Logo of Trend Micro

ELB Cross-Zone Load Balancing Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ELB-002

By using at least two subnets in different Availability Zones with the Cross-Zone Load Balancing feature enabled, your ELBs can distribute the traffic evenly across all backend instances. To use Cross-Zone Load Balancing at optimal level, Amazon recommends maintaining an equal EC2 capacity distribution in each of the AZs registered with the load balancer.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Enabling Cross-Zone Load Balancing makes it easier to deploy and manage applications that run across multiple subnets in different Availability Zones. This would also guarantee better fault tolerance and more consistent traffic flow. If one of the availability zones registered with the ELB fails (as result of network outage or power loss), the load balancer with the Cross-Zone Load Balancing activated would act as a traffic guard, stopping any request being sent to the unhealthy zone and routing it to the other zone(s).

Note: no extra charges — with cross-zone load balancing implemented, Amazon will not charge for data transfer between the load balancer nodes and backend instances.

Audit

To determine if Cross-Zone Load Balancing is enabled, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Description tab from the bottom panel.

06 Check if the Cross-Zone Load Balancing status is enabled:

Checking if Cross-Zone Load Balancing status on the AWS Console

Using AWS CLI

01 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) to check if the Cross-Zone Load Balancing feature is enabled for your ELB: 

aws elb describe-load-balancer-attributes
	--load-balancer-name MyWebELB

02 The command output should expose the Cross-Zone Load Balancing status (disabled in this case): 

{
	"LoadBalancerAttributes": {
		"ConnectionDraining": {
			"Enabled": false,
			"Timeout": 300
		},
		"CrossZoneLoadBalancing": {
			"Enabled": false
		},
		"ConnectionSettings": {
			"IdleTimeout": 60
		},
		"AccessLog": {
			"Enabled": false
		}
	}
}

Remediation / Resolution

To enable Cross-Zone Load Balancing with at least two subnets in different AZs, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Description tab from the bottom panel.

06 Find the Cross-Zone Load Balancing status and click (Edit):

Find the Cross-Zone Load Balancing status on the AWS Console

07 In the Configure Cross-Zone Load Balancing dialog box, select Enable:

Enable Cross-Zone Load Balancing on the AWS Console

and click Save.

08 Select the Instances tab from the bottom panel and click Edit Availability Zones button.

09 In the Add and Remove Subnets dialog box, under Available Subnets, click the + button to add more subnets to the current ELB configuration and click Save.

Using AWS CLI

01 Run the following command (OSX/Linux/UNIX) to enable Configure Cross-Zone Load Balancing feature via AWS CLI: 

aws elb modify-load-balancer-attributes \
	--load-balancer-name MyWebELB \
	--load-balancer-attributes "{\"CrossZoneLoadBalancing\":{\"Enabled\":true}}"

02 The command response output should look like the following: 

{
	"LoadBalancerAttributes": {
		"CrossZoneLoadBalancing": {
			"Enabled": true
		}
	},
	"LoadBalancerName": "MyWebELB"
}

03 Run attach-load-balancer-to-subnets command (OSX/Linux/UNIX) to add one or more available subnets to the existing AZ configuration for the selected load balancer: 

aws elb attach-load-balancer-to-subnets \
	--load-balancer-name MyWebELB \
	--subnets subnet-df0e1cab subnet-91625dd7 subnet-aaafce90

04 The command output should look like the following: 

{
   "Subnets": [
   	"subnet-d2427bfc",
   	"subnet-df0e1cab",
   	"subnet-91625dd7",
   	"subnet-aaafce90"
   ]
 }

References

Publication date Apr 1, 2016

Related ELB rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

ELB Cross-Zone Load Balancing Enabled

Risk level: Medium