Web-Tier Auto Scaling Group associated ELB

Risk Level: Medium (should be achieved)

Rule ID: ASG-013

Ensure that your web-tier Auto Scaling Groups (ASGs) have associated load balancers to equally distribute incoming traffic across all Amazon EC2 instances running within the ASG and help you provide high availability for your web applications. This conformity rule assumes that all the AWS cloud resources created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

This rule can help you with the following compliance standards:

APRA

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Attaching load balancers to your web-tier Auto Scaling Groups (ASGs) can help you maintain the availability of the auto-scaling application in the event of a failure and improve scaling for the Amazon EC2 instances behind the load balancers (also known as backend instances).

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.

Audit

To determine if your Auto Scaling Groups are using load balancers for efficient application scaling and high availability, perform the following operations:

Using AWS Console

01 Sign in to your Cloud Conformity console, accessCheck for web-tier Auto Scaling Groups with associated Load Balancers rule settings and identify the tag set defined for all AWS resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

04 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

05 Select the Auto Scaling Group (ASG) that you want to examine.

06 Choose the Details tab to view the ASG resource configuration details.

07 In the Tags section, search for the tag set identified at step no. 1 (i.e. <web_tier_tag>:<web_tier_tag_value>). If the web-tier tag set is not found in the Tags list, the selected resource is not a component of your web tier and the Audit process ends here. If the web-tier tag set is found, the selected resource is a web-tier Auto Scaling Group (ASG), and the Audit process can continue with the next step.

08 In the Load balancing section, check the Classic Load Balancers attribute value to identify the name of the Classic Load Balancer attached to the selected Auto Scaling Group (ASG), and the Load balancer target groups value to identify the name of the Target Group associated with the selected ASG. If both Classic Load Balancers and Load balancer target groups attributes are missing their values, there are no Classic, Application, or Network Load Balancers associated with the selected web-tier Auto Scaling Group (ASG).

09 Repeat steps no. 5 – 8 for each web-tier ASG deployed within the selected AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --output table
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-frontend-app-asg   |
|   cc-internal-app-asg   |
+-------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the Auto Scaling Group (ASG) that you want to examine as the identifier parameter and custom query filters to describe the tags defined for the selected resource:

aws autoscaling describe-tags
  --region us-east-1
  --filters "Name=auto-scaling-group,Values=cc-production-asg"
  --query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the output example below, the verified ASG is not tagged, therefore the Audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags different than the one identified at step no. 1, as shown in the example below, the verified Auto Scaling Group (ASG) does not belong to your web tier, therefore the Audit process for the selected resource ends here:
```
[
	{
		"Value": "OpsTeam",
		"Key": "Melbourne"
	}
]
```
If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified ASG is tagged as a web-tier resource, therefore the Audit process continues with the next step:
```
[
	{
		"Key": "<web_tier_tag>",
		"Value": "<web_tier_tag_value>"
	}
]
```

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the web-tier Auto Scaling Group that you want to examine as the identifier parameter and custom query filters to describe the identifiers of the load balancers and/or Target Groups associated with the selected ASG:

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-names cc-production-asg
  --query 'AutoScalingGroups[*].{"LoadBalancers":LoadBalancerNames, "TargetGroups":TargetGroupARNs}'

07 The command output should return the requested cloud resource identifiers:

[
	{
		"LoadBalancers": [],
		"TargetGroups": []
	}
]

If the describe-auto-scaling-groups command output returns an empty array (i.e. []) for both "LoadBalancers" and "TargetGroups" configuration attributes, as shown in the output example above, there are no Classic, Application, or Network Load Balancers associated with the selected web-tier Auto Scaling Group (ASG).

08 Repeat steps no. 4 – 7 for each web-tier ASG available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Case A: To create and attach Classic Load Balancers to your web-tier Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer button from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose Classic Load Balancer - previous generationto set up a new Classic Load Balancer, then select Create to start the setup.

06 On the load balancer setup page, perform the following operations:

For Step 1: Define Load Balancer, provide a unique name for your new load balancer, select the target VPC, choose whether or not to create an internal load balancer, and set up the required listener configuration. Choose Next: Assign Security Groups to continue the setup.
For Step 2: Assign Security Groups, choose one or more existing security groups for the new load balancer or create new ones. These security groups should act as a set of firewall rules that control the traffic to your load balancer. Choose Next: Configure Security Settings to continue.
For Step 3: Configure Security Settings, create and configure the necessary HTTPS listeners for your new Classic Load Balancer. Choose Next: Configure Health Check to continue.
For Step 4: Configure Health Check, configure the health check settings to meet your specific needs. Choose Next: Add EC2 instances to continue the setup.
For Step 5: Add EC2 Instances, add the necessary Amazon EC2 instances to your load balancer. Configure Availability Zone (AZ) distribution. Choose Next: Add EC2 instances to continue the setup.
For Step 6: Add Tags, apply tags to your load balancer to help organize and identify the resource. Add the required web-tier tags (e.g. <web_tier_tag>:<web_tier_tag_value>) to your new resource. Choose Review and Create to continue.
For Step 7: Review, review your load balancer configuration, then choose Create to deploy your new Amazon Classic Load Balancer.
Choose Close to return to the Amazon EC2 console.

