Internet Facing ELBv2 Load Balancers (Not Scored)
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that all internet-facing Application Load Balancers (ALBs) and Network Load Balancers (NLBs) available within your AWS account are regularly reviewed for security purposes. An internet-facing load balancer has a publicly resolvable DNS name (identified by an A record), required to route requests/connections from clients over the Internet to the target instances registered with the ELBv2 load balancer. On the other hand, an internal ELBv2 load balancer is commonly used within a multi-tier architecture, where you have front-end web servers that perform requests to an internal load balancer, using private IP addresses that are resolved from the internal load balancer's DNS name. Cloud Conformity strongly recommends reviewing your Application Load Balancers and Network Load Balancers on a regular basis to ensure that the scheme used by each ELBv2 resource fits the necessary requirements from the security standpoint.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using the right scheme (internal or internet-facing) for your Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) is crucial for maintaining your AWS load balancing architecture security.
To identify the scheme used by the ELBv2 load balancers provisioned in your AWS account, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.
04 Select the AWS load balancer that you want to examine.
05 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.
06 Within Basic Configuration section, check the Scheme attribute value set for the selected load balancer. If the Scheme attribute value is set to internet-facing, the selected ALB/NLB is internet-facing and routes requests/connections from clients over the Internet to the registered target EC2 instances, therefore it must be reviewed from the security standpoint.
07 Repeat steps no. 4 – 6 to determine the scheme used by other Amazon ELBv2 load balancers provisioned in the current region.
08 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:
aws elbv2 describe-load-balancers --region us-east-1 --query 'LoadBalancers[*].LoadBalancerArn'
02 The command output should return a table with the requested Amazon Resource Names (ARNs):
[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-frontend-nlb/aaaabbbbccccdddd"
]
03 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom filtering to describe the scheme used by the selected AWS ELBv2 resource (ALB or NLB):
aws elbv2 describe-load-balancers --region us-east-1 --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd --query 'LoadBalancers[*].Scheme'
04 The command output should return the name of the scheme used by the selected load balancer:
[
"internet-facing"
]
05 Repeat steps no. 3 – 4 to determine the scheme used by other Amazon ELBv2 load balancers available in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
Case A: Review your ELBv2 internet-facing load balancers and change the scheme configuration for any ALB/NLB resource that is not following the regulatory security requirements. To change the scheme for your AWS load balancers you need to re-create them with the internal scheme configuration. To create internal Amazon ELBv2 load balancers, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.
04 Click Create load balancer from the dashboard top menu, choose Application Load Balancer or Network Load Balancer to select the type of the ELBv2 load balancer that you want to set up, then click Create to start the setup process.
05 On the Step 1: Configure Load Balancer page, provide a unique name for your new AWS ALB/NLB, then set the load balancer Scheme to internal. Configure the necessary listeners and select the required Availability Zones. (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags section. (ALB only) Click Next: Configure Security Settings to continue the setup process.
06 (ALB only) On the Step 2: Configure Security Settings page, create the necessary HTTPS listener for your new AWS ALB. If your application does not require an HTTPS listener just skip this page and click Next: Configure Security Groups to continue the setup process.
07 (ALB only) On the Step 3: Configure Security Groups page, select Create a new security group and provide a name and a short description for the new EC2 security group. This security group should contain a rule that allows traffic to the port that you configured your ALB to use. (ALB and NLB) Click Next: Configure Routing to set the target group and the health checks configuration.
08 On the Step 4 (2): Configure Routing page, choose an existing Target Group from the Available dropdown list or set a new one based on your requirements. In the Health checks section, click Advanced health check settings and configure the load balancer health checks. Click Next: Register Targets to continue the process.
09 On the Step 5 (3): Register Targets page, use the Add to registered button to attach the existing target instances to the specified target group. The new ELBv2 load balancer will start routing requests to the registered EC2 instances as soon as the setup process is complete and the target instances pass the initial health check. Once registered, click Next: Review.
10 On the Step 6 (4): Review page, examine the configuration details then click Create to build your new internal AWS ALB/NLB.
