
Configure Multiple Availability Zones for Gateway Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon Gateway Load Balancers (GWLBs) are configured to use multiple Availability Zones (AZs) in order to maintain application availability in the event of an infrastructure failure (AZ failure).

Reliability

One of the AWS cloud best practices is to enable at least two Availability Zones (AZs) for load balancers. This Multi-AZ configuration lets your load balancers keep routing traffic through an infrastructure failure or the disruption of a single Availability Zone. If one Availability Zone becomes unavailable or has no healthy targets, the load balancer can route traffic to the healthy targets in another Availability Zone. For a Gateway Load Balancer this matters twice over: the appliances behind it (firewalls, intrusion detection and prevention systems, deep packet inspection) sit inline on the traffic path, so a single-AZ GWLB makes one zone a single point of failure for every flow that transits those appliances.


Audit

To determine if your Amazon Gateway Load Balancers are using Multi-AZ configurations, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to examine. A Gateway Load Balancer (GWLB) has the Type attribute value set to gateway in the Type column.

05 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

06 In the Basic Configuration section, check the number of Availability Zones configured for the selected load balancer, listed next to Availability Zones. If there is just one subnet/zone listed for the Availability Zones, the selected Gateway Load Balancer (GWLB) is not using multiple Availability Zones (AZs), therefore the load balancer configuration is not fault-tolerant.

07 Repeat steps no. 4 – 6 for each Gateway Load Balancer available within the current AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Gateway Load Balancers (GWLBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `gateway`)].LoadBalancerArn'

02 The command output should return an array with the requested GWLB ARN(s):

[
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234"
]

03 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Gateway Load Balancer (GWLB) that you want to examine as the identifier parameter and custom query filters to describe the name of each Availability Zone (AZ) configured for the selected load balancer:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd \
  --query 'LoadBalancers[*].AvailabilityZones[*].ZoneName | []'

04 The command output should return the requested Availability Zone identifier(s):

[
	"us-east-1b"
]

If the describe-load-balancers command output returns just one AZ name, as shown in the output example above, the selected Gateway Load Balancer (GWLB) is not using multiple Availability Zones (AZs), therefore the load balancer configuration is not fault-tolerant.

05 Repeat steps no. 3 and 4 for each Gateway Load Balancer deployed in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
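The Audit steps above are per load balancer and per region, which does not scale past a handful of GWLBs. The following script is an added example (not part of the Conformity article or its tooling) that applies the same rule to the raw JSON of describe-load-balancers: it keeps only Type == gateway entries, counts distinct ZoneName values rather than subnet entries, and exits non-zero when any GWLB spans fewer than two zones so it can gate a CI job. The sample payload embedded at the bottom is constructed from the page's placeholder ARNs, with an invented application load balancer added to show that other types are ignored; the script name and --regions flag are this example's own.

```python
"""
gwlb_az_check.py - flag Gateway Load Balancers served from fewer than two AZs.

Pipe the JSON from `aws elbv2 describe-load-balancers` into it, or pass
--regions to let it run the CLI for several regions in one go.
"""
import json
import subprocess
import sys

MIN_ZONES = 2  # the rule's threshold: at least two Availability Zones


def single_az_gwlbs(describe_output):
    """Return findings for every Type == "gateway" load balancer in a
    describe-load-balancers payload that spans fewer than MIN_ZONES zones.

    Zones are counted as distinct ZoneName values, not subnet entries.
    Other load balancer types are ignored; they are out of scope for this rule.
    """
    findings = []
    for lb in describe_output.get("LoadBalancers", []):
        if lb.get("Type") != "gateway":
            continue
        zones = sorted({az["ZoneName"] for az in lb.get("AvailabilityZones", [])})
        if len(zones) < MIN_ZONES:
            findings.append({
                "LoadBalancerArn": lb["LoadBalancerArn"],
                "LoadBalancerName": lb.get("LoadBalancerName", ""),
                "Zones": zones,
            })
    return findings


def describe_load_balancers(region):
    """Run the AWS CLI for one region and parse its JSON output."""
    result = subprocess.run(
        ["aws", "elbv2", "describe-load-balancers",
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def main(argv):
    if len(argv) > 2 and argv[1] == "--regions":
        payloads = {region: describe_load_balancers(region) for region in argv[2:]}
    else:
        payloads = {"stdin": json.load(sys.stdin)}
    total = 0
    for region, payload in payloads.items():
        for finding in single_az_gwlbs(payload):
            total += 1
            print(f"NON-COMPLIANT [{region}] {finding['LoadBalancerArn']} "
                  f"zones={','.join(finding['Zones']) or 'none'}")
    return 1 if total else 0  # non-zero exit lets a CI job fail on findings


# Constructed sample payload in the shape of describe-load-balancers output
# (placeholder ARNs, not real resources): one single-AZ GWLB, one compliant
# GWLB and a single-AZ application load balancer the rule must ignore.
SAMPLE_DESCRIBE_OUTPUT = {"LoadBalancers": [
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
     "LoadBalancerName": "cc-project5-gwlb", "Type": "gateway",
     "AvailabilityZones": [{"ZoneName": "us-east-1b", "SubnetId": "subnet-abcd1234"}]},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234",
     "LoadBalancerName": "cc-staging-gwlb", "Type": "gateway",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-1234abcd"},
                           {"ZoneName": "us-east-1c", "SubnetId": "subnet-abcdabcd"}]},
    {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/1234123412341234",
     "LoadBalancerName": "cc-web-alb", "Type": "application",
     "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-1234abcd"}]},
]}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `aws elbv2 describe-load-balancers --region us-east-1 | python3 gwlb_az_check.py`, or `python3 gwlb_az_check.py --regions us-east-1 eu-west-1` to sweep several regions with the credentials in your current profile.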

Remediation / Resolution

To configure multiple Availability Zones (AZs) for your Amazon Gateway Load Balancers (GWLBs), you have to re-create your load balancers with the appropriate AZ configuration. Each subnet you attach must be in a different Availability Zone; the service rejects two subnets from the same zone, so pick one subnet per zone. Because a Gateway Load Balancer is the backend of a VPC endpoint service, and the Gateway Load Balancer endpoints in your route tables consume that service, replacing the load balancer also means re-pointing the endpoint service and endpoints at the new one; plan the cut-over as a maintenance window for the traffic inspected by the appliances behind it. To create Gateway Load Balancers with multiple Availability Zones, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"GatewayLoadBalancer": {
			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
			"Properties": {
				"Name": "cc-gateway-load-balancer",
				"Type": "gateway",
				"LoadBalancerAttributes": [
					{
						"Key": "load_balancing.cross_zone.enabled",
						"Value": "true"
					}
				],
				"SubnetMappings": [
					{
						"SubnetId": "subnet-01234abcd1234abcd"
					},
					{
						"SubnetId": "subnet-0abcd1234abcd1234"
					},
					{
						"SubnetId": "subnet-0abcdabcdabcdabcd"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-gateway-load-balancer
      Type: gateway
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: 'true'
      SubnetMappings:
        - SubnetId: subnet-01234abcd1234abcd
        - SubnetId: subnet-0abcd1234abcd1234
        - SubnetId: subnet-0abcdabcdabcdabcd

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_lb" "gateway-load-balancer" {
	name                             = "cc-gateway-load-balancer"
	load_balancer_type               = "gateway"
	enable_cross_zone_load_balancing = true
	subnet_mapping {
		subnet_id = "subnet-01234abcd1234abcd"
	}
	subnet_mapping {
		subnet_id = "subnet-0abcd1234abcd1234"
	}
	subnet_mapping {
		subnet_id = "subnet-0abcdabcdabcdabcd"
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to re-create, copy the resource configuration information (attributes, listeners, tags, and so on), then choose Actions, and select Delete to remove the non-compliant load balancer before creating a new one.

05 In the confirmation box, choose Yes, Delete to delete the selected load balancer. This will release the associated target group so it can be attached to the replacement load balancer.

06 Choose Create Load Balancer from the console top menu to create a new Amazon Gateway Load Balancer.

07 Select Create under Gateway Load Balancer to select the type of the load balancer that you want to provision. Use the configuration information identified at step no. 4 to launch the new load balancer.

08 On the Create Gateway Load Balancer setup page, perform the following actions:

  1. Provide a unique name for your new GWLB in the Load balancer name box.
  2. Choose the right IP address type from the IP address type.
  3. Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
  4. For Network mapping, select at least two Availability Zones for a Multi-AZ configuration. The load balancer will route traffic only to targets in the selected Availability Zones.
  5. For IP listener routing, select the name of the target group associated with the source (non-compliant) load balancer from the Default action dropdown list.
  6. (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
  7. In the Summary section, review your load balancer configuration.
  8. Choose Create load balancer to launch your new Gateway Load Balancer.
  9. Choose View load balancer to return to the Amazon EC2 console.

09 Repeat steps no. 4 – 8 for each Gateway Load Balancer that you want to re-create, available within the current AWS cloud region.

10 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Gateway Load Balancer (GWLB) that you want to re-create as the identifier parameter, to describe the configuration information available for the selected load balancer:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd \
  --query 'LoadBalancers[*]'

02 The command output should return the requested configuration information:

[
	{
		"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
		"CreatedTime": "2021-01-15T10:00:00.000000+00:00",
		"LoadBalancerName": "cc-project5-gwlb",
		"VpcId": "vpc-abcdabcd",
		"State": {
			"Code": "active"
		},
		"Type": "gateway",
		"AvailabilityZones": [
			{
				"ZoneName": "us-east-1a",
				"SubnetId": "subnet-abcd1234"
			}
		]
	}
]

03 Run describe-subnets command (OSX/Linux/UNIX) using the VpcId returned at the previous step to list the subnets created for that Virtual Private Cloud (VPC) and the names of their Availability Zones (AZs):

aws ec2 describe-subnets \
  --region us-east-1 \
  --filters "Name=vpc-id,Values=vpc-abcdabcd" \
  --query 'Subnets[*].{"AvailabilityZone":AvailabilityZone, "SubnetId":SubnetId}'

04 The command output should return the requested subnets and their associated AZs. Note which subnet sits in which zone; the replacement load balancer needs one subnet from each of at least two distinct zones:

[
	{
		"AvailabilityZone": "us-east-1a",
		"SubnetId": "subnet-abcd1234"
	},
	{
		"AvailabilityZone": "us-east-1b",
		"SubnetId": "subnet-1234abcd"
	},
	{
		"AvailabilityZone": "us-east-1c",
		"SubnetId": "subnet-abcdabcd"
	},
	{
		"AvailabilityZone": "us-east-1d",
		"SubnetId": "subnet-12341234"
	}
]

05 Run create-load-balancer command (OSX/Linux/UNIX) to create a new Gateway Load Balancer (GWLB) using the configuration information collected at the previous steps. Configure multiple Availability Zones by adding subnet IDs to the --subnets command parameter:

aws elbv2 create-load-balancer \
  --region us-east-1 \
  --name cc-project5-multi-az-gwlb \
  --type gateway \
  --subnets subnet-abcd1234 subnet-1234abcd subnet-abcdabcd subnet-12341234

06 The command output should return the configuration information available for the new load balancer:

{
	"LoadBalancers": [
		{
			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234",
			"CreatedTime": "2021-01-15T10:00:00.877000+00:00",
			"LoadBalancerName": "cc-project5-multi-az-gwlb",
			"VpcId": "vpc-abcdabcd",
			"State": {
				"Code": "provisioning"
			},
			"Type": "gateway",
			"AvailabilityZones": [
				{
					"ZoneName": "us-east-1a",
					"SubnetId": "subnet-abcd1234"
				},
				{
					"ZoneName": "us-east-1b",
					"SubnetId": "subnet-1234abcd"
				},
				{
					"ZoneName": "us-east-1c",
					"SubnetId": "subnet-abcdabcd"
				},
				{
					"ZoneName": "us-east-1d",
					"SubnetId": "subnet-12341234"
				}
			]
		}
	]
}

07 Run describe-listeners command (OSX/Linux/UNIX) to describe the listener(s) associated with the Gateway Load Balancer that you want to re-create (i.e. source load balancer):

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd

08 The command output should return the GWLB listener(s) configuration information:

{
	"Listeners": [
		{
			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/gwy/cc-project5-gwlb/abcdabcdabcdabcd/abcd1234abcd1234",
			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
			"DefaultActions": [
				{
					"Type": "forward",
					"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12",
					"ForwardConfig": {
						"TargetGroups": [
							{
								"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12"
							}
						]
					}
				}
			]
		}
	]
}

09 Run delete-load-balancer command (OSX/Linux/UNIX) to delete the source (non-compliant) Gateway Load Balancer (GWLB). Do this before creating the listener on the new load balancer: deleting the source releases the associated target group so the new listener can forward to it (the command does not produce an output):

aws elbv2 delete-load-balancer \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd

10 Run create-listener command (OSX/Linux/UNIX) to create a listener for the new (compliant) Gateway Load Balancer and to forward the requests to the specified target group:

aws elbv2 create-listener \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12

11 The command output should return the configuration information for the new listener:

{
	"Listeners": [
		{
			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234/1234abcd1234abcd",
			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234",
			"DefaultActions": [
				{
					"Type": "forward",
					"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12",
					"ForwardConfig": {
						"TargetGroups": [
							{
								"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12"
							}
						]
					}
				}
			]
		}
	]
}

12 Repeat steps no. 1 – 11 for each Gateway Load Balancer that you want to re-create, available in the selected AWS cloud region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
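Steps 01 to 11 above are a manual cut-over with two easy mistakes: passing two subnets from the same zone to create-load-balancer, and typing the wrong target group ARN into create-listener. The following script is an added example (not part of the Conformity article) that turns the describe-subnets and describe-listeners output collected in those steps into a reviewable shell script in the same order the page uses: create the Multi-AZ replacement and wait for it, delete the source so its target group is released, then attach a listener that forwards to that same target group. It picks one subnet per Availability Zone, refuses to proceed with fewer than two zones, and never calls AWS itself. The sample subnets and listener are constructed from the page's placeholder IDs, with one extra same-zone subnet invented to show the de-duplication; the script name, function names and the NEW_GWLB_ARN shell variable are this example's own.

```python
"""
gwlb_multi_az_plan.py - generate the cut-over script for the CLI remediation
steps above from the describe-* output they collect.

The script it prints is meant to be reviewed, then run; nothing here calls AWS.
"""
import shlex


def pick_one_subnet_per_az(subnets, min_zones=2):
    """Pick one subnet per Availability Zone from describe-subnets output.

    The ELBv2 API rejects two subnets from the same zone, so when a VPC has
    several subnets in one zone only the first listed is kept. Fewer than
    min_zones distinct zones is an error: the replacement would be no better
    than the load balancer being retired.
    """
    by_zone = {}
    for subnet in subnets:
        by_zone.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    if len(by_zone) < min_zones:
        raise ValueError(
            f"VPC offers {len(by_zone)} Availability Zone(s); need at least {min_zones}")
    return [by_zone[zone] for zone in sorted(by_zone)]


def forward_target_group(listeners_output):
    """Return the single target group the source GWLB listener forwards to."""
    arns = [
        action["TargetGroupArn"]
        for listener in listeners_output["Listeners"]
        for action in listener["DefaultActions"]
        if action["Type"] == "forward"
    ]
    if len(arns) != 1:
        raise ValueError(f"expected one forward action, found {len(arns)}")
    return arns[0]


def cutover_commands(region, source_lb_arn, new_name, subnets, listeners_output):
    """Ordered shell commands: create the Multi-AZ replacement and wait for it,
    delete the source (releasing its target group), then attach the listener.
    """
    q = shlex.quote
    subnet_ids = " ".join(q(s) for s in pick_one_subnet_per_az(subnets))
    target_group = forward_target_group(listeners_output)
    return [
        f"NEW_GWLB_ARN=$(aws elbv2 create-load-balancer --region {q(region)} "
        f"--name {q(new_name)} --type gateway --subnets {subnet_ids} "
        f"--query 'LoadBalancers[0].LoadBalancerArn' --output text)",
        f"aws elbv2 wait load-balancer-available --region {q(region)} "
        f'--load-balancer-arns "$NEW_GWLB_ARN"',
        f"aws elbv2 delete-load-balancer --region {q(region)} "
        f"--load-balancer-arn {q(source_lb_arn)}",
        f"aws elbv2 create-listener --region {q(region)} "
        f'--load-balancer-arn "$NEW_GWLB_ARN" '
        f"--default-actions Type=forward,TargetGroupArn={q(target_group)}",
    ]


# Constructed sample input mirroring the page's placeholders (not real resources).
SAMPLE_SUBNETS = [
    {"AvailabilityZone": "us-east-1a", "SubnetId": "subnet-abcd1234"},
    {"AvailabilityZone": "us-east-1a", "SubnetId": "subnet-0aaaa1111"},  # same zone, skipped
    {"AvailabilityZone": "us-east-1b", "SubnetId": "subnet-1234abcd"},
    {"AvailabilityZone": "us-east-1c", "SubnetId": "subnet-abcdabcd"},
    {"AvailabilityZone": "us-east-1d", "SubnetId": "subnet-12341234"},
]
SOURCE_GWLB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                   "loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd")
SAMPLE_LISTENERS = {"Listeners": [{"DefaultActions": [{
    "Type": "forward",
    "TargetGroupArn": ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                       "targetgroup/cc-project5-target-group/1234abcd1234abcd12"),
}]}]}

if __name__ == "__main__":
    print("#!/bin/sh\nset -eu")
    for command in cutover_commands("us-east-1", SOURCE_GWLB_ARN,
                                    "cc-project5-multi-az-gwlb",
                                    SAMPLE_SUBNETS, SAMPLE_LISTENERS):
        print(command)
```

Running it prints a four-command script; feed it your own `aws ec2 describe-subnets` and `aws elbv2 describe-listeners` JSON in place of the constructed samples, read the result, and only then execute it. The wait step matters: create-listener against a load balancer still in the provisioning state fails, and the listener is what puts the appliances back on the traffic path.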


Publication date Feb 6, 2021
