Trend Micro Cloud One™

Check for Auto Scaling Groups with integrated Elastic Load Balancers.

Risk level: Medium (should be achieved)
Rule ID: ASG-012

Ensure that your Amazon Auto Scaling Groups (ASGs) have Elastic Load Balancers attached so that application traffic is spread evenly across the group's EC2 instances and the application stays reachable when an instance fails or is being replaced. Three types of Elastic Load Balancers can be used with Auto Scaling Groups: Classic Load Balancers, Application Load Balancers and Network Load Balancers. With Classic Load Balancers, the EC2 instances are registered directly with the load balancer. With Application Load Balancers and Network Load Balancers, the instances are registered as targets in a target group, and it is the target group that is attached to the ASG. Note that attaching a load balancer does not by itself change how the group decides that an instance is unhealthy: a group whose HealthCheckType is EC2 only replaces instances that fail EC2 status checks, so after attaching a load balancer you should also switch the group to ELB health checks (update-auto-scaling-group --health-check-type ELB) if you want instances that fail the load balancer health check to be replaced.

This rule can help you with the following compliance standards:

  • APRA

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Integrating Amazon Auto Scaling Groups with Classic, Application or Network Load Balancers provides high availability and improves application performance: the load balancer registers the instances the group launches, spreads traffic across them and stops routing requests to instances that fail its health checks, so the group can scale out and replace instances without clients having to track individual instance addresses.

Audit

To determine if your Auto Scaling Groups are using Elastic Load Balancers (i.e. Classic, Application or Network Load Balancers) for efficient application scaling and high availability, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

04 Select the AWS Auto Scaling Group (ASG) that you want to examine.

05 Select the Details tab from the dashboard bottom panel to access the resource configuration details.

06 On the Details tab panel, check the Classic Load Balancers attribute for the name(s) of the Classic Load Balancer(s) attached to the selected ASG, and the Target Groups attribute for the name(s) of the ALB/NLB target group(s) attached to it. If both attributes are empty, no Classic, Application or Network Load Balancer is associated with the selected Amazon Auto Scaling Group.

07 Repeat steps no. 4 – 6 for each Amazon ASG deployed within the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all AWS Auto Scaling Groups (ASGs) available in the selected region:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested AWS ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-production-web-asg  |
|  cc-internal-web-asg    |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to examine as identifier parameter and custom query filters to get the identifiers (names or ARNs) of the Elastic Load Balancers and/or Target Groups associated with the selected ASG:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names cc-production-web-asg
	--query 'AutoScalingGroups[*].{"LoadBalancers":LoadBalancerNames, "TargetGroups":TargetGroupARNs}'

04 The command output should return the requested resource identifiers (if any):

[
    {
        "LoadBalancers": [],
        "TargetGroups": []
    }
]

If describe-auto-scaling-groups command output returns an empty array (i.e. []) for both LoadBalancers and TargetGroups configuration attributes, as shown in the example above, there are no Classic, Application or Network Load Balancers currently associated with the selected Auto Scaling Group.

05 Repeat step no. 3 and 4 for each Amazon ASG available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
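The manual audit above loops over every ASG in every region by hand. The script below is an added example (not Cloud Conformity's own code) that automates the same check: it runs describe-auto-scaling-groups in each enabled region through the AWS CLI and reports groups with neither a Classic Load Balancer nor a target group attached. It also flags groups that do have a load balancer but still use EC2 health checks, which is the follow-up gap a practitioner usually wants to see at the same time. It assumes the AWS CLI is installed and credentials are configured; the SAMPLE_OUTPUT dictionary is constructed test data, not a real account.

```python
"""Audit all enabled regions for Auto Scaling Groups with no load balancer
attached (rule ASG-012). Added example, not Cloud Conformity code: it runs the
same `aws autoscaling describe-auto-scaling-groups` call as the manual steps and
assumes the AWS CLI is installed and credentials are configured.
"""
import json
import subprocess


def find_noncompliant_asgs(describe_output):
    """Classify the parsed JSON of describe-auto-scaling-groups.

    Returns two lists of ASG names:
      no_load_balancer      - LoadBalancerNames and TargetGroupARNs are both empty
      ec2_health_check_only - a load balancer is attached but HealthCheckType is
                              still EC2, so instances that fail the load balancer
                              health check are not replaced by the group
    """
    findings = {"no_load_balancer": [], "ec2_health_check_only": []}
    for asg in describe_output.get("AutoScalingGroups", []):
        name = asg["AutoScalingGroupName"]
        attached = bool(asg.get("LoadBalancerNames")) or bool(asg.get("TargetGroupARNs"))
        if not attached:
            findings["no_load_balancer"].append(name)
        elif asg.get("HealthCheckType", "EC2") != "ELB":
            findings["ec2_health_check_only"].append(name)
    return findings


def aws_json(args):
    """Run `aws <args> --output json` and return the parsed response."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_region(region):
    return find_noncompliant_asgs(
        aws_json(["autoscaling", "describe-auto-scaling-groups", "--region", region]))


def audit_all_regions():
    # describe-regions returns only the regions enabled for the account.
    regions = aws_json(["ec2", "describe-regions", "--query", "Regions[].RegionName"])
    return {region: audit_region(region) for region in regions}


# Constructed sample (not real account data) shaped like the CLI response,
# trimmed to the attributes the check needs.
SAMPLE_OUTPUT = {"AutoScalingGroups": [
    {"AutoScalingGroupName": "cc-production-web-asg", "LoadBalancerNames": [],
     "TargetGroupARNs": [], "HealthCheckType": "EC2"},
    {"AutoScalingGroupName": "cc-internal-web-asg",
     "LoadBalancerNames": ["cc-classic-load-balancer"], "TargetGroupARNs": [],
     "HealthCheckType": "EC2"},
    {"AutoScalingGroupName": "cc-api-asg", "LoadBalancerNames": [],
     "TargetGroupARNs": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                         "targetgroup/cc-alb-target-group/aaaabbbbccccdddd"],
     "HealthCheckType": "ELB"},
]}


if __name__ == "__main__":
    for region, findings in audit_all_regions().items():
        for name in findings["no_load_balancer"]:
            print(f"{region}\t{name}\tno load balancer or target group attached")
        for name in findings["ec2_health_check_only"]:
            print(f"{region}\t{name}\tload balancer attached, health check type still EC2")
```

Run against SAMPLE_OUTPUT, find_noncompliant_asgs reports cc-production-web-asg as having no load balancer and cc-internal-web-asg as attached but still on EC2 health checks. If you prefer to stay in the CLI, the first filter can be pushed into a single JMESPath query such as --query 'AutoScalingGroups[?length(LoadBalancerNames)==`0` && length(TargetGroupARNs)==`0`].AutoScalingGroupName', which lists every non-compliant group in a region with one call.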

Remediation / Resolution

Case A: To create and attach Classic Load Balancers to existing Amazon Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to initiate the load balancer setup process.

05 On the Select load balancer type page, within Classic Load Balancer section, click Create.

06 On the Step 1: Define Load Balancer page, perform the following operations:

  1. Inside the Load Balancer name box, enter a name for the new Classic Load Balancer.
  2. Select the VPC that will host the load balancer from the Create LB inside dropdown list. Both your load balancer and your ASG must share the same VPC network.
  3. Select Enable advanced VPC configuration checkbox and choose the Availability Zones where you wish traffic to be routed by the load balancer.
  4. In the Load Balancer Protocol section, use the Add button to add more protocols, based on your web application requirements.
  5. Click Next: Assign Security Groups to continue the setup process.

07 On the Step 2: Assign Security Groups page, select Create a new security group, provide a name and a description (optional) for the new security group, then add the necessary rules based on your application access requirements using the Add Rule button. Click Next: Configure Security Settings to continue.

08 On the Step 3: Configure Security Settings page, configure the HTTPS/SSL listeners if you want your traffic to be routed using HTTPS. Once you have configured the security settings available on this page click Next: Configure Health Check.

09 On the Step 4: Configure Health Check page, customize the load balancer health check or use the default settings, then click Next: Add EC2 Instances.

10 On the Step 5: Add EC2 Instances page, select Enable Cross-Zone Load Balancing and Enable Connection Draining, then click the Next: Add Tags button. Do not select any EC2 instances at this point as the load balancer will add them automatically once this is attached to your Auto Scaling Group.

11 Define tags for the new load balancer on the Step 6: Add Tags page, then click Review and Create button to continue.

12 On the Step 7: Review page, review the load balancer configuration details then click Create to build the new load balancer. Once your AWS Classic Load Balancer is successfully created, click Close to return to the Amazon EC2 dashboard.

13 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

14 Select the Amazon ASG that you want to reconfigure (see Audit section part I to identify the right resource).

15 Select the Details tab from the dashboard bottom panel and click the Edit button to open the resource configuration panel for editing.

16 On the Edit details panel, click inside the Classic Load Balancers box and select the name of the newly created load balancer. Click Save to apply the configuration changes and integrate the new Classic Load Balancer with the selected Auto Scaling Group.

17 Repeat steps no. 3 – 16 to create and associate a new Classic Load Balancer with each of the other Amazon Auto Scaling Groups available in the current region.

18 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Execute describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG that you want to reconfigure as identifier parameter to describe its configuration details, required later when the new load balancer will be created and attached to the selected Auto Scaling Group:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names cc-production-web-asg

02 The command output should return the requested ASG configuration details:

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-web-asg",
            "ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
            "TargetGroupARNs": [],
            "SuspendedProcesses": [],
            "DesiredCapacity": 3,
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [],
            "AutoScalingGroupName": "cc-production-web-asg",
            "DefaultCooldown": 300,
 
            ...
            
            "MinSize": 1,
            "MaxSize": 3,
            "VPCZoneIdentifier": "subnet-abcdabcd,subnet-abcd1234,subnet-1234abcd,subnet-12341234",
            "HealthCheckGracePeriod": 297,
            "TerminationPolicies": [
                "Default"
            ],
            "LaunchConfigurationName": "cc-prod-asg-config",
            "CreatedTime": "2019-11-28T18:04:23.090Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group that will be used by the new Classic Load Balancer. The following command example creates a security group named "cc-elb-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group
	--region us-east-1
	--group-name cc-elb-security-group
	--description "ASG Classic Load Balancer Security Group"
	--vpc-id vpc-abcd1234

04 The command output should return the ID of the new AWS security group:

{
    "GroupId": "sg-12345678"
} 

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier parameter, to set up the inbound rules based on your web application requirements (older CLI versions print nothing; newer ones return the created rule). The example below opens port 80 to the internet, which is appropriate for an internet-facing load balancer; for an internal load balancer restrict --cidr to the VPC or corporate address ranges that should reach it:

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-12345678
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

06 A newly created security group already allows all outbound traffic by default, so the following authorize-security-group-egress command (OSX/Linux/UNIX) changes nothing unless you first remove that default rule with revoke-security-group-egress. Do so if you want to restrict the load balancer's egress to the port(s) your backend instances listen on; the rule below then permits only TCP port 80 outbound (the command does not return an output):

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-12345678
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) to create a new Classic Load Balancer that will be integrated later with your Auto Scaling Group. Use the subnets listed in the VPCZoneIdentifier attribute returned at step no. 2 (the load balancer and the ASG must be in the same VPC, and the load balancer subnets should cover the group's Availability Zones so every instance can receive traffic) and the security group ID returned at step no. 4:

aws elb create-load-balancer
	--region us-east-1
	--load-balancer-name cc-classic-load-balancer
	--listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80"
	--subnets "subnet-aaaa1234" "subnet-bbbb1234" "subnet-cccc1234" "subnet-dddd1234"
	--security-groups sg-12345678

08 The command output should return the DNS name for the new load balancer:

{
    "DNSName": "cc-classic-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the Classic Load Balancer created at the previous steps to the selected Amazon Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers
	--region us-east-1
	--load-balancer-names cc-classic-load-balancer
	--auto-scaling-group-name cc-production-web-asg

10 Repeat steps no. 1 – 9 to create and attach new Classic Load Balancers to other Amazon Auto Scaling Groups, available within the selected region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the process for other regions.

Case B: To create Application/Network Load Balancers and associate their Target Group with your existing Amazon Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to initiate the setup process.

05 On the Select load balancer type page, choose one of the following options based on your application requirements:

  1. For Application Load Balancers (ALBs):
    • Select Application Load Balancer to set up a new load balancer, then click Create to start the process.
    • On the Step 1: Configure Load Balancer page, provide a unique name for your new ALB, then set the load balancer scheme type from the Scheme configuration setting. Configure the right IP address type and the necessary listeners, then select the required Availability Zones. (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags section. Click Next: Configure Security Settings to continue the setup process.
    • On the Step 2: Configure Security Settings page, create the necessary HTTPS listener for your new Amazon ALB. If your application does not require an HTTPS listener just skip this page and click Next: Configure Security Groups to continue the setup.
    • On the Step 3: Configure Security Groups page, select Create a new security group and provide a name and a short description for the new AWS security group. This security group should contain a rule that allows traffic to the port that you configured your ALB to use. Click Next: Configure Routing to set the target group and the health checks configuration.
    • On the Step 4: Configure Routing page, choose an existing Target Group from the Available dropdown list or set a new one based on your application needs. Make sure that the Target type is set to Instance. In the Health checks section, click Advanced health check settings and configure the required health checks. Click Next: Register Targets to continue.
    • On the Step 5: Register Targets page, just click Next: Review. Do not add any target instances at this point as the load balancer will add them automatically once this is attached to your Auto Scaling Group.
    • On the Step 6: Review page, examine the configuration details then click Create to build your new Application Load Balancer.
    • On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the Amazon EC2 dashboard.
  2. For Network Load Balancers (NLBs):
    • Select Network Load Balancer to set up a new load balancer, then click Create to start the process.
    • On the Step 1: Network Load Balancer page, provide a unique name for your new NLB, then set the load balancer scheme type. Configure the listeners, choose the right VPC, then select the required Availability Zones. (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags section. Click Next: Configure Security Settings to continue the setup process.
    • On the Step 2: Configure Security Settings page, configure the necessary SSL certificate and choose the newest security policy provided by AWS. If your setup does not require a TLS (Secure TCP) listener, just skip the settings available on the page and click Next: Configure Routing to continue.
    • On the Step 4: Configure Routing page, choose an existing Target Group from the Available dropdown list or set a new one based on your application requirements. Make sure that the Target type is set to Instance. In the Health checks section select the right protocol type, then click Advanced health check settings and configure the necessary health checks. Click Next: Register Targets to continue.
    • On the Step 5: Register Targets page, just click the Next: Review button. Do not add any target instances at this point as the load balancer will add them automatically once this is associated with your Auto Scaling Group (ASG).
    • On the Step 6: Review page, examine the configuration details, then click Create to build your new Network Load Balancer.
    • On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the AWS EC2 dashboard.

06 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

07 Select the Amazon ASG that you want to reconfigure (see Audit section part I to identify the right resource).

08 Select the Details tab from the dashboard bottom panel and click the Edit button to open the resource configuration panel for editing.

09 On the Edit details panel, click inside the Target Groups box and select the name of the Target Group deployed with the Application/Network Load Balancer. Click Save to apply the configuration changes and attach the new ALB/NLB Target Group to the selected Auto Scaling Group.

10 Repeat steps no. 3 – 9 to create new Application/Network Load Balancers and associate their Target Group with other Amazon Auto Scaling Groups, available in the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Execute describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG that you want to reconfigure as identifier parameter to describe its configuration details, required later when the required ALB/NLB will be created and attached to the selected Auto Scaling Group:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names cc-production-web-asg

02 The command output should return the requested ASG configuration details:

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-web-asg",
            "ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
            "TargetGroupARNs": [],
            "SuspendedProcesses": [],
            "DesiredCapacity": 3,
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [],
            "AutoScalingGroupName": "cc-production-web-asg",
            "DefaultCooldown": 300,
 
            ...
            
            "MinSize": 1,
            "MaxSize": 3,
            "VPCZoneIdentifier": "subnet-abcdabcd,subnet-abcd1234,subnet-1234abcd,subnet-12341234",
            "HealthCheckGracePeriod": 297,
            "TerminationPolicies": [
                "Default"
            ],
            "LaunchConfigurationName": "cc-prod-asg-config",
            "CreatedTime": "2019-11-28T18:04:23.090Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group that will be used by the new Application Load Balancer. The following command example creates a security group named "cc-elbv2-security-group" inside a VPC network identified by the ID vpc-abcd1234. A Network Load Balancer created with the commands in this procedure has no security group of its own, so if you are deploying an NLB skip steps no. 3 – 6 and make sure instead that the instances' security groups allow the listener port from your clients (client source IPs are preserved by default for instance targets) and the health check port from the load balancer's private IP addresses, i.e. from the VPC CIDR:

aws ec2 create-security-group
	--region us-east-1
	--group-name cc-elbv2-security-group
	--description "ASG Application Load Balancer Security Group"
	--vpc-id vpc-abcd1234

04 The command output should return the ID of the new AWS security group:

{
    "GroupId": "sg-12345678"
} 

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier parameter, to set up the inbound rules based on your application needs (the command does not produce an output):

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-12345678
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as identifier parameter to configure the outbound rules based on your application requirements (the command does not return an output):

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-12345678
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Based on the type of the load balancer that you want to create, perform one of the following sets of commands:

  1. For Application Load Balancers (ALBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at step no. 2 and 4 as parameter values, to create the Application Load Balancer that will be integrated later with your AWS Auto Scaling Group:
      aws elbv2 create-load-balancer
      	--region us-east-1
      	--name cc-application-load-balancer
      	--type application
      	--ip-address-type ipv4
      	--subnets subnet-aaaa1234 subnet-bbbb1234 subnet-cccc1234 subnet-dddd1234
      	--security-groups sg-12345678
      
    • The command output should return the new Amazon ALB metadata:
      {
          "LoadBalancers": [
              {
                  "VpcId": "vpc-12345678",
                  "State": {
                      "Code": "provisioning"
                  },
                  "LoadBalancerName": "cc-application-load-balancer",
                  "Type": "application",
       
      		  ...
       
                  "AvailabilityZones": [
                      {
                          "SubnetId": "subnet-aaaa1234",
                          "ZoneName": "us-east-1a"
                      },
                      {
                          "SubnetId": "subnet-bbbb1234",
                          "ZoneName": "us-east-1b"
                      },
      		      {
                          "SubnetId": "subnet-cccc1234",
                          "ZoneName": "us-east-1c"
                      },
                      {
                          "SubnetId": "subnet-dddd1234",
                          "ZoneName": "us-east-1d"
                      }
                  ]
              }
          ]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to build the required target group for the newly created Application Load Balancer:
      aws elbv2 create-target-group
      	--region us-east-1
      	--name cc-alb-target-group
      	--protocol HTTP
      	--port 80
      	--vpc-id vpc-12345678
      	--health-check-protocol HTTP
      	--health-check-port traffic-port
      	--health-check-path /index.html
      	--health-check-interval-seconds 30
      	--health-check-timeout-seconds 5
      	--healthy-threshold-count 10
      	--unhealthy-threshold-count 2
      	--target-type instance
      
    • The command output should return the new ALB Target Group metadata:
      {
          "TargetGroups": [
              {
                  "HealthCheckPath": "/index.html",
                  "HealthCheckIntervalSeconds": 30,
                  "VpcId": "vpc-12345678",
                  "Protocol": "HTTP",
                  "HealthCheckTimeoutSeconds": 5,
       
                  ... 
       
                  "Matcher": {
                      "HttpCode": "200"
                  },
                  "HealthCheckPort": "traffic-port",
                  "Port": 80,
                  "TargetGroupName": "cc-alb-target-group"
              }
          ]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary HTTP(S) listener to the newly created Application Load Balancer:
      aws elbv2 create-listener
      	--region us-east-1
      	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd
      	--protocol HTTP
      	--port 80
      	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
      
    • The command output should return the new load balancer listener metadata:
      {
         "Listeners": [
            {
               "Protocol": "HTTP",
               "DefaultActions": [
                   {
                      "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
                      "Type": "forward"
                   }
               ],
               "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd",
               "Port": 80,
               "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-application-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
            }
         ]
      }
      
  2. For Network Load Balancers (NLBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at step no. 2 and 4 as parameter values, to create the Network Load Balancer that will be integrated later with your AWS Auto Scaling Group:
      aws elbv2 create-load-balancer
      	--region us-east-1
      	--name cc-network-load-balancer
      	--type network
      	--ip-address-type ipv4
      	--subnets subnet-aaaa1234 subnet-bbbb1234 subnet-cccc1234 subnet-dddd1234 
      
    • The command output should return the new Amazon NLB metadata:
      {
          "LoadBalancers": [
              {
                  "VpcId": "vpc-12345678",
                  "State": {
                      "Code": "provisioning"
                  },
                  "LoadBalancerName": "cc-network-load-balancer",
                  "Type": "network",
       
                ...
       
                  "AvailabilityZones": [
                      {
                          "SubnetId": "subnet-aaaa1234",
                          "ZoneName": "us-east-1a"
                      },
                      {
                          "SubnetId": "subnet-bbbb1234",
                          "ZoneName": "us-east-1b"
                      },
                    {
                          "SubnetId": "subnet-cccc1234",
                          "ZoneName": "us-east-1c"
                      },
                      {
                          "SubnetId": "subnet-dddd1234",
                          "ZoneName": "us-east-1d"
                      }
                  ]
              }
          ]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to build the Target Group required for the newly created AWS Network Load Balancer:
      aws elbv2 create-target-group
      	--region us-east-1
      	--name cc-nlb-target-group
      	--protocol TCP
      	--port 80
      	--vpc-id vpc-12345678
      	--health-check-protocol TCP
      	--health-check-port traffic-port
      	--health-check-interval-seconds 30
      	--health-check-timeout-seconds 10
      	--healthy-threshold-count 3
      	--unhealthy-threshold-count 3
      	--target-type instance
      
    • The command output should return the new Target Group metadata:
      {
          "TargetGroups": [
              {
                  "TargetType": "instance",
                  "HealthCheckIntervalSeconds": 30,
                  "VpcId": "vpc-12345678",
                  "Protocol": "TCP",
                  "HealthCheckTimeoutSeconds": 10,
                  "HealthCheckProtocol": "TCP",
       
                  ...
                  
                  "UnhealthyThresholdCount": 3,
                  "HealthyThresholdCount": 3,
                  "Matcher": {},
                  "HealthCheckPort": "traffic-port",
                  "Port": 80,
                  "TargetGroupName": "cc-nlb-target-group"
              }
          ]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary TCP listener to the newly created load balancer:
      aws elbv2 create-listener
      	--region us-east-1
      	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd
      	--protocol TCP
      	--port 80
      	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
      
    • The command output should return the new listener metadata:
      {
         "Listeners": [
            {
               "Protocol": "TCP",
               "DefaultActions": [
                   {
                      "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
                      "Type": "forward"
                   }
               ],
               "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd",
               "Port": 80,
               "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
            }
         ]
      }
      

08 Run attach-load-balancer-target-groups command (OSX/Linux/UNIX) to attach the ALB/NLB Target Group created and configured at the previous steps to the selected Amazon Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancer-target-groups
	--region us-east-1
	--auto-scaling-group-name cc-production-web-asg
	--target-group-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd

09 Repeat steps no. 1 – 8 to create new Application/Network Load Balancers and associate their Target Group with other AWS Auto Scaling Groups, available in the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire process for other regions.
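The Case B CLI procedure is a chain of commands in which each step consumes an identifier returned by the previous one (security group ID, load balancer ARN, target group ARN), and the attach command at the end is the easiest place to paste the wrong ARN. The script below is an added example (not Cloud Conformity's own code) that runs the Application Load Balancer variant of that chain through the AWS CLI, threads the returned identifiers automatically, waits for the load balancer to become available, and finishes by switching the group to ELB health checks so that the ASG replaces instances the load balancer marks unhealthy. It assumes the AWS CLI is installed and credentials are configured; the ASG name, VPC ID and subnet IDs in the usage call are placeholders, and the `run` parameter exists so the command sequence can be checked with a fake runner without touching an account.

```python
"""Create an ALB, its target group and listener, attach the target group to
an existing Auto Scaling Group and switch the group to ELB health checks
(rule ASG-012, Case B). Added example, not Cloud Conformity code.
"""
import subprocess


def run_cli(args):
    """Execute `aws <args> --output text` and return its stripped stdout."""
    proc = subprocess.run(["aws", *args, "--output", "text"],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def remediate_with_alb(asg_name, vpc_id, subnet_ids, region,
                       health_check_path="/", run=run_cli):
    """Run the Case B command chain and return the argv of every command issued.

    `run` is called with each argv (region appended) and must return the
    command's text output; swap in a fake for dry runs or tests.
    """
    executed = []

    def cli(*args):
        argv = [*args, "--region", region]
        executed.append(argv)
        return run(argv)

    # 1. Security group for the ALB. Only the listener port is opened inbound;
    #    0.0.0.0/0 matches an internet-facing load balancer, narrow it for an
    #    internal one. Names are placeholders derived from the ASG name.
    sg_id = cli("ec2", "create-security-group",
                "--group-name", f"{asg_name}-alb-sg",
                "--description", f"ALB security group for {asg_name}",
                "--vpc-id", vpc_id, "--query", "GroupId")
    cli("ec2", "authorize-security-group-ingress", "--group-id", sg_id,
        "--protocol", "tcp", "--port", "80", "--cidr", "0.0.0.0/0")

    # 2. The load balancer. An ALB needs subnets in at least two Availability
    #    Zones; use the ones from the ASG's VPCZoneIdentifier.
    lb_arn = cli("elbv2", "create-load-balancer", "--name", f"{asg_name}-alb",
                 "--type", "application", "--subnets", *subnet_ids,
                 "--security-groups", sg_id,
                 "--query", "LoadBalancers[0].LoadBalancerArn")

    # 3. Target group in the same VPC; target type must be "instance" for an
    #    Auto Scaling Group to register its instances.
    tg_arn = cli("elbv2", "create-target-group", "--name", f"{asg_name}-tg",
                 "--protocol", "HTTP", "--port", "80", "--vpc-id", vpc_id,
                 "--target-type", "instance",
                 "--health-check-path", health_check_path,
                 "--query", "TargetGroups[0].TargetGroupArn")

    # 4. Listener forwarding to the target group, then wait until the ALB is
    #    active so the attachment below does not race provisioning.
    cli("elbv2", "create-listener", "--load-balancer-arn", lb_arn,
        "--protocol", "HTTP", "--port", "80",
        "--default-actions", f"Type=forward,TargetGroupArn={tg_arn}")
    cli("elbv2", "wait", "load-balancer-available", "--load-balancer-arns", lb_arn)

    # 5. Attach the target group to the ASG and make the group act on ALB
    #    health checks instead of EC2 status checks alone.
    cli("autoscaling", "attach-load-balancer-target-groups",
        "--auto-scaling-group-name", asg_name, "--target-group-arns", tg_arn)
    cli("autoscaling", "update-auto-scaling-group",
        "--auto-scaling-group-name", asg_name,
        "--health-check-type", "ELB", "--health-check-grace-period", "300")
    return executed


if __name__ == "__main__":
    # Placeholder identifiers; replace with values from describe-auto-scaling-groups.
    for argv in remediate_with_alb("cc-production-web-asg", "vpc-abcd1234",
                                   ["subnet-abcdabcd", "subnet-abcd1234"],
                                   "us-east-1", health_check_path="/index.html"):
        print("aws", " ".join(argv))
```

The function returns the full list of commands it issued, so the sequence can be reviewed or logged; with a fake `run` that returns canned identifiers it can also be exercised offline to confirm that the security group ID, load balancer ARN and target group ARN land in the right arguments before it is pointed at a real account.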

Publication date Apr 22, 2018
