0% found this document useful (0 votes)

87 views

Elastic Load Balancing: User Guide

Uploaded by

Prashant Garje

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

87 views

Elastic Load Balancing: User Guide

Uploaded by

Prashant Garje

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 32

Elastic Load Balancing

User Guide
Elastic Load Balancing User Guide

Elastic Load Balancing: User Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be aﬃliated with, connected to, or sponsored by Amazon.
Elastic Load Balancing User Guide

Table of Contents
What is Elastic Load Balancing? ........................................................................................................... 1
Load balancer benefits ................................................................................................................ 1
Features of Elastic Load Balancing ............................................................................................... 1
Accessing Elastic Load Balancing .................................................................................................. 1
Related services ......................................................................................................................... 2
Pricing ...................................................................................................................................... 2
How Elastic Load Balancing works ........................................................................................................ 3
Availability Zones and load balancer nodes ................................................................................... 3
Cross-zone load balancing ................................................................................................... 3
Request routing ......................................................................................................................... 5
Routing algorithm .............................................................................................................. 5
HTTP connections .............................................................................................................. 5
HTTP headers .................................................................................................................... 6
HTTP header limits ............................................................................................................ 6
Load balancer scheme ................................................................................................................ 7
Network MTU ............................................................................................................................ 7
Getting started .................................................................................................................................. 9
Create an Application Load Balancer ............................................................................................ 9
Create a Network Load Balancer .................................................................................................. 9
Create a Gateway Load Balancer .................................................................................................. 9
Create a Classic Load Balancer ..................................................................................................... 9
Security ........................................................................................................................................... 10
Data protection ........................................................................................................................ 10
Encryption at rest ............................................................................................................. 11
Encryption in transit ......................................................................................................... 11
Identity and access management ............................................................................................... 11
Grant permissions using IAM policies .................................................................................. 12
API actions for Elastic Load Balancing ................................................................................. 12
Elastic Load Balancing resources ........................................................................................ 13
Resource-level permissions for Elastic Load Balancing ........................................................... 14
Condition keys for Elastic Load Balancing ............................................................................ 16
Predefined AWS managed policies ...................................................................................... 17
API permissions ................................................................................................................ 18
Service-linked role ............................................................................................................ 19
Compliance validation ............................................................................................................... 21
Resilience ................................................................................................................................ 21
Infrastructure security ............................................................................................................... 22
Network isolation ............................................................................................................. 22
Controlling network traffic ................................................................................................ 22
Interface VPC endpoints ............................................................................................................ 23
Create an interface endpoint for Elastic Load Balancing ........................................................ 23
Create a VPC endpoint policy for Elastic Load Balancing ........................................................ 24
Migrate your Classic Load Balancer ..................................................................................................... 25
Step 1: Create a new load balancer ............................................................................................ 25
Option 1: Use the migration wizard in the console ............................................................... 25
Option 2: Use the load balancer copy utility from github ....................................................... 26
Option 3: Migrate manually to an Application Load Balancer or Network Load Balancer .............. 27
Option 4: Migrate manually to a Classic Load Balancer in a VPC ............................................. 27
Step 2: Gradually redirect traffic to your new load balancer ........................................................... 28
Step 3: Update policies, scripts, and code .................................................................................... 28
Step 4: Delete the old load balancer ........................................................................................... 29

iii
Elastic Load Balancing User Guide
Load balancer beneﬁts

What is Elastic Load Balancing?

Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as
EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of
its registered targets, and routes traffic only to the healthy targets. Elastic Load Balancing scales your
load balancer as your incoming traffic changes over time. It can automatically scale to the vast majority
of workloads.

Load balancer beneﬁts

A load balancer distributes workloads across multiple compute resources, such as virtual servers. Using a
load balancer increases the availability and fault tolerance of your applications.

You can add and remove compute resources from your load balancer as your needs change, without
disrupting the overall ﬂow of requests to your applications.

You can conﬁgure health checks, which monitor the health of the compute resources, so that the load
balancer sends requests only to the healthy ones. You can also oﬄoad the work of encryption and
decryption to your load balancer so that your compute resources can focus on their main work.

Features of Elastic Load Balancing

Elastic Load Balancing supports the following load balancers: Application Load Balancers, Network Load
Balancers, Gateway Load Balancers, and Classic Load Balancers. You can select the type of load balancer
that best suits your needs. For more information, see Product comparisons.

For more information about using each load balancer, see the User Guide for Application Load Balancers,
the User Guide for Network Load Balancers, the User Guide for Gateway Load Balancers, and the User
Guide for Classic Load Balancers.

Accessing Elastic Load Balancing

You can create, access, and manage your load balancers using any of the following interfaces:

• AWS Management Console— Provides a web interface that you can use to access Elastic Load
Balancing.
• AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services,
including Elastic Load Balancing. The AWS CLI is supported on Windows, macOS, and Linux. For more
information, see AWS Command Line Interface.
• AWS SDKs — Provide language-speciﬁc APIs and take care of many of the connection details, such as
calculating signatures, handling request retries, and error handling. For more information, see AWS
SDKs.
• Query API— Provides low-level API actions that you call using HTTPS requests. Using the Query
API is the most direct way to access Elastic Load Balancing. However, the Query API requires that
your application handle low-level details such as generating the hash to sign the request, and error
handling. For more information, see the following:
• Application Load Balancers and Network Load Balancers — API version 2015-12-01

1
Elastic Load Balancing User Guide
Related services

• Classic Load Balancers — API version 2012-06-01

Related services
Elastic Load Balancing works with the following services to improve the availability and scalability of
your applications.

• Amazon EC2 — Virtual servers that run your applications in the cloud. You can configure your load
balancer to route traffic to your EC2 instances. For more information, see the Amazon EC2 User Guide
for Linux Instances or the Amazon EC2 User Guide for Windows Instances.
• Amazon EC2 Auto Scaling — Ensures that you are running your desired number of instances, even if
an instance fails. Amazon EC2 Auto Scaling also enables you to automatically increase or decrease the
number of instances as the demand on your instances changes. If you enable Auto Scaling with Elastic
Load Balancing, instances that are launched by Auto Scaling are automatically registered with the load
balancer. Likewise, instances that are terminated by Auto Scaling are automatically de-registered from
the load balancer. For more information, see the Amazon EC2 Auto Scaling User Guide.
• AWS Certificate Manager — When you create an HTTPS listener, you can specify certificates provided
by ACM. The load balancer uses certificates to terminate connections and decrypt requests from
clients.
• Amazon CloudWatch — Enables you to monitor your load balancer and to take action as needed. For
more information, see the Amazon CloudWatch User Guide.
• Amazon ECS — Enables you to run, stop, and manage Docker containers on a cluster of EC2 instances.
You can configure your load balancer to route traffic to your containers. For more information, see the
Amazon Elastic Container Service Developer Guide.
• AWS Global Accelerator — Improves the availability and performance of your application. Use an
accelerator to distribute traffic across multiple load balancers in one or more AWS Regions. For more
information, see the AWS Global Accelerator Developer Guide.
• Route 53 — Provides a reliable and cost-effective way to route visitors to websites by translating
domain names into the numeric IP addresses that computers use to connect to each other. For
example, it would translate www.example.com into the numeric IP address 192.0.2.1. AWS assigns
URLs to your resources, such as load balancers. However, you might want a URL that is easy for users
to remember. For example, you can map your domain name to a load balancer. For more information,
see the Amazon Route 53 Developer Guide.
• AWS WAF — You can use AWS WAF with your Application Load Balancer to allow or block requests
based on the rules in a web access control list (web ACL). For more information, see the AWS WAF
Developer Guide.

Pricing
With your load balancer, you pay only for what you use. For more information, see Elastic Load Balancing
pricing.

2
Elastic Load Balancing User Guide
Availability Zones and load balancer nodes

How Elastic Load Balancing works

A load balancer accepts incoming traffic from clients and routes requests to its registered targets (such
as EC2 instances) in one or more Availability Zones. The load balancer also monitors the health of its
registered targets and ensures that it routes traffic only to healthy targets. When the load balancer
detects an unhealthy target, it stops routing traffic to that target. It then resumes routing traffic to that
target when it detects that the target is healthy again.

You configure your load balancer to accept incoming traffic by specifying one or more listeners. A listener
is a process that checks for connection requests. It is configured with a protocol and port number for
connections from clients to the load balancer. Likewise, it is configured with a protocol and port number
for connections from the load balancer to the targets.

Elastic Load Balancing supports the following types of load balancers:

• Application Load Balancers

• Network Load Balancers
• Gateway Load Balancers
• Classic Load Balancers

There is a key difference in how the load balancer types are configured. With Application Load Balancers,
Network Load Balancers, and Gateway Load Balancers, you register targets in target groups, and route
traffic to the target groups. With Classic Load Balancers, you register instances with the load balancer.

