Classic Load Balancer

Risk level: Medium (should be achieved)

Rule ID: ELB-011

Ensure that your HTTP/HTTPS applications (monolithic or containerized) are using the Application Load Balancer (ALB) instead of Classic Load Balancer (ELB) for enhanced incoming traffic distribution, better performance and lower costs. Cloud Conformity recommends migrating the HTTP/HTTPS web apps and websites currently running behind an AWS Classic Load Balancer to a new Application Load Balancer.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

Performance
efficiency

Running your HTTP/HTTPS applications behind an AWS ALB will provide a number of advantages over the classic AWS ELB such as enhanced web traffic distribution, better flexibility over routing, improved health checks, monitoring and access logging, support for HTTP/2 and WebSocket protocols and deletion protection.

Audit

To determine the load balancer type currently used by your HTTP/HTTPS applications, perform the following:

Note: Verifying the load balancer type (ELB or ALB) using AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon:

05 Inside the Show/Hide Columns dialog box, in the Load Balancer Attributes column, select the Type checkbox then click Close to return to the ELB dashboard.

06 Select the load balancer that you want to examine, used by your HTTP/HTTPS application.

07 Verify the value available in the Type column of the selected load balancer. If the value displayed in this column is classic, the type of the selected load balancer is Classic Load Balancer (ELB), therefore your web application should be migrated to an Application Load Balancer (ALB).

08 Repeat steps no. 6 and 7 to verify the load balancer type used by your other HTTP/HTTPS web applications.

09 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Remediation / Resolution

Option 1: migrate your HTTP/HTTPS web application(s) from a Classic Load Balancer (ELB) to an Application Load Balancer (ALB) using the AWS Management Console and AWS CLI. To move your application(s) instances to the ALB, redirect the traffic and remove the ELB, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS ELB that you want to replace with the ALB, used by your HTTP/HTTPS application (see Audit section part I to identify the right ELB resource). Once the load balancer is selected, gather the necessary configuration information by performing the following actions:

Select the Description tab from the dashboard bottom panel and note the resource configuration details and attributes. This information will be useful later when the AWS ALB will be created.
Select the Instances tab and note the IDs of the EC2 instances currently attached to the load balancer.
Select the Health Check tab and note the ELB health check configuration details.
Select the Listeners tab and note the listener(s) current configuration details.
Lastly, select the Tags tab and note all the tags defined for the load balancer.

05 Now it’s time to create the new Application Load Balancer that will replace the existing Classic Load Balancer. To start the ALB setup process, click the Create Load Balancer button from the dashboard top menu.

06 On the Select load balancer type page, choose Application Load Balancer then click Continue.

07 On the Step 1: Configure Load Balancer page, provide a unique name for your new AWS ALB then configure the load balancer scheme, listeners and availability zones based on the information gathered at step no. 4. Once all these are configured, use the Add tab button, available in the Tags section, to add the necessary tags from the existing (classic) load balancer. Click Next: Configure Security Settings to continue the setup process.

08 On the Step 2: Configure Security Settings page, configure the secure (HTTPS) listener using the information gathered at step no. 4 (i.e. the SSL certificate name and the security policy name). If your classic load balancer is not using an HTTPS listener just skip this page. Click Next: Configure Security Groups to continue.

09 On the Step 3: Configure Security Groups page, choose Select an existing security group option then select the required security group(s) used by the existing ELB. Click Next: Configure Routing.

10 On the Step 4: Configure Routing page, choose an existing Target Group (if there are any target groups already created in your AWS account) or set a new one based on your requirements. In the Health checks section, click Advanced health check settings and configure the new load balancer health checks using the information gathered at step no. 4. Click Next: Register Targets to continue the ALB setup process.

11 On the Step 5: Register Targets page, use the Add to registered button to attach the necessary backend instances to the new ALB. Use the information taken at step no. 4 to register the right instances with the load balancer. The ALB will start routing requests to the registered EC2 instances as soon as the setup process completes and the instances pass the initial health checks. Click the Next: Review button.

12 On the Step 6: Review page, examine all the necessary configuration details then click Create to build your new Application Load Balancer.

13 On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the EC2 dashboard.

14 Now test the new AWS Application Load Balancer by using its DNS name (e.g. MyWebAppALB-1554377808.us-east-1.elb.amazonaws.com) and make sure that the HTTP/HTTPS traffic is distributed properly between the registered instances.

15 As soon as the testing phase is complete, update the DNS record that associates your domain name with the load balancer by replacing the ELB DNS name with the ALB DNS name in order to redirect the incoming traffic to your new AWS Application Load Balancer.

