Notes about using AWS's Application Load Balancer
Some general notes for consideration when using an ALB
Application Load Balancer
An Application Load Balancer (ALB) automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. For me, I’m using the application load balancer as the front door to a Lambda serverless web application. The ALB monitors the health of its registered targets, and routes traffic only to the healthy targets.
You can read about all the benefits of using an ALB within your architecture in the AWS documentation.
Under the general configuration tab you should enable:
- Access Logs - which delivers detailed logs of all requests made to the load balancer to an S3 bucket.
- Drop invalid headers - if the HTTP headers of the incoming request are malformed or invalid, then the request is dropped.
- Desync mitigation mode - determines how the load balancer handles requests that may pose a security risk to your application. This can be set to either Defensive or Strictest.
Listeners - Harden the security policy
By default, a listener uses the security policy ELBSecurityPolicy-2016-08, which provides the broadest compatibility because it allows clients with older TLS versions and some older, less secure ciphers to connect.
However, as I’m mainly writing medical applications, I change the security policy to ELBSecurityPolicy-FS-1-2019-08, which drops support for TLS v1 and TLS v1.1 and removes six of the older, weaker ciphers. This will give your application load balancer a higher security score when using an independent SSL test like SSL Labs.
You can see a list of the supported policies here.
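The settings above (access logs, drop invalid headers, desync mitigation mode, and the listener security policy) are easy to forget on a second load balancer, so it is worth checking them from the CLI output rather than by eye. The script below is an added example, not code from the original notes or from AWS: it audits the JSON that `aws elbv2 describe-load-balancer-attributes` and `aws elbv2 describe-listeners` return, and builds the two CLI commands that apply the recommended values. The attribute keys and the two commands are real AWS CLI names; the sample JSON, account id, ARNs and bucket name are constructed placeholders, and the `<load-balancer-arn>`, `<listener-arn>` and `<log-bucket>` values are stand-ins you replace with your own.

```python
import json

# Load balancer attribute keys (as listed by `aws elbv2 describe-load-balancer-attributes`)
# and the values the notes above call for.
REQUIRED_ATTRIBUTES = {
    "access_logs.s3.enabled": {"true"},
    "routing.http.drop_invalid_header_fields.enabled": {"true"},
    "routing.http.desync_mitigation_mode": {"defensive", "strictest"},
}

# Listener security policies accepted by this audit: the hardened policy from the notes.
APPROVED_SSL_POLICIES = {"ELBSecurityPolicy-FS-1-2019-08"}

# Constructed sample CLI output (placeholder account id and ARNs, not a real deployment),
# in the shape of `describe-load-balancer-attributes` and `describe-listeners`.
SAMPLE_ATTRIBUTES = json.loads("""
{"Attributes": [
  {"Key": "access_logs.s3.enabled", "Value": "false"},
  {"Key": "access_logs.s3.bucket", "Value": ""},
  {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"},
  {"Key": "routing.http.desync_mitigation_mode", "Value": "monitor"},
  {"Key": "idle_timeout.timeout_seconds", "Value": "60"}
]}
""")

SAMPLE_LISTENERS = json.loads("""
{"Listeners": [
  {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-2:111122223333:listener/app/sample-alb/EXAMPLE/LISTENER1",
   "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
  {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-2:111122223333:listener/app/sample-alb/EXAMPLE/LISTENER2",
   "Port": 80, "Protocol": "HTTP"}
]}
""")


def audit_attributes(doc, required=REQUIRED_ATTRIBUTES):
    """Return one finding per attribute that is unset or not at an approved value."""
    current = {a["Key"]: a["Value"] for a in doc["Attributes"]}
    findings = []
    for key, allowed in required.items():
        value = current.get(key, "<unset>")
        if value.lower() not in allowed:
            findings.append(f"{key}={value} (expected one of {sorted(allowed)})")
    return findings


def audit_listeners(doc, approved=APPROVED_SSL_POLICIES):
    """Return one finding per HTTPS listener whose security policy is not approved.
    Plain HTTP listeners negotiate no TLS, so there is no policy to check on them."""
    findings = []
    for listener in doc["Listeners"]:
        if listener.get("Protocol") != "HTTPS":
            continue
        policy = listener.get("SslPolicy", "<unset>")
        if policy not in approved:
            findings.append(f"port {listener['Port']} uses {policy} (expected one of {sorted(approved)})")
    return findings


def remediation_commands(lb_arn, listener_arn, log_bucket, desync_mode="strictest"):
    """AWS CLI commands that apply the recommended settings. They are returned as
    strings rather than executed, so they can be reviewed before anything changes."""
    attributes = " ".join([
        "Key=access_logs.s3.enabled,Value=true",
        f"Key=access_logs.s3.bucket,Value={log_bucket}",
        "Key=routing.http.drop_invalid_header_fields.enabled,Value=true",
        f"Key=routing.http.desync_mitigation_mode,Value={desync_mode}",
    ])
    return [
        f"aws elbv2 modify-load-balancer-attributes --load-balancer-arn {lb_arn} --attributes {attributes}",
        f"aws elbv2 modify-listener --listener-arn {listener_arn} --ssl-policy ELBSecurityPolicy-FS-1-2019-08",
    ]


if __name__ == "__main__":
    for finding in audit_attributes(SAMPLE_ATTRIBUTES) + audit_listeners(SAMPLE_LISTENERS):
        print("FINDING:", finding)
    for cmd in remediation_commands("<load-balancer-arn>", "<listener-arn>", "<log-bucket>"):
        print(cmd)
```

Against the constructed sample the audit reports access logging disabled, desync mitigation left in monitor mode, and the HTTPS listener still on ELBSecurityPolicy-2016-08. One caveat when applying the access-log command: the S3 bucket must exist in the same region as the load balancer and carry a bucket policy that lets the Elastic Load Balancing service write to it, otherwise the modify call is rejected.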
Processing the access logs
It’s important to process and monitor your access logs to see who is making requests to your application and from where. I use the same technique as for processing CloudFront logs. I use the AWS command line utility to download the log files to my local machine and then use GoAccess to process the logs and create a meaningful report.
Example command showing pulling the log files for March:
aws s3 sync s3://sample-alb/AWSLogs/8410/elasticloadbalancing/eu-west-2/2021/03/ logs --exclude "*" --include "*.log.gz"
GoAccess doesn’t support the ALB log format natively, so you need to pass in a custom log format and date format so that it knows how to process the logs. The GoAccess command is shown below:
goaccess access.log --log-format='%^ %dT%t.%^ %v %h:%^ %^ %T %^ %^ %s %^ %b %^ "%r" "%u" %^' --date-format='%Y-%m-%d' --time-format=%T --color-scheme=1 --html-report-title="TESTING ENVIRONMENT" > report.html
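GoAccess gives a good overall picture, but a few of the ALB fields that matter most for security (the negotiated TLS version, and the desync classification that the mitigation mode above produces) are easier to pull out with a small parser. The script below is an added example, not part of the original notes or of GoAccess: it splits ALB access log entries into named fields, counts requests by status code and client, lists clients still connecting over TLS v1 or v1.1 (the ones that will break when the listener moves to ELBSecurityPolicy-FS-1-2019-08), and lists requests the desync classifier marked as anything other than Acceptable. The field order follows the ALB access log layout; the four log lines are constructed samples using RFC 5737 addresses and placeholder ARNs, not entries from a real account.

```python
import csv
from collections import Counter

# Field order of an ALB access log entry, as documented for Application Load
# Balancer access logs. Older entries have fewer trailing fields; zip() simply
# leaves those keys out of the parsed dict.
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification",
    "classification_reason",
]

# TLS versions that ELBSecurityPolicy-FS-1-2019-08 no longer negotiates.
LEGACY_TLS = {"TLSv1", "TLSv1.1"}

# Constructed sample entries (RFC 5737 client addresses, placeholder account id and ARNs);
# not taken from a real load balancer.
SAMPLE_LOG = """\
https 2021-03-14T10:15:21.120345Z app/sample-alb/EXAMPLE 203.0.113.10:51324 - 0.001 0.120 0.000 200 200 412 1874 "GET https://app.example.test:443/patients/list HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-2:111122223333:targetgroup/sample-tg/EXAMPLE "Root=1-604de4c9-EXAMPLE1" "app.example.test" "arn:aws:acm:eu-west-2:111122223333:certificate/EXAMPLE" 1 2021-03-14T10:15:21.000000Z "forward" "-" "-" "-" "200" "-" "-"
https 2021-03-14T10:16:02.551002Z app/sample-alb/EXAMPLE 198.51.100.1:40022 - 0.002 0.098 0.000 200 200 380 1874 "GET https://app.example.test:443/patients/list HTTP/1.1" "curl/7.29.0" ECDHE-RSA-AES128-SHA TLSv1 arn:aws:elasticloadbalancing:eu-west-2:111122223333:targetgroup/sample-tg/EXAMPLE "Root=1-604de4f2-EXAMPLE2" "app.example.test" "arn:aws:acm:eu-west-2:111122223333:certificate/EXAMPLE" 1 2021-03-14T10:16:02.000000Z "forward" "-" "-" "-" "200" "-" "-"
https 2021-03-14T10:17:45.003117Z app/sample-alb/EXAMPLE 198.51.100.7:55110 - -1 -1 -1 400 - 610 288 "POST https://app.example.test:443/login HTTP/1.1" "python-requests/2.25.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-2:111122223333:targetgroup/sample-tg/EXAMPLE "Root=1-604de559-EXAMPLE3" "app.example.test" "arn:aws:acm:eu-west-2:111122223333:certificate/EXAMPLE" 1 2021-03-14T10:17:45.000000Z "-" "-" "-" "-" "-" "Severe" "DuplicateContentLength"
https 2021-03-14T10:18:10.770211Z app/sample-alb/EXAMPLE 203.0.113.10:51330 - 0.001 0.044 0.000 404 404 401 512 "GET https://app.example.test:443/patients/9999 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-2:111122223333:targetgroup/sample-tg/EXAMPLE "Root=1-604de572-EXAMPLE4" "app.example.test" "arn:aws:acm:eu-west-2:111122223333:certificate/EXAMPLE" 1 2021-03-14T10:18:10.000000Z "forward" "-" "-" "-" "404" "-" "-"
"""


def parse_alb_line(line):
    """Split one entry into a dict keyed by ALB_FIELDS. The csv module with a space
    delimiter keeps the double-quoted fields (request, user agent, ...) intact even
    though they contain spaces."""
    tokens = next(csv.reader([line], delimiter=" ", quotechar='"'))
    entry = dict(zip(ALB_FIELDS, tokens))
    # client_port is "ip:port"; split on the last colon so IPv6 addresses survive.
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]
    return entry


def summarize(log_text):
    """Aggregate what a monitoring pass wants to know: who is calling, with what
    result, over which TLS version, and which requests the desync classifier flagged."""
    by_status, by_client, by_tls = Counter(), Counter(), Counter()
    legacy_tls, flagged = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_alb_line(line)
        by_status[e["elb_status_code"]] += 1
        by_client[e["client_ip"]] += 1
        by_tls[e.get("ssl_protocol", "-")] += 1
        if e.get("ssl_protocol") in LEGACY_TLS:
            legacy_tls.append((e["client_ip"], e["ssl_protocol"], e["user_agent"]))
        # "-" means the classifier did not run for this request; anything other than
        # Acceptable is worth reviewing, whatever the mitigation mode did with it.
        if e.get("classification", "-") not in ("-", "Acceptable"):
            flagged.append((e["time"], e["client_ip"], e["classification"],
                            e.get("classification_reason", "-"), e["request"]))
    return {
        "requests": sum(by_status.values()),
        "by_status": dict(by_status),
        "by_client": dict(by_client),
        "by_tls": dict(by_tls),
        "legacy_tls_clients": legacy_tls,
        "flagged_requests": flagged,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

To run this over a month of real logs, decompress and concatenate the `.log.gz` files that the `aws s3 sync` command above downloads (the same preparation the `goaccess access.log` command needs) and pass the text to `summarize`. The `legacy_tls_clients` list is the practical pre-check before switching to ELBSecurityPolicy-FS-1-2019-08: if it is empty over a representative period, no current client loses access when the policy changes.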