Logo of Trend Micro

Unused ELBv2 Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: ELBv2-008

Find any unused Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) and remove them from your account in order to help lower the cost of your monthly AWS bill. An AWS ELBv2 load balancer is considered "unused" when the associated target group has no EC2 target instance registered or when the registered target instances are not healthy anymore.

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Cost
optimisation

You are charged for each hour or partial hour that an AWS ELBv2 load balancer is running, regardless whether you are using the resource or not. Removing unused AWS resources like an Application Load Balancer (ALB) or a Network Load Balancer (NLB) will help you avoid unexpected charges on your AWS bill.

Audit

Case A: To determine if the target groups associated with your ELBv2 load balancers have registered target instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Target Groups.

04 Select the target group associated with the AWS ELBv2 load balancer (ALB or NLB) that you want to examine. To determine the resources association, verify the Load balancer attribute value available on the Description tab.

05 Select Targets tab from the dashboard bottom panel to access the list with the registered targets.

06 Under Registered targets, check for EC2 target instances registered to the selected target group. If there are no target instances currently registered to the group, i.e.

Registered Targets

the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account in order to avoid unexpected service charges.

07 Repeat steps no. 4 – 6 to verify other target groups associated with your load balancers for registered target instances, available within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region: 

aws elbv2 describe-load-balancers
	--region us-east-1
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return a table with the requested ARNs: 

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-mvp-nlb/aaaabbbbccccdddd"

]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to expose the Amazon Resource Name (ARN) of the target group associated with the selected ELBv2 resource: 

aws elbv2 describe-target-groups
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd
	--query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group: 

[
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd"

]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as identifier and custom query filters to list the IDs of the target instances registered to the selected AWS ELBv2 load balancer: 

aws elbv2 describe-target-health
	--region us-east-1
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd
	--query 'TargetHealthDescriptions[*].Target.Id'

06 The command output should return an array that contains the ID(s) of the registered EC2 target instance(s): 

[]

If the describe-target-health custom command output returns an empty array (i.e. []), as shown in the example above, there are no EC2 target instances currently registered to the target group, therefore the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account.

07 Repeat steps no. 3 – 6 to verify other target groups associated with your load balancers for registered target instances, available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 -7 to perform the entire audit process for other regions.

Case B: To determine if the target groups associated with your ELBv2 load balancers have healthy target instances registered to the groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Target Groups.

04 Select the target group associated with the AWS ELBv2 load balancer that you want to examine. To determine the resources association, verify the Load balancer attribute value available on the Description tab.

05 Select Targets tab from the dashboard bottom panel to access the list with the registered targets.

06 In the Registered targets section, check the health check status, listed in the Status column, for each EC2 target instance registered to the selected target group. If none of the registered EC2 instances are healthy, i.e.

registered EC2 instances are healthy

the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account in order to stop incurring charges for the resource.

07 Repeat steps no. 4 – 6 to verify the health status of the target instances registered to other target groups available within the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

Based on the type of the ELBv2 load balancer that you want to create, perform of the following sets of commands:

01 Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing Amazon ELBv2 load balancers available in the selected region: 

aws elbv2 describe-load-balancers
	--region us-east-1
	--query 'LoadBalancers[*].LoadBalancerArn'

02 The command output should return a table with the requested Amazon Resource Names (ARNs): 

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd",
	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-mvp-nlb/aaaabbbbccccdddd"

]

03 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to expose the Amazon Resource Name (ARN) of the target group associated with the selected ELBv2 resource: 

aws elbv2 describe-target-groups
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd
	--query 'TargetGroups[*].TargetGroupArn'

04 The command output should return the ARN of the associated target group: 

[
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd"
]

05 Run describe-target-health command (OSX/Linux/UNIX) using the ARN of the target group returned at the previous step as identifier and custom query filters to list the current health status for each EC2 target instance registered to the target group associated with the selected ELBv2 load balancer: 

aws elbv2 describe-target-health
	--region us-east-1
	--target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-mvp-target-group/aaaabbbbccccdddd
	--query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'

06 The command output should return an array that contains the ID of each registered EC2 target instance and its health status: 

[
    [
        "i-0d7630e3b0511fd98",
        "unhealthy"
    ],
    [
        "i-011eac7e3eb0134dc",
        "unhealthy"
    ]
]

If the health status for each EC2 target instance returned by the describe-target-health command output is set to "unhealthy", there are no healthy target instances currently registered to the associated target group, therefore the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account.

07 Repeat steps no. 3 – 6 to verify the health status of the target instances registered to other target groups available in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the audit process for other regions.

Remediation / Resolution

To delete any unused Application Load Balancers (ALBs) or Network Load Balancers (NLBs) currently available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Select the load balancer that you want to remove (see Audit section part I to identify the right AWS ALB/NLB resource).

05 Click the Actions dropdown button from the dashboard top menu and select Delete.

06 Inside the Delete Load Balancer confirmation box, review the selected load balancer identifier then click Yes, Delete to confirm the action.

07 Repeat steps no. 4 – 6 to remove any other unused Application Load Balancers or Network Load Balancers provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

01 Run delete-load-balancer command (OSX/Linux/UNIX) using the resource ARN as identifier (see Audit section part II to identify the right Amazon ALB/NLB resource), to delete the selected unused load balancer (the command does not produce an output): 

aws elbv2 delete-load-balancer
	--region us-east-1
	--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-mvp-alb/aaaabbbbccccdddd

02 Repeat step no. 1 to delete any other unused Application Load Balancers or Network Load Balancers provisioned within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Feb 5, 2018

Related ELBv2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unused ELBv2 Load Balancers

Risk level: Low