Classic Load Balancer Connection Draining Enabled

Overview

This check verifies that Classic Load Balancers have connection draining enabled. Connection draining ensures that when an instance is removed from the load balancer (due to scaling, health issues, or maintenance), existing connections are allowed to complete gracefully rather than being terminated abruptly.

Risk

Without connection draining, removing an instance causes all active connections to be dropped immediately. This can result in:

• Broken user sessions - Users may see error pages or partial responses
• Failed transactions - In-progress operations (like form submissions or file uploads) may fail
• Data inconsistency - Incomplete database transactions could leave data in an inconsistent state
• Poor user experience - Users must retry their requests, leading to frustration

Remediation Steps

Prerequisites

You need permission to modify Classic Load Balancer attributes. Typically this requires the elasticloadbalancing:ModifyLoadBalancerAttributes IAM permission.

AWS Console Method

1. Open the EC2 console at https://console.aws.amazon.com/ec2/
2. In the left navigation, under Load Balancing, click Load Balancers
3. Select the Classic load balancer you want to modify
4. Click the Attributes tab
5. Click Edit attributes
6. Find Connection draining and check the box to enable it
7. Set the Timeout value (default is 300 seconds; adjust based on your typical request duration)
8. Click Save

AWS CLI (optional)

Enable connection draining with default 300-second timeout:

aws elb modify-load-balancer-attributes \
    --load-balancer-name my-classic-elb \
    --load-balancer-attributes '{"ConnectionDraining":{"Enabled":true,"Timeout":300}}' \
    --region us-east-1

Enable with a custom timeout (e.g., 60 seconds for fast requests):

aws elb modify-load-balancer-attributes \
    --load-balancer-name my-classic-elb \
    --load-balancer-attributes '{"ConnectionDraining":{"Enabled":true,"Timeout":60}}' \
    --region us-east-1

Replace my-classic-elb with your actual load balancer name.

CloudFormation (optional)

Add or update the ConnectionDrainingPolicy property in your AWS::ElasticLoadBalancing::LoadBalancer resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: Classic Load Balancer with Connection Draining Enabled

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the load balancer

Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: my-classic-elb
      Subnets: !Ref SubnetIds
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      ConnectionDrainingPolicy:
        Enabled: true
        Timeout: 300
      HealthCheck:
        Target: HTTP:80/health
        HealthyThreshold: 2
        UnhealthyThreshold: 5
        Interval: 30
        Timeout: 5
      Tags:
        - Key: Name
          Value: my-classic-elb

Outputs:
  LoadBalancerDNSName:
    Description: DNS name of the load balancer
    Value: !GetAtt ClassicLoadBalancer.DNSName

Key configuration:

• ConnectionDrainingPolicy.Enabled: Set to true
• ConnectionDrainingPolicy.Timeout: Time in seconds to wait for connections to drain (default: 300)

Terraform (optional)

Use the connection_draining and connection_draining_timeout arguments in the aws_elb resource:

resource "aws_elb" "example" {
  name               = "my-classic-elb"
  subnets            = var.subnet_ids

  listener {
    instance_port     = 80
    instance_protocol = "HTTP"
    lb_port           = 80
    lb_protocol       = "HTTP"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 5
    timeout             = 5
    target              = "HTTP:80/health"
    interval            = 30
  }

  # Enable connection draining with 300 second timeout
  connection_draining         = true
  connection_draining_timeout = 300

  tags = {
    Name = "my-classic-elb"
  }
}

Key arguments:

• connection_draining: Set to true to enable
• connection_draining_timeout: Seconds to wait for connections to complete (default: 300)

Verification

After enabling connection draining, verify the setting is active:

1. In the EC2 console, select your load balancer
2. Click the Attributes tab
3. Confirm Connection draining shows as Enabled with your configured timeout

Verify via AWS CLI

aws elb describe-load-balancer-attributes \
    --load-balancer-name my-classic-elb \
    --region us-east-1 \
    --query 'LoadBalancerAttributes.ConnectionDraining'

Expected output when properly configured:

{
    "Enabled": true,
    "Timeout": 300
}

Additional Resources

• AWS Documentation: Configure Connection Draining for Your Classic Load Balancer
• AWS Classic Load Balancer User Guide
• Prowler Check Documentation

Notes

• Timeout selection: Choose a timeout based on your application's typical request duration. For quick API calls, 30-60 seconds may suffice. For long-running requests (file uploads, report generation), consider 300+ seconds.

• Classic vs. Application Load Balancers: This check applies only to Classic Load Balancers. Application Load Balancers (ALB) and Network Load Balancers (NLB) use a different mechanism called "deregistration delay" which is enabled by default.

• Auto Scaling integration: Connection draining is especially important when using Auto Scaling. It ensures that instances being terminated during scale-in events complete their in-flight requests before shutdown.

• No downtime: Enabling connection draining does not cause any service interruption. It only affects future instance deregistration events.