11 On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the dashboard.
12 Repeat steps no. 4 - 11 to create additional internal ELBv2 load balancers within the current region.
13 Change the AWS region from the navigation bar and repeat the entire process for other regions.
Based on the type of the ELBv2 load balancer that you want to create, perform of the following sets of commands:
01 For Application Load Balancers (ALBs):
aws elbv2 create-load-balancer --region us-east-1 --name cc-internal-alb --type application --scheme internal --ip-address-type ipv4 --subnets subnet-1234abcd subnet-abcd1234 --security-groups sg-aaaabbbb --tags Key=Environment,Value=production
{
"LoadBalancers": [
{
"VpcId": "vpc-12345678",
"State": {
"Code": "provisioning"
},
"LoadBalancerName": "cc-internal-alb",
"Scheme": "internal ",
...
"Type": "application",
"AvailabilityZones": [
{
"SubnetId": "subnet-1234abcd",
"ZoneName": "us-east-1a"
},
{
"SubnetId": "subnet-abcd1234",
"ZoneName": "us-east-1b"
}
]
}
]
}
aws elbv2 create-target-group --region us-east-1 --name cc-alb-target-group --protocol HTTP --port 80 --vpc-id vpc-12345678 --health-check-protocol HTTP --health-check-port traffic-port --health-check-path /index.html --health-check-interval-seconds 30 --health-check-timeout-seconds 5 --healthy-threshold-count 10 --unhealthy-threshold-count 2 --target-type instance
[
"TargetGroups": [
{
"HealthCheckPath": "/index.html",
"HealthCheckIntervalSeconds": 30,
"VpcId": "vpc-12345678",
"Protocol": "HTTP",
"HealthCheckTimeoutSeconds": 5,
...
"Matcher": {
"HttpCode": "200"
},
"HealthCheckPort": "traffic-port",
"Port": 80,
"TargetGroupName": "cc-alb-target-group"
}
]
}
aws elbv2 register-targets --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd --targets Id=i-0d3886fda05de9801 Id=i-06d20515a463ea399
aws elbv2 create-listener --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd --protocol HTTP --port 80 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
{
"Listeners": [
{
"Protocol": "HTTP",
"DefaultActions": [
{
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
"Type": "forward"
}
],
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd”,
"Port": 80,
"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-alb/aaaabbbbccccdddd/bbbbccccddddeeee"
}
]
}
02 For Network Load Balancers (NLBs):
aws elbv2 create-load-balancer --region us-east-1 --name cc-internal-nlb --type network --scheme internal --ip-address-type ipv4 --subnets subnet-1234abcd subnet-abcd1234 --tags Key=Environment,Value=production
{
"LoadBalancers": [
{
"VpcId": "vpc-12345678",
"State": {
"Code": "active"
},
"LoadBalancerName": "cc-internal-nlb",
"Scheme": "internal",
...
"Type": "network",
"AvailabilityZones": [
{
"SubnetId": "subnet-1234abcd",
"ZoneName": "us-east-1a"
},
{
"SubnetId": "subnet-abcd1234",
"ZoneName": "us-east-1b"
}
]
}
]
}
aws elbv2 create-target-group --region us-east-1 --name cc-nlb-target-group --protocol TCP --port 80 --vpc-id vpc-12345678 --health-check-protocol TCP --health-check-port traffic-port --health-check-interval-seconds 30 --health-check-timeout-seconds 10 --healthy-threshold-count 3 --unhealthy-threshold-count 3 --target-type instance
[
"TargetGroups": [
{
"TargetType": "instance",
"HealthCheckIntervalSeconds": 30,
"VpcId": "vpc-12345678",
"Protocol": "TCP",
"HealthCheckTimeoutSeconds": 10,
"HealthCheckProtocol": "TCP",
...
"UnhealthyThresholdCount": 3,
"HealthyThresholdCount": 3,
"Matcher": {},
"HealthCheckPort": "traffic-port",
"Port": 80,
"TargetGroupName": "cc-nlb-target-group"
}
]
}
aws elbv2 register-targets --region us-east-1 --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd --targets Id=10.0.1.30 Id=10.0.1.18
aws elbv2 create-listener --region us-east-1 --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-nlb/aaaabbbbccccdddd --protocol TCP --port 80 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
{
"Listeners": [
{
"Protocol": "TCP",
"DefaultActions": [
{
"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
"Type": "forward"
}
],
"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-nlb/aaaabbbbccccdddd”,
"Port": 80,
"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-nlb/aaaabbbbccccdddd/bbbbccccddddeeee"
}
]
}
03 Repeat step no. and 2 to launch additional internal ELBv2 load balancers in the current region.
04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat