Ensure Cross-Zone Load Balancing is Enabled for Network and Gateway Load Balancers

Overview

This check verifies that Network Load Balancers (NLBs) and Gateway Load Balancers (GWLBs) have cross-zone load balancing enabled. When enabled, each load balancer node distributes traffic across all registered targets in all Availability Zones, rather than only to targets in its own zone.

Note: Application Load Balancers (ALBs) have cross-zone load balancing enabled by default and cannot be changed. This check applies only to NLBs and GWLBs.

Risk

Without cross-zone load balancing enabled:

  • Uneven traffic distribution: Traffic may concentrate in a single Availability Zone, overloading some targets while others remain idle
  • Reduced fault tolerance: During a zonal outage, traffic that reaches the load balancer node in the affected zone cannot be redistributed to healthy targets in other zones
  • Performance degradation: Some targets may become saturated while others are underutilized, leading to connection drops and increased latency
  • Partial service failures: If one zone has fewer healthy targets, clients routed to that zone experience degraded service

Remediation Steps

Prerequisites

You need permissions to modify load balancer attributes. This typically requires the elasticloadbalancing:ModifyLoadBalancerAttributes permission.

AWS Console Method

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. In the left navigation pane, under Load Balancing, choose Load Balancers
  3. Select your Network Load Balancer or Gateway Load Balancer
  4. Choose the Attributes tab
  5. Click Edit
  6. Under Cross-zone load balancing, select On
  7. Click Save changes

AWS CLI

Use the modify-load-balancer-attributes command to enable cross-zone load balancing.

Enable cross-zone load balancing:

aws elbv2 modify-load-balancer-attributes \
--region us-east-1 \
--load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/1234567890abcdef \
--attributes Key=load_balancing.cross_zone.enabled,Value=true

Replace the ARN with your actual load balancer ARN.

Find your load balancer ARN:

aws elbv2 describe-load-balancers \
--region us-east-1 \
--query "LoadBalancers[?Type=='network' || Type=='gateway'].[LoadBalancerName,LoadBalancerArn]" \
--output table

Check current cross-zone setting for a specific load balancer:

aws elbv2 describe-load-balancer-attributes \
--region us-east-1 \
--load-balancer-arn <your-load-balancer-arn> \
--query "Attributes[?Key=='load_balancing.cross_zone.enabled']"

CloudFormation

Use the LoadBalancerAttributes property to enable cross-zone load balancing when creating or updating a load balancer.

AWSTemplateFormatVersion: '2010-09-09'
Description: Network Load Balancer with Cross-Zone Load Balancing enabled

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the load balancer (at least two in different AZs)

Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-nlb-cross-zone
      Type: network
      Scheme: internal
      Subnets: !Ref SubnetIds
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: "true"
      Tags:
        - Key: Name
          Value: my-nlb-cross-zone

Outputs:
  LoadBalancerArn:
    Description: ARN of the Network Load Balancer
    Value: !Ref NetworkLoadBalancer
  LoadBalancerDNSName:
    Description: DNS name of the Network Load Balancer
    Value: !GetAtt NetworkLoadBalancer.DNSName

For Gateway Load Balancers, change Type: network to Type: gateway and remove the Scheme property (GWLBs don't support scheme specification).

Terraform

Use the enable_cross_zone_load_balancing argument in the aws_lb resource.

variable "subnet_ids" {
  description = "Subnet IDs for the load balancer"
  type        = list(string)
}

# Network Load Balancer with cross-zone load balancing enabled
resource "aws_lb" "network" {
  name               = "my-nlb-cross-zone"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.subnet_ids

  enable_cross_zone_load_balancing = true

  tags = {
    Name = "my-nlb-cross-zone"
  }
}

# Gateway Load Balancer with cross-zone load balancing enabled
resource "aws_lb" "gateway" {
  name               = "my-gwlb-cross-zone"
  load_balancer_type = "gateway"
  subnets            = var.subnet_ids

  enable_cross_zone_load_balancing = true

  tags = {
    Name = "my-gwlb-cross-zone"
  }
}

output "nlb_arn" {
  description = "ARN of the Network Load Balancer"
  value       = aws_lb.network.arn
}

output "gwlb_arn" {
  description = "ARN of the Gateway Load Balancer"
  value       = aws_lb.gateway.arn
}

Verification

After enabling cross-zone load balancing, verify the change:

  1. In the EC2 console, select your load balancer and check the Attributes tab
  2. Confirm that Cross-zone load balancing shows as On

CLI Verification

aws elbv2 describe-load-balancer-attributes \
--region us-east-1 \
--load-balancer-arn <your-load-balancer-arn> \
--query "Attributes[?Key=='load_balancing.cross_zone.enabled'].Value" \
--output text

The output should be true.

Verify all NLBs and GWLBs have cross-zone enabled:

for arn in $(aws elbv2 describe-load-balancers --region us-east-1 --query "LoadBalancers[?Type=='network' || Type=='gateway'].LoadBalancerArn" --output text); do
  name=$(aws elbv2 describe-load-balancers --region us-east-1 --load-balancer-arns "$arn" --query "LoadBalancers[0].LoadBalancerName" --output text)
  cross_zone=$(aws elbv2 describe-load-balancer-attributes --region us-east-1 --load-balancer-arn "$arn" --query "Attributes[?Key=='load_balancing.cross_zone.enabled'].Value" --output text)
  echo "$name: cross_zone=$cross_zone"
done
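The same check, written as an added example rather than as part of this page's tooling: the Python below implements the evaluation logic over the JSON shapes that describe-load-balancers and describe-load-balancer-attributes return (the same output the CLI commands above print), skipping ALBs and treating a missing attribute as non-compliant. The sample responses are constructed and do not describe real resources; wiring it to the matching boto3 calls is left to the caller.

```python
# Added example: pure check logic over the JSON shapes returned by
# `describe-load-balancers` and `describe-load-balancer-attributes`,
# so it runs offline and can be wired to the matching boto3 calls.
ATTR_KEY = "load_balancing.cross_zone.enabled"
CHECKED_TYPES = {"network", "gateway"}  # ALBs are always on and are skipped


def cross_zone_status(lb: dict, attributes: list) -> str:
    """Return PASS, FAIL or NOT_APPLICABLE for one load balancer.

    A missing attribute is reported as FAIL rather than assumed to be the
    AWS default, so a truncated or partial response cannot hide a disabled
    setting.
    """
    if lb.get("Type") not in CHECKED_TYPES:
        return "NOT_APPLICABLE"
    values = [a.get("Value", "") for a in attributes if a.get("Key") == ATTR_KEY]
    if not values:
        return "FAIL"
    # The API returns the boolean as a string; accept only a literal "true".
    return "PASS" if values[0].strip().lower() == "true" else "FAIL"


def evaluate(describe_lbs: dict, attrs_by_arn: dict) -> list:
    """Classify every load balancer in a describe-load-balancers response."""
    findings = []
    for lb in describe_lbs.get("LoadBalancers", []):
        arn = lb["LoadBalancerArn"]
        findings.append({
            "name": lb.get("LoadBalancerName", arn),
            "type": lb.get("Type"),
            "status": cross_zone_status(lb, attrs_by_arn.get(arn, [])),
        })
    return findings


# Constructed sample responses (not real resources), in the CLI output shapes.
_PREFIX = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/"
SAMPLE_LBS = {"LoadBalancers": [
    {"LoadBalancerArn": _PREFIX + "net/nlb-a/aaaa", "LoadBalancerName": "nlb-a", "Type": "network"},
    {"LoadBalancerArn": _PREFIX + "gwy/gwlb-b/bbbb", "LoadBalancerName": "gwlb-b", "Type": "gateway"},
    {"LoadBalancerArn": _PREFIX + "app/alb-c/cccc", "LoadBalancerName": "alb-c", "Type": "application"},
]}
SAMPLE_ATTRS = {
    _PREFIX + "net/nlb-a/aaaa": [{"Key": ATTR_KEY, "Value": "true"}],
    _PREFIX + "gwy/gwlb-b/bbbb": [{"Key": ATTR_KEY, "Value": "false"}],
    # alb-c deliberately has no attributes captured; it is out of scope anyway.
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LBS, SAMPLE_ATTRS):
        print(f"{f['name']} ({f['type']}): {f['status']}")
```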

Notes

  • Cost consideration: Enabling cross-zone load balancing on NLBs may incur additional data transfer charges for traffic that crosses Availability Zone boundaries. Review AWS pricing for inter-AZ data transfer.
  • Application Load Balancers: ALBs have cross-zone load balancing enabled by default and it cannot be disabled. This check only applies to NLBs and GWLBs.
  • Target distribution: For optimal results, ensure you have roughly equal numbers of healthy targets registered in each Availability Zone.
  • No downtime: Enabling cross-zone load balancing does not cause downtime or require load balancer recreation.