Availability Zones and load balancer nodes

When you enable an Availability Zone for your load balancer, Elastic Load Balancing creates a load
balancer node in the Availability Zone. If you register targets in an Availability Zone but do not enable
the Availability Zone, these registered targets do not receive traﬃc. Your load balancer is most eﬀective
when you ensure that each enabled Availability Zone has at least one registered target.

We recommend enabling multiple Availability Zones for all load balancers. With an Application Load
Balancer however, it is a requirement that you enable at least two or more Availability Zones. This
configuration helps ensure that the load balancer can continue to route traffic. If one Availability Zone
becomes unavailable or has no healthy targets, the load balancer can route traffic to the healthy targets
in another Availability Zone.

After you disable an Availability Zone, the targets in that Availability Zone remain registered with the
load balancer. However, even though they remain registered, the load balancer does not route traﬃc to
them.

Cross-zone load balancing

The nodes for your load balancer distribute requests from clients to registered targets. When cross-
zone load balancing is enabled, each load balancer node distributes traﬃc across the registered targets
in all enabled Availability Zones. When cross-zone load balancing is disabled, each load balancer node
distributes traﬃc only across the registered targets in its Availability Zone.

The following diagrams demonstrate the eﬀect of cross-zone load balancing. There are two enabled
Availability Zones, with two targets in Availability Zone A and eight targets in Availability Zone B. Clients

3
Elastic Load Balancing User Guide
Cross-zone load balancing

send requests, and Amazon Route 53 responds to each request with the IP address of one of the load
balancer nodes. This distributes traffic such that each load balancer node receives 50% of the traffic from
the clients. Each load balancer node distributes its share of the traffic across the registered targets in its
scope.

If cross-zone load balancing is enabled, each of the 10 targets receives 10% of the traﬃc. This is because
each load balancer node can route its 50% of the client traﬃc to all 10 targets.

If cross-zone load balancing is disabled:

• Each of the two targets in Availability Zone A receives 25% of the traﬃc.
• Each of the eight targets in Availability Zone B receives 6.25% of the traﬃc.

This is because each load balancer node can route its 50% of the client traﬃc only to targets in its
Availability Zone.

With Application Load Balancers, cross-zone load balancing is always enabled.

With Network Load Balancers and Gateway Load Balancers, cross-zone load balancing is disabled by
default. After you create the load balancer, you can enable or disable cross-zone load balancing at any
time.

When you create a Classic Load Balancer, the default for cross-zone load balancing depends on how you
create the load balancer. With the API or CLI, cross-zone load balancing is disabled by default. With the
AWS Management Console, the option to enable cross-zone load balancing is selected by default. After
you create a Classic Load Balancer, you can enable or disable cross-zone load balancing at any time. For
more information, see Enable cross-zone load balancing in the User Guide for Classic Load Balancers.

4
Elastic Load Balancing User Guide
Request routing

Request routing
Before a client sends a request to your load balancer, it resolves the load balancer's domain name using a
Domain Name System (DNS) server. The DNS entry is controlled by Amazon, because your load balancers
are in the amazonaws.com domain. The Amazon DNS servers return one or more IP addresses to the
client. These are the IP addresses of the load balancer nodes for your load balancer. With Network Load
Balancers, Elastic Load Balancing creates a network interface for each Availability Zone that you enable.
Each load balancer node in the Availability Zone uses this network interface to get a static IP address.
You can optionally associate one Elastic IP address with each network interface when you create the load
balancer.

As traffic to your application changes over time, Elastic Load Balancing scales your load balancer and
updates the DNS entry. The DNS entry also specifies the time-to-live (TTL) of 60 seconds. This helps
ensure that the IP addresses can be remapped quickly in response to changing traffic.

The client determines which IP address to use to send requests to the load balancer. The load balancer
node that receives the request selects a healthy registered target and sends the request to the target
using its private IP address.

Routing algorithm
With Application Load Balancers, the load balancer node that receives the request uses the following
process:

1. Evaluates the listener rules in priority order to determine which rule to apply.
2. Selects a target from the target group for the rule action, using the routing algorithm conﬁgured for
the target group. The default routing algorithm is round robin. Routing is performed independently
for each target group, even when a target is registered with multiple target groups.

With Network Load Balancers, the load balancer node that receives the connection uses the following
process:

1. Selects a target from the target group for the default rule using a flow hash algorithm. It bases the
algorithm on:
• The protocol
• The source IP address and source port
• The destination IP address and destination port
• The TCP sequence number
2. Routes each individual TCP connection to a single target for the life of the connection. The TCP
connections from a client have different source ports and sequence numbers, and can be routed to
different targets.

With Classic Load Balancers, the load balancer node that receives the request selects a registered
instance as follows:

• Uses the round robin routing algorithm for TCP listeners

• Uses the least outstanding requests routing algorithm for HTTP and HTTPS listeners

HTTP connections
Classic Load Balancers use pre-open connections, but Application Load Balancers do not. Both Classic
Load Balancers and Application Load Balancers use connection multiplexing. This means that requests

5
Elastic Load Balancing User Guide
HTTP headers

from multiple clients on multiple front-end connections can be routed to a given target through
a single backend connection. Connection multiplexing improves latency and reduces the load on
your applications. To prevent connection multiplexing, disable HTTP keep-alives by setting the
Connection: close header in your HTTP responses.

Application Load Balancers and Classic Load Balancers support pipelined HTTP on front-end connections.
They do not support pipelined HTTP on backend connections.

Application Load Balancers support the following protocols on front-end connections: HTTP/0.9,
HTTP/1.0, HTTP/1.1, and HTTP/2. You can use HTTP/2 only with HTTPS listeners, and can send up
to 128 requests in parallel using one HTTP/2 connection. Application Load Balancers also support
connection upgrades from HTTP to WebSockets. However, if there is a connection upgrade, Application
Load Balancer listener routing rules and AWS WAF integrations no longer apply.

Application Load Balancers use HTTP/1.1 on backend connections (load balancer to registered target) by
default. However, you can use the protocol version to send the request to the targets using HTTP/2 or
gRPC. For more information, see Protocol versions. Keep-alive is supported on backend connections by
default. For HTTP/1.0 requests from clients that do not have a host header, the load balancer generates
a host header for the HTTP/1.1 requests sent on the backend connections. The host header contains the
DNS name of the load balancer.

Classic Load Balancers support the following protocols on front-end connections (client to load
balancer): HTTP/0.9, HTTP/1.0, and HTTP/1.1. They use HTTP/1.1 on backend connections (load
balancer to registered target). Keep-alive is supported on backend connections by default. For
HTTP/1.0 requests from clients that do not have a host header, the load balancer generates a host
header for the HTTP/1.1 requests sent on the backend connections. The host header contains the IP
address of the load balancer node.

HTTP headers
Application Load Balancers and Classic Load Balancers automatically add X-Forwarded-For, X-
Forwarded-Proto, and X-Forwarded-Port headers to the request.

Application Load Balancers convert the hostnames in HTTP host headers to lower case before sending
them to targets.

For front-end connections that use HTTP/2, the header names are in lowercase. Before the request
is sent to the target using HTTP/1.1, the following header names are converted to mixed case: X-
Forwarded-For, X-Forwarded-Proto, X-Forwarded-Port, Host, X-Amzn-Trace-Id, Upgrade, and
Connection. All other header names are in lowercase.

Application Load Balancers and Classic Load Balancers honor the connection header from the incoming
client request after proxying the response back to the client.

When Application Load Balancers and Classic Load Balancers receive an Expect header, they respond to
the client immediately with an HTTP 100 Continue without testing the content length header, remove
the Expect header, and then route the request.

HTTP header limits

The following size limits for Application Load Balancers are hard limits that cannot be changed.

HTTP/1.x headers

• Request line: 16 K
• Single header: 16 K
• Whole header: 64 K

6
Elastic Load Balancing User Guide
Load balancer scheme

HTTP/2 headers

• Request line: 16 K
• Single header: 16 K
• Whole header: 64 K

Load balancer scheme

When you create a load balancer, you must choose whether to make it an internal load balancer or an
internet-facing load balancer. Note that when you create a Classic Load Balancer in EC2-Classic, it must
be an internet-facing load balancer.

The nodes of an internet-facing load balancer have public IP addresses. The DNS name of an internet-
facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, internet-
facing load balancers can route requests from clients over the internet.

The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load
balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers
can only route requests from clients with access to the VPC for the load balancer.

Both internet-facing and internal load balancers route requests to your targets using private IP
addresses. Therefore, your targets do not need public IP addresses to receive requests from an internal or
an internet-facing load balancer.

If your application has multiple tiers, you can design an architecture that uses both internal and internet-
facing load balancers. For example, this is true if your application uses web servers that must be
connected to the internet, and application servers that are only connected to the web servers. Create
an internet-facing load balancer and register the web servers with it. Create an internal load balancer
and register the application servers with it. The web servers receive requests from the internet-facing
load balancer and send requests for the application servers to the internal load balancer. The application
servers receive requests from the internal load balancer.

