Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Same Availability Zones In ASG And ELB

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ASG-004

Ensure that the AWS Auto Scaling Groups (ASGs) and their associated Elastic Load Balancers (ELBs) are sharing the same Availability Zones (AZs) in order to increase the performance of your auto scaling environments by allowing your applications to use AWS low-latency network links.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance
efficiency
Sustainability

By using the same AWS Availability Zones for your Auto Scaling Groups and their load balancers (which run themselves on EC2 instances) you will get the lowest possible network latency.

Audit

To identify any unattached Elastic IPs currently available in your AWS account, perform the following: To determine if your ASGs share the AWS Availability Zones (AZs) with the ELBs attached, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Instances tab from the dashboard bottom panel.

06 In the Availability Zone column identify the AWS Availability Zones used by the ASG EC2 instances, e.g.

In the Availability Zone column identify the AWS Availability Zones used by the ASG EC2 instances

07 Now select the Details tab and copy the name of the associated ELB displayed as the value of the Load Balancers property.

08 In the navigation panel, under LOAD BALANCING section, choose Load Balancers.

09 Paste the name of the ASG load balancer copied at step no. 7 in the Filter search box then press Enter.

10 Choose the AWS ELB returned as result and select the Instances tab from the dashboard bottom panel.

11 Under Edit Availability Zones, in the Availability Zone column, identify the AWS AZs configured for the selected Elastic Load Balancer, e.g.

Under Edit Availability Zones, in the Availability Zone column, identify the AWS AZs configured for the selected Elastic Load Balancer

If the Availability Zones identified at step no. 6 are different than the ones found at step no. 11, the selected ASG and its ELB are not sharing the same low latency network, therefore the network performance of your auto scaling environment needs optimization.

12 Repeat steps no. 3 – 11 to verify other Auto Scaling Groups available in the current region.

13 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of the Auto Scaling Groups available within the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names: 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  MyWebAppASG            |
|  MyBackendASG           |
|  ProdCacheASG           |
+-------------------------+

03 Run again describe-auto-scaling-groups command (OSX/Linux/UNIX) using custom query filters to expose the AWS AZs configured for the selected Auto Scaling Group. The following command example provides AZ information about an ASG named MyWebAppASG available in the US-East-1 region: 

aws autoscaling describe-auto-scaling-groups
--region us-east-1
--auto-scaling-group-names MyWebAppASG
--query 'AutoScalingGroups[*].AvailabilityZones[]'

04 The command output should return the requested availability zones details: 

[
    "us-east-1a",
    "us-east-1b"
]

05 Now run describe-load-balancers command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier to expose the name(s) of load balancer(s) associated with it: 

aws autoscaling describe-load-balancers
	--region us-east-1
	--auto-scaling-group-name MyWebAppASG
	--query 'LoadBalancers[*].LoadBalancerName'

06 The command output should return the name of each load balancer added to the ASG: 

[
    "MyASGLoadBalancer"
]

07 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the ELB returned at the previous step as identifier to expose the details of the AWS AZs used by the selected ELB: 

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name MyASGLoadBalancer
	--query 'LoadBalancerDescriptions[*].AvailabilityZones[]'

08 The command output should return the names of requested availability zones: 

[
    "us-east-1d",
    "us-east-1e"
]

Based on the information returned at step no. 4 and 8, if the selected Auto Scaling Group and its Elastic Load Balancer is not using the same AWS Availability Zones, these are not sharing the same low latency network.

09 Repeat steps no. 3 – 8 to verify other ASGs configuration, available in the current region.

10 Repeat steps no. 1 – 9 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To configure your AWS Auto Scaling Groups to share the same availability zones with their load balancers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the Auto Scaling Group that you want to update (see Audit section part I to identify the groups that need to be reconfigured in order to use the same AZs as the ELBs).

05 Select the Details tab from the dashboard bottom panel and click the Edit button:

Select the Details tab from the dashboard bottom panel and click the Edit button

to edit the selected ASG configuration.

06 Within the Subnet(s) box, delete the existing availability zone subnets by using the X button next to each subnet entry:

delete the existing availability zone subnets by using the X button next to each subnet entry

07 Click inside the Subnet(s) box and select the appropriate subnets to match the availability zones that you want to add to the selected ASG configuration.

08 Click the Save button to save the changes. From now on all EC2 instances within the Auto Scaling Group will be provisioned in the availability zones chosen at the previous step.

09 Repeat steps no. 4 – 8 to update other ASGs available in the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update any misconfigured Auto Scaling Groups so these can share the same AZs with their associated load balancers. The following command example updates the configuration of an AWS Auto Scaling Group named MyWebAppASG available in the US-East-1 region (the command does not return an output): 

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name MyWebAppASG
	--availability-zones us-east-1d us-east-1e

02 Repeat step no. 1 to update other Auto Scaling Groups available in the selected region.

03 Change the AWS region and repeat the entire process for other regions.

References

Publication date Aug 31, 2016

Related AutoScaling rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Same Availability Zones In ASG And ELB

Risk Level: High