Unused AWS ELB Resources

Risk level: Low

Rule ID: ELBv2-001

Find any unused Amazon Application Load Balancers (ALBs) and Network Load Balancers (NLBs) and remove them from your account in order to help lower the cost of your monthly AWS bill.

An AWS ELBv2 load balancer is considered "unused" when the associated target group has no EC2 target instance registered or when the registered target instances are not healthy anymore.

This rule can help you work with the AWS Well-Architected Framework.

You are charged for each hour or partial hour that an AWS ELBv2 load balancer is running, regardless of whether you are using the resource or not. Removing unused AWS resources like an Application Load Balancer (ALB) or a Network Load Balancer (NLB) will help you avoid unexpected charges on your AWS bill.

Audit

Case A: Target Groups with no registered instances

 

Using AWS Console

1. Sign in to the AWS Management Console.
 
2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
 
3. In the left navigation panel, under LOAD BALANCING, choose Target Groups.
 
4. Select the target group associated with the AWS ELBv2 load balancer (ALB or NLB) that you want to examine. To determine the resources association, verify the Load balancer attribute value available on the Description tab.
 
5. Select Targets tab from the dashboard bottom panel to access the list with the registered targets.
 
6. Under Registered targets, check for EC2 target instances registered to the selected target group. If there are no target instances currently registered to the group, i.e. the Registered targets list is empty, the selected ELBv2 load balancer is considered unused and can be safely removed from your AWS account in order to avoid unexpected service charges.
 
7. Repeat steps no. 4 – 6 to verify other target groups associated with your load balancers for registered target instances, available within the current region.
 
8. Change the AWS region from the navigation bar and repeat the audit process for other regions.
 

Using AWS CLI

1. Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[*].LoadBalancerArn'

 
2. The command output should return a table with the requested ARNs:

[
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/net/elasticsearch-default/056ec84090110de7",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/siq-jenkins-alb/151ac68961700c00",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/EC2Co-EcsEl-1WMKXR6B8SLDB/11ce1b2bbac3c847",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/TestALB/4659fc3b5e923aa8",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/6connex-alb/1b93bbe8d8ce3082"
]

 
3. Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to expose the Amazon Resource Name (ARN) of the target group associated with the selected ELBv2 resource:

aws elbv2 describe-target-groups \
	--region us-east-1 \
	--load-balancer-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/TestALB/4659fc3b5e923aa8" \
	--query 'TargetGroups[*].TargetGroupArn'

 
4. The command output should return the ARN of the associated target groups:

[
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/abctest/fc6b87952261db86",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/ecs-efab-t-efab-test-service/9b09430c3fb52b02"
]

 
5. Run describe-target-health command (OSX/Linux/UNIX) using each target group ARN returned at the previous step as identifier and custom query filters to list the IDs of the target instances registered to the selected AWS ELBv2 load balancer:

Query 1: Target Group 1

aws elbv2 describe-target-health \
	--region us-east-1 \
	--target-group-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/abctest/fc6b87952261db86" \
	--query 'TargetHealthDescriptions[*].Target.Id'

Query 2: Target Group 2

aws elbv2 describe-target-health \
	--region us-east-1 \
	--target-group-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/ecs-efab-t-efab-test-service/9b09430c3fb52b02" \
	--query 'TargetHealthDescriptions[*].Target.Id'

 
6. The command output(s) should return an array that contains the ID(s) of the registered EC2 target instance(s):

[]
[]

If the describe-target-health custom command output (for all target groups associated with the load balancer) returns an empty array (i.e. []), as shown in the example above, there are no EC2 target instances currently registered to any of the target groups, therefore the selected ELBv2 load balancer is considered unused and can be safely removed from your AWS account.
 
7. Repeat steps no. 3 – 6 to verify other target groups associated with your load balancers for registered target instances, available in the current region.
 
8. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire audit process for other regions.
 

Audit

Case B: Target Groups have unhealthy targets

 

Using AWS Console

1. Sign in to the AWS Management Console.
 
2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
 
3. In the left navigation panel, under LOAD BALANCING section, choose Target Groups.
 
4. Select the target group associated with the AWS ELBv2 load balancer that you want to examine. To determine the resources association, verify the Load balancer attribute value available on the Description tab.
 
5. Select Targets tab from the dashboard bottom panel to access the list with the registered targets.
 
6. In the Registered targets section, check the health check status, listed in the Status column, for each EC2 target instance registered to the selected target group. If none of the registered EC2 instances are healthy, i.e. every instance in the Status column is reported as unhealthy, the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account in order to stop incurring charges for the resource.
 
7. Repeat steps no. 4 – 6 to verify the health status of the target instances registered to other target groups available within the current region.
 
8. Change the AWS region from the navigation bar and repeat the entire audit process for other regions.
 

Using AWS CLI

1. Run describe-load-balancers command (OSX/Linux/UNIX) using custom query filters to list the ARNs of all existing AWS ELBv2 load balancers available in the selected region:

aws elbv2 describe-load-balancers \
	--region us-east-1 \
	--query 'LoadBalancers[*].LoadBalancerArn'

 
2. The command output should return a table with the requested ARNs:

[
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/net/elasticsearch-default/056ec84090110de7",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/siq-jenkins-alb/151ac68961700c00",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/EC2Co-EcsEl-1WMKXR6B8SLDB/11ce1b2bbac3c847",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/TestALB/4659fc3b5e923aa8",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/6connex-alb/1b93bbe8d8ce3082"
]

 
3. Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the load balancer that you want to examine as identifier and custom query filters to expose the Amazon Resource Name (ARN) of the target group associated with the selected ELBv2 resource:

aws elbv2 describe-target-groups \
	--region us-east-1 \
	--load-balancer-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/net/elasticsearch-default/056ec84090110de7" \
	--query 'TargetGroups[*].TargetGroupArn'

 
4. The command output should return the ARN of the associated target groups:

[
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/elasticsearch-data-nodes-tg/bb5f4ec30873b4d8",
    "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/elasticsearch-master-nodes-tg/664a508de6952203"
]

5. Run describe-target-health command (OSX/Linux/UNIX) using each target group ARN returned at the previous step as identifier and custom query filters to list the ID and the health status of each target instance registered to the selected AWS ELBv2 load balancer (note that the query must project both Target.Id and TargetHealth.State to obtain the status):

Query 1: Target Group 1

aws elbv2 describe-target-health \
	--region us-east-1 \
	--target-group-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/elasticsearch-data-nodes-tg/bb5f4ec30873b4d8" \
	--query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'

Query 2: Target Group 2

aws elbv2 describe-target-health \
	--region us-east-1 \
	--target-group-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:targetgroup/elasticsearch-master-nodes-tg/664a508de6952203" \
	--query 'TargetHealthDescriptions[*].[Target.Id,TargetHealth.State]'

 
6. The command output should return an array that contains the ID of each registered EC2 target instance and its health status:

Output 1:
[
    [
        "i-0d7630e3b0511fd98",
        "unhealthy"
    ],
    [
        "i-011eac7e3eb0134dc",
        "unhealthy"
    ]
]

Output 2:
[]

If the health status for each EC2 target instance returned by the describe-target-health command output is set to "unhealthy", there are no healthy target instances currently registered to the associated target group, therefore the selected ELBv2 load balancer is considered "unused" and can be safely removed from your AWS account.
 
7. Repeat steps no. 3 – 6 to verify the health status of the target instances registered to other target groups available in the current region.
 
8. Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the audit process for other regions.
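The two audit cases above carried out programmatically, as an added example that is not part of the original rule page: classify() applies the rule to the describe-target-health results of all target groups behind one load balancer, and audit_region() walks every ELBv2 load balancer in a region with boto3 (assumed installed and configured). The sample ARNs and instance IDs are constructed; treating targets in the "initial" state as live is an assumption added to avoid flagging a freshly provisioned load balancer.

```python
from typing import Dict, List

# Target states that mean the load balancer is (or is about to be) serving traffic.
# "initial" = health checks not finished yet; counting it as live avoids flagging a
# freshly provisioned load balancer as unused (an assumption beyond the rule text).
LIVE_STATES = {"healthy", "initial"}


def classify(tg_health: Dict[str, List[dict]]) -> str:
    """Map {target-group ARN: TargetHealthDescriptions list} to a verdict:
    'no-targets' (Case A), 'no-healthy-targets' (Case B) or 'in-use'."""
    registered = [d for descs in tg_health.values() for d in descs]
    if not registered:
        return "no-targets"
    if any(d.get("TargetHealth", {}).get("State") in LIVE_STATES for d in registered):
        return "in-use"
    return "no-healthy-targets"


def audit_region(region: str) -> List[tuple]:
    """Return [(load balancer ARN, verdict)] for every unused ELBv2 in one region."""
    import boto3  # imported here so classify() stays usable offline without boto3
    elbv2 = boto3.client("elbv2", region_name=region)
    findings = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            arn = lb["LoadBalancerArn"]
            tgs = elbv2.describe_target_groups(LoadBalancerArn=arn)["TargetGroups"]
            health = {tg["TargetGroupArn"]: elbv2.describe_target_health(
                TargetGroupArn=tg["TargetGroupArn"])["TargetHealthDescriptions"]
                for tg in tgs}
            verdict = classify(health)
            if verdict != "in-use":
                findings.append((arn, verdict))
    return findings


# Constructed sample data shaped like the describe-target-health outputs above.
TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/"
SAMPLE_CASE_A = {TG + "abctest/0001": [], TG + "ecs-test-service/0002": []}
SAMPLE_CASE_B = {
    TG + "es-data-nodes-tg/0003": [
        {"Target": {"Id": "i-0d7630e3b0511fd98"}, "TargetHealth": {"State": "unhealthy"}},
        {"Target": {"Id": "i-011eac7e3eb0134dc"}, "TargetHealth": {"State": "unhealthy"}},
    ],
    TG + "es-master-nodes-tg/0004": [],
}
SAMPLE_IN_USE = {TG + "web/0005": [
    {"Target": {"Id": "i-0aaa"}, "TargetHealth": {"State": "healthy"}}]}
```

Run audit_region("us-east-1") with valid credentials to get the list of load balancer ARNs to review before deleting them with the remediation steps below.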
 

Remediation / Resolution

To delete any unused Application Load Balancers (ALBs) or Network Load Balancers (NLBs) currently available within your AWS account, perform the following actions:

 

Using AWS Console

1. Sign in to the AWS Management Console.
 
2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
 
3. In the left navigation panel, under LOAD BALANCING, choose Load Balancers.
 
4. Select the load balancer that you want to remove (see Audit section part I to identify the right AWS ALB/NLB resource).
 
5. Click the Actions dropdown button from the dashboard top menu and select Delete.
 
6. Inside the Delete Load Balancer confirmation box, review the selected load balancer identifier then click Yes, Delete to confirm the action.
 
7. Repeat steps no. 4 – 6 to remove any other unused Application Load Balancers or Network Load Balancers provisioned in the current region.
 
8. Change the AWS region from the navigation bar and repeat the remediation/resolution process for other regions.

Using AWS CLI

1. Run delete-load-balancer command (OSX/Linux/UNIX) using the resource ARN as identifier (see Audit section part II to identify the right Amazon ALB/NLB resource), to delete the selected unused load balancer (the command does not produce an output):

aws elbv2 delete-load-balancer \
	--region us-east-1 \
	--load-balancer-arn "arn:aws:elasticloadbalancing:us-east-1:695292474035:loadbalancer/app/TestALB/4659fc3b5e923aa8"

 
2. Repeat step no. 1 to delete any other unused Application Load Balancers or Network Load Balancers provisioned within the current region.
 
3. Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
 