Network MTU for your load balancer

The maximum transmission unit (MTU) of a network connection is the size, in bytes, of the largest
permissible packet that can be passed over the connection. The larger the MTU of a connection, the
more data that can be passed in a single packet. Ethernet packets consist of the frame, or the actual data
you are sending, and the network overhead information that surrounds it. Traﬃc sent over an internet
gateway is limited to 1500 MTU. This means that if packets are over 1500 bytes, they are fragmented, or
they are dropped if the Don't Fragment ﬂag is set in the IP header.

The MTU size on an Application Load Balancer, Network Load Balancer, or Classic Load Balancer node is
not conﬁgurable. Jumbo frames (MTU 9001) are standard across all load balancer nodes. The path MTU
is the maximum packet size that is supported on the path between the originating host and the receiving
host. Path MTU Discovery (PMTUD) is used to determine the path MTU between two devices. Path MTU
Discovery is especially important if the client or target does not support jumbo frames.

When a host sends a packet that is larger than the MTU of the receiving host or larger than the MTU of
a device along the path, the receiving host or device drops the packet, and then returns the following
ICMP message: Destination Unreachable: Fragmentation Needed and Don't Fragment
was Set (Type 3, Code 4). This instructs the transmitting host to split the payload into multiple
smaller packets, and retransmit them.

If packets larger than the MTU size of the client or target interface continue to be dropped, it is likely
that Path MTU Discovery (PMTUD) is not working. To avoid this, ensure that Path MTU Discovery is

7
Elastic Load Balancing User Guide
Network MTU

working end to end, and that you have enabled jumbo frames on your clients and targets. For more
information about Path MTU Discovery and enabling jumbo frames, see Path MTU Discovery in the
Amazon EC2 User Guide.

8
Elastic Load Balancing User Guide
Create an Application Load Balancer

Getting started with Elastic Load

Balancing
Elastic Load Balancing supports the following load balancers: Application Load Balancers, Network Load
Balancers, Gateway Load Balancers, and Classic Load Balancers. You can select the type of load balancer
that best suits your needs. For more information, see Product comparisons.

For demos of common load balancer conﬁgurations, see Elastic Load Balancing demos.

If you have an existing Classic Load Balancer, you can migrate to an Application Load Balancer or a
Network Load Balancer. For more information, see Migrate your Classic Load Balancer (p. 25).

Contents
• Create an Application Load Balancer (p. 9)
• Create a Network Load Balancer (p. 9)
• Create a Gateway Load Balancer (p. 9)
• Create a Classic Load Balancer (p. 9)

Create an Application Load Balancer

To create an Application Load Balancer using the AWS Management Console, see Getting started with
Application Load Balancers in the User Guide for Application Load Balancers.

To create an Application Load Balancer using the AWS CLI, see Create an Application Load Balancer using
the AWS CLI in the User Guide for Application Load Balancers.

Create a Network Load Balancer

To create a Network Load Balancer using the AWS Management Console, see Getting started with
Network Load Balancers in the User Guide for Network Load Balancers.

To create a Network Load Balancer using the AWS CLI, see Create a Network Load Balancer using the
AWS CLI in the User Guide for Network Load Balancers.

Create a Gateway Load Balancer

To create a Gateway Load Balancer using the AWS Management Console, see Getting started with
Gateway Load Balancers in the User Guide for Gateway Load Balancers.

To create a Gateway Load Balancer using the AWS CLI, see Getting started with Gateway Load Balancers
using the AWS CLI in the User Guide for Gateway Load Balancers.

Create a Classic Load Balancer

To create a Classic Load Balancer using the AWS Management Console, see Create a Classic Load
Balancer in the User Guide for Classic Load Balancers.

9
Elastic Load Balancing User Guide
Data protection

Security in Elastic Load Balancing

Cloud security at AWS is the highest priority. As an AWS customer, you beneﬁt from a data center
and network architecture that are built to meet the requirements of the most security-sensitive
organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this
as security of the cloud and security in the cloud:

• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in
the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors
regularly test and verify the eﬀectiveness of our security as part of the AWS compliance programs. To
learn about the compliance programs that apply to Elastic Load Balancing, see AWS services in scope
by compliance program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also
responsible for other factors including the sensitivity of your data, your company's requirements, and
applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using
Elastic Load Balancing. It shows you how to conﬁgure Elastic Load Balancing to meet your security and
compliance objectives. You also learn how to use other AWS services that help you to monitor and secure
your Elastic Load Balancing resources.

With a Gateway Load Balancer, you are responsible for choosing and qualifying software from appliance
vendors. You must trust the appliance software to inspect or modify traﬃc from the load balancer,
which operates at the layer 3 of the Open Systems Interconnection (OSI) model, the network layer. The
appliance vendors listed as Elastic Load Balancing Partners have integrated and qualiﬁed their appliance
software with AWS. You can place a higher degree of trust in the appliance software from vendors in this
list. However, AWS does not guarantee the security or reliability of software from these vendors.

Contents
• Data protection in Elastic Load Balancing (p. 10)
• Identity and access management for Elastic Load Balancing (p. 11)
• Compliance validation for Elastic Load Balancing (p. 21)
• Resilience in Elastic Load Balancing (p. 21)
• Infrastructure security in Elastic Load Balancing (p. 22)
• Elastic Load Balancing and interface VPC endpoints (p. 23)

Data protection in Elastic Load Balancing

The AWS shared responsibility model applies to data protection in Elastic Load Balancing. As described
in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud.
You are responsible for maintaining control over your content that is hosted on this infrastructure. This
content includes the security conﬁguration and management tasks for the AWS services that you use. For
more information about data privacy, see the Data Privacy FAQ. For information about data protection in
Europe, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.

For data protection purposes, we recommend that you protect AWS account credentials and set up
individual user accounts with AWS Identity and Access Management (IAM). That way each user is given
only the permissions necessary to fulﬁll their job duties. We also recommend that you secure your data
in the following ways:

10
Elastic Load Balancing User Guide
Encryption at rest

• Use multi-factor authentication (MFA) with each account.

• Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
• Set up API and user activity logging with AWS CloudTrail.
• Use AWS encryption solutions, along with all default security controls within AWS services.
• Use advanced managed security services such as Amazon Macie, which assists in discovering and
securing personal data that is stored in Amazon S3.
• If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command
line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints,
see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put sensitive identifying information, such as your customers'
account numbers, into free-form ﬁelds such as a Name ﬁeld. This includes when you work with Elastic
Load Balancing or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that
you enter into Elastic Load Balancing or other services might get picked up for inclusion in diagnostic
logs. When you provide a URL to an external server, don't include credentials information in the URL to
validate your request to that server.

Encryption at rest
If you enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3) for your S3
bucket for Elastic Load Balancing access logs, Elastic Load Balancing automatically encrypts each access
log file before it is stored in your S3 bucket. Elastic Load Balancing also decrypts the access log files
when you access them. Each log file is encrypted with a unique key, which is itself encrypted with a
master key that is regularly rotated.

Encryption in transit
Elastic Load Balancing simplifies the process of building secure web applications by terminating HTTPS
and TLS traffic from clients at the load balancer. The load balancer performs the work of encrypting and
decrypting the traffic, instead of requiring each EC2 instance to handle the work for TLS termination.
When you configure a secure listener, you specify the cipher suites and protocol versions that are
supported by your application, and a server certificate to install on your load balancer. You can use
AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) to manage your server
certificates. Application Load Balancers support HTTPS listeners. Network Load Balancers support TLS
listeners. Classic Load Balancers support both HTTPS and TLS listeners.

Identity and access management for Elastic Load

Balancing
AWS uses security credentials to identify you and to grant you access to your AWS resources. You can
use the features of AWS Identity and Access Management (IAM) to allow other users, services, and
applications to use your AWS resources fully or in a limited way. You can do this without sharing your
security credentials.

By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM
user to access resources such as a load balancer, and to perform tasks, you:

1. Create an IAM policy that grants the IAM user permission to use the speciﬁc resources and API actions
they need.
2. Attach the policy to the IAM user or the group that the IAM user belongs to.

11
Elastic Load Balancing User Guide
Grant permissions using IAM policies

When you attach a policy to a user or group of users, it allows or denies the users permission to perform
the speciﬁed tasks on the speciﬁed resources.

For example, you can use IAM to create users and groups under your AWS account. An IAM user can be
a person, a system, or an application. Then you grant permissions to the users and groups to perform
speciﬁc actions on the speciﬁed resources using an IAM policy.

Grant permissions using IAM policies

When you attach a policy to a user or group of users, it allows or denies the users permission to perform
the speciﬁed tasks on the speciﬁed resources.

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured
as shown in the following example.

