Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free TrialEnsure that your web-tier Elastic Load Balancers (ELBs) are using the appropriate health check configuration in order to monitor the availability of the EC2 instances associated with the ELBs through application layer. An application layer health check is an HTTP-based test performed periodically by an AWS ELB to determine the availability of the EC2 instances registered to the load balancer. The status of the backend instances that are healthy at the time of the health check is "InService" and the status of any instances that are unhealthy at the time of the health check is "OutOfService". When an AWS ELB determines that an EC2 backend instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the backend instance when it has been restored to a healthy state. This conformity rule assumes that all AWS resources (including ELBs) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
Improve the reliability of the web applications behind your web-tier ELBs by using the right health check configuration. Cloud Conformity recommends that you always use application layer (HTTP(S)) health checks instead of TCP health checks (where a specified TCP port is probed to make sure is accepting connections) for your web-tier load balancers.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if your web-tier ELBs are using the right health check configuration, perform the following:
01 Sign in to your Cloud Conformity console, access Configure Health Check for Web-Tier ELBs conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).
02 Sign in to the AWS Management Console.
03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
04 In the navigation panel, under LOAD BALANCING, click Load Balancers.
05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the ELBs tagged for the web tier. If no results are returned, there are no ELBs tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit with the next step.
06 Select the web-tier load balancer that you want to examine.
07 Select the Health Check tab from the bottom panel and verify the ELB health check configuration details. If the ping protocol used by the ELB is TCP or SSL, i.e. the Ping Target configuration attribute is set to TCP:<port_number> or SSL:<port_number>, the health check configuration set for the selected AWS ELB is not using HTTP-based checks (performed at application level) to determine the health of the registered EC2 instances, therefore the current configuration is not suitable for your web-tier load balancer.
08 Repeat step no. 6 and 7 to verify the health check configuration for other load balancers created for your web tier in the selected AWS region.
09 Change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.
01 Sign in to your Cloud Conformity console, access Configure Health Check for Web-Tier ELBs conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).
02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:
aws elb describe-load-balancers --region us-east-1 --output table --query 'LoadBalancerDescriptions[*].LoadBalancerName'
03 The command output should return a table with the requested ELB names:
------------------------- | DescribeLoadBalancers | +-----------------------+ | cc-web-project-elb | | cc-frontend-elb | +-----------------------+
04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:
aws elb describe-tags --region us-east-1 --load-balancer-name cc-web-project-elb --query 'TagDescriptions[*].Tags[]'
05 The command request should return one of the following outputs:
[]
|
[
{
"Value": "Role",
"Key": "Frontend Load Balancer"
}
]
[
{
"Value": "<web_tier_tag_value>",
"Key": "<web_tier_tag>"
}
]
06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the web-tier ELB identified at the previous step to describe the configuration of the health checks conducted on the selected load balancer:
aws elb describe-load-balancers
--region us-east-1
--load-balancer-name cc-web-project-elb
--query 'LoadBalancerDescriptions[*].{HealthCheck:HealthCheck}'
07 The command output should return the requested configuration metadata:
[
{
"HealthCheck": {
"HealthyThreshold": 10,
"Interval": 30,
"Target": "TCP:80",
"Timeout": 5,
"UnhealthyThreshold": 2
}
}
]
08 Repeat step no. 6 and 7 to verify the health check configuration for other ELBs provisioned for your web tier in the selected AWS region.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.
To update your web-tier ELBs configuration in order to use application layer health checks instead of TCP health checks, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under LOAD BALANCING, click Load Balancers.
04 Select the web-tier ELB that you want to reconfigure (see Audit section part I to identify the right ELB resource).
05 Select the Health Check tab from the bottom panel and click Edit Health Check to initiate the configuration update process.
06 Within Configure Health Check dialog box, select HTTP or HTTPS from the Ping Protocol dropdown list and configure the Ping Port and Ping Path attributes based on your requirements. In the Advanced Details section, leave the default settings unchanged or customize the health check settings to meet your specific needs. Click Save to apply the changes and return to the EC2 dashboard.
07 Repeat steps no. 4 – 6 to enable application layer health checks for other web-tier ELBs available in the selected region.
08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.
01 Run configure-health-check command (OSX/Linux/UNIX) to configure the health check settings to use when evaluating the health state of the EC2 instances behind your web-tier ELB (see Audit section part II to identify the right resource). The following command example updates the health check configuration for a load balancer named "cc-web-project-elb" using an HTTP-based ping target with the port set to 80 and the path set to "/index.html":
aws elb configure-health-check --region us-east-1 --load-balancer-name cc-web-project-elb --health-check Target=HTTP:80/index.html,Interval=30,UnhealthyThreshold=2,HealthyThreshold=10,Timeout=5
02 The command output should return the metadata for the updated ELB health check configuration:
{
"HealthCheck": {
"HealthyThreshold": 10,
"Interval": 30,
"Target": "HTTP:80/index.html",
"Timeout": 5,
"UnhealthyThreshold": 2
}
}
03 Repeat step no. 1 and 2 to enable application layer health checks for other web-tier ELBs provisioned in the selected region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s ChatUnlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
Web-Tier ELBs Health Check
Risk level: High