Description:

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault-tolerant.


Rationale:

Elastic Load Balancing helps to manage incoming requests by routing traffic so that no single instance is overwhelmed. An internet-facing ELB/ALB has a publicly resolvable DNS name that resolves to public IP addresses, which is required to route HTTP(S) requests from clients over the Internet to the EC2 instances registered with the load balancer. An internal load balancer's DNS name resolves only to the private IP addresses of its nodes, so it can be reached only from within the VPC or from networks connected to it (VPN, VPC peering, Direct Connect). A load balancer that fronts backends which only need to be reached internally should therefore use the internal scheme; otherwise those backends are exposed to the Internet through the load balancer's public endpoint.


Impact:

Using the correct scheme for each load balancer keeps the load balancer architecture secure: only applications that must serve Internet clients are published with an internet-facing scheme, and everything else stays internal. Note that the scheme cannot be changed on an existing load balancer; remediation means creating a new internal load balancer with the same configuration and moving clients over to it.


Default value:

By default, the Elastic Load Balancer scheme is set to Internet-facing.


Audit:

  1. Sign in to AWS Management console

  2. Go to EC2 service at https://console.aws.amazon.com/ec2

  3. Click on Load Balancers in the left navigation pane

  4. Select the load balancer you want to examine

  5. In the Description tab at the bottom, check whether Scheme is set to internet-facing
    If it is set to internet-facing and the application does not need to serve clients on the Internet, follow the implementation steps below.


Remediation:

Pre-requisites:

  1. Sign in as admin or IAM user with required permissions

  2. Note down all the configurations of the existing load balancer


Implementation steps:

  1. Sign in to AWS Management console

  2. Go to EC2 service at https://console.aws.amazon.com/ec2

  3. Click on Load Balancers in the left navigation pane

  4. Select the type of load balancer you want to create and click on create
    (Here I am selecting Application Load Balancer)

  5. On Configure Load Balancer page, provide a unique name for the load balancer

  6. Select the scheme to Internal

  7. Configure the remaining necessary options like listeners, availability zones as per the configurations you noted and click on Next: Configure Security Settings

  8. On Configure Security Settings page, choose the certificate type from the options available and click on Next: Configure Security Groups

  9. On Configure Security Groups page, select Create a new security group or use an existing one. This security group should contain a rule that allows traffic to the port that you configured your ALB to use and click Next: Configure Routing.


  10. On Configure Routing page, use an existing Target Group or create a new one based on your requirements, provide all the information required and enable Health check

  11. On the Register Targets page, use the Add to registered button to attach the necessary backend instances to the internal ALB and click on Next: Review.

  12. Review all the details provided and click on create
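The audit check above (Scheme equal to internet-facing) and the rebuild-as-internal remediation, as an added Python/boto3 example that is not part of this page: the describe-load-balancers output, names, ARNs, subnet IDs and security group IDs below are constructed sample data; the only live AWS call is in audit_account, which needs credentials and the boto3 package.

```python
"""Find internet-facing ELBv2 load balancers and build the parameters for an
internal replacement.  Added example; not part of the original page.

The sample API response below is constructed for offline use and mirrors the
shape of `aws elbv2 describe-load-balancers` output.  Account IDs, ARNs,
names and subnet IDs are made up.
"""

import json

# Constructed sample: one internet-facing ALB and one internal NLB (hypothetical).
SAMPLE_DESCRIBE_LBS = json.loads("""
{
  "LoadBalancers": [
    {
      "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web-alb/0123456789abcdef",
      "LoadBalancerName": "web-alb",
      "DNSName": "web-alb-1234567890.us-east-1.elb.amazonaws.com",
      "Scheme": "internet-facing",
      "VpcId": "vpc-0abc",
      "Type": "application",
      "IpAddressType": "ipv4",
      "AvailabilityZones": [
        {"ZoneName": "us-east-1a", "SubnetId": "subnet-aaa"},
        {"ZoneName": "us-east-1b", "SubnetId": "subnet-bbb"}
      ],
      "SecurityGroups": ["sg-0123"]
    },
    {
      "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/int-nlb/fedcba9876543210",
      "LoadBalancerName": "int-nlb",
      "DNSName": "int-nlb-0987654321.elb.us-east-1.amazonaws.com",
      "Scheme": "internal",
      "VpcId": "vpc-0abc",
      "Type": "network",
      "IpAddressType": "ipv4",
      "AvailabilityZones": [
        {"ZoneName": "us-east-1a", "SubnetId": "subnet-aaa"}
      ]
    }
  ]
}
""")


def internet_facing(load_balancers):
    """Return the load balancers whose Scheme is internet-facing (the audit check)."""
    return [lb for lb in load_balancers if lb.get("Scheme") == "internet-facing"]


def internal_replacement_params(lb, new_name=None):
    """Build the create_load_balancer kwargs for an internal copy of `lb`.

    The scheme of an existing ELBv2 load balancer cannot be changed in place, so
    remediation means creating a new one with the same subnets, security groups,
    type and IP address type but Scheme='internal'.  Listeners and target groups
    are attached afterwards (not shown here).
    """
    params = {
        # ELB names are limited to 32 characters and must not start with "internal-"
        "Name": new_name or (lb["LoadBalancerName"] + "-internal")[:32],
        "Scheme": "internal",
        "Type": lb["Type"],
        "IpAddressType": lb.get("IpAddressType", "ipv4"),
        "Subnets": [az["SubnetId"] for az in lb["AvailabilityZones"]],
    }
    if lb.get("SecurityGroups"):  # network load balancers may have none
        params["SecurityGroups"] = list(lb["SecurityGroups"])
    return params


def audit_account(region="us-east-1"):
    """Live variant: page through describe_load_balancers with boto3 (needs credentials)."""
    import boto3  # imported lazily so the offline sample above works without boto3
    client = boto3.client("elbv2", region_name=region)
    found = []
    for page in client.get_paginator("describe_load_balancers").paginate():
        found.extend(internet_facing(page["LoadBalancers"]))
    return found


if __name__ == "__main__":
    for lb in internet_facing(SAMPLE_DESCRIBE_LBS["LoadBalancers"]):
        print("internet-facing:", lb["LoadBalancerName"], lb["DNSName"])
        print("  replacement:", json.dumps(internal_replacement_params(lb)))
```

The returned dictionary is what you would pass to boto3's elbv2 `create_load_balancer(**params)`; the listeners, certificate, target group and registered targets from steps 7 to 11 are then recreated against the new load balancer's ARN, and clients are pointed at its new DNS name.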


Backout plan:

In case of any abnormal behaviour of the new internal ELB, refer to the configurations noted earlier to restore the previous setup.


Reference:

Load balancer types - Amazon Elastic Container Service