{
"Version": "2012-10-17",
"Statement":[{
"Effect": "effect",
"Action": "action",
"Resource": "resource-arn",
"Condition": {
"condition": {
"key":"value"
}
}
}]
}

• Effect— The effect can be Allow or Deny. By default, IAM users don't have permission to use resources
and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny
overrides any allows.
• Action— The action is the specific API action for which you are granting or denying permission. For
more information about specifying action, see API actions for Elastic Load Balancing (p. 12).
• Resource— The resource that's affected by the action. With many Elastic Load Balancing API actions,
you can restrict the permissions granted or denied to a specific load balancer. To do so, specify its
Amazon Resource Name (ARN) in this statement. Otherwise, you can use the * wildcard to specify all of
your load balancers. For more information, see Elastic Load Balancing resources (p. 13).
• Condition— You can optionally use conditions to control when your policy is in effect. For more
information, see Condition keys for Elastic Load Balancing (p. 16).

For more information, see the IAM User Guide.

API actions for Elastic Load Balancing

In the Action element of your IAM policy statement, you can specify any API action that Elastic Load
Balancing oﬀers. You must preﬁx the action name with the lowercase string elasticloadbalancing:,
as shown in the following example.

"Action": "elasticloadbalancing:DescribeLoadBalancers"

To specify multiple actions in a single statement, enclose them in square brackets and separate them
with a comma, as shown in the following example.

"Action": [
"elasticloadbalancing:DescribeLoadBalancers",

12
Elastic Load Balancing User Guide
Elastic Load Balancing resources

"elasticloadbalancing:DeleteLoadBalancer"
]

You can also specify multiple actions using the * wildcard. The following example speciﬁes all API action
names for Elastic Load Balancing that start with Describe.

"Action": "elasticloadbalancing:Describe*"

To specify all API actions for Elastic Load Balancing, use the * wildcard, as shown in the following
example.

"Action": "elasticloadbalancing:*"

For the complete list of the API actions for Elastic Load Balancing, see the following documentation:

• Application Load Balancers and Network Load Balancers — API Reference version 2015-12-01
• Classic Load Balancers — API Reference version 2012-06-01

Elastic Load Balancing resources

Resource-level permissions refers to the ability to specify which resources users are allowed to perform
actions on. Elastic Load Balancing has partial support for resource-level permissions. For API actions that
support resource-level permissions, you can control the resources that users are allowed to use with the
action. To specify a resource in a policy statement, you must use its Amazon Resource Name (ARN). When
specifying an ARN, you can use the * wildcard in your paths. For example, you can use the * wildcard
when you do not want to specify the exact load balancer name.

The ARN for an Application Load Balancer has the format shown in the following example.

arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/app/load-balancer-
name/load-balancer-id

The ARN for a Network Load Balancer has the format shown in the following example.

arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/net/load-balancer-
name/load-balancer-id

The ARN for a Classic Load Balancer has the format shown in the following example.

arn:aws:elasticloadbalancing:region-code:account-id:loadbalancer/load-balancer-name

The ARNs for a listener and a listener rule for an Application Load Balancer have the format shown in the
following example.

arn:aws:elasticloadbalancing:region-code:account-id:listener/app/load-balancer-name/load-
balancer-id/listener-id
arn:aws:elasticloadbalancing:region-code:account-id:listener-rule/app/load-balancer-
name/load-balancer-id/listener-id/rule-id

The ARN for a listener for a Network Load Balancer has the format shown in the following example.

arn:aws:elasticloadbalancing:region-code:account-id:listener/net/load-balancer-name/load-
balancer-id/listener-id

13
Elastic Load Balancing User Guide
Resource-level permissions for Elastic Load Balancing

The ARN for a target group has the format shown in the following example.

arn:aws:elasticloadbalancing:region-code:account-id:targetgroup/target-group-name/target-
group-id

API actions with no support for resource-level permissions

The following Elastic Load Balancing actions do not support resource-level permissions:

• API version 2015-12-01:

• DescribeAccountLimits
• DescribeListenerCertificates
• DescribeListeners
• DescribeLoadBalancerAttributes
• DescribeLoadBalancers
• DescribeRules
• DescribeSSLPolicies
• DescribeTags
• DescribeTargetGroupAttributes
• DescribeTargetGroups
• DescribeTargetHealth
• API version 2012-06-01:
• DescribeInstanceHealth
• DescribeLoadBalancerAttributes
• DescribeLoadBalancerPolicyTypes
• DescribeLoadBalancers
• DescribeLoadBalancerPolicies
• DescribeTags

For API actions that don't support resource-level permissions, you must specify the resource statement
shown in the following example.

"Resource": "*"

Resource-level permissions for Elastic Load Balancing

The following tables describe the Elastic Load Balancing actions that support resource-level permissions,
and the supported resources for each action.

API version 2015-12-01

API action Resource ARNs

AddListenerCertificates listener

AddTags load balancer, target group

CreateListener load balancer

CreateLoadBalancer load balancer

CreateRule listener

14
Elastic Load Balancing User Guide
Resource-level permissions for Elastic Load Balancing

API action Resource ARNs

CreateTargetGroup target group

DeleteListener listener

DeleteLoadBalancer load balancer

DeleteRule listener rule

DeleteTargetGroup target group

DeregisterTargets target group

ModifyListener listener

ModifyLoadBalancerAttributes load balancer

ModifyRule listener rule

ModifyTargetGroup target group

ModifyTargetGroupAttributes target group

RegisterTargets target group

RemoveListenerCertificates listener

RemoveTags load balancer, target group

SetIpAddressType load balancer

SetRulePriorities listener rule

SetSecurityGroups load balancer

SetSubnets load balancer

API version 2012-06-01

API action Resource ARNs

AddTags load balancer

ApplySecurityGroupsToLoadBalancer load balancer

AttachLoadBalancerToSubnets load balancer

ConfigureHealthCheck load balancer

CreateAppCookieStickinessPolicy load balancer

CreateLBCookieStickinessPolicy load balancer

CreateLoadBalancer load balancer

CreateLoadBalancerListeners load balancer

CreateLoadBalancerPolicy load balancer

DeleteLoadBalancer load balancer

15
Elastic Load Balancing User Guide
Condition keys for Elastic Load Balancing

API action Resource ARNs

DeleteLoadBalancerListeners load balancer

DeleteLoadBalancerPolicy load balancer

DeregisterInstancesFromLoadBalancer load balancer

DetachLoadBalancerFromSubnets load balancer

DisableAvailabilityZonesForLoadBalancer load balancer

EnableAvailabilityZonesForLoadBalancer load balancer

ModifyLoadBalancerAttributes load balancer

RegisterInstancesWithLoadBalancer load balancer

RemoveTags load balancer

SetLoadBalancerListenerSSLCertificate load balancer

SetLoadBalancerPoliciesForBackendServer load balancer

SetLoadBalancerPoliciesOfListener load balancer

Condition keys for Elastic Load Balancing

When you create a policy, you can specify the conditions that control when the policy is in eﬀect. Each
condition contains one or more key-value pairs. There are global condition keys and service-speciﬁc
condition keys.

You cannot use the aws:SourceIp condition key with Elastic Load Balancing.

The elasticloadbalancing:ResourceTag/key condition key is speciﬁc to Elastic Load Balancing.

The following actions support this condition key:

API version 2015-12-01

• AddTags
• CreateListener
• CreateLoadBalancer
• DeleteLoadBalancer
• DeleteTargetGroup
• DeregisterTargets
• ModifyLoadBalancerAttributes
• ModifyTargetGroup
• ModifyTargetGroupAttributes
• RegisterTargets
• RemoveTags
• SetIpAddressType
• SetSecurityGroups
• SetSubnets

16
Elastic Load Balancing User Guide
Predeﬁned AWS managed policies

API version 2012-06-01

• AddTags
• ApplySecurityGroupsToLoadBalancer
• AttachLoadBalancersToSubnets
• ConfigureHealthCheck
• CreateAppCookieStickinessPolicy
• CreateLBCookieStickinessPolicy
• CreateLoadBalancer
• CreateLoadBalancerListeners
• CreateLoadBalancerPolicy
• DeleteLoadBalancer
• DeleteLoadBalancerListeners
• DeleteLoadBalancerPolicy
• DeregisterInstancesFromLoadBalancer
• DetachLoadBalancersFromSubnets
• DisableAvailabilityZonesForLoadBalancer
• EnableAvailabilityZonesForLoadBalancer
• ModifyLoadBalancerAttributes
• RegisterInstancesWithLoadBalancer
• RemoveTags
• SetLoadBalancerListenerSSLCertificate
• SetLoadBalancerPoliciesForBackendServer
• SetLoadBalancerPoliciesOfListener

For more information about global condition keys, see AWS global condition context keys in the IAM User
Guide.

The following actions support the aws:RequestTag/key and aws:TagKeys condition keys:

• AddTags
• CreateLoadBalancer
• RemoveTags

Predeﬁned AWS managed policies

The managed policies created by AWS grant the required permissions for common use cases. You can
attach these policies to your IAM users, based on the access to Elastic Load Balancing that they require:

• ElasticLoadBalancingFullAccess — Grants full access required to use Elastic Load Balancing features.
• ElasticLoadBalancingReadOnly — Grants read-only access to Elastic Load Balancing features.

For more information about the permissions required by each Elastic Load Balancing action, see Elastic
Load Balancing API permissions (p. 18).

17
Elastic Load Balancing User Guide
API permissions

Elastic Load Balancing API permissions

You must grant IAM users permission to call the Elastic Load Balancing API actions they need, as
described in API actions for Elastic Load Balancing (p. 12). In addition, for some Elastic Load Balancing
actions, you must grant IAM users permission to call speciﬁc actions from the Amazon EC2 API.

Required permissions for the 2015-12-01 API

When calling the following actions from the 2015-12-01 API, you must grant IAM users permission to
call the speciﬁed actions.

CreateLoadBalancer
• elasticloadbalancing:CreateLoadBalancer
• ec2:DescribeAccountAttributes
• ec2:DescribeAddresses
• ec2:DescribeInternetGateways
• ec2:DescribeSecurityGroups
• ec2:DescribeSubnets
• ec2:DescribeVpcs
• iam:CreateServiceLinkedRole
CreateTargetGroup
• elasticloadbalancing:CreateTargetGroup
• ec2:DescribeInternetGateways
• ec2:DescribeVpcs
RegisterTargets
• elasticloadbalancing:RegisterTargets
• ec2:DescribeInstances
• ec2:DescribeInternetGateways
• ec2:DescribeSubnets
• ec2:DescribeVpcs
SetIpAddressType
• elasticloadbalancing:SetIpAddressType
• ec2:DescribeSubnets
SetSubnets
• elasticloadbalancing:SetSubnets
• ec2:DescribeSubnets

Required permissions for the 2012-06-01 API

When calling the following actions from the 2012-06-01 API, you must grant IAM users permission to
call the speciﬁed actions.

ApplySecurityGroupsToLoadBalancer
• elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
• ec2:DescribeAccountAttributes
• ec2:DescribeSecurityGroups

18
Elastic Load Balancing User Guide
Service-linked role

AttachLoadBalancerToSubnets
• elasticloadbalancing:AttachLoadBalancerToSubnets
• ec2:DescribeSubnets
CreateLoadBalancer
• elasticloadbalancing:CreateLoadBalancer
• ec2:CreateSecurityGroup
• ec2:DescribeAccountAttributes
• ec2:DescribeInternetGateways
• ec2:DescribeSecurityGroups
• ec2:DescribeSubnets
• ec2:DescribeVpcs
• iam:CreateServiceLinkedRole
DeregisterInstancesFromLoadBalancer
• elasticloadbalancing:DeregisterInstancesFromLoadBalancer
• ec2:DescribeClassicLinkInstances
• ec2:DescribeInstances
DescribeInstanceHealth
• elasticloadbalancing:DescribeInstanceHealth
• ec2:DescribeClassicLinkInstances
• ec2:DescribeInstances
DescribeLoadBalancers
• elasticloadbalancing:DescribeLoadBalancers
• ec2:DescribeSecurityGroups
DisableAvailabilityZonesForLoadBalancer
• elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
• ec2:DescribeAccountAttributes
• ec2:DescribeInternetGateways
• ec2:DescribeVpcs
EnableAvailabilityZonesForLoadBalancer
• elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer
• ec2:DescribeAccountAttributes
• ec2:DescribeInternetGateways
• ec2:DescribeSubnets
• ec2:DescribeVpcs
RegisterInstancesWithLoadBalancer
• elasticloadbalancing:RegisterInstancesWithLoadBalancer
• ec2:DescribeAccountAttributes
• ec2:DescribeClassicLinkInstances
• ec2:DescribeInstances
• ec2:DescribeVpcClassicLink

Elastic Load Balancing service-linked role

Elastic Load Balancing uses a service-linked role for the permissions that it requires to call other AWS
services on your behalf. For more information, see Using service-linked roles in the IAM User Guide.

19
Elastic Load Balancing User Guide
Service-linked role

Permissions granted by the service-linked role

Elastic Load Balancing uses the service-linked role named AWSServiceRoleForElasticLoadBalancing to
call the following actions on your behalf:

• ec2:DescribeAddresses
• ec2:DescribeInstances
• ec2:DescribeNetworkInterfaces
• ec2:DescribeSubnets
• ec2:DescribeSecurityGroups
• ec2:DescribeVpcs
• ec2:DescribeInternetGateways
• ec2:DescribeAccountAttributes
• ec2:DescribeClassicLinkInstances
• ec2:DescribeVpcClassicLink
• ec2:CreateSecurityGroup
• ec2:CreateNetworkInterface
• ec2:DeleteNetworkInterface
• ec2:ModifyNetworkInterfaceAttribute
• ec2:AuthorizeSecurityGroupIngress
• ec2:AssociateAddress
• ec2:DisassociateAddress
• ec2:AttachNetworkInterface
• ec2:DetachNetworkInterface
• ec2:AssignPrivateIpAddresses
• ec2:AssignIpv6Addresses
• ec2:UnassignIpv6Addresses
• logs:CreateLogDelivery
• logs:GetLogDelivery
• logs:UpdateLogDelivery
• logs:DeleteLogDelivery
• logs:ListLogDeliveries

AWSServiceRoleForElasticLoadBalancing trusts the elasticloadbalancing.amazonaws.com

service to assume the role.

Create the service-linked role

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load
Balancing creates this role for you when you create a load balancer.

For Elastic Load Balancing to create a service-linked role on your behalf, you must have the required
permissions. For more information, see Service-linked role permissions in the IAM User Guide.

If you created a load balancer before January 11, 2018, Elastic Load Balancing created
AWSServiceRoleForElasticLoadBalancing in your AWS account. For more information, see A new role
appeared in my AWS account in the IAM User Guide.

20
Elastic Load Balancing User Guide
Compliance validation

Edit the service-linked role

You can edit the description of AWSServiceRoleForElasticLoadBalancing using IAM. For more
information, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

If you no longer need to use Elastic Load Balancing, we recommend that you delete
AWSServiceRoleForElasticLoadBalancing.

You can delete this service-linked role only after you delete all load balancers in your AWS account.
This ensures that you can't inadvertently remove permission to access your load balancers. For more
information, see Delete an Application Load Balancer, Delete a Network Load Balancer, and Delete a
Classic Load Balancer.

You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For more
information, see Deleting a service-linked role in the IAM User Guide.

After you delete AWSServiceRoleForElasticLoadBalancing, Elastic Load Balancing creates the role again
if you create a load balancer.

Compliance validation for Elastic Load Balancing

Third-party auditors assess the security and compliance of Elastic Load Balancing as part of multiple
AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

For a list of AWS services in scope of speciﬁc compliance programs, see AWS services in scope by
compliance program. For general information, see AWS compliance programs.

You can download third-party audit reports using AWS Artifact. For more information, see Downloading
reports in AWS Artifact.

Your compliance responsibility when using Elastic Load Balancing is determined by the sensitivity of
your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the
following resources to help with compliance:

• Security and compliance quick start guides – These deployment guides discuss architectural
considerations and provide steps for deploying security- and compliance-focused baseline
environments on AWS.
• Architecting for HIPAA security and compliance whitepaper – This whitepaper describes how
companies can use AWS to create HIPAA-compliant applications.
• AWS compliance resources – This collection of workbooks and guides might apply to your industry and
location.
• Evaluating resources with rules in the AWS Config Developer Guide – AWS Config; assesses how well
your resource configurations comply with internal practices, industry guidelines, and regulations.
• AWS Security Hub – This AWS service provides a comprehensive view of your security state within AWS
that helps you check your compliance with security industry standards and best practices.

Resilience in Elastic Load Balancing

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide
multiple physically separated and isolated Availability Zones, which are connected through low-latency,
high-throughput, and highly redundant networking. With Availability Zones, you can design and operate

21
Elastic Load Balancing User Guide
Infrastructure security

applications and databases that automatically fail over between zones without interruption. Availability
Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data
center infrastructures.

For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.

In addition to the AWS Global Infrastructure, Elastic Load Balancing provides the following features to
support your data resiliency:

• Distributes incoming traffic across multiple instances in a single Availability Zone or multiple
Availability Zones.
• You can use AWS Global Accelerator with your Application Load Balancers to distribute incoming traffic
across multiple load balancers in one or more AWS Regions. For more information, see the AWS Global
Accelerator Developer Guide.
• Amazon ECS enables you to run, stop, and manage Docker containers on a cluster of EC2 instances.
You can configure your Amazon ECS service to use a load balancer to distribute incoming traffic across
the services in a cluster. For more information, see the Amazon Elastic Container Service Developer
Guide.

Infrastructure security in Elastic Load Balancing

As a managed service, Elastic Load Balancing is protected by the AWS global network security procedures
that are described in the Amazon Web Services: Overview of security processes whitepaper.

