Load Balancers Should Not Use EIPs
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | elb-loadbalancers-no-public-ip |
| Identifier | Load Balancers Should Not Use EIPs |
| Description | If a load balancer has an EIP attached, this load balancer is non-compliant. |
| Tag | elb |
| Trigger Type | Configuration change |
| Filter Type | elb.loadbalancers |
| Rule Parameters | None |
Application Scenarios
Load balancers can serve either public or private networks. For details, see Load Balancing on a Public or Private Network.
A load balancer with an EIP attached forwards requests arriving from the public network. This exposes it to the following risks:
- Public network exposure: the load balancer becomes reachable from, and therefore a target for, any host on the Internet.
- DDoS attacks: the EIP can be flooded, making the service unavailable or exhausting backend resources.
- Data leakage: if listeners or backend services do not use encryption or are misconfigured, attackers can reach sensitive data through the EIP.
Solution
If your load balancer must be reachable from the public network, this rule does not apply to it and you do not need to enable the check. In that case, restrict the allowed source ranges with security groups and network ACLs, and place a WAF instance in front of the ELB.
If your load balancer does not need to be reachable from the public network, unbind the EIPs from it.
Rule Logic
- If a load balancer has an EIP attached, this load balancer is non-compliant.
- If no EIP is attached to a load balancer, this load balancer is compliant.
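The two rule-logic statements above can be reproduced offline against load balancer records. The following is an added example written for this page, not the Config service's own evaluation code: it assumes records shaped like an ELB v3 ListLoadBalancers response, with public addresses under a `publicips` list (key `publicip_address`) or an `eips` list (key `eip_address`); those field names and the sample records are assumptions, constructed here for illustration.

```python
"""Evaluate the elb-loadbalancers-no-public-ip rule against load balancer
records (added example; field names below are assumptions, not taken from
the page). Any attached public address makes a load balancer non-compliant."""
import json
from typing import Dict, List

# Constructed sample records for this example; not real resources.
SAMPLE_LOADBALANCERS: List[Dict] = [
    {
        "id": "lb-public-0001",
        "name": "web-frontend",
        "publicips": [
            {"publicip_id": "eip-1111", "publicip_address": "203.0.113.10", "ip_version": 4}
        ],
        "eips": [],
    },
    {
        "id": "lb-private-0002",
        "name": "internal-api",
        "publicips": [],
        "eips": [],
    },
    {
        "id": "lb-legacy-0003",
        "name": "legacy-ingress",
        # Record carrying the address only under the assumed `eips` key.
        "eips": [{"eip_id": "eip-2222", "eip_address": "198.51.100.7", "ip_version": 4}],
    },
]


def attached_public_ips(lb: Dict) -> List[str]:
    """Collect every public address bound to the load balancer.

    Both assumed list fields are inspected, and a missing or null field is
    treated as empty, so a record lacking one key cannot pass by accident."""
    addresses: List[str] = []
    for item in lb.get("publicips") or []:
        addr = item.get("publicip_address")
        if addr:
            addresses.append(addr)
    for item in lb.get("eips") or []:
        addr = item.get("eip_address")
        if addr:
            addresses.append(addr)
    return addresses


def evaluate(lb: Dict) -> Dict:
    """Apply the rule: compliant only when no EIP is attached."""
    ips = attached_public_ips(lb)
    return {
        "resource_id": lb.get("id"),
        "compliant": len(ips) == 0,
        "public_ips": ips,
    }


def evaluate_all(lbs: List[Dict]) -> List[Dict]:
    """Evaluate a list of records and return one result per load balancer."""
    return [evaluate(lb) for lb in lbs]


def non_compliant_ids(lbs: List[Dict]) -> List[str]:
    """IDs of load balancers that still have EIPs to unbind."""
    return [r["resource_id"] for r in evaluate_all(lbs) if not r["compliant"]]


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_LOADBALANCERS):
        print(json.dumps(result))
```

Running the script prints one JSON result per record; `non_compliant_ids` gives the list a remediation step would iterate over when unbinding EIPs from load balancers that do not need public access.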