Logo of Trend Micro

Unused Elastic Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: ELB-001

Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

Any Elastic Load Balancer configured in your AWS account is adding charges to your monthly bill, regardless of whether it is active or not. If your ELB have no associated back-end instances, consider registering instances or deleting it. If your ELB has no healthy backend instances, consider troubleshooting the configuration or deleting it. Removing AWS components that aren’t being utilised, like the Elastic Load Balancer, will help you avoid unexpected charges on your bill.

Audit

Case A: To determine if your ELB has no registered instances, perform the following

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Description tab from the bottom panel.

06 Search for the Status section:

Status section of Load Balancer on AWS console

07 If the selected load balancer status is “0 of 0 instances in service”:

In service section of Load Balancer on AWS console

it means that there are no registered backend instances and the ELB can be safely removed.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) to determine if your ELB has any EC2 backend instances registered to it: 

aws elb describe-load-balancers \
	--load-balancer-name MyWebELB

02 The command output should reveal the IDs of the instances behind the load balancer. If the Instances list is empty [], the ELB is unused and can be safely removed. 

{
    "LoadBalancerDescriptions": [
        {
            "Subnets": [
                "subnet-91625dd7",
                "subnet-aaafce90",
                "subnet-d4247bfc",
                "subnet-df0e1cab"
            ],
            "HealthCheck": {
                "HealthyThreshold": 10,
                "Interval": 30,
                "Target": "HTTP:80/index.html",
                "Timeout": 5,
                "UnhealthyThreshold": 2
            },
            "VPCId": "vpc-f7ac5792",
            "BackendServerDescriptions": [],
            "Instances": [],
            "DNSName": "MyWebELB-140230182.us-east-1.elb.amazonaws.com",
            "SecurityGroups": [
                "sg-f28ada8a"
            ],
            "LoadBalancerName": "MyWebELB",
            "CreatedTime": "2016-04-02T15:03:20.890Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1e"
            ],
            "Scheme": "internet-facing",
        }
    ]
}

Audit

Case B: To determine if your ELB has no healthy backend instances, perform the following

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your Elastic Load Balancer.

05 Select the Instances tab from the bottom panel.

06 Search for any registered instance:

Registered instances on Load Balancer on AWS console

07 If the current status of the registered instances is "OutOfService" and the description field displays the following message: "Instance has failed at least the UnhealthyThreshold number of health checks consecutively", it means that the instances are marked unhealthy and the ELB can be safely removed.

Using AWS CLI

01 Run describe-instance-health command (OSX/Linux/UNIX) to determine if your ELB has any unhealthy backend instances registered with it: 

aws elb describe-instance-health \
	--load-balancer-name MyWebELB

02 The command output should reveal each backend instance status. If each instance State is “OutOfService” and the Description message is “Instance has failed at least the UnhealthyThreshold number of health checks consecutively", the ELB has unhealthy instances and can be safely removed. 

{
    "InstanceStates": [
        {
            "InstanceId": "i-2c9598b6",
            "ReasonCode": "Instance",
            "State": "OutOfService",
            "Description": "Instance has failed at least the UnhealthyThreshold number of health checks consecutively."
        }
}

Remediation / Resolution

To remove any unused or inactive Elastic Load Balancers from your AWS account, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard

03 In the navigation panel, under Load balancing, click Load Balancers.

04 Select your unused Elastic Load Balancer.

05 Click the Actions dropdown from the ELB dashboard top menu:

Select Actions on the ELB top menu on AWS console

and select Delete:

Select Delete on the drop down menu on AWS console

06 In the Delete Load Balancer dialog box, confirm the action and click Yes, Delete.

Using AWS CLI

01 Run delete-load-balancer command (OSX/Linux/UNIX) to delete any unused or inactive Elastic Load Balancers from your account via AWS CLI: 

aws elb delete-load-balancer \
	--load-balancer-name MyWebELB

02 The make sure your ELB was successfully removed, run describe-load-balancers command using the name of the deleted load balancer as the parameter (MyWebELB in this case): 

aws elb describe-load-balancers \
	--load-balancer-name MyWebELB

03 The command output should return the LoadBalancerNotFound error:

A client error (LoadBalancerNotFound) occurred when calling the DescribeLoadBalancers operation: Cannot find Load Balancer MyWebELB

References

Publication date Apr 29, 2016

Related ELB rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unused Elastic Load Balancers

Risk level: Low