Configure Multiple Availability Zones for Gateway Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Ensure that your Amazon Gateway Load Balancers (GWLBs) are configured to use multiple Availability Zones (AZs) in order to maintain application availability in the event of a failure such as an Availability Zone outage or an internal hardware or network outage.

Reliability

One of the AWS cloud best practices is to enable at least two Availability Zones (AZs) for load balancers. This Multi-AZ configuration helps ensure that your load balancers can continue to route traffic and helps protect your systems against failures and Availability Zone disruptions. If one Availability Zone becomes unavailable or has no healthy targets, the load balancer can route traffic to the healthy targets in another Availability Zone.


Audit

To determine if your Amazon Gateway Load Balancers are using Multi-AZ configurations, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to examine. A Gateway Load Balancer (GWLB) shows the value gateway in the Type column.

05 Select the Description tab to access the configuration information available for the selected load balancer.

06 In the Basic Configuration section, check the number of Availability Zones configured for the selected load balancer, listed next to Availability Zones. If there is just one Availability Zone listed, the selected Amazon Gateway Load Balancer (GWLB) is not using multiple Availability Zones (AZs), therefore the load balancer configuration is not fault-tolerant.

07 Repeat steps no. 4 – 6 for each Gateway Load Balancer available within the current AWS region.

08 Change the AWS region from the navigation bar and repeat the audit process for other cloud regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all the Gateway Load Balancers (GWLBs) available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[?(Type == `gateway`)].LoadBalancerArn'

02 The command output should return an array with the requested GWLB ARN(s):

[
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-staging-gwlb/abcd1234abcd1234"
]

03 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Amazon Gateway Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the name of each Availability Zone (AZ) configured for the selected load balancer:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd \
  --query 'LoadBalancers[*].AvailabilityZones[*].ZoneName | []'

04 The command output should return the requested AZ identifier(s):

[
  "us-east-1a"
]

If the describe-load-balancers command output returns just one Availability Zone name, as shown in the output example above, the selected Amazon Gateway Load Balancer (GWLB) is not using multiple Availability Zones (AZs), therefore the load balancer configuration is not fault-tolerant.

05 Repeat steps no. 3 and 4 for each Gateway Load Balancer deployed in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
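The audit above can be scripted instead of inspecting each load balancer by hand. The helper below is an added example (not Conformity's own tooling): it evaluates the JSON that the describe-load-balancers command prints and reports every Gateway Load Balancer with fewer than two Availability Zones. The embedded sample is constructed from the output shown on this page plus one constructed application load balancer, to show that other types are skipped.

```python
"""Flag Gateway Load Balancers that use a single Availability Zone.

Usage against a real region (pipes the page's command into this script):
    aws elbv2 describe-load-balancers --region us-east-1 | python3 gwlb_az_audit.py
Run without input, it evaluates the constructed SAMPLE below.
"""
import json
import sys

MIN_AZS = 2  # the check's threshold: at least two Availability Zones


def audit_gwlb_azs(load_balancers, min_azs=MIN_AZS):
    """Return {arn: [zone names]} for each Gateway Load Balancer with fewer
    than min_azs distinct Availability Zones; non-gateway types are skipped."""
    findings = {}
    for lb in load_balancers:
        if lb.get("Type") != "gateway":
            continue
        zones = sorted({az["ZoneName"] for az in lb.get("AvailabilityZones", [])})
        if len(zones) < min_azs:
            findings[lb["LoadBalancerArn"]] = zones
    return findings


# Constructed sample in the shape of the describe-load-balancers output.
SAMPLE = {
    "LoadBalancers": [
        {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
         "Type": "gateway",
         "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-abcd1234"}]},
        {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234",
         "Type": "gateway",
         "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-abcd1234"},
                               {"ZoneName": "us-east-1b", "SubnetId": "subnet-1234abcd"}]},
        # Constructed ALB entry: not a gateway type, so it is never reported.
        {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-web-alb/0000000000000000",
         "Type": "application",
         "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-abcd1234"}]},
    ]
}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for arn, zones in audit_gwlb_azs(data["LoadBalancers"]).items():
        print(f"NON-COMPLIANT {arn}: only {len(zones)} AZ(s) {zones}")
```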

Remediation / Resolution

To configure multiple Availability Zones (AZs) for your Amazon Gateway Load Balancers (GWLBs), you have to re-create your load balancers with the appropriate AZ configuration. To create Gateway Load Balancers with multiple Availability Zones, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the Gateway Load Balancer that you want to re-create, copy the resource configuration information (attributes, listeners, tags, and so on), then click on the Actions dropdown menu and choose Delete.

05 Inside the confirmation box, choose Yes, Delete to delete the non-compliant load balancer.

06 Select Create Load Balancer from the console top menu to create a new Amazon Gateway Load Balancer.

07 Choose Create under Gateway Load Balancer to select the type of the load balancer that you want to set up. Use the configuration information identified at step no. 4 to launch the new load balancer.

08 On the Step 1: Configure Load Balancer page, provide a unique name for your new Gateway Load Balancer, choose the Virtual Private Cloud (VPC) where you want to deploy the load balancer, then select at least two Availability Zones (AZs) from the Availability Zones configuration section. (Optional) To add tags to your new load balancer, use the Add tag button available in the Tags section. Click Next: Configure Routing to continue the setup process.

09 On the Step 2: Configure Routing page, choose Existing target group from the Target group dropdown list, and select the name of the target group associated with the source (non-compliant) load balancer from the Name dropdown list. The health check configuration settings available in the Health checks section remain unchanged. Click Next: Register Targets to continue.

10 On the Step 3: Register Targets page, review the target(s) registered with the target group that you have selected at the previous step. Choose Next: Review.

11 On the Step 4: Review page, review the load balancer configuration details, then choose Create to launch your new Amazon Gateway Load Balancer (GWLB).

12 On the Load Balancer Creation status page, wait for the confirmation message, then choose Close to return to the main console.

13 Replace the Amazon Resource Name (ARN) of the source load balancer with the ARN of the new load balancer within your system(s) configuration.

14 Repeat steps no. 4 – 13 to configure multiple Availability Zones for other Amazon Gateway Load Balancers available within the current AWS region.

15 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Amazon Gateway Load Balancer that you want to re-create as the identifier parameter, to describe the configuration information available for the selected load balancer:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd \
  --query 'LoadBalancers[*]'

02 The command output should return the requested configuration information:

[
  {
    "LoadBalancerArn":
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
    "CreatedTime": "2021-01-15T10:00:00.000000+00:00",
    "LoadBalancerName": "cc-project5-gwlb",
    "VpcId": "vpc-abcdabcd",
    "State": {
      "Code": "active"
    },
    "Type": "gateway",
    "AvailabilityZones": [
      {
        "ZoneName": "us-east-1a",
        "SubnetId": "subnet-abcd1234"
      }
    ]
  }
]

03 Run describe-subnets command (OSX/Linux/UNIX) to list the subnets created for the specified Virtual Private Cloud (VPC) and the names of the associated Availability Zones (AZs):

aws ec2 describe-subnets \
  --region us-east-1 \
  --filters "Name=vpc-id,Values=vpc-abcdabcd" \
  --query 'Subnets[*].{"AvailabilityZone":AvailabilityZone, "SubnetId":SubnetId}'

04 The command output should return the requested subnets and their associated AZs:

[
  {
    "AvailabilityZone": "us-east-1a",
    "SubnetId": "subnet-abcd1234"
  },
  {
    "AvailabilityZone": "us-east-1b",
    "SubnetId": "subnet-1234abcd"
  },
  {
    "AvailabilityZone": "us-east-1c",
    "SubnetId": "subnet-abcdabcd"
  },
  {
    "AvailabilityZone": "us-east-1d",
    "SubnetId": "subnet-12341234"
  }
]

05 Run create-load-balancer command (OSX/Linux/UNIX) to create a new Amazon Gateway Load Balancer (GWLB) using the configuration information gathered at the previous steps. Configure multiple Availability Zones by adding subnet IDs from at least two different Availability Zones to the --subnets command parameter (specify at most one subnet per Availability Zone):

aws elbv2 create-load-balancer \
  --region us-east-1 \
  --name cc-project5-multi-az-gwlb \
  --type gateway \
  --subnets subnet-abcd1234 subnet-1234abcd subnet-abcdabcd subnet-12341234

06 The command output should return the metadata for the newly created load balancer:

{
  "LoadBalancers": [
    {
      "LoadBalancerArn":
      "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234",
      "CreatedTime": "2021-01-15T10:00:00.877000+00:00",
      "LoadBalancerName": "cc-project5-multi-az-gwlb",
      "VpcId": "vpc-abcdabcd",
      "State": {
        "Code": "provisioning"
      },
      "Type": "gateway",
      "AvailabilityZones": [
        {
          "ZoneName": "us-east-1a",
          "SubnetId": "subnet-abcd1234"
        },
        {
          "ZoneName": "us-east-1b",
          "SubnetId": "subnet-1234abcd"
        },
        {
          "ZoneName": "us-east-1c",
          "SubnetId": "subnet-abcdabcd"
        },
        {
          "ZoneName": "us-east-1d",
          "SubnetId": "subnet-12341234"
        }
      ]
    }
  ]
}

07 Run describe-listeners command (OSX/Linux/UNIX) to describe the listener(s) associated with the Amazon Gateway Load Balancer that you want to re-create (source load balancer):

aws elbv2 describe-listeners \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd

08 The command output should return the GWLB listener(s) configuration information:

{
  "Listeners": [
    {
      "ListenerArn":
      "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/gwy/cc-project5-gwlb/abcdabcdabcdabcd/abcd1234abcd1234",
      "LoadBalancerArn":
      "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd",
      "DefaultActions": [
        {
          "Type": "forward",
          "TargetGroupArn":
          "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12",
          "ForwardConfig": {
            "TargetGroups": [
              {
                "TargetGroupArn":
                "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12"
              }
            ]
          }
        }
      ]
    }
  ]
}

09 Run delete-load-balancer command (OSX/Linux/UNIX) to delete the source (non-compliant) Amazon Gateway Load Balancer (GWLB). This will release the associated target group (the command does not produce an output):

aws elbv2 delete-load-balancer \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-gwlb/abcdabcdabcdabcd

10 Run create-listener command (OSX/Linux/UNIX) to create a listener for the new (compliant) Amazon Gateway Load Balancer and to forward the load balancer requests to the target group identified at step no. 8:

aws elbv2 create-listener \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12

11 The command output should return the metadata for the newly created listener:

{
  "Listeners": [
    {
      "ListenerArn":
      "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234/1234abcd1234abcd",
      "LoadBalancerArn":
      "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/cc-project5-multi-az-gwlb/abcd1234abcd1234",
      "DefaultActions": [
        {
          "Type": "forward",
          "TargetGroupArn":
          "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12",
          "ForwardConfig": {
            "TargetGroups": [
              {
                "TargetGroupArn":
                "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/1234abcd1234abcd12"
              }
            ]
          }
        }
      ]
    }
  ]
}

12 Replace the Amazon Resource Name (ARN) of the source load balancer with the ARN of the new load balancer within your system(s) configuration.

13 Repeat steps no. 1 – 12 to configure multiple Availability Zones for other Amazon Gateway Load Balancers available in the selected AWS region.

14 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 13 to perform the entire remediation process for other regions.
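Steps 3 to 5 of the CLI remediation turn the describe-subnets output into the --subnets value for create-load-balancer. The helper below is an added example (not Conformity's own tooling) that does this selection: it keeps one subnet per Availability Zone, because a load balancer accepts at most one subnet in each AZ, and refuses to proceed when the VPC spans fewer than two AZs, in which case the new load balancer could not satisfy this check. The sample is constructed from the page's four subnets plus a second, constructed subnet in us-east-1a.

```python
"""Pick one subnet per Availability Zone for `aws elbv2 create-load-balancer --subnets`.

Usage against a real VPC (pipes the page's step 3 command into this script):
    aws ec2 describe-subnets --region us-east-1 --filters "Name=vpc-id,Values=vpc-abcdabcd" \
      --query 'Subnets[*].{"AvailabilityZone":AvailabilityZone, "SubnetId":SubnetId}' \
      | python3 gwlb_subnets.py
Run without input, it uses the constructed SAMPLE below.
"""
import json
import sys

MIN_AZS = 2  # a compliant Gateway Load Balancer needs at least two AZs


def pick_subnets_per_az(subnets, min_azs=MIN_AZS):
    """Return subnet IDs sorted by AZ name, one per AZ (the first subnet listed
    in each AZ wins). Raise ValueError when fewer than min_azs AZs are available."""
    chosen = {}
    for subnet in subnets:
        chosen.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    if len(chosen) < min_azs:
        raise ValueError(f"VPC spans {len(chosen)} AZ(s); need at least {min_azs}")
    return [chosen[az] for az in sorted(chosen)]


# Constructed sample: the page's subnets plus subnet-aaaa0001 (constructed), a second
# subnet in us-east-1a that must not be passed alongside subnet-abcd1234.
SAMPLE = [
    {"AvailabilityZone": "us-east-1a", "SubnetId": "subnet-abcd1234"},
    {"AvailabilityZone": "us-east-1a", "SubnetId": "subnet-aaaa0001"},
    {"AvailabilityZone": "us-east-1b", "SubnetId": "subnet-1234abcd"},
    {"AvailabilityZone": "us-east-1c", "SubnetId": "subnet-abcdabcd"},
    {"AvailabilityZone": "us-east-1d", "SubnetId": "subnet-12341234"},
]

if __name__ == "__main__":
    subnets = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    # Prints the space-separated value for the --subnets parameter (step 5).
    print(" ".join(pick_subnets_per_az(subnets)))
```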

Publication date Feb 6, 2021
