Unused ELBv2 Load Balancers

Risk Level: Low (generally tolerable level of risk)

Rule ID: ELBv2-008

Find unused Application Load Balancers (ALBs) and Network Load Balancers (NLBs) and remove them from your AWS account in order to help lower the cost of your AWS bill. An Amazon ELBv2 load balancer is considered "unused" when the associated target group has no target instance registered or when the registered target instances are not healthy anymore.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation

Sustainability

You are being charged for each hour or partial hour that a ELBv2 load balancer is running, regardless whether you are using the resource or not. Removing unused AWS cloud resources like an Application Load Balancer (ALB) or a Network Load Balancer (NLB) will help you avoid unexpected charges on your AWS bill.

Audit

Case A: To determine if the target groups associated with your ELBv2 load balancers have registered target instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Target groups.

04 Select the target group that you want to examine and check the Load balancer attribute value listed in the Details section to determine the association with a load balancer (ALB or NLB). If the target group is associated with a load balancer, the Load balancer attribute has a value, therefore you can continue the Audit with the next step.

05 Select the Targets tab from the console bottom panel to access the list with the registered targets.

06 In the Registered targets section, check for Amazon EC2 instances registered to the selected target group. If there are no EC2 instances currently registered to the group and the following message is displayed: No registered targets, the associated ELBv2 load balancer is considered unused and can be removed from your AWS cloud account in order to avoid unexpected charges.

07 Repeat steps no. 4 – 6 to check other target groups associated with load balancers for registered target instances, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each load balancer available in the selected AWS region:

aws elbv2 describe-load-balancers
  --region us-east-1
  --query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd"
]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the Amazon Resource Name (ARN) of the target group associated with the selected load balancer:

aws elbv2 describe-target-groups
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd
  --query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group:

[
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd"
]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as the identifier parameter, to list the ID of each target instance registered to the selected load balancer:

aws elbv2 describe-target-health
  --region us-east-1
  --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd
  --query 'TargetHealthDescriptions[*].Target.Id'

06 The command output should return an array with the ID(s) of the registered EC2 target instance(s):

[]

If the describe-target-health command output returns an empty array (i.e. []), as shown in the output example above, there are no Amazon EC2 instances currently registered to the target group, therefore the associated ELBv2 load balancer is considered unused and can be removed from your AWS cloud account.

07 Repeat steps no. 3 – 6 to check other target groups associated with your load balancers for registered target instances, available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Case B: To determine if the target groups associated with your ELBv2 load balancers have healthy target instances registered, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Target groups.

05 Select the Targets tab from the console bottom panel to access the list with the registered targets.

06 In the Registered targets section, check the health status of each Amazon EC2 instance registered to the selected target group, listed in the Health status column. If none of the registered instances are healthy, the associated ELBv2 load balancer is considered unused and can be removed from your AWS cloud account in order to avoid unexpected charges.

07 Repeat steps no. 4 – 6 for each target group that you want to examine, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARN) of each load balancer available in the selected AWS region:

aws elbv2 describe-load-balancers
  --region us-east-1
  --query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return an array with the requested load balancer ARN(s):

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-load-balancer/aaaabbbbccccdddd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-network-load-balancer/aaaabbbbccccdddd"
]

aws elbv2 describe-target-groups
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd
  --query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group:

[
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd"
]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as the identifier parameter and custom query filters to list the health status available for each Amazon EC2 instance registered to the target group associated with the selected load balancer:

aws elbv2 describe-target-health
  --region us-east-1
  --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd
  --query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'

06 The command output should return the ID of each registered EC2 instance and the current health status:

[
    [
        "i-0abcd1234abcd1234",
        "unhealthy"
    ],
    [
        "i-0abcd1234abcd1234",
        "unhealthy"
    ]
]

If the health status available for each Amazon EC2 instance returned by the describe-target-health command output is "unhealthy", there are no healthy target instances registered to the associated target group, therefore the selected ELBv2 load balancer is considered unused and can be safely removed from your AWS account.

07 Repeat steps no. 5 and 6 for each target group that you want to examine, available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To delete any unused Application Load Balancers (ALBs) and Network Load Balancers (NLBs) available within your AWS cloud account, perform the following actions:

Using Terraform (AWS Provider)

01 To remove an unused Application/Network Load Balancer, run the following Terraform command, using the Terraform name of the load balancer that you want to delete (e.g. internet-facing-load-balancer) as the --target parameter:

terraform destroy --target aws_lb.internet-facing-load-balancer

02 Type yes and press Enter to confirm the unused load balancer deletion:

│ Warning: Resource targeting is in effect
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
│

Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Select the Application Load Balancer/Network Load Balancer that you want to reconfigure. An Application Load Balancer has the Type attribute value set to application in the Type column and a Network Load Balancer has the Type attribute value set to network.

05 Choose Actions from the console top menu and select Delete.

06 In the Delete Load Balancer confirmation box, review the load balancer name, then choose Yes, Delete to remove the selected ELBv2 load balancer from your AWS account.

07 Repeat steps no. 4 – 6 to remove other unused Application Load Balancers and/or Network Load Balancers available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run delete-load-balancer command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to delete as the identifier parameter, to remove the selected ELBv2 load balancer from your AWS account (the command does not produce an output):

aws elbv2 delete-load-balancer
  --region us-east-1
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd

02 Repeat step no. 1 to delete other unused Application Load Balancers and/or Network Load Balancers available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
elbv2
describe-load-balancers
describe-target-groups
describe-target-health
delete-load-balancer

CloudFormation Documentation
Elastic Load Balancing V2 resource type reference

Terraform Documentation
AWS Provider

Publication date Feb 5, 2018

Audit

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related ELBv2 rules