Logo of Trend Micro

Internet Facing ELBv2 Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ELBv2-007

Ensure that all internet-facing Application Load Balancers (ALBs) and Network Load Balancers (NLBs) available within your AWS account are regularly reviewed for security purposes. An internet-facing load balancer has a publicly resolvable DNS name (identified by an A record), required to route requests/connections from clients over the Internet to the target instances registered with the ELBv2 load balancer. On the other hand, an internal ELBv2 load balancer is commonly used within a multi-tier architecture, where you have front-end web servers that perform requests to an internal load balancer, using private IP addresses that are resolved from the internal load balancer's DNS name. Cloud Conformity strongly recommends reviewing your Application Load Balancers and Network Load Balancers on a regular basis to ensure that the scheme used by each ELBv2 resource fits the necessary requirements from the security standpoint.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using the right scheme (internal or internet-facing) for your Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) is crucial for maintaining your AWS load balancing architecture security.

Audit

To identify the scheme used by the ELBv2 load balancers provisioned in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the AWS load balancer that you want to examine.

05 Select Description tab from the dashboard bottom panel to view the ELBv2 resource description.

06 Within Basic Configuration section, check the Scheme attribute value set for the selected load balancer. If the Scheme attribute value is set to internet-facing, the selected ALB/NLB is internet-facing and routes requests/connections from clients over the Internet to the registered target EC2 instances, therefore it must be reviewed from the security standpoint.

07 Repeat steps no. 4 – 6 to determine the scheme used by other Amazon ELBv2 load balancers provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region: 

aws elbv2 describe-load-balancers
	--region us-east-1
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return a table with the requested Amazon Resource Names (ARNs): 

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-frontend-nlb/aaaabbbbccccdddd"

]

03 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom filtering to describe the scheme used by the selected AWS ELBv2 resource (ALB or NLB): 

aws elbv2 describe-load-balancers
	--region us-east-1
	--load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-frontend-alb/aaaabbbbccccdddd
	--query 'LoadBalancers[*].Scheme'

04 The command output should return the name of the scheme used by the selected load balancer: 

[
    "internet-facing"
]

If the describe-load-balancers command output returns "internet-facing", as shown in the example above, the selected AWS ALB/NLB is internet-facing and routes requests/connections from clients over the Internet to the registered target instances, therefore it should be reviewed for security purposes.

05 Repeat steps no. 3 – 4 to determine the scheme used by other Amazon ELBv2 load balancers available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

Case A: Review your ELBv2 internet-facing load balancers and change the scheme configuration for any ALB/NLB resource that is not following the regulatory security requirements. To change the scheme for your AWS load balancers you need to re-create them with the internal scheme configuration. To create internal Amazon ELBv2 load balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create load balancer from the dashboard top menu, choose Application Load Balancer or Network Load Balancer to select the type of the ELBv2 load balancer that you want to set up, then click Create to start the setup process.

05 On the Step 1: Configure Load Balancer page, provide a unique name for your new AWS ALB/NLB, then set the load balancer Scheme to internal. Configure the necessary listeners and select the required Availability Zones. (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags section. (ALB only) Click Next: Configure Security Settings to continue the setup process.

06 (ALB only) On the Step 2: Configure Security Settings page, create the necessary HTTPS listener for your new AWS ALB. If your application does not require an HTTPS listener just skip this page and click Next: Configure Security Groups to continue the setup process.

07 (ALB only) On the Step 3: Configure Security Groups page, select Create a new security group and provide a name and a short description for the new EC2 security group. This security group should contain a rule that allows traffic to the port that you configured your ALB to use. (ALB and NLB) Click Next: Configure Routing to set the target group and the health checks configuration.

08 On the Step 4 (2): Configure Routing page, choose an existing Target Group from the Available dropdown list or set a new one based on your requirements. In the Health checks section, click Advanced health check settings and configure the load balancer health checks. Click Next: Register Targets to continue the process.

09 On the Step 5 (3): Register Targets page, use the Add to registered button to attach the existing target instances to the specified target group. The new ELBv2 load balancer will start routing requests to the registered EC2 instances as soon as the setup process is complete and the target instances pass the initial health check. Once registered, click Next: Review.

10 On the Step 6 (4): Review page, examine the configuration details then click Create to build your new internal AWS ALB/NLB.

11 On the Load Balancer Creation status page, wait for the confirmation message then click Close to return to the dashboard.

12 Repeat steps no. 4 - 11 to create additional internal ELBv2 load balancers within the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

Based on the type of the ELBv2 load balancer that you want to create, perform of the following sets of commands:

01 For Application Load Balancers (ALBs):

  1. Run create-load-balancer command (OSX/Linux/UNIX) with the --scheme parameter set to internal to create an internal AWS Application Load Balancer: 
    aws elbv2 create-load-balancer
	--region us-east-1
	--name cc-internal-alb
	--type application
	--scheme internal
	--ip-address-type ipv4
	--subnets subnet-1234abcd subnet-abcd1234
	--security-groups sg-aaaabbbb
	--tags Key=Environment,Value=production
  2. The command output should return the new AWS ALB metadata: 
    {
    "LoadBalancers": [
        {
            "VpcId": "vpc-12345678",
            "State": {
                "Code": "provisioning"
            },
            "LoadBalancerName": "cc-internal-alb",
            "Scheme": "internal ",

		...

