Ensure Cross-Zone Load Balancing is Enabled for Classic Load Balancers

Overview

This check verifies that your Classic Load Balancers (CLBs) have cross-zone load balancing enabled. When enabled, the load balancer distributes incoming traffic evenly across all registered instances in all Availability Zones, rather than only routing traffic to instances in the same zone as the load balancer node that received the request.

Risk

Without cross-zone load balancing:

• Traffic may concentrate in a single Availability Zone, causing performance hotspots
• Uneven instance utilization can lead to some instances being overwhelmed while others sit idle
• During partial AZ outages, the impact is more severe since traffic cannot be redistributed effectively
• Overall application availability and fault tolerance are reduced

Remediation Steps

Prerequisites

• Access to the AWS Console with permissions to modify Elastic Load Balancing resources
• The name of the Classic Load Balancer you need to update

AWS Console Method

1. Open the Amazon EC2 Console at https://console.aws.amazon.com/ec2/
2. In the left navigation pane, under Load Balancing, select Load Balancers
3. Select the Classic Load Balancer you want to modify
4. Choose the Attributes tab in the details pane
5. Find Cross-zone load balancing and click Edit
6. Check the box to Enable cross-zone load balancing
7. Click Save

AWS CLI (optional)

To enable cross-zone load balancing using the AWS CLI:

aws elb modify-load-balancer-attributes \
    --load-balancer-name <your-load-balancer-name> \
    --load-balancer-attributes '{"CrossZoneLoadBalancing":{"Enabled":true}}' \
    --region us-east-1

Replace <your-load-balancer-name> with the actual name of your Classic Load Balancer.

To verify the change:

aws elb describe-load-balancer-attributes \
    --load-balancer-name <your-load-balancer-name> \
    --region us-east-1

You should see "Enabled": true under CrossZoneLoadBalancing in the output.

CloudFormation (optional)

To create or update a Classic Load Balancer with cross-zone load balancing enabled, use the CrossZone property:

AWSTemplateFormatVersion: '2010-09-09'
Description: Classic Load Balancer with Cross-Zone Load Balancing Enabled

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets for the load balancer (at least 2 in different AZs)

Resources:
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: my-classic-lb
      Subnets: !Ref SubnetIds
      CrossZone: true
      Listeners:
        - LoadBalancerPort: 80
          InstancePort: 80
          Protocol: HTTP
      HealthCheck:
        Target: HTTP:80/health
        HealthyThreshold: 2
        UnhealthyThreshold: 5
        Interval: 30
        Timeout: 5
      Tags:
        - Key: Name
          Value: my-classic-lb

Outputs:
  LoadBalancerDNSName:
    Description: DNS name of the load balancer
    Value: !GetAtt ClassicLoadBalancer.DNSName
  LoadBalancerName:
    Description: Name of the load balancer
    Value: !Ref ClassicLoadBalancer

The key setting is CrossZone: true which enables cross-zone load balancing.

Terraform (optional)

To create or update a Classic Load Balancer with cross-zone load balancing enabled:

variable "subnet_ids" {
  description = "List of subnet IDs for the load balancer"
  type        = list(string)
}

variable "instance_ids" {
  description = "List of EC2 instance IDs to register with the load balancer"
  type        = list(string)
  default     = []
}

resource "aws_elb" "classic_lb" {
  name    = "my-classic-lb"
  subnets = var.subnet_ids

  # Enable cross-zone load balancing
  cross_zone_load_balancing = true

  listener {
    instance_port     = 80
    instance_protocol = "HTTP"
    lb_port           = 80
    lb_protocol       = "HTTP"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 5
    timeout             = 5
    target              = "HTTP:80/health"
    interval            = 30
  }

  instances = var.instance_ids

  tags = {
    Name = "my-classic-lb"
  }
}

output "elb_dns_name" {
  description = "DNS name of the Classic Load Balancer"
  value       = aws_elb.classic_lb.dns_name
}

The key setting is cross_zone_load_balancing = true.

Verification

After making changes, verify that cross-zone load balancing is enabled:

1. In the EC2 Console, navigate to Load Balancers
2. Select your Classic Load Balancer
3. Check the Attributes tab
4. Confirm that Cross-zone load balancing shows as Enabled

CLI verification

aws elb describe-load-balancer-attributes \
    --load-balancer-name <your-load-balancer-name> \
    --region us-east-1 \
    --query 'LoadBalancerAttributes.CrossZoneLoadBalancing.Enabled'

This should return true.

Additional Resources

• AWS Documentation: Configure Cross-Zone Load Balancing for Classic Load Balancers
• AWS Documentation: Classic Load Balancer Overview
• Prowler Check Documentation

Notes

• Classic Load Balancers are legacy: AWS recommends migrating to Application Load Balancers (ALB) or Network Load Balancers (NLB) for new applications. ALBs have cross-zone load balancing enabled by default.
• No additional cost: Enabling cross-zone load balancing does not incur extra charges for Classic Load Balancers.
• Immediate effect: The change takes effect immediately without requiring a load balancer restart.
• Best practice: Deploy your load balancer across at least two Availability Zones with balanced capacity in each zone for optimal fault tolerance.