ELB Connection Draining Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ELB-003

Ensure that the Connection Draining feature is enabled for your Amazon Classic Load Balancers. The feature allows existing requests to complete before the load balancer shifts traffic away from a deregistered or unhealthy backend EC2 instance.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Enabling the Connection Draining feature provides better management of the compute resources behind your Classic Load Balancers, such as replacing backend EC2 instances without impacting the user experience. For example, you can take an EC2 instance out of service and replace it with a fresh instance that contains up-to-date software without breaking open network connections: in-flight requests to the deregistered instance are allowed to complete (up to the configured timeout) before traffic is fully shifted away.


Audit

To determine if Connection Draining is enabled for your Classic Load Balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Instances tab from the console bottom panel to access the backend instances configuration available for the selected load balancer.

07 Check the Connection Draining attribute value to determine the feature status. If the Connection Draining attribute value is set to Disabled, the Connection Draining reliability feature is not enabled for the selected Amazon Classic Load Balancer.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run describe-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to determine if Connection Draining is enabled for the selected load balancer:

aws elb describe-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'LoadBalancerAttributes.ConnectionDraining.Enabled'

04 The command output should return the reliability feature status (true for enabled, false for disabled):

false

If the describe-load-balancer-attributes command output returns false, the Connection Draining feature is not enabled for the selected Amazon Classic Load Balancer.

05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
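The CLI audit above can be scripted so that every Classic Load Balancer in a region is evaluated in one pass. The following is an added example, not code from the Conformity page: it evaluates the LoadBalancerAttributes structure returned by describe-load-balancer-attributes, lists the non-compliant load balancers, and builds the attribute payload used by modify-load-balancer-attributes for remediation. The sample responses are constructed, and the boto3 helper (assumed to run with valid AWS credentials) is imported lazily so the rest runs offline.

```python
"""Audit Classic Load Balancers for Connection Draining (Conformity rule ELB-003)."""
from typing import Any, Dict, List


def is_connection_draining_enabled(attributes: Dict[str, Any]) -> bool:
    """True only when ConnectionDraining.Enabled is literally true.

    A missing or malformed ConnectionDraining block is reported as disabled,
    which is the safe (non-compliant) reading for an audit.
    """
    draining = attributes.get("ConnectionDraining") or {}
    return draining.get("Enabled") is True


def audit_classic_load_balancers(attributes_by_name: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the (sorted) names of load balancers whose draining is disabled.

    Keys are load balancer names; values are the LoadBalancerAttributes
    object from describe-load-balancer-attributes.
    """
    return sorted(name for name, attrs in attributes_by_name.items()
                  if not is_connection_draining_enabled(attrs))


def draining_remediation_payload(timeout: int = 300) -> Dict[str, Any]:
    """Build the --load-balancer-attributes value used by the remediation step.

    The timeout is validated against the 1..3600 second range AWS accepts.
    """
    if not 1 <= timeout <= 3600:
        raise ValueError("Connection Draining timeout must be between 1 and 3600 seconds")
    return {"ConnectionDraining": {"Enabled": True, "Timeout": timeout}}


def audit_region_with_boto3(region: str) -> List[str]:
    """Live audit of one region (assumes boto3 and AWS credentials are available)."""
    import boto3  # imported lazily so the offline functions above need no SDK

    elb = boto3.client("elb", region_name=region)
    attributes_by_name: Dict[str, Dict[str, Any]] = {}
    for page in elb.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancerDescriptions"]:
            name = lb["LoadBalancerName"]
            resp = elb.describe_load_balancer_attributes(LoadBalancerName=name)
            attributes_by_name[name] = resp["LoadBalancerAttributes"]
    return audit_classic_load_balancers(attributes_by_name)


# Constructed sample responses for the two load balancer names used on this page.
SAMPLE_ATTRIBUTES: Dict[str, Dict[str, Any]] = {
    "cc-frontend-load-balancer": {"ConnectionDraining": {"Enabled": False, "Timeout": 300}},
    "cc-project5-load-balancer": {"ConnectionDraining": {"Enabled": True, "Timeout": 300}},
}

if __name__ == "__main__":
    print("Non-compliant:", audit_classic_load_balancers(SAMPLE_ATTRIBUTES))
```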

Remediation / Resolution

To enable the Connection Draining feature for your Amazon Classic Load Balancers, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Connection Draining for Classic Load Balancers",
  "Resources": {
    "ClassicLoadBalancer": {
      "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties" : {
        "LoadBalancerName" : "cc-frontend-load-balancer",
        "Scheme" : "internet-facing",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd" ],
        "Instances" : [ "i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd" ],
        "Listeners": [{
            "InstancePort": "80",
            "InstanceProtocol": "HTTP",
            "LoadBalancerPort": "80",
            "Protocol": "HTTP",
            "PolicyNames": []
        }],
        "HealthCheck": {
            "Target": "HTTP:80/index.html",
            "HealthyThreshold": "10",
            "UnhealthyThreshold": "2",
            "Interval": "50",
            "Timeout": "5"
        },
        "ConnectionDrainingPolicy" : {
            "Enabled" : true,
            "Timeout" : 300
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Connection Draining for Classic Load Balancers
Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-frontend-load-balancer
      Scheme: internet-facing
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-0abcd1234abcd1234
        - subnet-0abcdabcdabcdabcd
        - subnet-01234abcd1234abcd
      Instances:
        - i-0abcd1234abcd1234
        - i-0abcdabcdabcdabcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '80'
          Protocol: HTTP
          PolicyNames: []
      HealthCheck:
        Target: HTTP:80/index.html
        HealthyThreshold: '10'
        UnhealthyThreshold: '2'
        Interval: '50'
        Timeout: '5'
      ConnectionDrainingPolicy:
        Enabled: true
        Timeout: 300

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_elb" "classic-load-balancer" {
  name               = "cc-frontend-load-balancer"
  internal           = false
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-0abcd1234abcd1234", "subnet-0abcdabcdabcdabcd", "subnet-01234abcd1234abcd"]
  instances          = ["i-0abcd1234abcd1234", "i-0abcdabcdabcdabcd"]

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 10
    unhealthy_threshold = 2
    timeout             = 5
    target              = "HTTP:80/index.html"
    interval            = 50
  }

  # Enable Connection Draining for Classic Load Balancers
  connection_draining         = true
  connection_draining_timeout = 300

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to reconfigure.

06 Select the Instances tab from the console bottom panel to access the backend instances configuration available for the selected load balancer.

07 Click on the (Edit) link next to the Connection Draining status to modify the feature configuration.

08 In the Configure Connection Draining configuration box, select the Connection Draining checkbox to enable the feature. (Optional) For Timeout, set the number of seconds (between 1 and 3600) to allow existing traffic to continue flowing. Choose Save to apply the changes.

09 Repeat steps no. 5 – 8 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-load-balancer-attributes command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to enable the Connection Draining reliability feature for the selected Amazon Classic Load Balancer:

aws elb modify-load-balancer-attributes \
  --region us-east-1 \
  --load-balancer-name cc-frontend-load-balancer \
  --load-balancer-attributes "{\"ConnectionDraining\":{\"Enabled\":true,\"Timeout\":300}}"

02 The command output should return the Connection Draining feature configuration:

{
  "LoadBalancerName": "cc-frontend-load-balancer",
  "LoadBalancerAttributes": {
      "ConnectionDraining": {
          "Enabled": true,
          "Timeout": 300
      }
  }
}

03 Repeat steps no. 1 and 2 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Apr 1, 2016