ELBv2 Minimum Number of EC2 Target Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELBv2-004

Ensure there are at least two healthy EC2 target instances registered to each Amazon Application Load Balancer (ALB) and Network Load Balancer (NLB) in order to provide a fault-tolerant load balancing configuration for your applications.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

To achieve fault tolerance and minimize the risk of downtime, always register at least two target Amazon EC2 instances to the target group(s) associated with your ELBv2 load balancers.


Audit

To determine if your Amazon ELBv2 load balancers distribute the traffic to at least two healthy target instances, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Target groups.

04 Select the target group associated with the Amazon ELBv2 load balancer that you want to examine. To confirm the target group-load balancer association, check the Load balancer attribute value listed in the Details section.

05 Select the Targets tab from the console bottom panel to access the list with the registered targets.

06 In the Registered targets section, check for healthy EC2 instances (i.e. instances with the Health status set to healthy) registered to the target group. If the number of healthy instances registered to the selected target group is less than two, the associated Amazon ELBv2 load balancer is not using a fault-tolerant configuration.

07 Repeat steps no. 4 – 6 for each ELBv2 load balancer that you want to examine, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each load balancer available in the selected AWS region:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd"
]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the target group associated with the selected load balancer:

aws elbv2 describe-target-groups \
  --region us-east-1 \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd \
  --query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group:

[
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd"
]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as the identifier parameter and custom query filters to describe the health status of each Amazon EC2 instance within the target group associated with the selected load balancer:

aws elbv2 describe-target-health \
  --region us-east-1 \
  --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd \
  --query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'

06 The command output should return an array with the ID of each registered EC2 instance and the instance health status:

[
    [
        "i-01234abcd1234abcd",
        "healthy"
    ],
    [
        "i-0abcd1234abcd1234",
        "unhealthy"
    ]
]

If the number of healthy Amazon EC2 instances registered to the selected target group is less than two, as shown in the output example above, the associated Amazon ELBv2 load balancer is not using a fault-tolerant configuration.

07 Repeat steps no. 3 – 6 for each ELBv2 load balancer that you want to examine, available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
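The Audit steps above can be automated. The following is an added example, not Conformity's own code: it evaluates the ELBv2-004 condition over the parsed output of `describe-target-health`, counting only targets in the healthy state (so draining, initial or empty target groups fail the check). The `collect_from_aws` helper is a hypothetical boto3 collector that mirrors the three CLI calls above; the inventory in `SAMPLE` is constructed from the page's example output.

```python
from typing import Dict, List

MIN_HEALTHY = 2  # ELBv2-004 threshold: at least two healthy targets per target group

def healthy_targets(target_health: dict) -> List[str]:
    """IDs of targets whose TargetHealth.State is 'healthy' in the parsed JSON of
    `aws elbv2 describe-target-health`; 'initial', 'draining', 'unused' and
    'unhealthy' targets are deliberately not counted."""
    return [d["Target"]["Id"]
            for d in target_health.get("TargetHealthDescriptions", [])
            if d.get("TargetHealth", {}).get("State") == "healthy"]

def evaluate_target_group(lb_arn: str, tg_arn: str, target_health: dict) -> dict:
    """One finding per (load balancer, target group) pair; a target group with no
    registered targets has 0 healthy targets and therefore fails the rule."""
    healthy = healthy_targets(target_health)
    return {"load_balancer": lb_arn, "target_group": tg_arn,
            "healthy": len(healthy), "fault_tolerant": len(healthy) >= MIN_HEALTHY}

def audit(inventory: Dict[str, Dict[str, dict]]) -> List[dict]:
    """inventory: load balancer ARN -> {target group ARN -> describe-target-health output}."""
    return [evaluate_target_group(lb, tg, th)
            for lb, tgs in inventory.items() for tg, th in tgs.items()]

def collect_from_aws(region: str) -> Dict[str, Dict[str, dict]]:
    """Hypothetical helper that builds the inventory with boto3 (needs credentials;
    boto3 is imported lazily so the evaluation above runs offline)."""
    import boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    inventory: Dict[str, Dict[str, dict]] = {}
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        lb_arn = lb["LoadBalancerArn"]
        tgs = elbv2.describe_target_groups(LoadBalancerArn=lb_arn)["TargetGroups"]
        inventory[lb_arn] = {tg["TargetGroupArn"]: elbv2.describe_target_health(
            TargetGroupArn=tg["TargetGroupArn"]) for tg in tgs}
    return inventory

# Constructed sample mirroring the Audit output above: one healthy, one unhealthy target.
SAMPLE = {"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd": {
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd": {
        "TargetHealthDescriptions": [
            {"Target": {"Id": "i-01234abcd1234abcd", "Port": 443}, "TargetHealth": {"State": "healthy"}},
            {"Target": {"Id": "i-0abcd1234abcd1234", "Port": 443},
             "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}}]}}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):  # one finding per target group
        print(finding)
```

Run it against live data with `audit(collect_from_aws("us-east-1"))` once per region, since load balancers are regional resources.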

Remediation / Resolution

To register additional healthy Amazon EC2 instances to the target groups associated with your ELBv2 load balancers, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Configure Target Group to Register Additional Healthy Instances",
  "Resources": {
    "ApplicationLoadBalancer": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "cc-internet-facing-load-balancer",
        "Type": "application",
        "Scheme": "internet-facing",
        "IpAddressType": "ipv4",
        "SecurityGroups": [ "sg-0abcdabcdabcdabcd" ],
        "Subnets": [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
      }
    },
    "TargetGroup": {
      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "Name": "cc-mvp-target-group",
        "Protocol": "HTTPS",
        "Port": 443,
        "TargetType": "instance",
        "Targets": [
          { "Id": "i-0abcdabcdabcdabcd" },
          { "Id": "i-01234abcd1234abcd" }
        ],
        "VpcId": "vpc-0abcdabcdabcdabcd"
      }
    },
    "HTTPSListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "Protocol": "HTTPS",
        "Port": 443,
        "LoadBalancerArn": { "Ref": "ApplicationLoadBalancer" },
        "DefaultActions": [
          {
            "Type": "forward",
            "TargetGroupArn": { "Ref": "TargetGroup" }
          }
        ],
        "Certificates": [
          { "CertificateArn": "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate" }
        ],
        "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10"
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Target Group to Register Additional Healthy Instances
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: cc-internet-facing-load-balancer
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      SecurityGroups:
        - sg-0abcdabcdabcdabcd
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: cc-mvp-target-group
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      # Targets is a list of TargetDescription objects (Id, optional Port),
      # not bare instance IDs; at least two healthy instances satisfy ELBv2-004
      Targets:
        - Id: i-0abcdabcdabcdabcd
        - Id: i-01234abcd1234abcd
      VpcId: vpc-0abcdabcdabcdabcd
  HTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Protocol: HTTPS
      Port: 443
      LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'TargetGroup'
      Certificates:
        - CertificateArn: arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2020-10

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_lb" "application-load-balancer" {
  name               = "cc-internet-facing-load-balancer"
  load_balancer_type = "application"
  internal           = false
  ip_address_type    = "ipv4"
  security_groups    = ["sg-0abcdabcdabcdabcd"]
  subnets            = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
}

# Configure Target Group to Register Additional Healthy Instances
resource "aws_lb_target_group" "target-group" {
  name        = "cc-mvp-target-group"
  protocol    = "HTTPS"
  port        = 443
  target_type = "instance"
  vpc_id      = "vpc-0abcdabcdabcdabcd"
}

# aws_lb_target_group does not register targets itself; each instance is
# attached with its own aws_lb_target_group_attachment. At least two healthy
# instances are needed to satisfy ELBv2-004.
resource "aws_lb_target_group_attachment" "target-instance-1" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = "i-0abcdabcdabcdabcd"
  port             = 443
}

resource "aws_lb_target_group_attachment" "target-instance-2" {
  target_group_arn = aws_lb_target_group.target-group.arn
  target_id        = "i-01234abcd1234abcd"
  port             = 443
}

# Add HTTPS Listener to Application Load Balancer
resource "aws_lb_listener" "https-listener" {
  load_balancer_arn = aws_lb.application-load-balancer.arn
  protocol          = "HTTPS"
  port              = 443
  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
  certificate_arn   = "arn:aws:iam::123456789012:server-certificate/cloudconformity-certificate"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.target-group.arn
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Target groups.

04 Select the target group associated with the Amazon ELBv2 load balancer that you want to reconfigure.

05 Select the Targets tab from the console bottom panel to access the list with the registered targets.

06 On the Targets panel, perform the following actions:

  1. To remove the unhealthy EC2 instances, select the unhealthy instances in the Registered targets section, then choose Deregister to remove them from the selected target group.
  2. To register new, healthy EC2 instances, choose Register targets from the Registered targets section, select and include all the instances that you want to register, then choose Register pending targets.

07 Repeat steps no. 4 – 6 to register healthy target instances with other Amazon ELBv2 load balancers available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 To remove the unhealthy target instances and register new, healthy EC2 instances to the target group associated with your Amazon ELBv2 load balancer, perform the following commands:

  1. Run deregister-targets command (OSX/Linux/UNIX) to remove the unhealthy EC2 instances, identified by the --targets parameter, from the target group associated with your load balancer (the command does not produce an output):
    aws elbv2 deregister-targets \
      --region us-east-1 \
      --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd \
      --targets Id=i-0abcd1234abcd1234

  2. Run register-targets command (OSX/Linux/UNIX) to register a new target EC2 instance, identified by the ID i-0abcdabcdabcdabcd, to the target group associated with your Amazon ELBv2 load balancer (the command does not produce an output):
    aws elbv2 register-targets \
      --region us-east-1 \
      --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd \
      --targets Id=i-0abcdabcdabcdabcd

02 Repeat step no. 1 to register healthy target instances with other Amazon ELBv2 load balancers available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Feb 5, 2018