You use AWS published API calls to access Elastic Load Balancing through the network. Clients must
support Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also
support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diﬃe-Hellman (DHE) or
Elliptic Curve Ephemeral Diﬃe-Hellman (ECDHE). Most modern systems such as Java 7 and later support
these modes.

Additionally, requests must be signed using an access key ID and a secret access key that is associated
with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary
security credentials to sign requests.

Network isolation
A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the AWS Cloud.
A subnet is a range of IP addresses in a VPC. When you create a load balancer, you can specify one or
more subnets for the load balancer nodes. You can deploy EC2 instances in the subnets of your VPC and
register them with your load balancer. For more information about VPC and subnets, see the Amazon
VPC User Guide.

When you create a load balancer in a VPC, it can be either internet-facing or internal. An internal load
balancer can only route requests that come from clients with access to the VPC for the load balancer.

Your load balancer sends requests to its registered targets using private IP addresses. Therefore, your
targets do not need public IP addresses in order to receive requests from a load balancer.

To call the Elastic Load Balancing API from your VPC without sending traﬃc over the public
internet, use AWS PrivateLink. For more information, see Elastic Load Balancing and interface VPC
endpoints (p. 23).

Controlling network traﬃc

Elastic Load Balancing supports three types of load balancers: Application Load Balancers, Network Load
Balancers, and Classic Load Balancers. Application Load Balancers operate at the request level (layer 7) of

22
Elastic Load Balancing User Guide
Interface VPC endpoints

the Open Systems Interconnection (OSI) model. Network Load Balancers operate at the connection level
(layer 4) of the OSI model. Classic Load Balancers operate at both the request and connection levels.

Consider the following options for securing network traﬃc when you use a load balancer:

• Use secure listeners to support encrypted communication between clients and your load balancers.
Application Load Balancers support HTTPS listeners. Network Load Balancers support TLS listeners.
Classic Load Balancers support both HTTPS and TLS listeners. You can choose from predefined security
policies for your load balancer to specify the cipher suites and protocol versions that are supported by
your application. You can use AWS Certificate Manager (ACM) or AWS Identity and Access Management
(IAM) to manage the server certificates installed on your load balancer. You can use the Server
Name Indication (SNI) protocol to serve multiple secure websites using a single secure listener. SNI is
automatically enabled for your load balancer when you associate more than one server certificate with
a secure listener.
• Configure the security groups for your Application Load Balancers and Classic Load Balancers to accept
traffic only from specific clients. These security groups must allow inbound traffic from clients on the
listener ports and outbound traffic to the clients.
• Configure the security groups for your Amazon EC2 instances to accept traffic only from the load
balancer. These security groups must allow inbound traffic from the load balancer on the listener ports
and the health check ports.
• Configure your Application Load Balancer to securely authenticate users through an identity provider
or using corporate identities. For more information, see Authenticate users using an Application Load
Balancer.
• Use AWS WAF with your Application Load Balancers to allow or block requests based on the rules in a
web access control list (web ACL).

Elastic Load Balancing and interface VPC

endpoints
You can establish a private connection between your virtual private cloud (VPC) and the Elastic Load
Balancing API by creating an interface VPC endpoint. You can use this connection to call the Elastic Load
Balancing API from your VPC without sending traﬃc over the internet. The endpoint provides reliable,
scalable connectivity to the Elastic Load Balancing API, versions 2015-12-01 and 2012-06-01. It does
this without requiring an internet gateway, NAT instance, or VPN connection.

Interface VPC endpoints are powered by AWS PrivateLink, a feature that enables private communication
between AWS services using private IP addresses. For more information, see AWS PrivateLink.

Limit

AWS PrivateLink does not support a Network Load Balancer with more than 50 listeners.

Create an interface endpoint for Elastic Load

Balancing
Create an endpoint for Elastic Load Balancing using the following service name:

com.amazonaws.region.elasticloadbalancing

For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

23
Elastic Load Balancing User Guide
Create a VPC endpoint policy for Elastic Load Balancing

Create a VPC endpoint policy for Elastic Load

Balancing
You can attach a policy to your VPC endpoint to control access to the Elastic Load Balancing API. The
policy speciﬁes:

• The principal that can perform actions.

• The actions that can be performed.
• The resource on which the actions can be performed.

The following example shows a VPC endpoint policy that denies everyone permission to create a load
balancer through the endpoint. The example policy also grants everyone permission to perform all other
actions.

{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
},
{
"Action": "elasticloadbalancing:CreateLoadBalancer",
"Effect": "Deny",
"Resource": "*",
"Principal": "*"
}
]
}

For more information, see Using VPC endpoint policies in the Amazon VPC User Guide.

24
Elastic Load Balancing User Guide
Step 1: Create a new load balancer

Migrate your Classic Load Balancer

Elastic Load Balancing provides three types of load balancers: Classic Load Balancers, Application Load
Balancers, and Network Load Balancers. For information about the diﬀerent features of each load
balancer type, see Comparison of Elastic Load Balancing products.

Migration scenarios

1. If you have an existing Classic Load Balancer in a VPC, verify that an Application Load Balancer or
Network Load Balancer meets your needs and then migrate your Classic Load Balancer to one of these
load balancer types.
2. If you have an existing Classic Load Balancer in EC2-Classic, verify that an Application Load Balancer
or Network Load Balancer meets your need and then migrate your Classic Load Balancer to one of
these load balancer types. Otherwise, migrate to a Classic Load Balancer in a VPC. You can leave your
instances in EC2-Classic and enable ClassicLink to link the instances to the load balancer VPC, or you
can migrate your instances from EC2-Classic to a VPC.

Migration Process
• Step 1: Create a new load balancer (p. 25)
• Step 2: Gradually redirect traﬃc to your new load balancer (p. 28)
• Step 3: Update policies, scripts, and code (p. 28)
• Step 4: Delete the old load balancer (p. 29)

Step 1: Create a new load balancer

Create a load balancer with a conﬁguration that is equivalent to the Classic Load Balancer to migrate.
After you have completed the migration process, you can take advantage of the features of your new
load balancer.

To create an Application Load Balancer or Network Load Balancer to replace a Classic Load Balancer in a
VPC, use one of the following options:

• Option 1: Use the migration wizard in the console (p. 25)

• Option 2: Use the load balancer copy utility from github (p. 26)
• Option 3: Migrate manually to an Application Load Balancer or Network Load Balancer (p. 27)

To create a Classic Load Balancer in a VPC to replace a Classic Load Balancer in EC2-Classic, use the
following option:

• Option 4: Migrate manually to a Classic Load Balancer in a VPC (p. 27)

Option 1: Use the migration wizard in the console

The migration wizard creates an Application Load Balancer or Network Load Balancer based on the
conﬁguration of your Classic Load Balancer in a VPC. The type of load balancer that is created depends
on the conﬁguration of the Classic Load Balancer.

25
Elastic Load Balancing User Guide
Option 2: Use the load balancer copy utility from github

Migration wizard release notes

• The Classic Load Balancer must be in a VPC.

• If the Classic Load Balancer has an HTTP or HTTPS listener, the wizard creates an Application Load
Balancer. If the Classic Load Balancer has a TCP listener, the wizard creates a Network Load Balancer.
• If the name of the Classic Load Balancer matches the name of an existing Application Load Balancer or
Network Load Balancer, the wizard requires that you specify a different name during migration.
• If the Classic Load Balancer has one subnet, the wizard requires that you specify a second subnet when
creating an Application Load Balancer.
• If the Classic Load Balancer has registered instances in EC2-Classic, they are not registered with the
target group for the new load balancer.
• If the Classic Load Balancer has registered instances of the following types, they are not registered
with the target group for a Network Load Balancer: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1,
HS1, M1, M2, M3, and T1.
• If the Classic Load Balancer has HTTP/HTTPS listeners but uses TCP health checks, the wizard changes
them to HTTP health checks. Then it sets the path to "/" by default when creating the Application Load
Balancer.
• If the Classic Load Balancer is migrated to a Network Load Balancer, the health check settings are
changed to meet the requirements for Network Load Balancers.
• If the Classic Load Balancer has multiple HTTPS listeners, the wizard chooses one and uses its
certificate and policy. If there is an HTTPS listener on port 443, the wizard chooses this listener. If the
listener that is chosen uses a custom policy or a policy not supported for Application Load Balancers,
the wizard changes to the default security policy.
• If the Classic Load Balancer has a secure TCP listener, the Network Load Balancer uses a TCP listener.
But it does not use the certificate or security policy.
• If the Classic Load Balancer has multiple listeners, the wizard uses the listener port with the lowest
value for the target group port. Each instance registered with these listeners is registered with the
target group on the listener ports for all the listeners.
• If the Classic Load Balancer has tags with the aws prefix in the tag name, these tags are not added to
the new load balancer.