16 Once the traffic is redirected entirely to the new ALB, go back to the EC2 dashboard and remove the Classic Load Balancer. To delete the ELB, perform the following:

Select the Classic Load Balancer that you want to delete.
Click the Actions dropdown button from the dashboard top menu and select Delete.
On the Delete Load Balancer confirmation page, review the resource details then click Yes, Delete to remove the selected ELB from your AWS account.

17 Repeat steps no. 4 - 16 to migrate other HTTP/HTTPS web application running behind ELBs to new AWS ALBs within the current region.

18 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to describe the configuration information available for the selected AWS Classic Load Balancer (see Audit section part I to identify the right ELB resource):

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name MyWebAppLoadBalancer

02 The command output should return the requested configuration metadata which will be useful later when the new load balancer will be created:

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-19e7cc6f",
                "subnet-2b394201"
            ],
            "CanonicalHostedZoneNameID": "Z35SXDOTRQ7X7K",
            "CanonicalHostedZoneName": "MyWebAppLoadBalancer-387005122.
                                        us-east-1.elb.amazonaws.com",
            "ListenerDescriptions": [
                {
                    "Listener": {
                        "InstancePort": 80,
                        "LoadBalancerPort": 80,
                        "Protocol": "HTTP",
                        "InstanceProtocol": "HTTP"
                    },
                    "PolicyNames": []
                }
            ],
            "HealthCheck": {
                "HealthyThreshold": 10,
                "Interval": 30,
                "Target": "HTTP:80/index.html",
                "Timeout": 5,
                "UnhealthyThreshold": 2
            },
            "VPCId": "vpc-2fb56548",
            "BackendServerDescriptions": [],
            "Instances": [
                {
                    "InstanceId": "i-045ce6fda405da1b3"
                },
                {
                    "InstanceId": "i-0f1a7517a463e674a"
                }
            ],
            "DNSName": "MyWebAppLoadBalancer-387005122.
                        us-east-1.elb.amazonaws.com",
            "SecurityGroups": [
                "sg-e454519e"
            ],
            "Policies": {
                "LBCookieStickinessPolicies": [],
                "AppCookieStickinessPolicies": [],
                "OtherPolicies": []
            },
            "LoadBalancerName": "MyWebAppLoadBalancer",
            "CreatedTime": "2015-11-12T09:29:41.140Z",
            "AvailabilityZones": [
                "us-east-1d",
                "us-east-1a"
            ],
            "Scheme": "internet-facing",
            "SourceSecurityGroup": {
                "OwnerAlias": "123456789012",
                "GroupName": "web-app-sg-production"
            }
        }
    ]
}

03 Run create-load-balancer command (OSX/Linux/UNIX) using the existing load balancer (ELB) configuration details returned at the previous step to launch a new AWS Application Load Balancer (ALB):

aws elbv2 create-load-balancer
	--region us-east-1
	--name MyWebAppALB
	--scheme internet-facing
	--subnets subnet-19e7cc6f subnet-2b394201
	--security-groups sg-e454519e
	--tags Key=Environment,Value=production

04 The command output should return the new ALB metadata:

{
    "LoadBalancers": [
        {
            "VpcId": "vpc-2fb56548",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:
                                123456789012:loadbalancer/app/
                                MyWebAppALB/4cbe232aa162303a",
            "State": {
                "Code": "provisioning"
            },
            "DNSName": "MyWebAppALB-1554377808.
                        us-east-1.elb.amazonaws.com",
            "SecurityGroups": [
                "sg-e454519e"
            ],
            "LoadBalancerName": "MyWebAppALB",
            "CreatedTime": "2016-10-14T15:48:32.940Z",
            "Scheme": "internet-facing",
            "Type": "application",
            "CanonicalHostedZoneId": "Z35SXDOTRQ7X7K",
            "AvailabilityZones": [
                {
                    "SubnetId": "subnet-19e7cc6f",
                    "ZoneName": "us-east-1a"
                },
                {
                    "SubnetId": "subnet-2b394201",
                    "ZoneName": "us-east-1d"
                }
            ]
        }
    ]
}

05 Run create-target-group command (OSX/Linux/UNIX) using the existing ELB configuration details returned at step no. 2 to build the required target group for the newly created ALB:

aws elbv2 create-target-group
	--region us-east-1
	--name MyWebAppTargetGroup
	--protocol HTTP
	--port 80
	--vpc-id vpc-2fb56548
	--health-check-protocol HTTP
	--health-check-port traffic-port
	--health-check-path /index.html
	--health-check-interval-seconds 30
	--health-check-timeout-seconds 5
	--healthy-threshold-count 10
	--unhealthy-threshold-count 2

