Notes about using AWS's Application Load Balancer

Some general notes for consideration when using an ALB

by Hadley Bradley

Application Load Balancer

An Application Load Balancer (ALB) automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. For me, I’m using the application load balancer as the front door to a Lambda serverless web application. The ALB monitors the health of its registered targets, and routes traffic only to the healthy targets.

You can read about all the benefits of using an ALB within your architecture in the AWS documentation.

General Configuration

Under the general configuration tab you should enable:

Listeners - Harden the security policy

By default, a listener uses the security policy ELBSecurityPolicy-2016-08, which provides the broadest client support because it still allows clients using older TLS versions and some older, less secure ciphers to connect.

However, as I’m mainly writing medical applications, I change the security policy to ELBSecurityPolicy-FS-1-2019-08, which drops support for TLS v1 and TLS v1.1 and drops six of the older, weaker ciphers. This will give your application load balancer a higher security score when using an independent SSL test like SSL Labs.

You can see a list of the supported policies here.

Processing the access logs

It’s important to process and monitor your access logs to see who is making requests to your application and from where. I use the same technique as for processing CloudFront logs. I use the AWS command line utility to download the log files to my local machine and then use GoAccess to process the logs and create a meaningful report.

Example command that pulls the log files for March:

aws s3 sync \
    s3://sample-alb/AWSLogs/8410/elasticloadbalancing/eu-west-2/2021/03/ \
    logs --exclude "*" --include "*.log.gz"

GoAccess doesn’t support the ALB log format natively, so you need to pass in a custom log format and date format so that it knows how to process the logs. The GoAccess command is shown below:

goaccess access.log \
    --log-format='%^ %dT%t.%^ %v %h:%^ %^ %T %^ %^ %s %^ %b %^ "%r" "%u" %^' \
    --date-format='%Y-%m-%d' \
    --time-format=%T \
    --color-scheme=1 \
    --html-report-title="TESTING ENVIRONMENT" > report.html
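
The same access logs can also show which clients a stricter listener security policy would cut off, because each ALB log entry records the negotiated ssl_protocol. The script below is an added example, not part of the original post: it lists clients still negotiating TLS v1 or TLS v1.1, and the sample entries, the tls_audit.py file name and the function names are constructed for illustration.

```python
import gzip
import shlex
import sys
from collections import Counter
from pathlib import Path

CLIENT, USER_AGENT, SSL_PROTOCOL = 3, 13, 15  # 0-based ALB log field positions
DROPPED = {"TLSv1", "TLSv1.1"}  # versions the page says its hardened policy drops
# Constructed sample entries (not real traffic), cut off after ssl_protocol.
PRE = "2021-03-01T10:15:02.123456Z app/sample-alb/0123456789abcdef"
MID = '- 0.000 0.045 0.000 200 200 312 5120 "GET https://example.test:443/ HTTP/1.1"'
SAMPLE_LOG = [
    f'https {PRE} 203.0.113.10:51234 {MID} "Mozilla/5.0 (X11; Linux)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    f'https {PRE} 198.51.100.7:40022 {MID} "LegacyClient/1.0" ECDHE-RSA-AES128-SHA TLSv1',
    f'https {PRE} 198.51.100.7:40023 {MID} "LegacyClient/1.0" ECDHE-RSA-AES128-SHA TLSv1',
    f'https {PRE} 192.0.2.44:39001 {MID} "OldAgent/2.3" AES128-SHA TLSv1.1',
    f'http {PRE} 192.0.2.5:41000 {MID} "curl/7.68.0" - -',  # plain HTTP listener
    f'https {PRE} 192.0.2.9:41001 - 0.000 "GET truncated',  # malformed entry
]

def parse_entry(line):
    """Return (client_ip, tls_protocol, user_agent), or None for non-TLS or malformed lines."""
    try:
        fields = shlex.split(line)  # quote-aware split keeps request and user agent whole
    except ValueError:  # unbalanced quotes
        return None
    if len(fields) <= SSL_PROTOCOL or fields[SSL_PROTOCOL] == "-":
        return None
    return fields[CLIENT].rsplit(":", 1)[0], fields[SSL_PROTOCOL], fields[USER_AGENT]

def tls_summary(lines):
    """Count requests per TLS version, and per client still on a dropped version."""
    protocols, legacy = Counter(), Counter()
    for entry in filter(None, map(parse_entry, lines)):
        protocols[entry[1]] += 1
        if entry[1] in DROPPED:
            legacy[entry] += 1
    return protocols, legacy

def read_logs(directory):
    """Yield lines from every *.log.gz under the directory filled by `aws s3 sync`."""
    for path in sorted(Path(directory).rglob("*.log.gz")):
        with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh

if __name__ == "__main__":  # usage: python tls_audit.py logs
    lines = read_logs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    protocols, legacy = tls_summary(lines)
    print(dict(protocols), *legacy.most_common(), sep="\n")
```

Run without arguments it uses the constructed sample; given the logs directory from the sync command above, it reads the downloaded files directly.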