To migrate a Classic Load Balancer using the migration wizard

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.
3. Select your Classic Load Balancer.
4. On the Migration tab, choose Launch ALB Migration Wizard or Launch NLB Migration Wizard. The
button that is displayed depends on the load balancer type that was selected by the wizard after
examining your Classic Load Balancer.
5. On the Review page, verify the configuration options selected by the wizard. To change an option,
choose Edit.
6. When you are finished configuring the new load balancer, choose Create.

Option 2: Use the load balancer copy utility from

github
This load balancer copy utility is available on GitHub. For more information, see Elastic Load Balancing
Tools.

26
Elastic Load Balancing User Guide
Option 3: Migrate manually to an Application
Load Balancer or Network Load Balancer

Option 3: Migrate manually to an Application Load

Balancer or Network Load Balancer
The following information provides general instructions for manually creating a new Application Load
Balancer or Network Load Balancer based on an existing Classic Load Balancer in a VPC. You can migrate
using the AWS Management Console, the AWS CLI, or an AWS SDK. For more information, see Getting
started with Elastic Load Balancing (p. 9).

1. Create a new load balancer, with the same scheme (internet-facing or internal), subnets, and security
groups as the Classic Load Balancer.
2. Create one target group for your load balancer, with the same health check settings that you have for
your Classic Load Balancer.
3. Do one of the following:
• If your Classic Load Balancer is attached to an Auto Scaling group, attach your target group to the
Auto Scaling group. This also registers the Auto Scaling instances with the target group.
• Register your EC2 instances with your target group.
4. Create one or more listeners, each with a default rule that forwards requests to the target group. If
you create an HTTPS listener, you can specify the same certiﬁcate that you speciﬁed for your Classic
Load Balancer. We recommend that you use the default security policy.
5. If your Classic Load Balancer has tags, review them and add the relevant tags to your new load
balancer.

Option 4: Migrate manually to a Classic Load

Balancer in a VPC
The following information provides general instructions for manually creating a new Classic Load
Balancer in a VPC based on a Classic Load Balancer in EC2-Classic. You can migrate using the AWS
Management Console, the AWS CLI, or an AWS SDK. For more information, see Tutorial: Create a Classic
Load Balancer in the User Guide for Classic Load Balancers.

1. Do one of the following:

• Enable ClassicLink on your VPC and link your EC2-Classic instances to the VPC. For more
information, see Use ClassicLink for an incremental migration in the Amazon EC2 User Guide.
• Migrate your EC2 resources, such as instances and security groups, from EC2-Classic to a VPC. For
more information, see Migrate your resources to a VPC in the Amazon EC2 User Guide.
2. Create a new Classic Load Balancer in a VPC.
3. When you create the load balancer, select the VPC that you prepared (either the VPC with ClassicLink
enabled or the VPC that you used when migrating your instances from EC2-Classic). Select one subnet
from each Availability Zone that contains the instances that you plan to register with the new load
balancer.
4. When you are prompted to assign a security group, if the VPC is enabled with ClassicLink, select the
same security group that you speciﬁed when you enabled ClassicLink.
5. When prompted, select the instances to register with the load balancer.
6. If your old Classic Load Balancer has tags, review them and add the relevant tags to your new Classic
Load Balancer.

27
Elastic Load Balancing User Guide
Step 2: Gradually redirect traﬃc to your new load balancer

Step 2: Gradually redirect traﬃc to your new load

balancer
After your instances are registered with your new load balancer, you can begin the process of redirecting
traﬃc from the old load balancer to the new load balancer. This enables you to test your new load
balancer while minimizing risk to the availability of your application.

To redirect traﬃc gradually to your new load balancer

1. Paste the DNS name of your new load balancer into the address field of an internet-connected web
browser. If everything is working, the browser displays the default page of your application.
2. Create a new DNS record that associates your domain name with your new load balancer. If your
DNS service supports weighting, specify a weight of 1 in the new DNS record and a weight of 9 in
the existing DNS record for your old load balancer. This directs 10% of the traffic to the new load
balancer and 90% of the traffic to the old load balancer.
3. Monitor your new load balancer to verify that it is receiving traffic and routing requests to your
instances.
Important
The time-to-live (TTL) in the DNS record is 60 seconds. This means that any DNS server that
resolves your domain name keeps the record information in its cache for 60 seconds, while
the changes propagate. Therefore, these DNS servers can still route traffic to your old load
balancer for up to 60 seconds after you complete the previous step. During propagation,
traffic could be directed to either load balancer.
4. Continue to update the weight of your DNS records until all traffic is directed to your new load
balancer. When you are finished, you can delete the DNS record for your old load balancer.

Step 3: Update policies, scripts, and code

If you migrated your Classic Load Balancer to an Application Load Balancer or Network Load Balancer, be
sure to do the following:

• Update IAM policies that use API version 2012-06-01 to use version 2015-12-01.
• Update processes that use CloudWatch metrics in the AWS/ELB namespace to use metrics from the
AWS/ApplicationELB or AWS/NetworkELB namespace.
• Update scripts that use aws elb AWS CLI commands to use aws elbv2 AWS CLI commands.
• Update AWS CloudFormation templates that use the
AWS::ElasticLoadBalancing::LoadBalancer resource to use the
AWS::ElasticLoadBalancingV2 resources.
• Update code that uses Elastic Load Balancing API version 2012-06-01 to use version 2015-12-01.

Resources

• elbv2 in the AWS CLI Command Reference

• Elastic Load Balancing API Reference version 2015-12-01
• Identity and access management for Elastic Load Balancing (p. 11)
• Application Load Balancer metrics in the User Guide for Application Load Balancers
• Network Load Balancer metrics in the User Guide for Network Load Balancers
• AWS::ElasticLoadBalancingV2::LoadBalancer in the AWS CloudFormation User Guide

28
Elastic Load Balancing User Guide
Step 4: Delete the old load balancer

Step 4: Delete the old load balancer

You can delete the old Classic Load Balancer after:

• You have redirected all traﬃc from the old load balancer to the new load balancer.
• All existing requests that were routed to the old load balancer have completed.

