Profile Applicability:

  • Level 1

Description:

For Network Load Balancers (NLBs) and Gateway Load Balancers (GWLBs), enabling Cross-Zone Load Balancing ensures that traffic is evenly distributed across alCross-Zone Load Balancing allows load balancers to route traffic to targets in all Availability Zones (AZs) that are registered with the load balancer. l registered targets, regardless of the AZ they are located in. This feature improves fault tolerance, increases resource utilization, and ensures better distribution of traffic across multiple AZs.

Rationale:

  • High Availability: Enabling Cross-Zone Load Balancing ensures that traffic is spread across all registered targets, improving the overall availability and fault tolerance of applications behind the load balancer.

  • Improved Load Distribution: Distributes traffic more evenly, which helps avoid overloading targets in one AZ and enhances overall performance.

  • Cost Optimization: Ensures that resources across multiple AZs are used efficiently, potentially reducing the need for additional load balancing resources in a single AZ.

Impact:

Pros:

  • Enhanced Availability: Traffic is distributed across all AZs, ensuring better availability and fault tolerance.

  • Improved Traffic Distribution: Helps in optimizing resource utilization by ensuring even traffic distribution across AZs.

  • Better Performance: Reduces the risk of overloading resources in a single AZ, leading to smoother application performance.

Cons:

  • Potential Latency: Traffic may incur additional latency when routed across AZs, depending on the specific use case.

  • Complexity: Enabling Cross-Zone Load Balancing may require a more complex architecture, especially when handling large-scale applications across multiple AZs.

Default Value:

By default, Cross-Zone Load Balancing is disabled for both NLBs and GWLBs. It must be explicitly enabled.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • elasticloadbalancing:ModifyLoadBalancerAttributes

  • AWS CLI installed and configured.

  • Ensure that NLB or GWLB is already created in your AWS environment.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing under Services.

  3. In the Load Balancers section, select Network Load Balancer (NLB) or Gateway Load Balancer (GWLB).

  4. Under the Attributes tab, verify if Cross-Zone Load Balancing is enabled.

    • If enabled, it will show as "Yes".

    • If not enabled, you can proceed to enable it.

  5. If Cross-Zone Load Balancing is disabled, you can modify the settings to enable it.

Using AWS CLI:

  1. To check if Cross-Zone Load Balancing is enabled, run the following command:

    aws elb describe-load-balancer-attributes --load-balancer-name <load-balancer-name> --query 'LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled'

  2. If the result is false, it means Cross-Zone Load Balancing is disabled. You can enable it by following the implementation steps below.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Elastic Load Balancing.

  2. In the Load Balancers section, select your Network Load Balancer (NLB) or Gateway Load Balancer (GWLB).

  3. Under the Attributes tab, locate the Cross-Zone Load Balancing option.

  4. Click Edit, then select Enabled to activate Cross-Zone Load Balancing.

  5. Save the changes to ensure that Cross-Zone Load Balancing is enabled.

Using AWS CLI:

  1. To enable Cross-Zone Load Balancing for a Network Load Balancer (NLB) or Gateway Load Balancer (GWLB), run:

    aws elb modify-load-balancer-attributes --load-balancer-name <load-balancer-name> --load-balancer-attributes '{
   "CrossZoneLoadBalancing": {
     "Enabled": true
   }
}'

  1. After enabling Cross-Zone Load Balancing, verify that the configuration has been updated by running the following:

    aws elb describe-load-balancer-attributes --load-balancer-name <load-balancer-name> --query 'LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled'

Backout Plan:

Using AWS Console:

  1. If enabling Cross-Zone Load Balancing causes issues, sign in to the AWS Management Console.

  2. Navigate to Elastic Load Balancing, select the Load Balancer, and go to the Description tab.

  3. Click Edit and disable Cross-Zone Load Balancing.

  4. Save the changes and verify that the traffic is no longer being routed across multiple AZs.

Using AWS CLI:

  1. To disable Cross-Zone Load Balancing, run:

    aws elbv2 modify-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN> --attributes Key=cross_zone_load_balancing.enabled,Value=false

  2. Verify that the Cross-Zone Load Balancing has been disabled:

    aws elbv2 describe-load-balancer-attributes --load-balancer-arn <LOAD_BALANCER_ARN>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.