07 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

08 Select the web-tier Auto Scaling Group (ASG) that you want to reconfigure.

09 Choose the Details tab to access the ASG resource configuration details.

10 In the Load balancing section choose Edit to modify the exiting configuration.

11 Select Classic Load Balancers under Load balancers, and choose your new Classic Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Classic Load Balancer with the selected Auto Scaling Group (ASG).

12 Repeat steps no. 3 – 11 for each web-tier ASG that you want to reconfigure, available within the current AWS region.

13 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to reconfigure as the identifier parameter to describe the resource configuration details, required later when the new load balancer will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-name cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Classic Load Balancer. The following command example creates a security group named "cc-elb-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-elb-security-group
  --description "ASG Classic Load Balancer Security Group"
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your web application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 80
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at steps no. 2 and 4 as input parameters, to create a new web-tier Classic Load Balancer:

aws elb create-load-balancer
  --region us-east-1
  --load-balancer-name cc-classic-load-balancer
  --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80"
  --subnets "subnet-01234abcd1234abcd" "subnet-0abcd1234abcd1234"
  --security-groups sg-01234abcd1234abcd
  --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

08 The command output should return the DNS name for the new load balancer:

{
	"DNSName": "cc-classic-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the Classic Load Balancer created at the previous steps to the selected web-tier Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers
  --region us-east-1
  --load-balancer-names cc-classic-load-balancer
  --auto-scaling-group-name cc-production-asg

10 Repeat steps no. 1 – 9 for each web-tier ASG that you want to reconfigure, available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Case B: To create Application/Network Load Balancers and associate their Target Groups with your web-tier Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose one of the following options based on your application requirements:

For Application Load Balancers (ALBs):
- Choose Application Load Balancer to set up a new load balancer, then select Createto start the setup process.
- On the Create Application Load Balancer page, perform the following operations:
  - Provide a unique name for your new ALB in the Load balancer name box.
  - For Scheme, choose whether to create an internet-facing load balancer or an internal one.
  - Choose the right IP address type from the IP address type.
  - Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
  - For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
  - Click inside the Security groups box and choose one or more security groups for the new load balancer. The security group(s) should act as a set of firewall rules that control the traffic to your load balancer.
  - For Listeners and routing, create and configure the necessary HTTP(S) listener(s) for your new Application Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Application Load Balancer. Ensure that the target type is set to Instances.
  - (Optional) For AWS Global Accelerator, choose whether or not to integrate an AWS Global Accelerator with the load balancer at launch.
  - To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section. Add the required web-tier tags (e.g. <web_tier_tag>:<web_tier_tag_value>) to your new cloud resource.
  - In the Summary section, review your load balancer configuration.
  - Choose Create load balancer to launch your new web-tier Application Load Balancer (ALB).
  - Choose View load balancer to return to the Amazon EC2 console.
For Network Load Balancers (NLBs):
- Choose Network Load Balancer to set up a new load balancer, then select Create to start the setup.
- On the Create Network Load Balancer page, perform the following operations:
  - Provide a unique name for your new NLB in the Load balancer name box.
  - For Scheme, choose whether to create an internet-facing load balancer or an internal one.
  - Choose the right IP address type from the IP address type.
  - Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
  - For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
  - For Listeners and routing, create and configure the necessary TCP/TLS/UDP listener(s) for your new Network Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Network Load Balancer. Make sure that the target type is set to Instances.
  - To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section. Add the required web-tier tags (e.g. <web_tier_tag>:<web_tier_tag_value>) to your new cloud resource.
  - In the Summary section, review your load balancer configuration.
  - Choose Create load balancer to launch your new web-tier Network Load Balancer.
  - Choose View load balancer to return to the Amazon EC2 console.

06 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

07 Select the web-tier Auto Scaling Group (ASG) that you want to reconfigure.

08 Choose the Details tab to access the ASG resource configuration details.

09 In the Load balancing section choose Edit to modify the exiting configuration.

10 Select Application, Network or Gateway Load Balancer target groups under Load balancers, and choose the Target Group associated with your Application/Network Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Application/Network Load Balancer with the selected web-tier Auto Scaling Group (ASG).

11 Repeat steps no. 3 – 10 for each web-tier ASG that you want to reconfigure, available in the selected AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-name cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"Tags": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Application/Network Load Balancer. The following command example creates a security group named "cc-elbv2-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-elbv2-security-group
  --description "ASG Load Balancer Security Group"
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 80
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-egress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Based on the type of the ELBv2 load balancer that you want to create, perform of the following sets of commands:

For Application Load Balancers (ALBs):

Run create-load-balancer command (OSX/Linux/UNIX) to create a new web-tier Application Load Balancer (ALB):

aws elbv2 create-load-balancer
  --region us-east-1
  --name cc-application-load-balancer
  --type application
  --ip-address-type ipv4
  --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd
  --security-groups sg-0abcd1234abcd1234
  --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

The command output should return the configuration information available for the new load balancer:

{
	"LoadBalancers": [
		{
			"VpcId": "vpc-0abcd1234abcd1234",
			"State": {
				"Code": "provisioning"
			},
			"LoadBalancerName": "cc-application-load-balancer",

	...

			"Type": "application",
			"AvailabilityZones": [
				{
					"SubnetId": "subnet-0abcd1234abcd1234",
					"ZoneName": "us-east-1a"
				},
				{
					"SubnetId": "subnet-01234abcd1234abcd",
					"ZoneName": "us-east-1b"
				}
			]
		}
	]
}

Run create-target-group command (OSX/Linux/UNIX) to set up the target group for the newly created Application Load Balancer:

aws elbv2 create-target-group
  --region us-east-1
  --name cc-alb-target-group
  --protocol HTTP
  --port 80
  --vpc-id vpc-0abcd1234abcd1234
  --health-check-protocol HTTP
  --health-check-port traffic-port
  --health-check-path /index.html
  --health-check-interval-seconds 30
  --health-check-timeout-seconds 5
  --healthy-threshold-count 10
  --unhealthy-threshold-count 2
  --target-type instance

The command output should return the new ALB Target Group metadata:

{
	"TargetGroups": [
		{
			"HealthCheckPath": "/index.html",
			"HealthCheckIntervalSeconds": 30,
			"VpcId": "vpc-0abcd1234abcd1234",
			"Protocol": "HTTP",
			"HealthCheckTimeoutSeconds": 5,

			... 

			"Matcher": {
				"HttpCode": "200"
			},
			"HealthCheckPort": "traffic-port",
			"Port": 80,
			"TargetGroupName": "cc-alb-target-group"
		}
	]
}

Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary HTTP(S) listener to the new Application Load Balancer (ALB):

aws elbv2 create-listener
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd
  --protocol HTTP
  --port 80
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd

The command output should return the configuration information for the new listener:

{
	"Listeners": [
		{
			"Protocol": "HTTP",
			"DefaultActions": [
				{
					"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
					"Type": "forward"
				}
			],
			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd",
			"Port": 80,
			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-application-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
		}
	]
}

For Network Load Balancers (NLBs):

Run create-load-balancer command (OSX/Linux/UNIX) to create a new web-tier Network Load Balancer (NLB):

aws elbv2 create-load-balancer
  --region us-east-1
  --name cc-network-load-balancer
  --type network
  --ip-address-type ipv4
  --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd
  --tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

The command output should return the new NLB metadata:

{
	"LoadBalancers": [
		{
			"VpcId": "vpc-0abcd1234abcd1234",
			"State": {
				"Code": "active"
			},
			"LoadBalancerName": "cc-network-load-balancer",
			"Scheme": "internal",

			...

			"Type": "network",
			"AvailabilityZones": [
				{
					"SubnetId": "subnet-0abcd1234abcd1234",
					"ZoneName": "us-east-1a"
				},
				{
					"SubnetId": "subnet-01234abcd1234abcd",
					"ZoneName": "us-east-1b"
				}
			]
		}
	]
}

Run create-target-group command (OSX/Linux/UNIX) to build the Target Group for the newly created Network Load Balancer (NLB):

aws elbv2 create-target-group
  --region us-east-1
  --name cc-nlb-target-group
  --protocol TCP
  --port 80
  --vpc-id vpc-12345678
  --health-check-protocol TCP
  --health-check-port traffic-port
  --health-check-interval-seconds 30
  --health-check-timeout-seconds 10
  --healthy-threshold-count 3
  --unhealthy-threshold-count 3
  --target-type instance

The command output should return the new Target Group metadata:

{
	"TargetGroups": [
		{
			"TargetType": "instance",
			"HealthCheckIntervalSeconds": 30,
			"VpcId": "vpc-12345678",
			"Protocol": "TCP",
			"HealthCheckTimeoutSeconds": 10,
			"HealthCheckProtocol": "TCP",

			...


			"UnhealthyThresholdCount": 3,
			"HealthyThresholdCount": 3,
			"Matcher": {},
			"HealthCheckPort": "traffic-port",
			"Port": 80,
			"TargetGroupName": "cc-nlb-target-group"
		}
	]
}

Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary TCP/TLS/UDP listener to the newly created Network Load Balancer:

aws elbv2 create-listener
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd
  --protocol TCP
  --port 80
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd

The command output should return the configuration information for the new listener:

{
	"Listeners": [
		{
		"Protocol": "TCP",
		"DefaultActions": [
			{
				"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
				"Type": "forward"
			}
		],
		"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd",                                            
		"Port": 80,
		"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-network-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
		}
	]
}

08 Run attach-load-balancer-target-groups command (OSX/Linux/UNIX) to attach the Target Group associated with your Application/Network Load Balancer to the selected web-tier Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancer-target-groups
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --target-group-arns aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd

09 Repeat steps no. 1 – 8 for each web-tier ASG that you want to reconfigure, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
describe-auto-scaling-groups
attach-load-balancers
attach-load-balancer-target-groups
create-security-group
authorize-security-group-ingress
authorize-security-group-egress
create-load-balancer
create-load-balancer
create-target-group
create-listener

Publication date Apr 1, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related AutoScaling rules