Amazon - SOA-C02.vMay-2024.by .Isac .132q
No ratings yet
Amazon - SOA-C02.vMay-2024.by .Isac .132q
53 pages
Module 1 - Activity 1 - Install and Configure The AWS CLI
No ratings yet
Module 1 - Activity 1 - Install and Configure The AWS CLI
9 pages
Ebg Nca 6 5
No ratings yet
Ebg Nca 6 5
20 pages
RH Training Courses in The Partner Training Portal 2022 02
No ratings yet
RH Training Courses in The Partner Training Portal 2022 02
2 pages
OSGi Tutorial PDF
No ratings yet
OSGi Tutorial PDF
45 pages
Changes
No ratings yet
Changes
60 pages
Transcript: Kouame Romeo Kouadio 1. Vmware Learning Zone Basic Subscription
0% (1)
Transcript: Kouame Romeo Kouadio 1. Vmware Learning Zone Basic Subscription
13 pages
Asterisk Priyesh Thesis
No ratings yet
Asterisk Priyesh Thesis
74 pages
Aws General
No ratings yet
Aws General
509 pages
Ec2 Ug
No ratings yet
Ec2 Ug
1,044 pages
Final Year Project - Directory and System Analysis
No ratings yet
Final Year Project - Directory and System Analysis
25 pages
Chapter 1 - Introduction To The Internet of Things
No ratings yet
Chapter 1 - Introduction To The Internet of Things
14 pages
Nutanix Kubernetes Platform v2 12
No ratings yet
Nutanix Kubernetes Platform v2 12
1,190 pages
AWS Certified Solutions Architect Associate Practice Test 01
No ratings yet
AWS Certified Solutions Architect Associate Practice Test 01
88 pages
Load Balancing 101 Nuts and Bolts
No ratings yet
Load Balancing 101 Nuts and Bolts
11 pages
AWS Certified Solutions Architect Associate Exam Guide
No ratings yet
AWS Certified Solutions Architect Associate Exam Guide
8 pages
AWS Certified Solutions Architect Associate Practice Test 03
No ratings yet
AWS Certified Solutions Architect Associate Practice Test 03
72 pages
AWS - Capstone Project
No ratings yet
AWS - Capstone Project
12 pages
Tibco Ems On The Aws Cloud
100% (1)
Tibco Ems On The Aws Cloud
19 pages
Installation Guide VCS 6.0
No ratings yet
Installation Guide VCS 6.0
527 pages
Docker Usage and Cheat Sheet
No ratings yet
Docker Usage and Cheat Sheet
6 pages
General S3 FAQs
No ratings yet
General S3 FAQs
45 pages
Benefits of Cloudendure
No ratings yet
Benefits of Cloudendure
7 pages
Configure A Reverse Proxy System Architecture With ArcGIS Server
No ratings yet
Configure A Reverse Proxy System Architecture With ArcGIS Server
13 pages
Session 4 CSharp Inheritance Polymorphism Interfaces AbstractClass
No ratings yet
Session 4 CSharp Inheritance Polymorphism Interfaces AbstractClass
79 pages
Veeam Agent Linux 1 0 User Guide en
No ratings yet
Veeam Agent Linux 1 0 User Guide en
191 pages
1 3 PL300 Multifunction Relay PDF
No ratings yet
1 3 PL300 Multifunction Relay PDF
20 pages
Aws Csa
No ratings yet
Aws Csa
83 pages
Class26 Aws Iam
No ratings yet
Class26 Aws Iam
6 pages
VSICM55 M12 PatchManagement PDF
No ratings yet
VSICM55 M12 PatchManagement PDF
32 pages
Aindump2go Saa-C03 Vce 2023-Jun-20 by Timothy 236q Vce
No ratings yet
Aindump2go Saa-C03 Vce 2023-Jun-20 by Timothy 236q Vce
13 pages
Durability & Availability: Durability Can Be Described As The Probability That You Will Eventually Be
No ratings yet
Durability & Availability: Durability Can Be Described As The Probability That You Will Eventually Be
12 pages
AWS ELB Interview Questions What Is Elastic Load Balancing in AWS?
No ratings yet
AWS ELB Interview Questions What Is Elastic Load Balancing in AWS?
9 pages
Palo Vm-Series-Deployment
No ratings yet
Palo Vm-Series-Deployment
1,094 pages
ArcSight ILO SetUp Procedure
No ratings yet
ArcSight ILO SetUp Procedure
9 pages
VPC Architecture
No ratings yet
VPC Architecture
10 pages
Solaris 10 Handbook PDF
No ratings yet
Solaris 10 Handbook PDF
198 pages
Organizations Userguide
No ratings yet
Organizations Userguide
329 pages
Developing WebLogic Server Applications
No ratings yet
Developing WebLogic Server Applications
125 pages
AWS Certified Developer Associate - Exam Guide
No ratings yet
AWS Certified Developer Associate - Exam Guide
16 pages
Session 14 Alerting
No ratings yet
Session 14 Alerting
24 pages
Skybox Virtual Appliance Quick Start Guide
No ratings yet
Skybox Virtual Appliance Quick Start Guide
45 pages
Blue
100% (1)
Blue
6 pages
AWS All Questions
No ratings yet
AWS All Questions
65 pages
745 PL300
No ratings yet
745 PL300
30 pages
BMCBlade Logic Administration
0% (1)
BMCBlade Logic Administration
354 pages
Aws 1713927989
No ratings yet
Aws 1713927989
31 pages
Comptia LX0 102
No ratings yet
Comptia LX0 102
5 pages
AWS Certified Solutions Architect Associate Practice Test 02
No ratings yet
AWS Certified Solutions Architect Associate Practice Test 02
75 pages
System Center 2012 Configuration
100% (1)
System Center 2012 Configuration
30 pages
Web API Reference
No ratings yet
Web API Reference
30 pages
Opentext Host Explorer PDF
No ratings yet
Opentext Host Explorer PDF
278 pages
Download Quick Start Guide to Large Language Models Second Edition Sinan Ozdemir ebook All Chapters PDF
100% (6)
Download Quick Start Guide to Large Language Models Second Edition Sinan Ozdemir ebook All Chapters PDF
81 pages
Docklight Manual
No ratings yet
Docklight Manual
55 pages
Must Ask VMware Engineer Interview Questions
No ratings yet
Must Ask VMware Engineer Interview Questions
3 pages
Azure Hands-On Lab (HOL) Build Your Infrastructure in The Cloud Using Windows Azure Infrastructure Services
No ratings yet
Azure Hands-On Lab (HOL) Build Your Infrastructure in The Cloud Using Windows Azure Infrastructure Services
18 pages
UBA-5 2 0-ReleaseNotes
100% (1)
UBA-5 2 0-ReleaseNotes
14 pages
Autosys EEM Implementation Guide
No ratings yet
Autosys EEM Implementation Guide
71 pages
Ultimate AWS Certified Solutions Architect Associate Exam Guide: Master Designing Resilient, Scalable Architectures with Core and Advanced AWS Services to Crack the SAA-C03 Certification (English Edition)
From Everand
Ultimate AWS Certified Solutions Architect Associate Exam Guide: Master Designing Resilient, Scalable Architectures with Core and Advanced AWS Services to Crack the SAA-C03 Certification (English Edition)
Venkata Sasi Kanumuri
No ratings yet
IBM Integration Bus Third Edition
From Everand
IBM Integration Bus Third Edition
Gerardus Blokdyk
No ratings yet
FortiOS 7.0.0 New Features Guide
No ratings yet
FortiOS 7.0.0 New Features Guide
355 pages
FortiOS 7.0 AWS Administration Guide
No ratings yet
FortiOS 7.0 AWS Administration Guide
185 pages
Aws s2s VPN User Guide
No ratings yet
Aws s2s VPN User Guide
136 pages
WiMAP 4GUserManual
No ratings yet
WiMAP 4GUserManual
365 pages
Datasheet of DS 3E1518P SI Smart Managed 16 Port Gigabit PoE Switch
No ratings yet
Datasheet of DS 3E1518P SI Smart Managed 16 Port Gigabit PoE Switch
5 pages
GT06N
50% (2)
GT06N
8 pages
Network Model Analysis in Opnet Simulation: Electronic Transfer of Data and or Information
No ratings yet
Network Model Analysis in Opnet Simulation: Electronic Transfer of Data and or Information
5 pages
Wireless Cable Gateway CG3000D-1CXNAS: User Manual
No ratings yet
Wireless Cable Gateway CG3000D-1CXNAS: User Manual
52 pages
UNIT 1 NOTES (PART 1) CN
No ratings yet
UNIT 1 NOTES (PART 1) CN
39 pages
9.2.1.10 Packet Tracer Configuring Standard ACLs Instructions IG - Alexis Pedroza
No ratings yet
9.2.1.10 Packet Tracer Configuring Standard ACLs Instructions IG - Alexis Pedroza
8 pages
Sap Router Installation
No ratings yet
Sap Router Installation
70 pages
Alcatel-Lucent Omniswitch 6865: Hardened Ethernet Switches
No ratings yet
Alcatel-Lucent Omniswitch 6865: Hardened Ethernet Switches
9 pages
11.10.2 Lab - Design and Implement A VLSM Addressing Scheme
No ratings yet
11.10.2 Lab - Design and Implement A VLSM Addressing Scheme
8 pages
Mani MPLS TE Training
No ratings yet
Mani MPLS TE Training
93 pages
Atm Networks Concepts and Protocols
50% (2)
Atm Networks Concepts and Protocols
19 pages
cn unit 3 notes
No ratings yet
cn unit 3 notes
23 pages
MPLS - Troubleshooting Guide
75% (4)
MPLS - Troubleshooting Guide
176 pages
VLAN Routing: Huawei Technologies Co., LTD
No ratings yet
VLAN Routing: Huawei Technologies Co., LTD
14 pages
How To Stop A SYN Flood Attack
No ratings yet
How To Stop A SYN Flood Attack
13 pages
Comandos Switch
No ratings yet
Comandos Switch
8 pages
F5923 3G Soho Mobile Router User Manual
No ratings yet
F5923 3G Soho Mobile Router User Manual
19 pages
Dell Powerconnect 8024, 8024F, M8024, and M8024-K: Switch Configuration Guide For Equallogic Sans
No ratings yet
Dell Powerconnect 8024, 8024F, M8024, and M8024-K: Switch Configuration Guide For Equallogic Sans
21 pages
Congestion Control Algorithms
No ratings yet
Congestion Control Algorithms
9 pages
Industrial Communication: Chapter 4: Ethernet Modbus TCP/IP
75% (4)
Industrial Communication: Chapter 4: Ethernet Modbus TCP/IP
66 pages
PG Metro Ethernet
No ratings yet
PG Metro Ethernet
8 pages
MTCNA Sample Exam
No ratings yet
MTCNA Sample Exam
6 pages
MPSWAN Signoff Required 1ST NEW
No ratings yet
MPSWAN Signoff Required 1ST NEW
101 pages
CCNA IP Addressing VLSM Cheat Sheet
100% (1)
CCNA IP Addressing VLSM Cheat Sheet
4 pages
PoE - Configuring Power Over Ethernet
No ratings yet
PoE - Configuring Power Over Ethernet
16 pages
CCNA 200-301 Official Cert Guide, Volume 2-18
No ratings yet
CCNA 200-301 Official Cert Guide, Volume 2-18
3 pages
FortiGate IPS
No ratings yet
FortiGate IPS
18 pages
Rip Protocol Configuration Guide With Examples
No ratings yet
Rip Protocol Configuration Guide With Examples
13 pages
9.5.2.6 Packet Tracer - Configuring IPv6 ACLs Instructions IG
No ratings yet
9.5.2.6 Packet Tracer - Configuring IPv6 ACLs Instructions IG
7 pages
ARR600_Novi_Gateway
No ratings yet
ARR600_Novi_Gateway
20 pages