
πŸ›‘οΈ AWS ELB Load Balancer Cross-Zone Load Balancing is not enabled🟒

  • Contextual name: 🛡️ Load Balancer Cross-Zone Load Balancing is not enabled 🟢
  • ID: /ce/ca/aws/elb/load-balancer-cross-zone
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY, PERFORMANCE

Logic

Similar Policies

Description

This policy identifies AWS ELB Load Balancers (Classic, Application, Network, and Gateway) that are not configured to use cross-zone load balancing. Cross-zone load balancing helps distribute traffic evenly across all registered instances in all enabled Availability Zones, reducing the need to maintain an equal number of instances per zone and improving application resilience.

Rationale​

Enabling cross-zone load balancing allows the load balancer to route requests evenly across all available instances, regardless of the Availability Zone where the request originated. Without this feature, traffic is distributed only among instances in the same Availability Zone as the request, which can lead to uneven load distribution if instances are not balanced across zones or if traffic patterns vary.

Impact​

If cross-zone load balancing is disabled, the application becomes more susceptible to performance degradation and service disruptions. An outage or heavy traffic in one Availability Zone could overload its instances while leaving instances in other zones underutilized, resulting in poor performance, reduced fault tolerance, or complete service unavailability.

Remediation

Enable Cross-Zone Load Balancing

From Command Line

For Network and Gateway Load Balancers

Enable cross-zone load balancing by updating the load balancer attributes:

aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn {{load-balancer-arn}} \
  --attributes "Key=load_balancing.cross_zone.enabled,Value=true"

For Classic Load Balancers

aws elb modify-load-balancer-attributes \
  --load-balancer-name {{load-balancer-name}} \
  --load-balancer-attributes "{\"CrossZoneLoadBalancing\":{\"Enabled\":true}}"

For Application Load Balancers

Since cross-zone load balancing is always enabled at the load balancer level, enable it for the associated target groups instead:

aws elbv2 modify-target-group-attributes \
  --target-group-arn {{target-group-arn}} \
  --attributes "Key=load_balancing.cross_zone.enabled,Value=true"
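The check behind this policy and the three remediation paths above, as an added shell example that is not Cloudaware's policy logic or the AWS CLI itself: for each load balancer type it prints the AWS CLI describe command that fetches the cross-zone attribute, classifies the value that command returns, and emits the matching fix only for non-compliant resources. The names and ARNs are constructed placeholders; the target group value use_load_balancer_configuration is an AWS attribute value stated here from knowledge, not taken from the page.

```shell
#!/bin/sh
# Added example, not Cloudaware's policy code: evaluate the attribute value the
# AWS CLI returns for a load balancer against this policy and print the matching
# remediation command. Identifiers such as my-clb are constructed placeholders.

# Print the AWS CLI command that fetches the cross-zone attribute value for a
# resource of the given type (classic | network | gateway | application).
# For application load balancers the check is per target group, so ID is a
# target group ARN; for the others it is the load balancer name or ARN.
describe_command() {
  case "$1" in
    classic)
      printf '%s\n' "aws elb describe-load-balancer-attributes --load-balancer-name $2 --query LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled --output text" ;;
    network|gateway)
      printf '%s\n' "aws elbv2 describe-load-balancer-attributes --load-balancer-arn $2 --query \"Attributes[?Key=='load_balancing.cross_zone.enabled'].Value\" --output text" ;;
    application)
      printf '%s\n' "aws elbv2 describe-target-group-attributes --target-group-arn $2 --query \"Attributes[?Key=='load_balancing.cross_zone.enabled'].Value\" --output text" ;;
    *) echo "unknown type: $1" >&2; return 2 ;;
  esac
}

# cross_zone_status TYPE VALUE -> prints enabled|disabled, returns 0 when enabled.
# VALUE is what the describe command above returned. Classic text output is
# True/False; elbv2 values are the strings true/false, and an ALB target group
# may also report use_load_balancer_configuration, which inherits the ALB's
# always-on setting and therefore counts as enabled.
cross_zone_status() {
  case "$1" in
    classic|network|gateway)
      case "$2" in
        true|True) echo enabled; return 0 ;;
        *)         echo disabled; return 1 ;;
      esac ;;
    application)
      case "$2" in
        true|use_load_balancer_configuration) echo enabled; return 0 ;;
        *)                                     echo disabled; return 1 ;;
      esac ;;
    *) echo "unknown type: $1" >&2; return 2 ;;
  esac
}

# remediation_command TYPE ID -> the command from the remediation section above.
remediation_command() {
  case "$1" in
    classic)
      printf '%s\n' "aws elb modify-load-balancer-attributes --load-balancer-name $2 --load-balancer-attributes '{\"CrossZoneLoadBalancing\":{\"Enabled\":true}}'" ;;
    network|gateway)
      printf '%s\n' "aws elbv2 modify-load-balancer-attributes --load-balancer-arn $2 --attributes Key=load_balancing.cross_zone.enabled,Value=true" ;;
    application)
      printf '%s\n' "aws elbv2 modify-target-group-attributes --target-group-arn $2 --attributes Key=load_balancing.cross_zone.enabled,Value=true" ;;
    *) echo "unknown type: $1" >&2; return 2 ;;
  esac
}

# audit TYPE ID VALUE -> one report line; the fix is printed only when non-compliant.
audit() {
  status=$(cross_zone_status "$1" "$3") || true
  if [ "$status" = enabled ]; then
    printf 'PASS %s %s\n' "$1" "$2"
  else
    printf 'FAIL %s %s -> %s\n' "$1" "$2" "$(remediation_command "$1" "$2")"
  fi
}

# Constructed sample findings, standing in for the output of describe_command.
audit classic     my-clb False
audit network     arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/my-nlb/abc123 false
audit application arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/def456 use_load_balancer_configuration
```

In a real sweep you would feed `audit` from `$(eval "$(describe_command TYPE ID)")` for every resource listed by `aws elb describe-load-balancers` and `aws elbv2 describe-load-balancers`; the classification is kept separate from the AWS calls so the decision logic can be tested offline, and the ALB branch is evaluated per target group because that is where the setting can actually be turned off.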


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled | | | 1 | | no data
💼 AWS Well-Architected → 💼 PERF04-BP04 Use load balancing to distribute traffic across multiple resources | | | 3 | | no data
💼 Cloudaware Framework → 💼 Performance Tuning | | | 4 | | no data
💼 Cloudaware Framework → 💼 System Configuration | | | 38 | | no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | | | 7 | | no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 28 | | no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 8 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 18 | | no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | | | 14 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | | | 8 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | | | 7 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution | | | 68 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | | | 7 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage | | | 25 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | | | 7 | | no data