
Idle Elastic Load Balancers (ELBv2)


Risk Level: High (not acceptable risk)

Find any Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) that appear to be idle and remove them from your account to help lower the cost of your monthly AWS bill.
By default, an AWS ALB resource is considered "idle" when it meets the following criteria:

  • The sum of the requests made to the load balancer in the past 7 days is less than 100. The CloudWatch metric used to detect idle Application Load Balancers is RequestCount (Sum). This metric records the number of HTTP/HTTPS requests processed over a predefined time frame. It includes only the requests with a response generated by a target of the load balancer.

And an AWS NLB resource is considered "idle" when it meets the following criteria:
  • The sum of the TCP connections initiated in the past 7 days is less than 100. The CloudWatch metric used to detect idle Network Load Balancers is NewFlowCount (Sum). This metric records the number of TCP connections (flows) established from clients to targets within a predefined time frame.

Note 1: Knowing the role and the owner of an AWS load balancer before you decide to terminate it is very important. For this rule, Cloud Conformity assumes that your ELBv2 resources are tagged with "Role" and "Owner" tags, which provide visibility into their usage profile and help you decide whether it's safe to remove these resources from your account.

Note 2: You can change the default threshold (i.e. 100) for this rule in the Cloud Conformity console and set your own value for the RequestCount/NewFlowCount metric to define when your load balancers count as idle.

Cost optimisation

Regularly checking your AWS load balancers for the number of HTTP(S) requests and TCP connections completed will help you efficiently identify and remove any idle ELBv2 resources from your AWS account, so that you stop accumulating unnecessary service charges.


Audit

Case A: To find any idle Application Load Balancers within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Application Load Balancer that you want to examine.

05 Select the Monitoring tab from the dashboard bottom panel.

06 Within CloudWatch metrics section, click on the Requests (Count) usage graph thumbnail to open the usage details box for the requests made to the selected ALB. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:

  1. From the Statistic dropdown list, select Sum.
  2. From the Time Range list, select Last 1 Week.
  3. From the Period dropdown list, select 1 Minute.

Once the monitoring data is loaded, verify the RequestCount usage for the last 7 days. If the sum of the requests made to the Application Load Balancer in the past 7 days is less than 100, the selected AWS ALB qualifies as a candidate for an idle load balancer. Click Close to return to the dashboard.

07 Now determine the selected ALB's role within the stack and its owner by checking the values of the Role and Owner tags assigned to the load balancer, in order to decide whether it's safe to delete the resource. To check for the necessary tags, perform the following:

  1. Select the Tags tab from the ELB dashboard bottom panel.
  2. Verify the following tags and their values:
    • Check the Role tag value, available in the Value column, or any Role-like tag value that provides information about the usage profile of the load balancer (e.g. cc-staging-alb), in order to decide whether the ALB can be terminated.
    • Check the Owner tag value, available in the Value column, or any Owner-like tag value that provides the contact information (name, email, phone number) of the resource owner, in order to obtain confirmation before removing the selected ALB.
    If all conditions outlined at steps no. 6 and 7 are met (including the owner's confirmation), the selected Application Load Balancer is considered "idle" and can be safely removed from your account in order to stop incurring charges for it.

08 Repeat steps no. 4 – 7 to verify the RequestCount metric usage and to check the necessary tags (i.e. Role and Owner) for the rest of the Application Load Balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the names of all existing AWS ALBs available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--output table \
	--query 'LoadBalancers[?(Type == `application`)].LoadBalancerName | []'

02 The command output should return a table with the requested ALB identifiers:

-----------------------
|DescribeLoadBalancers|
+---------------------+
|  cc-staging-alb     |
|  cc-webapp-alb      |
+---------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the RequestCount metric, representing the number of HTTP(S) requests completed by the selected load balancer during the specified time frame. ALB metrics are published in the AWS/ApplicationELB namespace under the LoadBalancer dimension, whose value is the part of the load balancer ARN after "loadbalancer/" (e.g. app/cc-staging-alb/aaaabbbbccccdddd), not the bare name. The following command example returns the RequestCount (Sum) data for an AWS ALB named "cc-staging-alb", captured over a 7-day period, using a 1-hour period as the granularity of the returned datapoints (a single get-metric-statistics call returns at most 1,440 datapoints, so a 5-minute period does not fit a 7-day window):

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name RequestCount \
	--start-time 2018-01-13T16:30:00 \
	--end-time 2018-01-20T16:30:00 \
	--period 3600 \
	--namespace AWS/ApplicationELB \
	--statistics Sum \
	--dimensions Name=LoadBalancer,Value=app/cc-staging-alb/aaaabbbbccccdddd

04 The command output should return the usage information requested:

{
    "Datapoints": [
        {
            "Timestamp": "2018-01-13T16:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-13T17:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-13T18:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        },

        ...

        {
            "Timestamp": "2018-01-20T14:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-20T15:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-20T16:30:00Z",
            "Sum": 0,
            "Unit": "Count"
        }
    ],
    "Label": "RequestCount"
}

If the sum of the requests made to the Application Load Balancer across all returned datapoints is less than 100, the selected AWS ALB qualifies as a candidate for an idle load balancer.

05 Run describe-tags command (OSX/Linux/UNIX) to describe the tags for the selected ALB:

aws elbv2 describe-tags \
	--region us-east-1 \
	--resource-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-staging-alb/aaaabbbbccccdddd

06 The command output should return the tags (key-value pairs) applied to the load balancer. The Role and Owner tags returned and their values can be used to determine the resource role within the application stack and to contact its owner for more information in order to decide whether the load balancer can be deleted or not:

{
    "TagDescriptions": [
        {
            "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-staging-alb/aaaabbbbccccdddd",
            "Tags": [
                {
                    "Value": "cc-webapp-staging",
                    "Key": "Role"
                },
                {
                    "Value": "ops@cloudconformity.com",
                    "Key": "Owner"
                },
                {
                    "Value": "cc-staging-alb",
                    "Key": "Name"
                }
            ]
        }
    ]
}

If the output data returned for steps no. 3 – 6 satisfies the condition set by this conformity rule, the selected Application Load Balancer is considered "idle" and can be safely terminated in order to reduce AWS ALB service costs.

07 Repeat steps no. 3 – 6 to verify the RequestCount metric usage and the necessary tags for the rest of the Application Load Balancers provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Case B: To find any idle Network Load Balancers within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the Network Load Balancer that you want to examine.

05 Select the Monitoring tab from the dashboard bottom panel.

06 Within CloudWatch metrics section, click on the New flow count (Count) usage graph thumbnail to open the usage details box for the new TCP connections completed by the selected NLB. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:

  1. From the Statistic dropdown list, select Sum.
  2. From the Time Range list, select Last 1 Week.
  3. From the Period dropdown list, select 1 Minute.

Once the monitoring data is loaded, verify the NewFlowCount usage for the last 7 days. If the sum of the new TCP connections (flows) processed by the Network Load Balancer in the past 7 days is less than 100, the selected AWS NLB qualifies as a candidate for an idle load balancer. Click Close to return to the dashboard.

07 Now determine the selected NLB's role within the stack and its owner by checking the values of the Role and Owner tags assigned to the load balancer, in order to decide whether it's safe to delete the resource. To check for the necessary tags, perform the following:

  1. Select the Tags tab from the ELB dashboard bottom panel.
  2. Verify the following tags and their values:
    • Check the Role tag value, available in the Value column, or any Role-like tag value that provides information about the usage profile of the load balancer (e.g. cc-network-app-test), in order to decide whether the NLB can be terminated.
    • Check the Owner tag value, available in the Value column, or any Owner-like tag value that provides the contact information (name, email, phone number) of the resource owner, in order to obtain confirmation before removing the selected NLB.
    If all conditions outlined at steps no. 6 and 7 are met (including the owner's confirmation), the selected Network Load Balancer is considered "idle" and can be safely removed from your account in order to stop incurring charges for it.

08 Repeat steps no. 4 – 7 to verify the NewFlowCount metric usage and to check the necessary tags (i.e. Role and Owner) for the rest of the Network Load Balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the names of all existing AWS NLBs available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--output table \
	--query 'LoadBalancers[?(Type == `network`)].LoadBalancerName | []'

02 The command output should return a table with the requested NLB identifiers:

---------------------------
|  DescribeLoadBalancers  |
+-------------------------+
|  cc-network-test-elb    |
|  cc-network-prod-elb    |
+-------------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the NewFlowCount metric, representing the number of TCP connections established from clients to targets (processed by the load balancer) within the specified time frame. NLB metrics are published in the AWS/NetworkELB namespace under the LoadBalancer dimension, whose value is the part of the load balancer ARN after "loadbalancer/" (e.g. net/cc-network-test-elb/aaaabbbbccccdddd). The following command example returns the NewFlowCount (Sum) data for an AWS NLB named "cc-network-test-elb", captured over a 7-day period, using a 1-hour period as the granularity of the returned datapoints (a single get-metric-statistics call returns at most 1,440 datapoints, so a 5-minute period does not fit a 7-day window):

aws cloudwatch get-metric-statistics \
	--region us-east-1 \
	--metric-name NewFlowCount \
	--start-time 2018-01-13T18:11:00 \
	--end-time 2018-01-20T18:11:00 \
	--period 3600 \
	--namespace AWS/NetworkELB \
	--statistics Sum \
	--dimensions Name=LoadBalancer,Value=net/cc-network-test-elb/aaaabbbbccccdddd

04 The command output should return the usage information requested:

{
    "Datapoints": [
        {
            "Timestamp": "2018-01-13T18:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-13T19:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-13T20:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        },

        ...

        {
            "Timestamp": "2018-01-20T16:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-20T17:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2018-01-20T18:11:00Z",
            "Sum": 0,
            "Unit": "Count"
        }
    ],
    "Label": "NewFlowCount"
}

If the sum of the TCP connections (flows) processed by the Network Load Balancer across all returned datapoints is less than 100, the selected AWS NLB qualifies as a candidate for an idle load balancer.

05 Run describe-tags command (OSX/Linux/UNIX) to describe the tags for the selected Network Load Balancer:

aws elbv2 describe-tags \
	--region us-east-1 \
	--resource-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-test-elb/aaaabbbbccccdddd

06 The command output should return the tags (key-value pairs) applied to the load balancer. The Role and Owner tags returned and their values can be used to determine the resource role within the application stack and to contact its owner for more information in order to decide whether the load balancer can be deleted or not:

{
    "TagDescriptions": [
        {
            "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-test-elb/aaaabbbbccccdddd",
            "Tags": [
                {
                    "Value": "cc-network-app-test",
                    "Key": "Role"
                },
                {
                    "Value": "ops@cloudconformity.com",
                    "Key": "Owner"
                },
                {
                    "Value": "cc-network-test-elb",
                    "Key": "Name"
                }
            ]
        }
    ]
}

If the output data returned for steps no. 3 – 6 satisfies the condition set by this conformity rule, the selected Network Load Balancer is considered "idle" and can be safely removed from your account in order to reduce AWS NLB service costs.

07 Repeat steps no. 3 – 6 to verify the NewFlowCount metric usage and the necessary tags for the rest of the Network Load Balancers provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
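As an added example (not part of the original article and not Cloud Conformity's own code), the idle check from the Case A and Case B CLI steps implemented in Python over the API response shapes shown above: it derives the CloudWatch namespace, metric and LoadBalancer dimension from each load balancer's type and ARN, sums the 7-day datapoints, applies the threshold, and reports the Role/Owner tags or their absence. The sample inputs are constructed; against a real account you would feed it the output of boto3's describe_load_balancers, get_metric_statistics and describe_tags calls.

```python
from datetime import datetime, timedelta, timezone

IDLE_THRESHOLD = 100            # rule default; adjustable in the Conformity console
LOOKBACK = timedelta(days=7)
# CloudWatch namespace and metric per ELBv2 type (Sum over the lookback window).
METRIC_BY_TYPE = {
    "application": ("AWS/ApplicationELB", "RequestCount"),
    "network": ("AWS/NetworkELB", "NewFlowCount"),
}

def metric_query(lb, end=None, period=3600):
    """Keyword arguments for CloudWatch get_metric_statistics for one load balancer.
    The ELBv2 dimension is 'LoadBalancer'; its value is the ARN suffix after 'loadbalancer/'."""
    namespace, metric = METRIC_BY_TYPE[lb["Type"]]
    end = end or datetime.now(timezone.utc)
    dim_value = lb["LoadBalancerArn"].split("loadbalancer/", 1)[1]
    return {
        "Namespace": namespace, "MetricName": metric,
        "Dimensions": [{"Name": "LoadBalancer", "Value": dim_value}],
        "StartTime": end - LOOKBACK, "EndTime": end,
        "Period": period, "Statistics": ["Sum"],
    }

def sum_datapoints(stats):
    """Total the Sum field over every datapoint of a get-metric-statistics response."""
    return sum(dp["Sum"] for dp in stats.get("Datapoints", []))

def tags_of(tag_response, arn):
    """Flatten describe-tags output into {Key: Value} for one resource ARN."""
    for desc in tag_response.get("TagDescriptions", []):
        if desc["ResourceArn"] == arn:
            return {t["Key"]: t["Value"] for t in desc["Tags"]}
    return {}

def classify(lb, stats, tag_response, threshold=IDLE_THRESHOLD):
    """Below-threshold traffic makes a candidate; missing Role/Owner tags block a safe decision."""
    total = sum_datapoints(stats)
    tags = tags_of(tag_response, lb["LoadBalancerArn"])
    return {
        "name": lb["LoadBalancerName"], "type": lb["Type"], "total": total,
        "idle_candidate": total < threshold,
        "role": tags.get("Role"), "owner": tags.get("Owner"),
        "missing_tags": [k for k in ("Role", "Owner") if k not in tags],
    }

# Constructed sample (not real account data): an ALB with 12 requests in 7 days.
SAMPLE_ALB = {"LoadBalancerName": "cc-staging-alb", "Type": "application",
              "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                                 "loadbalancer/app/cc-staging-alb/aaaabbbbccccdddd"}
SAMPLE_STATS = {"Datapoints": [{"Sum": 5, "Unit": "Count"}, {"Sum": 7, "Unit": "Count"}],
                "Label": "RequestCount"}
SAMPLE_TAGS = {"TagDescriptions": [{"ResourceArn": SAMPLE_ALB["LoadBalancerArn"],
               "Tags": [{"Key": "Role", "Value": "cc-webapp-staging"},
                        {"Key": "Owner", "Value": "ops@cloudconformity.com"}]}]}
```

Calling classify(SAMPLE_ALB, SAMPLE_STATS, SAMPLE_TAGS) flags the sample ALB as an idle candidate with its owner contact attached; a load balancer whose tags are missing is reported with missing_tags so that no deletion decision is taken without them.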

Remediation / Resolution

Option 1: Terminate the idle load balancers. To delete any Application Load Balancer or Network Load Balancer that is currently running in idle mode, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the load balancer that you want to terminate (see Audit section part I to identify the right ALB/NLB resource).

05 Click the Actions dropdown button from the dashboard top menu and select Delete.

06 Inside the Delete Load Balancer confirmation box, review the selected load balancer identifier (name) then click Yes, Delete to confirm the action.

07 Repeat steps no. 4 – 6 to remove any other idle Application Load Balancers or Network Load Balancers provisioned within the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run delete-load-balancer command (OSX/Linux/UNIX) using the resource ARN as identifier (see Audit section part II to identify the right AWS ALB/NLB resource), to delete the selected idle load balancer (the command does not produce an output):

aws elbv2 delete-load-balancer \
	--region us-east-1 \
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-staging-alb/aaaabbbbccccdddd

02 Repeat step no. 1 to delete any other idle Application Load Balancers or Network Load Balancers provisioned within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Option 2: Disable the rule check. If the selected idle load balancer is needed (its role within your application stack is essential and the owner confirms it), you should turn off this conformity rule check for your AWS load balancers (ELBv2) from the Cloud Conformity console.

Publication date Feb 5, 2018
