ELB Instances Distribution Across AZs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-014

Ensure that the EC2 instances registered to your Amazon Classic Load Balancer are evenly distributed across all of the load balancer's enabled Availability Zones (AZs), so that the loss of a single AZ removes only a proportional share of your backend capacity. Keep Cross-Zone Load Balancing enabled as well: when it is disabled, each load balancer node forwards requests only to the instances in its own AZ, so an uneven spread of instances also produces uneven per-instance load.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Having a balanced distribution of Amazon EC2 instances across all enabled Availability Zones improves the availability and reliability of your load-balanced applications. The more Availability Zones (AZs) the load balancer spans, and the more evenly the instances are spread across them, the more redundancy your load balancing environment has and the less capacity a single AZ failure takes away.


Audit

To determine if the EC2 instances registered to your Classic Load Balancer are distributed evenly across all assigned AZs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Attributes section, check the Cross-zone load balancing feature status. If the feature status is set to Disabled, follow the instructions outlined here to enable Cross-Zone Load Balancing for the selected load balancer, otherwise skip this step and continue the Audit process with the next step.

08 Select the Instances tab from the console bottom panel and, under Edit Availability Zones, check the value in the Instance Count column for each assigned Availability Zone (AZ). If the instance count differs between AZs, the backend EC2 instances registered to the selected Classic Load Balancer are not evenly distributed across AZs.

09 Repeat steps no. 5 – 8 for each Classic Load Balancer provisioned within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to determine if Cross-Zone Load Balancing is enabled for the selected load balancer:

aws elb describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled'

04 The command output should describe the Cross-Zone Load Balancing feature status (true for enabled, false for disabled). If the value returned by the describe-load-balancer-attributes command output is false, follow the instructions outlined here to enable Cross-Zone Load Balancing for the selected load balancer, otherwise skip this step and continue the Audit process with the next step:

true

05 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter, to list the Availability Zones (AZ) assigned to the selected load balancer:

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerDescriptions[*].AvailabilityZones[]'

06 The command output should return the names of the assigned Availability Zones:

[
    "us-east-1a",
    "us-east-1b"
]

07 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to list the IDs of the registered EC2 instances:

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerDescriptions[*].Instances[*].InstanceId[]'

08 The command output should return the IDs of the EC2 instances registered to the selected load balancer:

[
    "i-0abcd1234abcd1234",
    "i-01234abcd1234abcd",
    "i-0abcdabcdabcdabcd"
]

09 Run describe-instances command (OSX/Linux/UNIX) using the instance IDs returned at the previous step as the identifier parameters, to describe the Availability Zones (AZ) associated with the specified instances:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-0abcd1234abcd1234 i-01234abcd1234abcd i-0abcdabcdabcdabcd \
  --output table \
  --query 'Reservations[*].Instances[*].[Placement.AvailabilityZone,InstanceId]'

10 The command output should return a table showing which EC2 instances are running in which Availability Zones:

-----------------------------------------------------
|                 DescribeInstances                 |
+---------------------------+-----------------------+
|  us-east-1a               |  i-0abcd1234abcd1234  |
|  us-east-1a               |  i-01234abcd1234abcd  |
|  us-east-1b               |  i-0abcdabcdabcdabcd  |
+---------------------------+-----------------------+

11 Based on the information returned at steps no. 6, 8, and 10, determine if the selected load balancer has more instances registered in one Availability Zone (AZ) than another. If this is true, the backend EC2 instances registered to the selected Classic Load Balancer are not evenly distributed across AZs.

12 Repeat steps no. 3 – 11 for each Classic Load Balancer provisioned in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
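The thirteen CLI steps above can be run as one program. The following Python/boto3 script is an added example, not part of the Conformity rule or of this page: it evaluates every Classic Load Balancer in a region against this rule, counting registered instances per enabled AZ and reading the cross-zone attribute. The evaluation logic is kept in pure functions so it can be exercised against constructed data; the sample at the bottom mirrors the CLI output shown above. The boto3 calls (describe_load_balancers, describe_load_balancer_attributes, describe_instances) are the same APIs the CLI steps use; credentials and the region name are assumed to be supplied by the caller.

```python
"""Audit Classic Load Balancers for uneven instance distribution across AZs (rule ELB-014)."""
from collections import Counter


def az_instance_counts(lb_description, instance_azs):
    """Return {az: registered_instance_count} for one Classic Load Balancer.

    lb_description is one element of describe-load-balancers'
    LoadBalancerDescriptions; instance_azs maps instance ID -> AZ, as read
    from describe-instances Placement.AvailabilityZone. Every AZ enabled on
    the load balancer appears in the result, so an enabled AZ with no
    registered instances shows up as 0 instead of silently disappearing.
    """
    counts = Counter({az: 0 for az in lb_description["AvailabilityZones"]})
    for inst in lb_description["Instances"]:
        # A registered instance that describe-instances no longer knows
        # (e.g. terminated) is bucketed as "unknown" rather than crashing the audit.
        counts[instance_azs.get(inst["InstanceId"], "unknown")] += 1
    return dict(counts)


def is_evenly_distributed(counts):
    """True when every AZ in counts holds the same number of instances."""
    return len(set(counts.values())) <= 1


def evaluate(lb_description, attributes, instance_azs):
    """Evaluate one load balancer; attributes is describe-load-balancer-attributes output."""
    counts = az_instance_counts(lb_description, instance_azs)
    cross_zone = attributes["LoadBalancerAttributes"]["CrossZoneLoadBalancing"]["Enabled"]
    return {
        "LoadBalancerName": lb_description["LoadBalancerName"],
        "CrossZoneLoadBalancing": cross_zone,
        "InstanceCountsPerAZ": counts,
        "EvenlyDistributed": is_evenly_distributed(counts),
        # The rule wants both: an even spread and cross-zone routing turned on.
        "Compliant": cross_zone and is_evenly_distributed(counts),
    }


def audit_region(region):
    """Run evaluate() for every Classic Load Balancer in a region (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above work without boto3 installed
    elb = boto3.client("elb", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancerDescriptions"]:
            ids = [i["InstanceId"] for i in lb["Instances"]]
            instance_azs = {}
            if ids:
                for reservation in ec2.describe_instances(InstanceIds=ids)["Reservations"]:
                    for inst in reservation["Instances"]:
                        instance_azs[inst["InstanceId"]] = inst["Placement"]["AvailabilityZone"]
            attrs = elb.describe_load_balancer_attributes(LoadBalancerName=lb["LoadBalancerName"])
            findings.append(evaluate(lb, attrs, instance_azs))
    return findings


# Constructed sample data that mirrors the page's CLI output (no live account involved).
SAMPLE_LB = {
    "LoadBalancerName": "cc-frontend-load-balancer",
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],
    "Instances": [
        {"InstanceId": "i-0abcd1234abcd1234"},
        {"InstanceId": "i-01234abcd1234abcd"},
        {"InstanceId": "i-0abcdabcdabcdabcd"},
    ],
}
SAMPLE_ATTRS = {"LoadBalancerAttributes": {"CrossZoneLoadBalancing": {"Enabled": True}}}
SAMPLE_INSTANCE_AZS = {
    "i-0abcd1234abcd1234": "us-east-1a",
    "i-01234abcd1234abcd": "us-east-1a",
    "i-0abcdabcdabcdabcd": "us-east-1b",
}

if __name__ == "__main__":
    import json
    import sys
    # With a region argument, audit the live account; otherwise evaluate the sample data.
    result = audit_region(sys.argv[1]) if len(sys.argv) > 1 else evaluate(SAMPLE_LB, SAMPLE_ATTRS, SAMPLE_INSTANCE_AZS)
    print(json.dumps(result, indent=2))
```

Run it with a region name (for example `python audit_elb014.py us-east-1`) to get one finding per load balancer; run it without arguments to see the sample evaluated, which reports two instances in us-east-1a and one in us-east-1b and therefore EvenlyDistributed false. Loop over the regions you use to cover the "repeat for other regions" step.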

Remediation / Resolution

To distribute your registered EC2 instances equally across Availability Zones, enable additional Availability Zones (AZs) on the load balancer where needed and relaunch some of the registered instances in the under-populated AZs, replacing the originals. To implement this strategy, perform the following actions:

Note: As an example, this section will explain how to add a new AZ named us-east-1c to the existing load balancer configuration and migrate a Linux EC2 instance from us-east-1a to the newly added AZ, i.e. us-east-1c, within the US East (N. Virginia) region.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Backend Instances Distribution Across Availability Zones",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "AvailabilityZones" : [ "us-east-1a", "us-east-1b", "us-east-1c" ],
        "CrossZone" : true,
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd", "i-01234123412341234" ],
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "80",
            "Protocol": "HTTP",
            "PolicyNames": []
        }],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Backend Instances Distribution Across Availability Zones
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      AvailabilityZones:
        - us-east-1a
        - us-east-1b
        - us-east-1c
      CrossZone: true
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
        - i-01234123412341234
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '80'
          Protocol: HTTP
          PolicyNames: []
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]

  # Backend Instances Distribution Across Availability Zones
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd", "i-01234123412341234"]

  # Route requests evenly across all registered instances, regardless of AZ
  cross_zone_load_balancing = true

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to reconfigure.

06 Select the Instances tab from the console bottom panel and choose Edit Availability Zones to update the subnets configuration available for the load balancer.

07 In the Add and Remove Subnets configuration box, under Available Subnets, click on the add (+) button next to a subnet available in the us-east-1c Availability Zone to add the selected AZ to the load balancer configuration. Choose Save to apply the changes.

08 Now you can migrate one of the registered EC2 instances to the newly added Availability Zone by relaunching the instance within the new AZ. To start with the migration process, choose Instances from the main navigation panel.

09 Select the Amazon EC2 instance that you want to migrate to another Availability Zone.

10 Click on the Actions dropdown menu from the console top menu, select Image and templates, and choose Create image.

11 On the Create image setup page, provide the following information:

  1. In the Image name box, enter a unique name for the new AMI.
  2. (Optional) In the Image description box, provide a short description that reflects the usage of the selected EC2 instance.
  3. Deselect Enable under No reboot so that Amazon EC2 service can guarantee the file system integrity for the new AMI.
  4. (Optional) For Tags, choose Tag image and snapshots together and use the Add tag button to create and apply user-defined tags to the new image.
  5. Choose Create image to create your new AMI.

12 Once the new image is ready, use it to re-create your Amazon EC2 instance into the required AZ (in this case, us-east-1c). On the Instances listing page, choose Launch instances and perform the following actions:

  1. For Step 1: Choose an Amazon Machine Image (AMI), choose My AMIs tab, and select the Amazon Machine Image (AMI) created at step no. 11.
  2. For Step 2: Choose an Instance Type, select the required instance type (must match the instance type used by the source instance). Choose Next: Configure Instance Details to continue the setup process.
  3. For Step 3: Configure Instance Details, perform the following actions:
    • Choose the Availability Zone where you want to launch your new instance from the Subnet dropdown list.
    • Configure the network, identity management, behavior, and metadata settings. The new instance configuration must match the source instance configuration. Choose Next: Add Storage to continue the setup process.
  4. For Step 4: Add Storage, configure the storage device settings. Choose Next: Add Tags to set up the instance tags.
  5. For Step 5: Add Tags, use the Add tag button to create and apply user-defined tags to the new EC2 instance. You can track compute cost and other criteria by tagging your instance. Choose Configure Security Group to continue the setup process.
  6. For Step 6: Configure Security Group, choose Select an existing security group and select the security group(s) associated with the source Amazon EC2 instance. Choose Review and Launch to continue.
  7. For Step 7: Review Instance Launch, review your EC2 instance configuration details, then choose Launch.
  8. In the Select an existing key pair or create a new key pair configuration box, select Choose an existing key pair and use the same key pair as the source instance. Select the I acknowledge that I have access to the selected private key file (<key-name>.pem), and that without this file, I won't be able to log into my instance checkbox for confirmation, then choose Launch Instances to launch your new Amazon EC2 instance.
  9. Choose View Instances to return to the Instances page.

13 After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following actions:

  1. In the navigation panel, under Network & Security, select Elastic IPs.
  2. Select the Elastic IP address attached to the source instance, choose Actions, and select Disassociate Elastic IP address.
  3. In the Dissociate Elastic IP address confirmation box, review the EIP details, then choose Disassociate.
  4. Select the same IP address, choose Actions and select Associate Elastic IP address.
  5. In the Associate Elastic IP address configuration box, perform the following:
    • For Resource type, choose Instance.
    • For Instance, select the ID of the new EC2 instance launched at step no. 12.
    • Choose Associate to attach the Elastic IP.

14 Now you can register the new EC2 instance to your load balancer and remove the source backend instance from the load balancer configuration:

  1. In the main navigation panel, under Load Balancing, choose Load Balancers.
  2. Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
  3. Select the Amazon Classic Load Balancer that you want to reconfigure.
  4. Select the Instances tab from the console bottom panel and choose Edit Instances.
  5. In the Add and Remove Instances configuration box, under Add or Remove Instances, select to add the new EC2 instance and deselect to remove the old one (i.e. source instance) from the load balancer configuration. Choose Save to apply the changes. Once all EC2 instances are successfully registered with your load balancer, the instance count between the assigned Availability Zones should be equal.

15 Repeat steps no. 5 – 14 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.

16 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run enable-availability-zones-for-load-balancer command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to add a new Availability Zone (us-east-1c) to the load balancer configuration. This command applies to load balancers in a default VPC; for a load balancer in a non-default VPC, use the attach-load-balancer-to-subnets command with the ID of a subnet in the target AZ instead:

aws elb enable-availability-zones-for-load-balancer \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --availability-zones us-east-1c

02 The command output should list all Availability Zones assigned to the selected load balancer:

{
  "AvailabilityZones": [
      "us-east-1a",
      "us-east-1b",
      "us-east-1c"
  ]
}

03 Migrate one of the registered EC2 instances to the newly added Availability Zone by relaunching the instance within the new AZ. To start with the migration process, run create-image command (OSX/Linux/UNIX) to create an image from the source EC2 instance (the one that you want to migrate to another AZ). Do not pass the --no-reboot parameter: with --reboot (the default), Amazon EC2 stops the instance before taking the snapshot, which guarantees the file system integrity of your new AMI:

aws ec2 create-image \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --name "AZ Migration AMI" \
  --description "Registered Backend Instance AMI for AZ Migration" \
  --reboot

04 The command output should return the ID of the new Amazon Machine Image (AMI):

{
  "ImageId": "ami-0abcdabcdabcdabcd"
}

05 Run describe-instances command (OSX/Linux/UNIX) to list the configuration information available for the Amazon EC2 instance that you want to migrate to another Availability Zone (AZ):

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --query 'Reservations[*].Instances[]'

06 The command output should return an array with the requested configuration information:

[
    {
        "AmiLaunchIndex": 0,
        "ImageId": "ami-0abcd1234abcd1234",
        "InstanceId": "i-01234abcd1234abcd",
        "InstanceType": "t2.micro",
        "KeyName": "conformity",
        "LaunchTime": "2021-03-10T10:00:00+00:00",
        "Monitoring": {
            "State": "disabled"
        },
        "Placement": {
            "AvailabilityZone": "us-east-1a",
            "GroupName": "",
            "Tenancy": "default"
        },
        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
        "PrivateIpAddress": "10.0.0.15",
        "ProductCodes": [],
        "PublicDnsName": "ec2-203-0-113-20.compute-1.amazonaws.com",
        "PublicIpAddress": "203.0.113.20",
        "State": {
            "Code": 16,
            "Name": "running"
        },
        "StateTransitionReason": "",
        "SubnetId": "subnet-abcd1234",
        "VpcId": "vpc-1234abcd",
        "Architecture": "x86_64",
        "BlockDeviceMappings": [
            {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "DeleteOnTermination": true,
                    "Status": "attached",
                    "VolumeId": "vol-0abcd1234abcd1234"
                }
            }
        ],
        "ClientToken": "",
        "EbsOptimized": false,
        "EnaSupport": true,
        "Hypervisor": "xen",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
            "Id": "ABCDABCDABCDABCDABCDA"
        },
        "NetworkInterfaces": [
            {
                "Association": {
                    "IpOwnerId": "amazon",
                    "PublicDnsName": "ec2-203-0-113-20.compute-1.amazonaws.com",
                    "PublicIp": "203.0.113.20"
                },
                "Attachment": {
                    "AttachTime": "2021-03-10T10:00:00+00:00",
                    "AttachmentId": "eni-attach-0abcd1234abcd1234",
                    "DeleteOnTermination": true,
                    "DeviceIndex": 0,
                    "Status": "attached",
                    "NetworkCardIndex": 0
                },
                "Description": "Primary network interface",
                "Groups": [
                    {
                        "GroupName": "cc-prod-security-group",
                        "GroupId": "sg-01234abcd1234abcd"
                    }
                ],
                "Ipv6Addresses": [],
                "MacAddress": "0e:53:19:7b:62:6b",
                "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                "OwnerId": "123456789012",
                "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                "PrivateIpAddress": "10.0.0.15",
                "PrivateIpAddresses": [
                    {
                        "Association": {
                            "IpOwnerId": "amazon",
                            "PublicDnsName": "ec2-203-0-113-20.compute-1.amazonaws.com",
                            "PublicIp": "203.0.113.20"
                        },
                        "Primary": true,
                        "PrivateDnsName": "ip-10-0-0-15.ec2.internal",
                        "PrivateIpAddress": "10.0.0.15"
                    }
                ],
                "SourceDestCheck": true,
                "Status": "in-use",
                "SubnetId": "subnet-abcd1234",
                "VpcId": "vpc-1234abcd",
                "InterfaceType": "interface"
            }
        ],
        "RootDeviceName": "/dev/xvda",
        "RootDeviceType": "ebs",
        "SecurityGroups": [
            {
                "GroupName": "cc-prod-security-group",
                "GroupId": "sg-01234abcd1234abcd"
            }
        ],
        "SourceDestCheck": true,
        "VirtualizationType": "hvm",
        "CpuOptions": {
            "CoreCount": 1,
            "ThreadsPerCore": 1
        },
        "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
        },
        "HibernationOptions": {
            "Configured": false
        },
        "MetadataOptions": {
            "State": "applied",
            "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1,
            "HttpEndpoint": "enabled"
        },
        "EnclaveOptions": {
            "Enabled": false
        }
    }
]

07 Execute run-instances command (OSX/Linux/UNIX) using the configuration information returned at the previous step for the instance configuration parameters, to launch a new Amazon EC2 instance from the AMI created at step no. 3. Set the --subnet-id parameter value to the ID of the subnet to launch the instance into. The chosen subnet must be associated with the target Availability Zone:

aws ec2 run-instances \
  --region us-east-1 \
  --image-id ami-0abcdabcdabcdabcd \
  --count 1 \
  --instance-type t2.micro \
  --key-name conformity \
  --security-group-ids sg-01234abcd1234abcd \
  --iam-instance-profile Name="ec2-manager-role" \
  --subnet-id subnet-01234abcd1234abcd

08 The command output should return the configuration metadata for the newly created EC2 instance:

{
    "Groups": [],
    "Instances": [
        {
            "AmiLaunchIndex": 0,
            "ImageId": "ami-0abcdabcdabcdabcd",
            "InstanceId": "i-01234123412341234",
            "InstanceType": "t2.micro",
            "KeyName": "conformity",
            "LaunchTime": "2021-03-22T17:29:43+00:00",
            "Monitoring": {
                "State": "disabled"
            },
            "Placement": {
                "AvailabilityZone": "us-east-1c",
                "GroupName": "",
                "Tenancy": "default"
            },
            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
            "PrivateIpAddress": "10.0.0.5",
            "ProductCodes": [],
            "PublicDnsName": "",
            "State": {
                "Code": 0,
                "Name": "pending"
            },
            "StateTransitionReason": "",
            "SubnetId": "subnet-01234abcd1234abcd",
            "VpcId": "vpc-1234abcd",
            "Architecture": "x86_64",
            "BlockDeviceMappings": [],
            "EbsOptimized": false,
            "EnaSupport": true,
            "Hypervisor": "xen",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-manager-role",
                "Id": "ABCDABCDABCDABCDABCD"
            },
            "NetworkInterfaces": [
                {
                    "Attachment": {
                        "AttachTime": "2021-03-22T17:29:43+00:00",
                        "AttachmentId": "eni-attach-0abcd1234abcd1234",
                        "DeleteOnTermination": true,
                        "DeviceIndex": 0,
                        "Status": "attaching",
                        "NetworkCardIndex": 0
                    },
                    "Description": "",
                    "Groups": [
                        {
                            "GroupName": "cc-prod-security-group",
                            "GroupId": "sg-01234abcd1234abcd"
                        }
                    ],
                    "Ipv6Addresses": [],
                    "MacAddress": "06:00:c7:12:51:99",
                    "NetworkInterfaceId": "eni-0abcd1234abcd1234",
                    "OwnerId": "123456789012",
                    "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                    "PrivateIpAddress": "10.0.0.5",
                    "PrivateIpAddresses": [
                        {
                            "Primary": true,
                            "PrivateDnsName": "ip-10-0-0-5.ec2.internal",
                            "PrivateIpAddress": "10.0.0.5"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Status": "in-use",
                    "SubnetId": "subnet-01234abcd1234abcd",
                    "VpcId": "vpc-1234abcd",
                    "InterfaceType": "interface"
                }
            ],
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SecurityGroups": [
                {
                    "GroupName": "cc-prod-security-group",
                    "GroupId": "sg-01234abcd1234abcd"
                }
            ],
            "SourceDestCheck": true,
            "StateReason": {
                "Code": "pending",
                "Message": "pending"
            },
            "VirtualizationType": "hvm",
            "HibernationOptions": {
                "Configured": false
            },
            "CpuOptions": {
                "CoreCount": 1,
                "ThreadsPerCore": 1
            },
            "CapacityReservationSpecification": {
                "CapacityReservationPreference": "open"
            },
            "MetadataOptions": {
                "State": "pending",
                "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1,
                "HttpEndpoint": "enabled"
            },
            "EnclaveOptions": {
                "Enabled": false
            }
        }
    ],
    "OwnerId": "123456789012",
    "ReservationId": "r-0abcd1234abcd1234"
}

09 After you have verified and tested your new Amazon EC2 instance, you can transfer the Elastic IP (EIP) from the source instance to the new instance. If the source instance does not have an EIP attached, you must update the domain DNS record(s) or any other application settings that point to the source instance, in order to switch to the new instance IP. To transfer the Elastic IP, perform the following commands:

  1. Run describe-addresses command (OSX/Linux/UNIX) to find the allocation ID (eipalloc-...) and the current association ID (eipassoc-...) of the Elastic IP attached to the source instance, then run disassociate-address command (OSX/Linux/UNIX) to detach the Elastic IP (EIP) address from the source Amazon EC2 instance (the command does not produce an output):
    aws ec2 disassociate-address \
      --region us-east-1 \
      --association-id eipassoc-0abcd1234abcd1234
    
  2. Run associate-address command (OSX/Linux/UNIX) to associate the EIP address detached at the previous step with the new EC2 instance:
    aws ec2 associate-address \
      --region us-east-1 \
      --instance-id i-01234123412341234 \
      --allocation-id eipalloc-0abcd1234abcd1234
    
  3. The command output should return the EIP association ID:
    {
      "AssociationId": "eipassoc-01234abcd1234abcd"
    }
    

10 Now you can register the new EC2 instance to your load balancer and remove the source backend instance from the load balancer configuration:

  1. Run register-instances-with-load-balancer command (OSX/Linux/UNIX) to register the new EC2 instance with the selected load balancer. The command output returns the updated list of instances registered with the load balancer, which should now include the new instance:
    aws elb register-instances-with-load-balancer \
      --region us-east-1 \
      --load-balancer-name cc-frontend-load-balancer \
      --instances i-01234123412341234
    
  2. Run deregister-instances-from-load-balancer command (OSX/Linux/UNIX) to deregister the source EC2 instance from the selected load balancer. The command output returns the updated list of instances registered with the load balancer, which should no longer contain the source instance:
    aws elb deregister-instances-from-load-balancer \
      --region us-east-1 \
      --load-balancer-name cc-frontend-load-balancer \
      --instances i-01234abcd1234abcd
    

11 Repeat steps no. 1 – 10 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

12 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
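The Remediation procedure above moves a single instance by hand. As an added example that is not part of this page or of the Conformity tool, the Python/boto3 script below splits the same work into two pieces: plan_moves() decides which registered instances to relaunch in which AZ so that no two enabled AZs differ by more than one instance (generalizing the one-instance case above to any number of instances and AZs), and migrate_instance() performs CLI steps 1 to 10 for one such move with boto3 calls (attach_load_balancer_to_subnets, create_image, run_instances, register/deregister). The Elastic IP or DNS cutover of step 9 is left to the operator. Region, load balancer name, source instance, target subnet and AMI name are assumed inputs; the sample data is constructed from the page's example IDs.

```python
"""Plan and carry out the AZ rebalancing from the Remediation section (Classic Load Balancer)."""
import time


def plan_moves(instance_azs, enabled_azs):
    """Return [(instance_id, from_az, to_az), ...] that balances the registered instances.

    instance_azs maps instance ID -> current AZ; enabled_azs lists every AZ
    the load balancer should span, including any AZ you are about to add.
    One instance at a time is moved from the fullest AZ to the emptiest
    until no two AZs differ by more than one instance. Sorting makes the
    plan deterministic for a given input.
    """
    by_az = {az: [] for az in enabled_azs}
    for inst, az in sorted(instance_azs.items()):
        by_az.setdefault(az, []).append(inst)
    moves = []
    while True:
        fullest = max(by_az, key=lambda az: (len(by_az[az]), az))
        emptiest = min(by_az, key=lambda az: (len(by_az[az]), az))
        if len(by_az[fullest]) - len(by_az[emptiest]) <= 1:
            return moves
        inst = by_az[fullest].pop(0)
        by_az[emptiest].append(inst)
        moves.append((inst, fullest, emptiest))


def migrate_instance(region, lb_name, instance_id, target_subnet_id, ami_name, timeout=900):
    """Relaunch instance_id in target_subnet_id and swap it into the load balancer.

    Needs boto3 and AWS credentials. Mirrors CLI steps 1-10 above, except that
    the Elastic IP / DNS cutover (step 9) is left to the operator. The image is
    taken with NoReboot=False, i.e. the instance is stopped first, so the file
    system on the snapshot is consistent. Returns the new instance ID.
    """
    import boto3  # imported here so plan_moves() is usable without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    elb = boto3.client("elb", region_name=region)

    # A VPC load balancer spans an AZ by having a subnet in that AZ attached.
    lb = elb.describe_load_balancers(LoadBalancerNames=[lb_name])["LoadBalancerDescriptions"][0]
    if target_subnet_id not in lb["Subnets"]:
        elb.attach_load_balancer_to_subnets(LoadBalancerName=lb_name, Subnets=[target_subnet_id])

    image_id = ec2.create_image(InstanceId=instance_id, Name=ami_name, NoReboot=False)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])

    # Copy the launch configuration of the source instance.
    src = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    params = {
        "ImageId": image_id, "MinCount": 1, "MaxCount": 1,
        "InstanceType": src["InstanceType"],
        "SecurityGroupIds": [g["GroupId"] for g in src["SecurityGroups"]],
        "SubnetId": target_subnet_id,
    }
    if "KeyName" in src:
        params["KeyName"] = src["KeyName"]
    if "IamInstanceProfile" in src:
        params["IamInstanceProfile"] = {"Arn": src["IamInstanceProfile"]["Arn"]}
    new_id = ec2.run_instances(**params)["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[new_id])

    # Register the new instance and remove the old one only once the new one is
    # InService, so the load balancer never drops below its previous capacity.
    elb.register_instances_with_load_balancer(LoadBalancerName=lb_name, Instances=[{"InstanceId": new_id}])
    deadline = time.time() + timeout
    while True:
        health = elb.describe_instance_health(LoadBalancerName=lb_name, Instances=[{"InstanceId": new_id}])
        if health["InstanceStates"][0]["State"] == "InService":
            break
        if time.time() > deadline:
            raise TimeoutError(f"{new_id} not InService within {timeout}s; source instance left registered")
        time.sleep(15)
    elb.deregister_instances_from_load_balancer(LoadBalancerName=lb_name, Instances=[{"InstanceId": instance_id}])
    return new_id


# Constructed example mirroring the page's scenario (no live account involved).
SAMPLE_INSTANCE_AZS = {
    "i-0abcd1234abcd1234": "us-east-1a",
    "i-01234abcd1234abcd": "us-east-1a",
    "i-0abcdabcdabcdabcd": "us-east-1b",
}
SAMPLE_ENABLED_AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

if __name__ == "__main__":
    for inst, src_az, dst_az in plan_moves(SAMPLE_INSTANCE_AZS, SAMPLE_ENABLED_AZS):
        print(f"relaunch {inst} from {src_az} in {dst_az}")
```

For the page's scenario the plan is a single move, i-01234abcd1234abcd from us-east-1a to us-east-1c, which is exactly the migration the CLI steps perform by hand. Each planned move is then fed to migrate_instance() with the ID of a subnet in the destination AZ; the health-check wait before deregistration is what keeps the swap from briefly reducing capacity in the source AZ.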

Publication date Jan 9, 2018
