
Enable Least Outstanding Requests Algorithm

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Application Load Balancers (ALBs) are configured to use the Least Outstanding Requests algorithm in order to balance requests efficiently across targets by routing each request to the target with the lowest number of outstanding requests. This routing algorithm is particularly useful for application workloads with varied request sizes, targets that change frequently, and targets with varied levels of processing power, including those with a mix of instance types within a single Auto Scaling group.

Reliability
Performance efficiency

A routing algorithm determines how the load balancer selects targets from the associated target group when routing requests. The algorithms used by Application Load Balancers (ALBs) are Round-Robin and Least Outstanding Requests. In contrast to Round-Robin, with the Least Outstanding Requests (LOR) algorithm, each new request is sent to the target with the fewest outstanding requests. Targets that are processing long-running requests or that have lower processing capabilities are not weighed down with more requests, and the load is spread evenly across targets. With the LOR routing algorithm you can avoid over-utilization or under-utilization of targets within target groups when requests have varied processing times or targets are frequently added or removed.


Audit

To determine if your Application Load Balancers are configured to use the Least Outstanding Requests routing algorithm, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

  3. In the main navigation panel, under Load Balancing, choose Load Balancers.

  4. Click inside the Filter by tags and attributes or search by keyword box, select Type and choose application to list the Application Load Balancers available in the current AWS region.

  5. Select the Application Load Balancer (ALB) that you want to examine.

  6. Select the Listeners tab from the console bottom panel to access the listener configuration available for the selected load balancer.

  7. Click on the name (link) of the target group that you want to examine, listed in the Rules column.

  8. Select the associated target group, choose the Attributes tab, and check the Load balancing algorithm attribute value, available under Traffic configuration. If the Load balancing algorithm value is set to Round Robin, the selected Application Load Balancer (ALB) is configured to use the Round-Robin routing algorithm instead of the Least Outstanding Requests algorithm.

  9. Repeat steps no. 7 and 8 to check other listeners configured for the selected load balancer.

  10. Repeat steps no. 5 – 8 for each Application Load Balancer (ALB) available within the current AWS region.

  11. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Application Load Balancers (ALBs) available in the selected AWS region:

    aws elbv2 describe-load-balancers \
      --region us-east-1 \
      --query 'LoadBalancers[?(Type == `application`)].LoadBalancerArn'
    
  2. The command output should return an array with the requested ALB ARN(s):

    [
    	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd",
    	"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internal-app-alb/abcd1234abcd1234"
    ]
    
  3. Run describe-listeners command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as the identifier parameter and custom query filters to list the ARNs of the target groups referenced by the default actions of the listeners configured for the selected load balancer:

    aws elbv2 describe-listeners \
      --region us-east-1 \
      --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-project5-web-alb/abcdabcdabcdabcd \
      --query 'Listeners[*].DefaultActions[*].TargetGroupArn | []'
    
  4. The command output should return the ARN(s) of the target group(s) associated with the ALB listeners:

    [
    	"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/aaaabbbbccccdddd",
    	"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/aaaabbbbccccdddd"
    ]
    
  5. Run describe-target-group-attributes command (OSX/Linux/UNIX) using the ARN of the target group that you want to examine as the identifier parameter and custom query filters to describe the name of the routing algorithm configured for the selected target group:

    aws elbv2 describe-target-group-attributes \
      --region us-east-1 \
      --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/aaaabbbbccccdddd \
      --query 'Attributes[?(Key == `load_balancing.algorithm.type`)].Value | []'
    
  6. The command output should return the name of the configured routing algorithm:

    [
    	"round_robin"
    ]
    

    If the describe-target-group-attributes command output returns "round_robin", the Application Load Balancer (ALB) associated with the selected target group is configured to use the Round-Robin routing algorithm instead of the Least Outstanding Requests algorithm.

  7. Repeat steps no. 5 and 6 to check other listeners configured for the selected load balancer.

  8. Repeat steps no. 3 – 7 for each Application Load Balancer (ALB) available in the selected AWS region.

  9. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
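
The CLI audit above, automated for one region as an added example (not code from this page or from AWS). `audit_region`, `StubElbv2` and the short ARNs are hypothetical names and constructed sample data; the client methods are the boto3 `elbv2` calls that correspond to the CLI commands used in the steps.

```python
COMPLIANT = "least_outstanding_requests"
ATTR_KEY = "load_balancing.algorithm.type"


def audit_region(elbv2):
    """Return (alb_arn, target_group_arn, algorithm) for each non-compliant group.

    `elbv2` is a boto3 "elbv2" client or any object exposing the same methods.
    """
    findings = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            if lb["Type"] != "application":
                continue  # same filter as the Type == `application` query
            alb_arn = lb["LoadBalancerArn"]
            # Lists every target group attached to the ALB, including those
            # reached only through non-default listener rules.
            groups = elbv2.describe_target_groups(LoadBalancerArn=alb_arn)
            for tg in groups["TargetGroups"]:
                if tg.get("TargetType") == "lambda":
                    continue  # algorithm attribute applies to instance/IP targets
                attrs = elbv2.describe_target_group_attributes(
                    TargetGroupArn=tg["TargetGroupArn"])["Attributes"]
                algo = {a["Key"]: a["Value"] for a in attrs}.get(ATTR_KEY, "unset")
                if algo != COMPLIANT:
                    findings.append((alb_arn, tg["TargetGroupArn"], algo))
    return findings


class StubElbv2:
    """Constructed sample data standing in for a live account (hypothetical)."""
    lbs = [{"LoadBalancerArn": "alb-1", "Type": "application"},
           {"LoadBalancerArn": "nlb-1", "Type": "network"}]
    tgs = {"alb-1": [{"TargetGroupArn": "tg-rr", "TargetType": "instance"},
                     {"TargetGroupArn": "tg-lor", "TargetType": "ip"},
                     {"TargetGroupArn": "tg-fn", "TargetType": "lambda"}]}
    algo = {"tg-rr": "round_robin", "tg-lor": COMPLIANT}

    def get_paginator(self, name): return self
    def paginate(self): return [{"LoadBalancers": self.lbs}]
    def describe_target_groups(self, LoadBalancerArn):
        return {"TargetGroups": self.tgs[LoadBalancerArn]}
    def describe_target_group_attributes(self, TargetGroupArn):
        return {"Attributes": [{"Key": ATTR_KEY, "Value": self.algo[TargetGroupArn]}]}


if __name__ == "__main__":
    # Live use: audit_region(boto3.client("elbv2", region_name="us-east-1"))
    for finding in audit_region(StubElbv2()):
        print(finding)
```

Run it once per region, as in step 9, by creating the client with a different `region_name`.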

Remediation / Resolution

To enable the Least Outstanding Requests (LOR) routing algorithm for your Application Load Balancers (ALBs), perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Resources": {
    		"ApplicationLoadBalancer": {
    			"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    			"Properties": {
    				"Name": "cc-app-load-balancer",
    				"Type": "application",
    				"Scheme": "internet-facing",
    				"IpAddressType": "ipv4",
    				"Subnets": [
    					"subnet-01234abcd1234abcd",
    					"subnet-0abcd1234abcd1234"
    				],
    				"SecurityGroups": [
    					"sg-0abcd1234abcd1234",
    					"sg-01234abcd1234abcd"
    				]
    			}
    		},
    		"LoadBalancerTargetGroup": {
    			"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
    			"Properties": {
    				"Name": "cc-new-web-target-group",
    				"VpcId": "vpc-01234abcd1234abcd",
    				"Port": 443,
    				"Protocol": "HTTPS",
    				"TargetGroupAttributes" : [
    					{
    						"Key": "load_balancing.algorithm.type",
    						"Value": "least_outstanding_requests"
    					}
    				]
    			}
    		},
    		"LoadBalancerListener": {
    			"Type": "AWS::ElasticLoadBalancingV2::Listener",
    			"Properties": {
    				"Protocol": "HTTPS",
    				"Port": 443,
    				"LoadBalancerArn": {
    					"Ref": "ApplicationLoadBalancer"
    				},
    				"Certificates": [
    					{
    						"CertificateArn": "arn:aws:iam::123412341234:server-certificate/domain.com"
    					}
    				],
    				"DefaultActions": [
    					{
    						"Type": "forward",
    						"TargetGroupArn": {
    							"Ref": "LoadBalancerTargetGroup"
    						}
    					}
    				]
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Resources:
      ApplicationLoadBalancer:
        Type: AWS::ElasticLoadBalancingV2::LoadBalancer
        Properties:
          Name: cc-app-load-balancer
          Type: application
          Scheme: internet-facing
          IpAddressType: ipv4
          Subnets:
            - subnet-01234abcd1234abcd
            - subnet-0abcd1234abcd1234
          SecurityGroups:
            - sg-0abcd1234abcd1234
            - sg-01234abcd1234abcd
      LoadBalancerTargetGroup:
        Type: AWS::ElasticLoadBalancingV2::TargetGroup
        Properties:
          Name: cc-new-web-target-group
          VpcId: vpc-01234abcd1234abcd
          Port: 443
          Protocol: HTTPS
          TargetGroupAttributes:
            - Key: load_balancing.algorithm.type
              Value: least_outstanding_requests
      LoadBalancerListener:
        Type: AWS::ElasticLoadBalancingV2::Listener
        Properties:
          Protocol: HTTPS
          Port: 443
          LoadBalancerArn: !Ref 'ApplicationLoadBalancer'
          Certificates:
            - CertificateArn: arn:aws:iam::123412341234:server-certificate/domain.com
          DefaultActions:
            - Type: forward
              TargetGroupArn: !Ref 'LoadBalancerTargetGroup'
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	profile = "default"
    	region  = "us-east-1"
    }
    
    resource "aws_lb" "application-load-balancer" {
    	name                       = "cc-app-load-balancer"
    	load_balancer_type         = "application"
    	internal                   = false
    	ip_address_type            = "ipv4"
    	subnets                    = ["subnet-01234abcd1234abcd","subnet-0abcd1234abcd1234"]
    	security_groups            = ["sg-0abcd1234abcd1234","sg-01234abcd1234abcd"]
    }
    
    resource "aws_lb_target_group" "load-balancer-target-group" {
    	name                          = "cc-new-web-target-group"
    	vpc_id                        = "vpc-01234abcd1234abcd"
    	port                          = 443
    	protocol                      = "HTTPS"
    	load_balancing_algorithm_type = "least_outstanding_requests"
    }
    
    resource "aws_lb_listener" "load-balancer-listener" {
    	port               = "443"
    	protocol           = "HTTPS"
    	certificate_arn    = "arn:aws:iam::123412341234:server-certificate/domain.com"
    	load_balancer_arn  = aws_lb.application-load-balancer.arn
    	default_action {
    		type             = "forward"
    		target_group_arn = aws_lb_target_group.load-balancer-target-group.arn
    	}
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

  3. In the main navigation panel, under Load Balancing, choose Target Groups.

  4. Click on the name (link) of the target group that you want to reconfigure, associated with your Application Load Balancer.

  5. Select the Attributes tab from the console bottom panel and choose Edit.

  6. In the Traffic configuration section, select Least outstanding requests for Load balancing algorithm to change the routing algorithm for the selected target group from Round-Robin to Least Outstanding Requests. Choose Save to apply the configuration changes.

  7. Repeat steps no. 4 – 6 for each ALB target group available within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run modify-target-group-attributes command (OSX/Linux/UNIX) using the ARN of the ALB target group that you want to reconfigure as the identifier parameter, to enable the Least Outstanding Requests (LOR) routing algorithm for the selected target group:

    aws elbv2 modify-target-group-attributes \
      --region us-east-1 \
      --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-project5-target-group/aaaabbbbccccdddd \
      --attributes Key=load_balancing.algorithm.type,Value="least_outstanding_requests"
    
  2. The command output should return the configuration attributes available for the modified target group:

    {
    	"Attributes": [
    		{
    			"Value": "false",
    			"Key": "stickiness.enabled"
    		},
    		{
    			"Value": "300",
    			"Key": "deregistration_delay.timeout_seconds"
    		},
    		{
    			"Value": "lb_cookie",
    			"Key": "stickiness.type"
    		},
    		{
    			"Value": "86400",
    			"Key": "stickiness.lb_cookie.duration_seconds"
    		},
    		{
    			"Value": "0",
    			"Key": "slow_start.duration_seconds"
    		},
    		{
    			"Value": "least_outstanding_requests",
    			"Key": "load_balancing.algorithm.type"
    		}
    	]
    }
    
  3. Repeat steps no. 1 and 2 for each ALB target group available in the selected AWS region.

  4. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.

Publication date Nov 27, 2023