            "Type": "application",
            "AvailabilityZones": [
                {
                    "SubnetId": "subnet-1234abcd",
                    "ZoneName": "us-east-1a"
                },
                {
                    "SubnetId": "subnet-abcd1234",
                    "ZoneName": "us-east-1b"
                }
            ]
        }
    ]
}
  3. Run create-target-group command (OSX/Linux/UNIX) to build the required target group for the newly created internal Application Load Balancer: 
    aws elbv2 create-target-group
	--region us-east-1
	--name cc-alb-target-group
	--protocol HTTP
	--port 80
	--vpc-id vpc-12345678
	--health-check-protocol HTTP
	--health-check-port traffic-port
	--health-check-path /index.html
	--health-check-interval-seconds 30
	--health-check-timeout-seconds 5
	--healthy-threshold-count 10
	--unhealthy-threshold-count 2
	--target-type instance
  4. The command output should return the new ELBv2 target group metadata: 
    [
    "TargetGroups": [
        {
            "HealthCheckPath": "/index.html",
            "HealthCheckIntervalSeconds": 30,
            "VpcId": "vpc-12345678",
            "Protocol": "HTTP",
            "HealthCheckTimeoutSeconds": 5,

            ...

            "Matcher": {
                "HttpCode": "200"
            },
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "cc-alb-target-group"
        }
    ]
}
  5. Run register-targets command (OSX/Linux/UNIX) to add the necessary EC2 instance targets, identified by the IDs i-0d3886fda05de9801 and i-06d20515a463ea399, to the target group created at the previous step (the command does not produce an output): 
    aws elbv2 register-targets
	--region us-east-1
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
	--targets Id=i-0d3886fda05de9801 Id=i-06d20515a463ea399
  6. Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary HTTP(S) listener to the newly created AWS ALB: 
    aws elbv2 create-listener
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd
	--protocol HTTP
	--port 80
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
  7. The command output should return the new listener metadata: 
    {
   "Listeners": [
      {
         "Protocol": "HTTP",
         "DefaultActions": [
             {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
                "Type": "forward"
             }
         ],
         "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-alb/aaaabbbbccccdddd”,
         "Port": 80,
         "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-alb/aaaabbbbccccdddd/bbbbccccddddeeee"
      }
   ]
}

02 For Network Load Balancers (NLBs):

  1. Run create-load-balancer command (OSX/Linux/UNIX) with the --scheme parameter set to internal to create an internal Amazon Network Load Balancer: 
    aws elbv2 create-load-balancer
	--region us-east-1
	--name cc-internal-nlb
	--type network
	--scheme internal
	--ip-address-type ipv4
	--subnets subnet-1234abcd subnet-abcd1234
	--tags Key=Environment,Value=production
  2. The command output should return the new AWS NLB metadata: 
    {
    "LoadBalancers": [
        {
            "VpcId": "vpc-12345678",
            "State": {
                "Code": "active"
            },
            "LoadBalancerName": "cc-internal-nlb",
            "Scheme": "internal",

            ...

            "Type": "network",
            "AvailabilityZones": [
                {
                    "SubnetId": "subnet-1234abcd",
                    "ZoneName": "us-east-1a"
                },
                {
                    "SubnetId": "subnet-abcd1234",
                    "ZoneName": "us-east-1b"
                }
            ]
        }
    ]
}
  3. Run create-target-group command (OSX/Linux/UNIX) to build the required target group for the newly created internal Network Load Balancer: 
    aws elbv2 create-target-group
	--region us-east-1
	--name cc-nlb-target-group
	--protocol TCP
	--port 80
	--vpc-id vpc-12345678
	--health-check-protocol TCP
	--health-check-port traffic-port
	--health-check-interval-seconds 30
	--health-check-timeout-seconds 10
	--healthy-threshold-count 3
	--unhealthy-threshold-count 3
	--target-type instance
  4. The command output should return the new ELBv2 target group metadata: 
    [
    "TargetGroups": [
        {
            "TargetType": "instance",
            "HealthCheckIntervalSeconds": 30,
            "VpcId": "vpc-12345678",
            "Protocol": "TCP",
            "HealthCheckTimeoutSeconds": 10,
            "HealthCheckProtocol": "TCP",

            ...

            "UnhealthyThresholdCount": 3,
            "HealthyThresholdCount": 3,
            "Matcher": {},
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "cc-nlb-target-group"
        }
    ]
}
  5. Run register-targets command (OSX/Linux/UNIX) to add the necessary EC2 instance targets, identified by the IPs 10.0.1.30 and 10.0.1.18, to the target group created at the previous step (the command does not produce an output): 
    aws elbv2 register-targets
	--region us-east-1
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
	--targets Id=10.0.1.30 Id=10.0.1.18
  6. Run create-listener command (OSX/Linux/UNIX) to create, configure and attach the necessary TCP listener to the newly created Amazon NLB: 
    aws elbv2 create-listener
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-nlb/aaaabbbbccccdddd
	--protocol TCP
	--port 80
	--default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
  7. The command output should return the new listener metadata: 
    {
   "Listeners": [
      {
         "Protocol": "TCP",
         "DefaultActions": [
             {
                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
                "Type": "forward"
             }
         ],
         "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-nlb/aaaabbbbccccdddd”,
         "Port": 80,
         "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-nlb/aaaabbbbccccdddd/bbbbccccddddeeee"
      }
   ]
}

03 Repeat step no. and 2 to launch additional internal ELBv2 load balancers in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 for other regions.

References

Publication date Feb 5, 2018

Related ELBv2 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Internet Facing ELBv2 Load Balancers

Risk level: High