06 The command output should return the new target group metadata:

[
    "TargetGroups": [
        {
            "HealthCheckPath": "/index.html",
            "HealthCheckIntervalSeconds": 30,
            "VpcId": "vpc-2fb56548",
            "Protocol": "HTTP",
            "HealthCheckTimeoutSeconds": 5,
            "HealthCheckProtocol": "HTTP",
            "UnhealthyThresholdCount": 2,
            "HealthyThresholdCount": 10,
            "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:
                               123456789012:targetgroup/
                               MyWebAppTargetGroup/1400a30941f6df98",
            "Matcher": {
                "HttpCode": "200"
            },
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "MyWebAppTargetGroup"
        }
    ]
}

07 Now run register-targets command (OSX/Linux/UNIX) to add the necessary targets, i.e. the EC2 instances running behind the existing Classic Load Balancer, to the new target group created at the previous step (the command does not produce an output):

aws elbv2 register-targets
	--region us-east-1
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/MyWebAppTargetGroup/1400a30941f6df98
	--targets Id=i-045ce6fda405da1b3 Id=i-0f1a7517a463e674a

08 Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary HTTP/HTTPS listener to the newly created AWS ALB:

aws elbv2 create-listener
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/MyWebAppALB/4cbe232aa162303a
	--protocol HTTP
	--port 80
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/MyWebAppTargetGroup/1400a30941f6df98

09 The command output should return the target group metadata:

{
   "Listeners": [
      {
         "Protocol": "HTTP",
         "DefaultActions": [
             {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:
                                   us-east-1:123456789012:targetgroup/
                                   MyWebAppTargetGroup/1400a30941f6df98",
                "Type": "forward"
             }
         ],
         "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:
                             123456789012:loadbalancer/app/MyWebAppALB/
                             4cbe232aa162303a",
         "Port": 80,
         "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:
                         123456789012:listener/app/MyWebAppALB/
                         4cbe232aa162303a/5f7261424793c94a"
      }
   ]
}

10 Lastly, run describe-load-balancers command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the resource as identifier and custom query filters to describe the DNS name of your new AWS Application Load Balancer, information that will be useful later to update your web application domain name A record:

aws elbv2 describe-load-balancers
	--region us-east-1
	--load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/MyWebAppALB/4cbe232aa162303a
	--query 'LoadBalancers[*].DNSName'

11 The command output should return the requested DNS name:

[
    "MyWebAppALB-1554377808.us-east-1.elb.amazonaws.com"
]

12 Now test your Application Load Balancer by using the DNS name returned at the previous step to make sure that the HTTP/HTTPS traffic is distributed properly between the registered instances within the ALB target group.

13 As soon as the testing phase is complete, update the DNS record that associates your domain name with the load balancer by replacing the ELB DNS name with the ALB DNS name in order to redirect the traffic to your new AWS Application Load Balancer.

14 Once the traffic is redirected entirely to the new ALB run delete-load-balancer command (OSX/Linux/UNIX) to delete your Classic Load Balancer (the command does not produce an output):

aws elb delete-load-balancer
	--region us-east-1
	--load-balancer-name MyWebAppLoadBalancer

15 Repeat steps no. 1 - 14 to migrate other HTTP/HTTPS web application running behind ELBs to new AWS ALBs within the current region.

16 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 15 for other regions.

Option 2: migrate automatically your HTTP/HTTPS web application(s) from an AWS ELB to a new AWS ALB using the Classic Load Balancer to Application Load Balancer Copy Utility developed by Amazon. With this utility tool you can copy the configuration of your existing ELB to create a new ALB with the same configuration and register the existing backend EC2 instances with the newly created Application Load Balancer. All the necessary instructions to install, configure and use the Copy Utility tool can be found at this URL.

References

AWS Documentation
Classic Load Balancer FAQs
What Is Elastic Load Balancing?
Migrate from a Classic Load Balancer to an Application Load Balancer

AWS Command Line Interface (CLI) Documentation
elb
delete-load-balancer
elbv2
describe-load-balancers
register-targets
create-listener
describe-load-balancers
create-load-balancer
create-target-group

Publication date Oct 15, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Classic Load Balancer

Risk level: Medium

Audit

Using AWS Console

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELB rules