Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Internet Facing ELBv2 Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELBv2-007

Ensure that all internet-facing Application Load Balancers (ALBs) and Network Load Balancers (NLBs) available within your AWS cloud account are regularly reviewed for security purposes. An internet-facing load balancer has a publicly resolvable DNS name (identified by an A record), required to route requests/connections from clients over the Internet to the target instances registered with the ELBv2 load balancer. On the other hand, an internal ELBv2 load balancer is commonly used within a multi-tier architecture, where you have front-end web servers that perform requests to an internal load balancer, using private IP addresses that are resolved from the internal load balancer's DNS name. Trend Cloud One™ – Conformity strongly recommends reviewing your Application Load Balancers and Network Load Balancers on a regular basis to ensure that the scheme used by each ELBv2 resource fits the necessary requirements from the security standpoint.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using the right scheme (internal or internet-facing) for your Application Load Balancers (ALBs) and Network Load Balancers (NLBs) is crucial for maintaining the security of your load balancing cloud architecture.


Audit

To identify the scheme used by the ELBv2 load balancers deployed within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose both application and network to list the Application and Network Load Balancers available in the current AWS region.

05 Select the Application/Network Load Balancer that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Basic Configuration section, check the Scheme configuration attribute value. If the attribute value is set to internet-facing, the selected Application/Network Load Balancer is internet-facing and routes requests/connections from clients over the Internet to the registered EC2 instances, therefore the load balancer must be reviewed from the security standpoint.

08 Repeat steps no. 5 – 7 for each Application/Network Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each Application/Network Load Balancer available in the selected AWS region:

aws elbv2 describe-load-balancers
  --region us-east-1
  --query 'LoadBalancers[?(Type == `application`) && (Type == `network`)].LoadBalancerArn | []'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd"
]

03 Run describe-load-balancers command (OSX/Linux/UNIX) using the ARN of the Application/Network Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the scheme name used by the selected ELBv2 load balancer:

aws elbv2 describe-load-balancers
  --region us-east-1
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd
  --query 'LoadBalancers[*].Scheme'

04 The command output should return the name of the scheme used by the selected load balancer:

[
    "internet-facing"
]

If the describe-load-balancers command output returns "internet-facing", as shown in the output example above, the selected Application/Network Load Balancer is internet-facing and routes requests/connections from clients over the Internet to the registered EC2 instances, therefore the load balancer must be reviewed from the security standpoint.

05 Repeat steps no. 3 – 4 to determine the scheme used by other Amazon ELBv2 load balancers available in the current AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Review your internet-facing ELBv2 load balancers and change the scheme configuration for the load balancers that are not following the regulatory security requirements. To change the scheme for your Application/Network Load Balancers you need to re-create them with the internal scheme configuration. To create internal ELBv2 load balancers, perform the following actions:

For Application Load Balancers (ALBs):

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Application Load Balancer with Internal Scheme Configuration",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "Name" : "cc-internet-facing-load-balancer",
        "Type" : "application",
        "Scheme" : "internal",
        "IpAddressType" : "ipv4",
        "SecurityGroups" : [ "sg-0abcdabcdabcdabcd" ],
        "Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create Application Load Balancer with Internal Scheme Configuration
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internal
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]

  # Create Application Load Balancer with Internal Scheme Configuration
  internal           = true

}

For Network Load Balancers (NLBs):

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create Network Load Balancer with Internal Scheme Configuration",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties" : {
        "Name" : "cc-internet-facing-load-balancer",
        "Type" : "network",
        "Scheme" : "internal",
        "IpAddressType" : "ipv4",
        "Subnets" : [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Create Network Load Balancer with Internal Scheme Configuration
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: network
      Scheme: internal
      IpAddressType: ipv4
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "network"
  ip_address_type    = "ipv4"
  subnets            = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]

  # Create Application Load Balancer with Internal Scheme Configuration
  internal           = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click Create Load Balancer button from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose one of the following options based on your application requirements:

  1. For Application Load Balancers (ALBs):
    • Choose Application Load Balancer to set up a new load balancer, then select Create to start the setup process.
    • On the Create Application Load Balancer page, perform the following:
      • Provide a unique name for your new ALB in the Load balancer name box.
      • Set the Scheme configuration setting to Internal. An internal load balancer routes requests from clients to targets using private IP addresses.
      • Choose the right IP address type from the IP address type.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • Click inside the Security groups box and choose one or more security groups for the new load balancer. The security group(s) should act as a set of firewall rules that control the traffic to your load balancer.
      • For Listeners and routing, create and configure the necessary HTTP(S) listener(s) for your new Application Load Balancer.
      • (Optional) For AWS Global Accelerator, choose whether or not to integrate an AWS Global Accelerator with the load balancer at launch.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new, internal Amazon Application Load Balancer.
      • Choose View load balancer to access your new Application Load Balancer (ALB).
  2. For Network Load Balancers (NLBs):
    • Choose Network Load Balancer to set up a new load balancer, then select Create to start the setup.
    • On the Create Network Load Balancer page, perform the following operations:
      • Provide a unique name for your new NLB in the Load balancer name box.
      • Set the Scheme configuration setting to Internal.
      • Choose the right IP address type from the IP address type.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • For Listeners and routing, create and configure the necessary TCP/TLS/UDP listener(s) for your new Network Load Balancer.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new, internal Amazon Network Load Balancer.
      • Choose View load balancer to access your new Network Load Balancer (NLB).

06 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

Based on the type of the ELBv2 load balancer that you want to create, perform of the following sets of commands:

01 For Application Load Balancers (ALBs):

  1. Run create-load-balancer command (OSX/Linux/UNIX) with the --scheme parameter set to internal to create an internal Amazon Application Load Balancer:
    aws elbv2 create-load-balancer
      --region us-east-1
      --name cc-internal-app-load-balancer
      --type application
      --scheme internal
      --ip-address-type ipv4
      --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd
      --security-groups sg-0abcd1234abcd1234
      --tags Key=Environment,Value=production
    
  2. The command output should return the configuration information available for the new load balancer:
    {
        "LoadBalancers": [
            {
                "VpcId": "vpc-0abcd1234abcd1234",
                "State": {
                    "Code": "provisioning"
                },
                "LoadBalancerName": "cc-internal-app-load-balancer",
                "Scheme": "internal ",
    
    		...
    
                "Type": "application",
                "AvailabilityZones": [
                    {
                        "SubnetId": "subnet-0abcd1234abcd1234",
                        "ZoneName": "us-east-1a"
                    },
                    {
                        "SubnetId": "subnet-01234abcd1234abcd",
                        "ZoneName": "us-east-1b"
                    }
                ]
            }
        ]
    }
    
  3. Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary HTTP(S) listener to the newly created Application Load Balancer (ALB):
    aws elbv2 create-listener
      --region us-east-1
      --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-load-balancer/aaaabbbbccccdddd
      --protocol HTTP
      --port 80
      --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/aaaabbbbccccdddd
    
  4. The command output should return the configuration information for the new listener:
    {
       "Listeners": [
          {
             "Protocol": "HTTP",
             "DefaultActions": [
                 {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-frontend-target-group/aaaabbbbccccdddd",
                    "Type": "forward"
                 }
             ],
             "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-load-balancer/aaaabbbbccccdddd”,
             "Port": 80,
             "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-app-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
          }
       ]
    }
    

02 For Network Load Balancers (NLBs):

  1. Run create-load-balancer command (OSX/Linux/UNIX) with the --scheme parameter set to internal to create an internal Amazon Network Load Balancer:
    aws elbv2 create-load-balancer
      --region us-east-1
      --name cc-internal-net-load-balancer
      --type network
      --scheme internal
      --ip-address-type ipv4
      --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd
      --tags Key=Environment,Value=production
    
  2. The command output should return the new AWS NLB metadata:
    {
        "LoadBalancers": [
            {
                "VpcId": "vpc-0abcd1234abcd1234",
                "State": {
                    "Code": "active"
                },
                "LoadBalancerName": "cc-internal-net-load-balancer",
                "Scheme": "internal",
    
                ...
    
                "Type": "network",
                "AvailabilityZones": [
                    {
                        "SubnetId": "subnet-0abcd1234abcd1234",
                        "ZoneName": "us-east-1a"
                    },
                    {
                        "SubnetId": "subnet-01234abcd1234abcd",
                        "ZoneName": "us-east-1b"
                    }
                ]
            }
        ]
    }
    
  3. Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary TCP/TLS/UDP listener to the newly created Network Load Balancer (NLB):
    aws elbv2 create-listener
      --region us-east-1
      --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-net-load-balancer/aaaabbbbccccdddd
      --protocol TCP
      --port 80
      --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/aaaabbbbccccdddd
    
  4. The command output should return the configuration information for the new listener:
    {
       "Listeners": [
          {
             "Protocol": "TCP",
             "DefaultActions": [
                 {
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-network-target-group/aaaabbbbccccdddd",
                    "Type": "forward"
                 }
             ],
             "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-net-load-balancer/aaaabbbbccccdddd”,
             "Port": 80,
             "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-internal-net-load-balance/aaaabbbbccccdddd/bbbbccccddddeeee"
          }
       ]
    }
    

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Feb 5, 2018