Auto Scaling Group ELB Health Check Enabled

Overview

This check verifies that EC2 Auto Scaling groups attached to load balancers have ELB health checks enabled. By default, Auto Scaling groups only use EC2 instance status checks, which may not detect when an application becomes unresponsive to user traffic.

ELB health checks use the load balancer's target health assessment, which tests whether your application is actually responding to requests.

Risk

Without ELB health checks enabled, your Auto Scaling group may keep running instances that fail load balancer probes. This can cause:

• Reduced availability - Traffic gets routed to unhealthy instances that can't serve requests
• Higher error rates - Users experience failures when their requests hit bad targets
• Increased costs - You pay for instances that aren't serving useful traffic, and scaling decisions are based on incomplete health data

Remediation Steps

Prerequisites

You need:

• Access to the AWS Console with permissions to modify Auto Scaling groups
• The name of the Auto Scaling group to update

Required IAM permissions

To modify Auto Scaling group health check settings, you need the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

1. Open the EC2 Console
2. In the left navigation, scroll down and click Auto Scaling Groups
3. Select the Auto Scaling group you want to update
4. Click the Health checks tab (or find the Health checks section on the Details tab)
5. Click Edit
6. Under Health check type, check the box for Turn on Elastic Load Balancing health checks
7. Set an appropriate Health check grace period (default is 300 seconds)
8. Click Update

Note: The health check grace period gives new instances time to start up before health checks begin. Set this longer than your application's startup time to avoid premature termination.

AWS CLI (optional)

Enable ELB health checks for an existing Auto Scaling group:

aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name <your-asg-name> \
  --health-check-type ELB \
  --health-check-grace-period 300 \
  --region us-east-1

Replace <your-asg-name> with your Auto Scaling group name.

To verify the change:

aws autoscaling describe-auto-scaling-groups \
  --auto-scaling-group-names <your-asg-name> \
  --query 'AutoScalingGroups[0].{Name:AutoScalingGroupName,HealthCheckType:HealthCheckType,GracePeriod:HealthCheckGracePeriod}' \
  --region us-east-1

Expected output should show "HealthCheckType": "ELB".

CloudFormation (optional)

To create or update an Auto Scaling group with ELB health checks enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: Auto Scaling Group with ELB Health Check enabled

Parameters:
  AutoScalingGroupName:
    Type: String
    Description: Name for the Auto Scaling group
  LaunchTemplateId:
    Type: String
    Description: ID of the launch template
  VPCZoneIdentifier:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of subnet IDs for the Auto Scaling group
  TargetGroupARN:
    Type: String
    Description: ARN of the target group to attach

Resources:
  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: !Ref AutoScalingGroupName
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplateId
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      MinSize: '1'
      MaxSize: '4'
      DesiredCapacity: '2'
      VPCZoneIdentifier: !Ref VPCZoneIdentifier
      TargetGroupARNs:
        - !Ref TargetGroupARN
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300

  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0123456789abcdef0
        InstanceType: t3.micro

Outputs:
  AutoScalingGroupName:
    Description: Name of the Auto Scaling group
    Value: !Ref AutoScalingGroup

Key properties:

• HealthCheckType: ELB - Enables ELB-based health checks
• HealthCheckGracePeriod: 300 - Gives instances 5 minutes to start before health checks begin
• TargetGroupARNs - Links the ASG to your load balancer's target group

Terraform (optional)

To create or update an Auto Scaling group with ELB health checks enabled:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "asg_name" {
  description = "Name of the Auto Scaling group"
  type        = string
}

variable "launch_template_id" {
  description = "ID of the launch template"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs for the Auto Scaling group"
  type        = list(string)
}

variable "target_group_arns" {
  description = "List of target group ARNs to attach"
  type        = list(string)
}

resource "aws_autoscaling_group" "example" {
  name                      = var.asg_name
  min_size                  = 1
  max_size                  = 4
  desired_capacity          = 2
  vpc_zone_identifier       = var.subnet_ids
  target_group_arns         = var.target_group_arns
  health_check_type         = "ELB"
  health_check_grace_period = 300

  launch_template {
    id      = var.launch_template_id
    version = "$Latest"
  }

  tag {
    key                 = "Name"
    value               = var.asg_name
    propagate_at_launch = true
  }
}

output "asg_name" {
  description = "Name of the Auto Scaling group"
  value       = aws_autoscaling_group.example.name
}

Key arguments:

• health_check_type = "ELB" - Enables ELB-based health checks
• health_check_grace_period = 300 - Gives instances 5 minutes to start before health checks begin
• target_group_arns - Links the ASG to your load balancer's target group(s)

Verification

After making the change, verify that ELB health checks are enabled:

1. In the EC2 Console, go to Auto Scaling Groups
2. Select your Auto Scaling group
3. Check the Health checks tab
4. Confirm that Elastic Load Balancing health checks shows as enabled

CLI verification

aws autoscaling describe-auto-scaling-groups \
  --auto-scaling-group-names <your-asg-name> \
  --query 'AutoScalingGroups[0].HealthCheckType' \
  --output text \
  --region us-east-1

The output should be ELB.

Additional Resources

• AWS Auto Scaling Health Checks Documentation
• Add Elastic Load Balancing Health Checks
• AWS::AutoScaling::AutoScalingGroup CloudFormation Reference
• Terraform aws_autoscaling_group Resource

Notes

• Health check grace period: Set this value longer than your application's startup time. If instances are terminated before they finish starting, increase the grace period.

• Existing instances: Changing the health check type does not immediately affect running instances. The new setting applies to future health evaluations.

• Load balancer configuration: Make sure your load balancer's target group has appropriate health check settings (path, interval, thresholds) that match your application's behavior.

• Multiple load balancers: If your Auto Scaling group is attached to multiple target groups, an instance is considered unhealthy if ANY of the target groups report it as unhealthy.