Profile Applicability:

  • Level 2

Description:

Elastic Load Balancer v2 (ELBv2) includes Application Load Balancers (ALBs) and Network Load Balancers (NLBs). These load balancers distribute incoming traffic across multiple targets such as EC2 instances, containers, and IP addresses. Configuring an ELBv2 across multiple Availability Zones (AZs) provides high availability and fault tolerance by ensuring that the load balancer can distribute traffic even if one AZ experiences a failure. This SOP ensures that your ELBv2 is configured to distribute traffic across multiple AZs to improve application uptime and resilience.

Rationale:

  • High Availability: Distributing traffic across multiple AZs ensures that if one AZ fails, the load balancer can still route traffic to the remaining healthy AZs, maintaining application availability.

  • Fault Tolerance: By leveraging multiple AZs, your load balancer can handle disruptions or failures in one AZ without affecting the availability of your applications.

  • Scalability: Configuring ELBv2 across multiple AZs ensures that it can scale and accommodate a growing number of incoming requests while maintaining performance.

Impact:

Pros:

  • Improved Resilience: Traffic can be routed to healthy targets in different AZs, improving application uptime and reliability.

  • Disaster Recovery: In case of a failure in one AZ, the load balancer automatically shifts traffic to healthy targets in other AZs, ensuring minimal impact.

  • Better Traffic Distribution: Ensures more balanced traffic distribution across multiple AZs, improving overall load balancing performance.

Cons:

  • Increased Costs: Configuring ELBv2 across multiple AZs may lead to higher data transfer costs between AZs.

  • Complexity: More configuration and management are required to set up and monitor the ELBv2 across multiple AZs.

Default Value:

By default, ELBv2 (ALB and NLB) is designed to work across multiple AZs, but the configuration of which AZs to use may need to be explicitly selected during the setup.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:DescribeTargetGroups

  • AWS CLI installed and configured.

  • Availability of multiple Availability Zones within the VPC where the ELBv2 is deployed.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select the ELBv2 (ALB or NLB) you want to inspect.

  4. In the Description tab, check the Availability Zones section:

    • It will display the AZs associated with the load balancer.

    • Ensure that more than one AZ is listed. If only one AZ is listed, the ELBv2 is not distributed across multiple AZs.

Using AWS CLI:

  1. To describe the ELBv2 and check the Availability Zones associated with it, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` || Type==`network`].{Name:LoadBalancerName,AvailabilityZones:AvailabilityZones[*].ZoneName}'

  2. The output will display the AZs associated with each ELBv2. Ensure that more than one AZ is listed for the load balancer.
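A small audit helper, added here as an example and not part of the original SOP, that applies step 2's check to the JSON returned by `aws elbv2 describe-load-balancers`: it counts distinct AZ names per ALB/NLB (two subnets in the same AZ do not count as two AZs), skips Gateway Load Balancers, and returns every load balancer below the threshold. The embedded sample output, load balancer names and subnet IDs are constructed for the example.

```python
import json

# Constructed sample of `aws elbv2 describe-load-balancers --output json`,
# trimmed to the fields the check uses (names and subnet IDs are made up).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "LoadBalancers": [
        {
            "LoadBalancerName": "web-alb",
            "Type": "application",
            "AvailabilityZones": [
                {"ZoneName": "us-east-1a", "SubnetId": "subnet-0aaa"},
                {"ZoneName": "us-east-1b", "SubnetId": "subnet-0bbb"},
            ],
        },
        {
            "LoadBalancerName": "api-nlb",
            "Type": "network",
            "AvailabilityZones": [
                {"ZoneName": "us-east-1a", "SubnetId": "subnet-0ccc"},
            ],
        },
        {
            # Gateway Load Balancers are ELBv2 too, but outside this SOP's scope.
            "LoadBalancerName": "inspect-gwlb",
            "Type": "gateway",
            "AvailabilityZones": [
                {"ZoneName": "us-east-1a", "SubnetId": "subnet-0ddd"},
            ],
        },
    ]
})

MIN_AZS = 2  # the SOP's requirement: more than one AZ


def audit_multi_az(describe_json, min_azs=MIN_AZS):
    """Return {load balancer name: sorted distinct AZ names} for every
    ALB or NLB that spans fewer than min_azs Availability Zones."""
    findings = {}
    for lb in json.loads(describe_json).get("LoadBalancers", []):
        if lb.get("Type") not in ("application", "network"):
            continue
        # Deduplicate on ZoneName so two subnets in one AZ count once.
        zones = sorted({az["ZoneName"] for az in lb.get("AvailabilityZones", [])})
        if len(zones) < min_azs:
            findings[lb["LoadBalancerName"]] = zones
    return findings


if __name__ == "__main__":
    for name, zones in audit_multi_az(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"FAIL {name}: only in {', '.join(zones)}")
```

Against a live account, replace the sample with the real CLI output (for example `aws elbv2 describe-load-balancers --output json`) and treat any returned entry as a finding for the Implementation Steps below.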

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select the ELBv2 to modify.

  3. Under the Description tab, click Edit Availability Zones.

  4. Add the desired Availability Zones to the ELBv2 if not already configured.

  5. Save the changes.

Using AWS CLI:

  1. To modify the ELBv2 and enable it across multiple AZs, run:

    aws elbv2 set-subnets \
      --load-balancer-arn <load-balancer-arn> \
      --subnets <subnet-id-1> <subnet-id-2>

  2. To verify the AZs after the modification, run:

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` || Type==`network`].{Name:LoadBalancerName,AvailabilityZones:AvailabilityZones[*].ZoneName}'

Backout Plan:

Using AWS Console:

  1. If configuring the ELBv2 across multiple AZs causes issues, sign in to the AWS Management Console, navigate to Elastic Load Balancing, select the Load Balancer, and go to the Description tab.

  2. Click Edit Subnets and remove subnets from additional AZs to revert to a single AZ configuration.

  3. Save the changes and verify that the ELBv2 is now only deployed in one AZ.

Using AWS CLI:

  1. To revert the ELBv2 to a single AZ, run:

    aws elbv2 set-subnets --load-balancer-arn <LOAD_BALANCER_ARN> --subnets <SINGLE_SUBNET_ID>

  2. Verify that the load balancer is no longer configured across multiple AZs:

    aws elbv2 describe-load-balancers --load-balancer-arn <LOAD_BALANCER_ARN>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                  | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                 |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.             |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                      |     |     |