Identify potential risks in your Classic Load Balancer and Application Load Balancer (ALB) instances. These risks involve public network settings, whitelists, multi-zone disaster recovery, instance renewal and expiration, and change management. Applying these best practices for Server Load Balancer (SLB) helps you avoid security risks and improve system reliability. This topic describes the default rules for SLB application best practices.
Rule name | Rule description |
An SLB instance is compliant if it has an active HTTPS listener on a specified port. The rule is not applicable if the SLB instance only has TCP or UDP listeners. | |
A Classic Load Balancer instance is compliant if access logs are enabled. This rule is not applicable to instances that do not have Layer 7 listeners, because they do not support access logs. | |
Use multi-zone SLB instances and configure resources from multiple zones for server groups | An SLB instance is compliant if it is a multi-zone instance and all server groups used by its listeners contain resources from multiple zones. |
An ALB instance is compliant if the resources attached to its server groups are distributed across multiple zones. This rule is not applicable if no resources are attached to the ALB server group. | |
An SLB instance is compliant if it has at least one running listener. This rule is not applicable if the instance was created within a specified number of days. The default is 7 days. | |
An ALB instance is compliant if at least one backend server is added to each of its listeners. This rule is not applicable if the instance was created within a specified number of days. The default is 7 days. | |
Use specified security policy suites for SLB HTTPS listeners | An SLB instance is compliant if all its HTTPS listeners use the security policy suite version specified in the parameters. This rule is not applicable to SLB instances that do not have HTTPS listeners. |
Configure health checks for all ALB listeners and forwarding rules | An ALB instance is compliant if health checks are configured for all its listeners and forwarding rules. |
Health checks are enabled for all Server Load Balancer listeners. | An SLB instance is compliant if health checks are enabled for all its running listeners. |
An ALB instance is compliant if it is a multi-zone instance. If you select only one zone, a failure in that zone can affect the ALB instance and impact your service stability. | |
ALB access control whitelist contains specified IP addresses or CIDR blocks | An ALB instance is compliant if the access control whitelist of any of its listeners contains the specified IP addresses or CIDR blocks. |
An ALB instance is compliant if access control is configured for all its running listeners. This rule is not applicable to instances that have no listeners configured. | |
An SLB instance is compliant if access control is configured for all its running listeners. This rule is not applicable to instances that have no listeners configured. | |
SLB access control whitelist contains specified IP addresses or CIDR blocks | An SLB instance is compliant if the access control whitelist of any of its listeners contains the specified IP addresses or CIDR blocks. |
A subscription SLB instance is compliant if auto-renewal is enabled. | |
Renew subscription resources in advance to prevent service interruptions due to payment issues. An instance is compliant if its expiration date is more than a specified number of days from the check date. The default is 30 days. Instances with auto-renewal enabled are also compliant. This rule is not applicable to pay-as-you-go instances. | |
An SLB access control list is compliant if it does not contain an entry for 0.0.0.0/0. | |
If parameters are set, the instance is compliant if its associated virtual private cloud (VPC) is within the specified range. If no parameters are set, the instance is compliant if its network type is VPC. | |
An SLB instance is compliant if deletion protection is enabled. | |
An SLB instance is compliant if it is a guaranteed-performance instance. | |
An SLB instance is compliant if the weight of its backend servers is not set to 0. | |
An SLB instance is compliant if its listening ports do not include any specified risk ports. | |
Enable deletion protection to prevent accidental instance release. An instance is compliant if deletion protection is configured. | |
An ALB instance is compliant if its network type is private network. | |
An SLB instance is compliant if it is not associated with a public IP address. If your application does not require public network access, do not associate a public IP address directly with the SLB instance. If you need public network access, purchase elastic IP addresses (EIPs) and associate them with the SLB instance. EIPs offer more flexibility and can reduce costs when used with Internet Shared Bandwidth. |