Updated on 2025-08-25 GMT+08:00

Load Balancers Should Not Use EIPs

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | elb-loadbalancers-no-public-ip |
| Identifier | Load Balancers Should Not Use EIPs |
| Description | If a load balancer has an EIP attached, this load balancer is non-compliant. |
| Tag | elb |
| Trigger Type | Configuration change |
| Filter Type | elb.loadbalancers |
| Rule Parameters | None |

Application Scenarios

Load balancers work on both public and private networks. For details, see Load Balancing on a Public or Private Network.

If a load balancer uses an EIP, it forwards requests from the public network. This may bring the following risks:

  • Public network exposure: The load balancer may become a target of attacks.
  • DDoS attacks: The EIP can be a target of DDoS attacks, which may make the service unavailable or exhaust resources.
  • Data leakage: If backend services are not encrypted or are incorrectly configured, attackers may steal sensitive data through the EIP.

Solution

If your load balancer needs to work over the public network, you do not need this rule. However, you are advised to use security groups and network ACLs to restrict the access scope and to configure WAF instances for ELB.

If your load balancer does not need to work over the public network, unbind the EIPs from the load balancer.

Rule Logic

  • If a load balancer has an EIP attached, this load balancer is non-compliant.
  • If no EIP is attached to a load balancer, this load balancer is compliant.
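The rule logic and filter type above, applied to an exported resource inventory as an added example (not code from this page or from the Config service). The record layout, the `eips`/`publicips` property names, the state strings, and the sample inventory are assumptions constructed for illustration.

```python
# Added illustration. Record layout, property names and state strings are
# assumptions, not a documented schema; the sample inventory is constructed.
FILTER_TYPE = "elb.loadbalancers"      # Filter Type from Table 1
EIP_FIELDS = ("eips", "publicips")     # assumed names of the EIP properties

def attached_eips(resource):
    """Return the de-duplicated EIP addresses recorded on a resource."""
    props = resource.get("properties") or {}
    found = set()
    for field in EIP_FIELDS:
        for entry in props.get(field) or []:   # tolerate missing or null lists
            addr = entry.get("eip_address") or entry.get("publicip_address")
            found.add(addr or "<address not recorded>")
    return sorted(found)

def evaluate(resource):
    """Apply the rule logic; return None for resources outside the filter type."""
    if f'{resource.get("provider")}.{resource.get("type")}' != FILTER_TYPE:
        return None
    eips = attached_eips(resource)
    state = "NonCompliant" if eips else "Compliant"
    return {"resource_id": resource.get("id"), "compliance_state": state, "eips": eips}

def audit(resources):
    """Evaluate every in-scope resource; return (non_compliant, all_results)."""
    results = [r for r in map(evaluate, resources) if r is not None]
    return [r for r in results if r["compliance_state"] == "NonCompliant"], results

# Constructed inventory: one public ELB, one private ELB, one out-of-scope server.
INVENTORY = [
    {"id": "lb-public", "provider": "elb", "type": "loadbalancers",
     "properties": {"eips": [{"eip_address": "203.0.113.10"}],
                    "publicips": [{"publicip_address": "203.0.113.10"}]}},
    {"id": "lb-private", "provider": "elb", "type": "loadbalancers",
     "properties": {"eips": [], "publicips": None}},
    {"id": "ecs-1", "provider": "ecs", "type": "cloudservers",
     "properties": {"publicips": [{"publicip_address": "203.0.113.20"}]}},
]

if __name__ == "__main__":
    flagged, evaluated = audit(INVENTORY)
    for item in flagged:   # candidates for unbinding the EIP or tightening access
        print(item["resource_id"], item["compliance_state"], ", ".join(item["eips"]))
    print(f"{len(flagged)} of {len(evaluated)} load balancers are non-compliant")
```

Each flagged entry lists the attached addresses, so the output can feed the decision in the Solution section: unbind the EIP, or keep it and restrict access.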