Profile Applicability 

  • Level 2

Description

Elastic Load Balancing (ELB) health checks allow Auto Scaling groups to monitor the health of instances based on the status reported by the load balancer. By enabling ELB health checks, Auto Scaling can replace unhealthy instances, ensuring high availability and optimal performance for your applications.

Rationale

  • Improved Fault Tolerance: Automatically replaces unhealthy instances based on ELB health checks.

  • Enhanced Availability: Ensures that only healthy instances serve traffic.

  • Compliance: Aligns with best practices for resilient and highly available architectures.

Impact

Pros:

  • Ensures that traffic is routed only to healthy instances.

  • Improves application reliability and user experience.

  • Automates the replacement of unhealthy instances.

Cons:

  • Requires proper configuration of ELB health checks.

  • May cause temporary disruptions if health checks are misconfigured.

Default Value

By default, Auto Scaling groups use EC2 instance status checks for health monitoring. ELB health checks must be explicitly enabled.

Pre-Requisite

IAM Permissions Required:

  • autoscaling:DescribeAutoScalingGroups

  • autoscaling:UpdateAutoScalingGroup

Other Requirements:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 > Auto Scaling Groups.

  3. Select the Auto Scaling Group associated with a load balancer.

  4. Under the Details tab, check the Health Check Type field. Verify that it includes ELB.

Using AWS CLI:

  1. Describe the Auto Scaling Group:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <asg-name>

  2. Check the HealthCheckType field in the output. Ensure it is set to ELB.
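The check above, applied to every group in the describe-auto-scaling-groups output at once. This is an added example, not part of the original benchmark text. It treats a group as in scope when LoadBalancerNames or TargetGroupARNs is non-empty; the sample JSON, the status labels and the REVIEW flag for a 0-second grace period are assumptions of this example.

```python
import json
import sys

# Constructed sample shaped like `aws autoscaling describe-auto-scaling-groups`
# output; group names, account ID and ARNs are made up.
SAMPLE_OUTPUT = """{"AutoScalingGroups": [
 {"AutoScalingGroupName": "web-asg", "HealthCheckType": "EC2",
  "HealthCheckGracePeriod": 300, "LoadBalancerNames": [], "TargetGroupARNs":
  ["arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/0123456789abcdef"]},
 {"AutoScalingGroupName": "api-asg", "HealthCheckType": "EC2,ELB",
  "HealthCheckGracePeriod": 300, "LoadBalancerNames": ["api-classic-lb"],
  "TargetGroupARNs": []},
 {"AutoScalingGroupName": "edge-asg", "HealthCheckType": "ELB",
  "HealthCheckGracePeriod": 0, "LoadBalancerNames": ["edge-classic-lb"],
  "TargetGroupARNs": []},
 {"AutoScalingGroupName": "batch-asg", "HealthCheckType": "EC2",
  "HealthCheckGracePeriod": 0, "LoadBalancerNames": [], "TargetGroupARNs": []}
]}"""


def audit(raw_json):
    """Map each group name to (status, detail) from the CLI's JSON output."""
    results = {}
    for asg in json.loads(raw_json).get("AutoScalingGroups", []):
        name = asg["AutoScalingGroupName"]
        attached = bool(asg.get("LoadBalancerNames") or asg.get("TargetGroupARNs"))
        # HealthCheckType may be a comma-separated list such as "EC2,ELB".
        types = {t.strip().upper() for t in asg.get("HealthCheckType", "").split(",")}
        grace = asg.get("HealthCheckGracePeriod", 0)
        if not attached:
            results[name] = ("NOT_APPLICABLE", "no load balancer or target group attached")
        elif "ELB" not in types:
            results[name] = ("FAIL", "HealthCheckType is %r" % asg.get("HealthCheckType"))
        elif grace == 0:
            # Assumption: a 0s grace period is flagged for review, not failed.
            results[name] = ("REVIEW", "ELB checks enabled but grace period is 0s")
        else:
            results[name] = ("PASS", "ELB checks enabled, grace period %ds" % grace)
    return results


if __name__ == "__main__":
    # Pipe real CLI output on stdin; with no input the constructed sample is used.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, (status, detail) in sorted(audit(piped.strip() or SAMPLE_OUTPUT).items()):
        print("%-14s %-10s %s" % (status, name, detail))
```

To run it against an account, pipe the output of the describe command (without --auto-scaling-group-names, so all groups are returned) into the script.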

Implementation Steps:

Using AWS Console:

  1. Navigate to EC2 > Auto Scaling Groups.

  2. Select the Auto Scaling Group to update.

  3. Click Edit and update the Health Check Type to ELB.

  4. Set the Health Check Grace Period to allow sufficient time for instances to initialize before health checks begin.

  5. Save the updated configuration.

Using AWS CLI:

  1. Enable ELB health checks for the Auto Scaling Group:

    aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name <asg-name> \
    --health-check-type ELB \
    --health-check-grace-period <grace-period-in-seconds>

  2. Verify the updated configuration:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <asg-name>

Backout Plan

Using AWS Console:

  1. If enabling ELB health checks causes issues, sign in to the AWS Management Console.

  2. Navigate to EC2, then to Auto Scaling Groups.

  3. Select the Auto Scaling Group and go to the Health Checks section.

  4. Change the Health Check Type from ELB back to EC2 if necessary.

  5. Save the changes and verify that EC2 health checks are now in use.

Using AWS CLI:

  1. To revert to EC2 health checks, run:

    aws autoscaling update-auto-scaling-group --auto-scaling-group-name <ASG_NAME> --health-check-type EC2 --health-check-grace-period <GRACE_PERIOD>

  2. Verify that the EC2 health checks are now in use:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <ASG_NAME>

References

CIS Controls

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | | |
| v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | | |