable risk)

Ensure there are at least two healthy EC2 target instances registered to each Amazon Application Load Balancer (ALB) and Network Load Balancer (NLB) in order to provide a fault-tolerant load balancing configuration for your applications.

To achieve fault tolerance and minimize the risk of downtime, even if the load balancer is attached to an AWS Auto Scaling Group that has max and desired capacity set to 1, always register at least two target instances to the target group(s) associated with your ELBv2 load balancers.

Audit

To determine if your AWS ELBv2 load balancers distribute the traffic to at least two healthy target instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Target Groups.

04 Select the target group associated with the AWS ELBv2 load balancer that you want to examine. To check the resource association, verify the Load balancer attribute value available on the Description tab.

05 Select Targets tab from the dashboard bottom panel to view the registered targets.

06 Under Registered targets, check the Status column for target instances whose current status is set to healthy. If the number of healthy instances registered to the selected target group is less than two, the selected Amazon ELBv2 load balancer does not have a fault-tolerant configuration.

07 Repeat steps no. 4 – 6 to check other AWS ELBv2 load balancers for healthy target instances, available within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return a table with the requested Amazon Resource Names (ARNs):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-web-prod-nlb/bbbbccccddddeeee"
]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to describe the ARN of the target group associated with the selected ELBv2 resource:

aws elbv2 describe-target-groups \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-prod-alb/aaaabbbbccccdddd \
	--query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group:

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd"
]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as identifier and custom query filters to list the current health status for each EC2 target instance registered to the target group associated with the selected ELBv2 load balancer:

aws elbv2 describe-target-health \
	--region us-east-1 \
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd \
	--query 'TargetHealthDescriptions[*].[Target.Id, TargetHealth.State]'

06 The command output should return an array that contains the ID of each registered EC2 target instance and its health status:

[
    [
        "i-034b0f1ec1673090b",
        "healthy"
    ],
    [
        "i-018dfe1ec017b8744",
        "unhealthy"
    ]
]

If the number of healthy EC2 instances registered to the selected target group is less than two, as shown in the example above, the selected AWS ELBv2 load balancer does not have a fault-tolerant configuration.

07 Repeat steps no. 3 – 6 to verify other AWS ELBv2 load balancers for healthy target instances, available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire audit process for other regions.
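The audit steps above, chained into one script, as an added example that is not part of this rule page: it walks describe-load-balancers, describe-target-groups and describe-target-health for every load balancer in a region and flags target groups with fewer than two healthy targets. It assumes the aws CLI is installed and credentialed; the sample health data is constructed from the output shown in step 06.

```python
import json
import subprocess

MIN_HEALTHY = 2  # the rule: at least two healthy targets per target group


def aws(*args, region="us-east-1"):
    """Run an AWS CLI command (assumes `aws` is installed and credentialed) and parse its JSON."""
    cmd = ["aws", "--region", region, "--output", "json", *args]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def healthy_targets(health_descriptions):
    """IDs of targets whose TargetHealth.State is exactly 'healthy'.
    'initial', 'draining', 'unused' and 'unavailable' targets do not count."""
    return [d["Target"]["Id"] for d in health_descriptions
            if d["TargetHealth"]["State"] == "healthy"]


def is_fault_tolerant(health_descriptions, minimum=MIN_HEALTHY):
    """True when the target group meets the minimum healthy-target count."""
    return len(healthy_targets(health_descriptions)) >= minimum


def audit_region(region):
    """Chain describe-load-balancers -> describe-target-groups -> describe-target-health
    and return (load balancer ARN, target group ARN, healthy count) for each failing group."""
    findings = []
    for lb in aws("elbv2", "describe-load-balancers", region=region)["LoadBalancers"]:
        lb_arn = lb["LoadBalancerArn"]
        tgs = aws("elbv2", "describe-target-groups", "--load-balancer-arn", lb_arn,
                  region=region)["TargetGroups"]
        for tg in tgs:
            health = aws("elbv2", "describe-target-health", "--target-group-arn",
                         tg["TargetGroupArn"], region=region)["TargetHealthDescriptions"]
            if not is_fault_tolerant(health):
                findings.append((lb_arn, tg["TargetGroupArn"], len(healthy_targets(health))))
    return findings


# Constructed sample mirroring the describe-target-health result shown in audit step 06.
SAMPLE_HEALTH = [
    {"Target": {"Id": "i-034b0f1ec1673090b", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "i-018dfe1ec017b8744", "Port": 80}, "TargetHealth": {"State": "unhealthy"}},
]

if __name__ == "__main__":
    import sys
    for region in sys.argv[1:] or ["us-east-1"]:
        for lb_arn, tg_arn, count in audit_region(region):
            print(f"NOT FAULT TOLERANT ({count} healthy): {tg_arn} behind {lb_arn}")
```

Pass one or more region names as arguments to cover step 08 in a single run.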

Remediation / Resolution

To register additional healthy EC2 instances to the target group(s) associated with your ELBv2 load balancers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 If the selected load balancer is attached to an AWS Auto Scaling Group (ASG), you need to update the ASG configuration to increase the number of EC2 target instances. If the load balancer is not currently attached to an ASG, continue with step no. 4:

  1. In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.
  2. Select the Auto Scaling Group that integrates the selected load balancer.
  3. Select Details tab from the bottom panel and click the Edit button from the right side to edit the ASG configuration.
  4. Change the values available in the Desired, Min and Max fields to reflect the number of instances that will be registered to the specified target group (in this case, the value must be at least 2 for each field).
  5. Click Save to apply the changes.

04 In the left navigation panel, under LOAD BALANCING section, choose Target Groups.

05 Select the target group associated with the AWS ELBv2 load balancer that you want to reconfigure (see Audit section part I to identify the right resource).

06 Select Targets tab from the dashboard bottom panel, then click Edit to edit the registered targets configuration.

07 Within Register and deregister targets dialog box, perform the following actions:

  1. To remove unhealthy target instances, select the registered instances from the Registered targets list then click Remove button to remove them from the selected target group.
  2. To register new healthy EC2 instances, select the necessary instances from the Instances list and click Add to registered button to add the new healthy instance to the Registered targets list.
  3. Click Save to apply the new configuration changes. Once all target instances are successfully registered with the ELBv2 load balancer, they should pass the health checks and change their status from initial to healthy.

08 Repeat steps no. 3 – 7 to register healthy target instances with other AWS ELBv2 load balancers available in the current region.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 If your load balancer is attached to an AWS Auto Scaling Group (ASG), you need to update the ASG configuration in order to increase the number of EC2 target instances (in this case to 2 instances) by executing update-auto-scaling-group command (OSX/Linux/UNIX). If the selected load balancer is not currently attached to an ASG, continue with the next step (the command does not produce an output):

aws autoscaling update-auto-scaling-group \
	--region us-east-1 \
	--auto-scaling-group-name cc-prod-asg \
	--launch-configuration-name cc-web-launch-config \
	--min-size 2 \
	--max-size 2 \
	--desired-capacity 2

02 To remove unhealthy target instances and register new healthy EC2 instances to the target group associated with the selected AWS ELBv2 load balancer, perform the following commands:

  1. Run deregister-targets command (OSX/Linux/UNIX) to remove the unhealthy target instance, identified by the ID i-018dfe1ec017b8744, from the target group associated with the selected load balancer (the command does not produce an output):

    aws elbv2 deregister-targets \
    	--region us-east-1 \
    	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd \
    	--targets Id=i-018dfe1ec017b8744

  2. Run register-targets command (OSX/Linux/UNIX) to register a new target instance, identified by the ID i-0e673c972dc07c360, to the target group associated with the selected ELBv2 load balancer (the command does not produce an output):

    aws elbv2 register-targets \
    	--region us-east-1 \
    	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd \
    	--targets Id=i-0e673c972dc07c360

03 Repeat step no. 1 and 2 to register healthy target instances with other Amazon ELBv2 load balancers available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the entire process for other regions.


Publication date Feb 5, 2018