Description:
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault-tolerant.
Rationale:
Elastic Load Balancing helps to manage incoming requests by optimally routing traffic so that no one instance is overwhelmed. An internet-facing AWS ELB/ALB has a publicly resolvable DNS name, required to route HTTP(S) requests from clients over the Internet to the EC2 instances that are registered with the load balancer.
Impact:
Using the correct scheme for the load balancer (internal rather than internet-facing where the load balancer only needs to serve private traffic) keeps the load balancer architecture secure by not exposing it to the Internet.
Default value:
By default, the Elastic Load Balancer scheme is set to Internet-facing.
Pre-requisites:
Sign in as an admin or IAM user with the required permissions
Note down all the configurations of the existing load balancer
Remediation:
Test plan:
Sign in to the AWS Management console
Go to EC2 service at https://console.aws.amazon.com/ec2
Click on Load Balancers in the left navigation pane
Select the load balancer you want to examine
In the Description tab at the bottom, check whether the Scheme is set to internet-facing
If it is set to internet-facing, follow the implementation steps.
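The console check above can also be run as a script against the CLI output for every load balancer in a region. The following is an added example (not part of the original control) that parses the JSON shape of `aws elbv2 describe-load-balancers` (ALB/NLB/GWLB) and `aws elb describe-load-balancers` (Classic) and lists the load balancers whose Scheme is internet-facing. The load balancer names, ARNs and DNS names in the embedded samples are constructed for illustration; the script reads real CLI output from stdin when piped into it.

```python
import json
import sys

# Constructed sample in the shape of `aws elbv2 describe-load-balancers`.
# Names, account id and ARNs are made up for this example.
ELBV2_SAMPLE = json.dumps({
    "LoadBalancers": [
        {
            "LoadBalancerName": "web-alb",
            "Type": "application",
            "Scheme": "internet-facing",
            "DNSName": "web-alb-123456.us-east-1.elb.amazonaws.com",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web-alb/abc123",
        },
        {
            "LoadBalancerName": "api-internal",
            "Type": "application",
            "Scheme": "internal",
            "DNSName": "internal-api-internal-654321.us-east-1.elb.amazonaws.com",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api-internal/def456",
        },
    ]
})

# Constructed sample in the shape of `aws elb describe-load-balancers` (Classic ELB).
ELB_CLASSIC_SAMPLE = json.dumps({
    "LoadBalancerDescriptions": [
        {
            "LoadBalancerName": "legacy-clb",
            "Scheme": "internet-facing",
            "DNSName": "legacy-clb-789012.us-east-1.elb.amazonaws.com",
        }
    ]
})


def load_balancers(describe_output: str):
    """Yield (name, type, scheme, dns) tuples from either ELBv2 or Classic describe output.

    ELBv2 output keys its list as "LoadBalancers" and carries a "Type";
    Classic output keys it as "LoadBalancerDescriptions" and has no type field.
    """
    data = json.loads(describe_output)
    for lb in data.get("LoadBalancers", []):
        yield (lb["LoadBalancerName"], lb.get("Type", "unknown"),
               lb.get("Scheme", "").lower(), lb.get("DNSName", ""))
    for lb in data.get("LoadBalancerDescriptions", []):
        yield (lb["LoadBalancerName"], "classic",
               lb.get("Scheme", "").lower(), lb.get("DNSName", ""))


def internet_facing(describe_output: str):
    """Return the sorted names of load balancers whose scheme is internet-facing."""
    return sorted(name for name, _type, scheme, _dns in load_balancers(describe_output)
                  if scheme == "internet-facing")


def report(describe_output: str) -> str:
    """Human-readable finding per load balancer: PASS for internal, FAIL for internet-facing."""
    lines = []
    for name, lb_type, scheme, dns in load_balancers(describe_output):
        status = "FAIL" if scheme == "internet-facing" else "PASS"
        lines.append(f"{status}  {name:<20} {lb_type:<12} scheme={scheme or 'unknown':<16} {dns}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: aws elbv2 describe-load-balancers --output json | python3 audit_elb_scheme.py
    # Without piped input the script runs against the constructed samples above.
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        print(report(ELBV2_SAMPLE))
        print(report(ELB_CLASSIC_SAMPLE))
```

Run it once for `aws elbv2 describe-load-balancers` and once for `aws elb describe-load-balancers` per region; every FAIL line is a load balancer that should be reviewed against the remediation steps below.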
Implementation steps:
Sign in to the AWS Management console
Go to EC2 service at https://console.aws.amazon.com/ec2
Click on Load Balancers in the left navigation pane
Select the type of load balancer you want to create and click on Create
On the Configure Load Balancer page (this example uses an Application Load Balancer), provide a unique name for the load balancer
Set the scheme to Internal
Configure the remaining necessary options, such as listeners and availability zones, according to the configurations you noted, and click on Next: Configure Security Settings
On the Configure Security Settings page, choose a certificate type from the options available and click on Next: Configure Security Groups
On the Configure Security Groups page, select Create a new security group or use an existing one. This security group should contain a rule that allows traffic to the port that you configured your ALB to use. Click on Next: Configure Routing.
On the Configure Routing page, use an existing Target Group or create a new one based on your requirements, provide all the information required, and enable Health check
On the Register Targets page, use the Add to registered button to attach the necessary backend instances to the internal ALB and click on Next: Review.
Review all the details provided and click on Create
Backout plan:
In case of any abnormal behavior of the ELB, refer to the configurations noted before the change.
Reference:
Load balancer types - Amazon Elastic Container Service