How to Track Configuration Changes to Classic Load Balancers Using AWS Config

Recently, AWS Config announced support for Classic Load Balancer in all public regions and AWS GovCloud (US). You can now start tracking the current and historical configurations of your Classic Load Balancers, and get notified via Amazon SNS when your configurations change. You can also use three new managed AWS Config rules to verify whether your Classic Load Balancers are using SSL certificates provided by AWS Certificate Manager, and whether the SSL listeners are using specific policies.

Tracking configuration changes to your Classic Load Balancers is valuable from an operations perspective. You can use AWS Config to troubleshoot common operational issues with your Classic Load Balancers such as health check failures, connectivity issues, sticky session failures, SSL certificate issues, etc.

In this post, I walk you through two possible use cases:

1. Monitoring your Classic Load Balancer for configuration changes (two parts)
2. Verifying whether the SSL certificate installed on your Classic Load Balancer is provided by AWS Certificate Manager (ACM).

AWS services

AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against the configurations you want. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines.

Elastic Load Balancing offers two types of load balancers that both feature high availability, automatic scaling, and robust security. These include the Classic Load Balancer that routes traffic based on either application or network level information, and the Application Load Balancer that routes traffic based on advanced application-level information that includes the content of the request. The Classic Load Balancer is ideal for simple load balancing of traffic across multiple EC2 instances.

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services such as Elastic Load Balancing.

Use case: Monitoring a Classic Load Balancer for configuration changes (Part 1)

Your customers are reporting connectivity issues to your Classic Load Balancer. Here’s how you can use AWS Config to quickly identify the issues and minimize production downtime.

For this example, a Classic Load Balancer is created with the following health check parameters and listener configurations:

In this configuration, your application is running on HTTP port 80. Now, imagine that someone accidentally updates the load balancer and sets the health check and listener ports to 8080. Because the application is not listening on port 8080, the health check fails and the EC2 instances behind the load balancer become unhealthy. Also, there would be connectivity issues because the load balancer is no longer listening on port 80. Until both of these changes are reverted, there would be an impact on production traffic.

AWS Config helps you troubleshoot these types of issues.

1. Log in to the AWS Config console.
2. For Resources, choose ElasticLoadBalancing:LoadBalancer.
3. Choose Look up to see the list of Classic Load Balancers that AWS Config has automatically discovered in your account.

The following screenshot shows an example Classic Load Balancer on the Resource inventory page:

Look at the Config timeline for the ProductionLB. The following screenshot shows the timeline and configuration details:

At the top, you see a timeline of all changes that have occurred to the load balancer after creation.

You can see the configuration of the load balancer under Configuration Details. This includes the Amazon Resource Name (ARN), Resource ID, DNS name, and Listeners.

In this scenario, there were 3 changes on September 8th at 07:01:36 PM. You can drill down further to see what those changes were. The load balancer health check and listener ports were changed to 8080.

AWS Config also sends an SNS notification each time that a configuration change is detected, so that you can be alerted of changes to your Classic Load Balancers.

Use case: Monitoring a Classic Load Balancer for configuration changes (Part 2)

Your customers intermittently observe blank pages on your website. The session information is stored in the application running on the EC2 instances behind the load balancer. For this reason, you have enabled session stickiness on your load balancer, as seen in the following screenshot:

If someone accidentally disables the cross-zone load balancing, the load balancer would not forward requests to EC2 instances across Availability Zones. This breaks the session stickiness for your application and your customers observe intermittent blank pages on your website.

You can track the configuration changes to your load balancer using AWS Config, as explained in the previous example. In this case, AWS Config shows that cross-zone load balancing was disabled. You can enable it again to fix the issue.

Use case: Verifying the SSL certificate installed on a Classic Load Balancer

In addition to tracking the configuration changes on your Classic Load Balancers, you can use AWS Config rules to check your Classic Load Balancers against best practices and internal policies.

For example, you can use the prebuilt rule elb-acm-certificate-required to verify whether your Classic Load Balancers are using SSL certificates provided by ACM.

Note: ACM makes it easier to enable SSL/TLS for a website or application on AWS. ACM eliminates many of the manual processes previously associated with using SSL/TLS and managing SSL/TLS certificates. ACM can also help you avoid downtime due to misconfigured, revoked, or expired certificates by managing renewals. You get SSL/TLS protection and easy certificate management.

The following illustration shows compliant and noncompliant states for this rule. The Classic Load Balancer that you created earlier is showing as noncompliant with this rule because it doesn’t have an SSL certificate installed using ACM.

After installing an SSL certificate provided by ACM, you can see that the compliance status changes to the compliant state.

Additional AWS Config rules

In addition to the managed Config rule described above, you can use the elb-predefined-security-policy-ssl-check and elb-custom-security-policy-ssl-check rules to verify that the SSL listeners on the Classic Load Balancer are using specific custom or predefined policies.

Summary

With support for Classic Load Balancers in AWS Config, you can now continuously track configuration changes such as health check parameters, listener configuration changes, sticky session configuration changes, and cross-zone load balancing. You can then use managed Config rules to evaluate these configuration changes against your desired configuration and verify your compliance with best practices.

About the Authors

Parth Shah is a Solutions Architect at Amazon Web Services. He enjoys working with customers in cloud adoption and business strategy as well as helping them design applications and services on AWS. Outside of work, he enjoys playing cricket, traveling, and spending time with his friends and family.

Sid Gupta is a Sr. Product Manager for AWS Config. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Sid enjoys working with customers and helping them implement cloud security best practices. In his spare time, he enjoys hiking, reading, and spending time with his kids.