Profile Applicability:

  • Level 2

Description:

A Classic Load Balancer (CLB) should be configured to span multiple Availability Zones (AZs) to ensure high availability and fault tolerance. By distributing incoming traffic across multiple AZs, the load balancer can help maintain application availability even in the event of an AZ failure.

Properly configured CLBs will have at least two or more AZs enabled and registered with healthy instances to provide a resilient and scalable architecture.

Rationale:

  • High Availability: Distributing load across multiple AZs reduces the risk of single points of failure and ensures continuous application availability.

  • Fault Tolerance: If one AZ becomes unavailable, the CLB can route traffic to healthy instances in other AZs, minimizing service disruptions.

  • Improved Performance: Load balancing across AZs optimizes resource utilization and improves response times by routing traffic to the closest or least-loaded instance.

  • Compliance: Many security and availability standards require multi-AZ deployment for mission-critical workloads.

Impact:

  • Pros:

    • Increased application availability and uptime.

    • Better fault tolerance during AZ failures or outages.

    • Optimized resource usage and balanced traffic distribution.

  • Cons:

    • Potential additional costs for running instances in multiple AZs.

    • Complexity in managing instances across multiple AZs.

Default Value:

  • By default, when a Classic Load Balancer is created, it is not automatically configured across multiple AZs.

  • AZs need to be manually enabled, and instances must be registered in each AZ.

Pre-Requisite:

  • IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer

    • elasticloadbalancing:RegisterInstancesWithLoadBalancer

  • AWS CLI installed and configured.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 Dashboard → Load Balancers.

                             

  1. Select Classic Load Balancers from the left-hand panel.

                                  

  1. For each Classic Load Balancer:

    • Select the CLB.

    • Go to the Description tab.

    • Under Availability Zones, verify that at least two AZs are enabled.

                                       

  • Ensure each enabled AZ has healthy registered instances.

Using AWS CLI:

List Classic Load Balancers and their AZs:

aws elb describe-load-balancers --region <region> --query 'LoadBalancerDescriptions[*].{Name:LoadBalancerName,AvailabilityZones:AvailabilityZones}' --output table

Expected Output (Pass):

 --------------------------------------------------------
|          DescribeLoadBalancers                       |
+-------------------+----------------------------------+
|      Name         |     AvailabilityZones           |
+-------------------+----------------------------------+
|  my-app-clb       |  [ "us-east-1a", "us-east-1b" ] |
+-------------------+----------------------------------+
Fail Output (Single AZ):
 --------------------------------------------------------
|          DescribeLoadBalancers                       |
+-------------------+----------------------------------+
|      Name         |     AvailabilityZones           |
+-------------------+----------------------------------+
|  my-app-clb       |  [ "us-east-1a" ]               |
+-------------------+----------------------------------+

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Console.

  2. Navigate to EC2 Dashboard → Load Balancers.

                   

  1. Select the Classic Load Balancer to modify.

           

  1. Under the Instances tab:

    • Click Edit Availability Zones.

                           

  • Select at least two AZs.

                         

  • Click Save.

                     

  1. Under the Instances tab, register instances in each selected AZ.

  2. Verify that all instances pass the health checks.

Using AWS CLI:

Enable Additional Availability Zones:

aws elb enable-availability-zones-for-load-balancer --load-balancer-name <clb-name> --availability-zones <az-1> <az-2>

 Example:

aws elb enable-availability-zones-for-load-balancer --load-balancer-name my-app-clb --availability-zones us-east-1a us-east-1b

Register Instances in the New AZs:

aws elb register-instances-with-load-balancer --load-balancer-name <clb-name> --instances <instance-id-1> <instance-id-2>

Verify the Updated AZ Configuration:

aws elb describe-load-balancers --load-balancer-names <clb-name> --query 'LoadBalancerDescriptions[*].AvailabilityZones' --output table

Check Instance Health:

aws elb describe-instance-health --load-balancer-name <clb-name> --query 'InstanceStates[*].{InstanceId:InstanceId,State:State}' --output table


Backout Plan:

If enabling multi-AZ causes issues:

Using AWS Console:

  • Navigate to EC2 Dashboard → Load Balancers.

  • Select the Classic Load Balancer.

  • Click Edit Availability Zones.

   

  • Deselect problematic AZ(s) and click Save.

Using AWS CLI:

 aws elb disable-availability-zones-for-load-balancer --load-balancer-name <clb-name> --availability-zones <az-to-remove>


 Example:

aws elb disable-availability-zones-for-load-balancer --load-balancer-name my-app-clb --availability-zones us-east-1b

References:

  1. AWS CLB Documentation

  2. AWS CLI - ELB Commands

  3. AWS High Availability Guide

CIS Controls:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

12.3

Ensure High Availability – Implement high availability by using multi-AZ deployments.

v7

9.1

Limit Exposure to External Networks – Utilize load balancers to reduce the exposure of internal services.