|   Trend Micro Cloud One™
Open menu

Check app-tier ELB subnet connectivity to Internet Gateway

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial
Knowledge Base Amazon Web Services Check app-tier ELB subnet connectivity to Internet Gateway
Risk level: Medium (should be achieved)

- Ensure that the Amazon VPC route table associated with the app-tier ELB subnets has the default route set up to allow access to the Internet Gateway (IGW) in order to provide internet connectivity for the app-tier load balancer. A route table contains a set of rules that are used to determine where the network traffic is directed. The route table associated with the ELB subnets should contain a default route (i.e. 0.0.0.0/0) that points to an Internet Gateway. This conformity rule assumes that the subnets associated with the app-tier ELB are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be defined in the rule settings, on your Cloud Conformity account dashboard.

Security

To provide internet connectivity to your app-tier load balancer, the route table associated with the resource subnets should be configured to point to the Internet Gateway (IGW) created for the VPC.

Note: Ensure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if the route table associated with your app-tier ELB subnets has the default route configured to allow connectivity to an Internet Gateway (IGW), perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check app-tier ELB subnet connectivity to Internet Gateway conformity rule settings, identify and copy the tag set defined for all AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering method will return only the ELBs tagged for the app tier. If no results are returned, there are no ELBs tagged within your app tier and the audit process ends here. If the AWS console lists one or more load balancers, continue the audit with the next step.

06 Select the app-tier load balancer that you want to examine.

07 Select the Description tab from the bottom panel to access the resource configuration details.

08 In the Basic Configuration section, search for the Availability Zones attribute. Click on the first value (i.e. subnet ID - AZ name link) set for the Availability Zones configuration attribute. The console will redirect you to the Subnets page on the VPC dashboard.

09 Click on the VPC subnet chosen at the previous step and select the Route Table tab from the dashboard bottom panel to access the routes configured for the selected subnet. Check the existing routes to determine if these contain the default route (i.e. the route with Destination set to 0.0.0.0/0) pointing to an AWS Internet Gateway (e.g. igw-abcd1234). If there is no such route available, the selected subnet configuration is not compliant.

10 Repeat step no. 8 and 9 to check the rest of the associated subnets for configured route tables. If none of the verified route tables have a route over the Internet Gateway (i.e. the destination is 0.0.0.0/0 and the target is the VPC’s Internet gateway), there is no connectivity between the subnets associated with the app-tier load balancer and the VPC’s Internet Gateway (IGW).

11 If required, change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check app-tier ELB subnet connectivity to Internet Gateway conformity rule settings, identify and copy the tag set defined for all AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs available in the selected AWS region: 

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names: 

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|   cc-front-app-elb    |
|   cc-project5-elb     |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource: 

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-front-app-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified load balancer is not tagged, therefore the audit process for the selected resource ends here: 
    []
  2. If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your app tier, hence the audit process for the selected resource ends here: 
    [
    {
        "Value": "DevTeam",
        "Key": "Melbourne"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified Amazon ELB is tagged as a app-tier resource, therefore the audit process continues with the next step: 
    [
    {
        "Value": "<app_tier_tag_value>",
        "Key": "<app_tier_tag>"
    }
]

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the app-tier ELB identified at the previous step to list the subnets associated with the selected load balancer: 

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-front-app-elb
	--query 'LoadBalancerDescriptions[*].Subnets[]'

07 The command output should return the IDs of the associated subnets: 

[
    "subnet-1234abcd",
    "subnet-abcdabcd",
    "subnet-aaaabbbb"
]

08 Run describe-route-tables command (OSX/Linux/UNIX) to describe the routes configured for the route table associated with the VPC subnets returned at the previous step, available in the selected AWS region: 

aws ec2 describe-route-tables
	--region us-east-1
	--filters Name=association.subnet-id,Values=subnet-1234abcd,subnet-abcdabcd,subnet-aaaabbbb
	--query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

09 The command output should return the existing route(s) for the associated route table: 

[
    {
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ],
        "RouteTableId": "rtb-aabbccdd"
    }
]

Check the routes returned by the describe-subnets command output to determine if these contain a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "GatewayId" set to an AWS Internet Gateway (e.g. "igw-abcd1234"). If the command output does not describe such a route, there is no connectivity between the subnets associated with the app-tier ELB and the Internet Gateway (IGW) available within the VPC.

10 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 9 for other regions.

Remediation / Resolution

To create the required route (i.e. 0.0.0.0/0) with an IGW configured as gateway for the route table associated with the app-tier ELB subnets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud where the app-tier load balancer subnets are deployed from Select a VPC dropdown menu.

04 In the navigation panel, under Virtual Private Cloud, click Route Tables.

05 Select the route table that you want to reconfigure (see Audit section part I to identify the right VPC resource).

06 Select the Routes tab from the bottom panel to access the table routing configuration.

07 On the Routes panel, choose Edit, then click Add another rule button add a new route.

08 Type 0.0.0.0/0 in the Destination box then click inside the Target box and select the ID of the Internet Gateway (IGW) configured for the current VPC.

09 Click Save to create the route and apply it to the existing route table. The new route matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the Internet Gateway available within the same VPC as the app-tier load balancer.

10 If required, change the AWS region from the navigation bar and repeat steps no. 3 – 9 for other regions.

Using AWS CLI

01 Run create-route command (OSX/Linux/UNIX) using the ID of the route table that you want to reconfigure (see Audit section part II to identify the right resource) as identifier to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the Internet Gateway (IGW) available within the Virtual Private Cloud that hosts the app-tier ELB: 

aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-aabbccdd
	--destination-cidr-block 0.0.0.0/0
	--gateway-id igw-abcd1234

02 The command output should return true if the request succeeds, otherwise, it should return an error: 

{
    "Return": true
}

03 If required, change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 for other regions.

References

Publication date Jul 25, 2018

Related EC2 rules

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Check app-tier ELB subnet connectivity to Internet Gateway

Risk level: Medium