ELB Minimum Number Of EC2 Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELB-010

Ensure that your AWS Elastic Load Balancers have at least two healthy EC2 backend instances assigned, in order to provide a better fault-tolerant load balancing configuration.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Having just one EC2 instance behind your Elastic Load Balancer (ELB), even if the ELB is associated with an Auto Scaling Group (ASG) that can add instances automatically, increases the risk of downtime. To achieve fault tolerance with zero downtime, always register at least two EC2 instances with your ELB.


Audit

A common scenario where an ELB utilizes a single EC2 instance is when the instance is a part of an Auto Scaling Group with min, max and desired capacity set to 1. To determine if each ELB available in your account distributes the traffic to at least two healthy backend instances, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that you want to examine.

05 Select the Instances tab from the bottom panel.

06 In the instances table, search for any healthy instance with the current status set to InService:

If the number of healthy instances assigned to the selected ELB is less than two, the ELB does not have a fault-tolerant configuration.

07 Repeat steps 4 – 6 for each load balancer available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions:

Using AWS CLI

01 Run describe-instance-health command (OSX/Linux/UNIX) to determine the number and the health status of the EC2 instances registered with the selected ELB:

aws elb describe-instance-health \
	--region us-east-1 \
	--load-balancer-name MyWebELB

02 The command output should reveal the current health status for each backend instance. If the State parameter value is set to InService, the instance is healthy; otherwise the instance is unhealthy:

{
    "InstanceStates": [
        {
            "InstanceId": "i-c4d66559",
            "ReasonCode": "N/A",
            "State": "InService",
            "Description": "N/A"
        },
        {
            "InstanceId": "i-4e47f7d3",
            "ReasonCode": "Instance",
            "State": "OutOfService",
            "Description": "Instance has not passed the configured HealthyThreshold number of health checks consecutively."
        }
    ]
}

If there aren't at least two healthy instances assigned, the selected ELB does not have a fault-tolerant configuration which can lead to downtime in case of instance failure.
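The audit logic the steps above describe, as an added example that is not Conformity's own code: it parses describe-instance-health output of the shape shown above, counts InService instances against the rule's threshold of two, walks a region/ELB inventory, and also flags the Auto Scaling Group min/max/desired-of-1 scenario from the Audit section. The sample data is constructed and the boto3 wiring in the comment is an assumption; the script itself runs offline against the embedded sample.

```python
import json

MIN_HEALTHY = 2  # ELB-010 threshold: at least two InService backend instances

# Constructed sample output in the shape of `aws elb describe-instance-health`,
# keyed by (region, load balancer name). Not live data.
SAMPLE_HEALTH: dict[tuple[str, str], str] = {
    ("us-east-1", "MyWebELB"): json.dumps({"InstanceStates": [
        {"InstanceId": "i-c4d66559", "ReasonCode": "N/A", "State": "InService", "Description": "N/A"},
        {"InstanceId": "i-4e47f7d3", "ReasonCode": "Instance", "State": "OutOfService",
         "Description": "Instance has not passed the configured HealthyThreshold number of health checks consecutively."},
    ]}),
    ("eu-west-1", "ApiELB"): json.dumps({"InstanceStates": [
        {"InstanceId": "i-0aaa1111", "ReasonCode": "N/A", "State": "InService", "Description": "N/A"},
        {"InstanceId": "i-0bbb2222", "ReasonCode": "N/A", "State": "InService", "Description": "N/A"},
    ]}),
}

def evaluate_elb(raw_json: str, minimum: int = MIN_HEALTHY) -> dict:
    """Apply ELB-010 to one describe-instance-health document: only InService counts as healthy."""
    states = json.loads(raw_json).get("InstanceStates", [])
    healthy = [s["InstanceId"] for s in states if s.get("State") == "InService"]
    unhealthy = {s["InstanceId"]: s.get("Description", "") for s in states if s.get("State") != "InService"}
    return {"healthy": healthy, "unhealthy": unhealthy, "compliant": len(healthy) >= minimum}

def asg_capacity_ok(group: dict, minimum: int = MIN_HEALTHY) -> bool:
    """Flag the min=max=desired=1 scenario from the Audit section, using the
    MinSize/DesiredCapacity fields of describe-auto-scaling-groups output."""
    return group.get("MinSize", 0) >= minimum and group.get("DesiredCapacity", 0) >= minimum

def audit(fetch, inventory: dict[str, list[str]]) -> list[dict]:
    """Walk every region and load balancer; return a finding per non-compliant ELB.
    fetch(region, name) returns raw JSON. With boto3 (assumed, not run here) it would be:
    json.dumps(boto3.client("elb", region_name=region).describe_instance_health(LoadBalancerName=name))"""
    findings = []
    for region, names in inventory.items():
        for name in names:
            result = evaluate_elb(fetch(region, name))
            if not result["compliant"]:
                findings.append({"region": region, "load_balancer": name, **result})
    return findings

def sample_fetch(region: str, name: str) -> str: return SAMPLE_HEALTH[(region, name)]

SAMPLE_INVENTORY = {"us-east-1": ["MyWebELB"], "eu-west-1": ["ApiELB"]}

if __name__ == "__main__":
    for f in audit(sample_fetch, SAMPLE_INVENTORY):
        print(f"FAIL {f['region']}/{f['load_balancer']}: {len(f['healthy'])} InService, "
              f"unhealthy={list(f['unhealthy'])}")
```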

Remediation / Resolution

To register additional healthy EC2 backend instances with your Elastic Load Balancers, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 If your ELB is associated with an Auto Scaling Group (ASG), you need to update the ASG configuration first to increase the number of backend instances:

  1. In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.
  2. Select the Auto Scaling Group that integrates the ELB.
  3. Select the Details tab from the bottom panel and click the Edit button from the right side.
  4. Change the values available in the Desired, Min and Max fields to reflect the number of instances that will be registered with the ELB (in this case, the value must be at least 2 for each field).
  5. Click Save to apply the changes.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Select the Elastic Load Balancer that you want to examine.

06 Select the Instances tab from the bottom panel and click the Edit Instances button.

07 In the Add and Remove Instances dialog box, perform the following:

  1. To remove any unhealthy instance registered with the ELB, deselect the instance entry.
  2. To register a new EC2 instance available in the list, select the instance entry.

08 Once you have selected at least two healthy EC2 instances, review the changes and click Save.

09 Make sure the new instance(s) registered with the ELB respond successfully to the health checks by changing their status from OutOfService to InService (the registration process may take a few minutes depending on the ELB health check configuration).

10 Repeat steps 3 – 9 for each ELB / ASG available in the current AWS region. Change the AWS region from the navigation bar to repeat the process for the other regions.

Using AWS CLI

01 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update the selected Auto Scaling Group (ASG) launch configuration, in order to increase the number of backend instances (the command does not return any output):

aws autoscaling update-auto-scaling-group \
	--region us-east-1 \
	--auto-scaling-group-name MyWebASG \
	--launch-configuration-name MyASGLaunchConfig \
	--min-size 2 \
	--max-size 2 \
	--desired-capacity 2

02 Run register-instances-with-load-balancer command (OSX/Linux/UNIX) to register new EC2 instances with the selected ELB. The following example registers a new instance with the ID i-c95cef54 (in this case the instance is created automatically by ASG):

aws elb register-instances-with-load-balancer \
	--region us-east-1 \
	--load-balancer-name MyWebELB \
	--instances i-c95cef54

The command output should return the metadata of each instance registered with the selected ELB:

{
    "Instances": [
        {
            "InstanceId": "i-c95cef54"
        },
        {
            "InstanceId": "i-ef78ce68"
        }
    ]
}

03 Run describe-instance-health command (OSX/Linux/UNIX) to determine the health status of the new EC2 instances registered with the selected ELB:

aws elb describe-instance-health \
	--region us-east-1 \
	--load-balancer-name MyWebELB

04 The command output should reveal the current health status for each ELB backend instance. If the State parameter value is set to InService, the instance is healthy; otherwise the instance is unhealthy (the registration process may take a few minutes depending on the ELB health check configuration):

{
    "InstanceStates": [
        {
            "InstanceId": "i-c95cef54",
            "ReasonCode": "Instance",
            "State": "InService",
            "Description": "N/A"
        },
        ...
        {
            "InstanceId": "i-ef78ce68",
            "ReasonCode": "N/A",
            "State": "InService",
            "Description": "N/A"
        }
    ]
}

Publication date Apr 22, 2016
