Elastic Load Balancer V2 (ELBv2) is Configured Across Multiple Availability Zones (AZs)
Overview
This check verifies that your Application, Network, or Gateway Load Balancer is configured to operate across at least two Availability Zones (AZs). Running a load balancer in multiple AZs ensures your application remains available even if one zone experiences problems.
Risk
If your load balancer operates in only one Availability Zone, you have a single point of failure. An AZ outage, zonal degradation, or capacity issues in that single zone could cause:
- Application downtime
- Dropped connections
- Service unavailability for your users
Spreading your load balancer across multiple AZs protects against these scenarios.
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify load balancers
- At least two subnets in different Availability Zones within the same VPC
AWS Console Method
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
- In the left navigation pane, choose Load Balancers
- Select the load balancer you want to modify
- Choose the Network mapping tab
- Click Edit subnets
- Select at least two subnets from different Availability Zones
  - Each subnet must be in a different AZ
  - Subnets should have sufficient IP addresses for your expected traffic
- Click Save changes
AWS CLI (optional)
Use the set-subnets command to configure your load balancer across multiple AZs:
# List your current load balancers and the AZs each one is enabled in
aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancers[*].[LoadBalancerName,LoadBalancerArn,AvailabilityZones[*].ZoneName]' \
  --output table

# Update the load balancer to use subnets in multiple AZs
aws elbv2 set-subnets \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \
  --subnets subnet-0123456789abcdef0 subnet-0fedcba9876543210 \
  --region us-east-1
Replace:
- arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 with your load balancer ARN
- subnet-0123456789abcdef0 and subnet-0fedcba9876543210 with your actual subnet IDs from different AZs
Finding subnets in your VPC:
# List subnets with their Availability Zones
aws ec2 describe-subnets \
  --region us-east-1 \
  --query 'Subnets[*].[SubnetId,AvailabilityZone,VpcId,CidrBlock]' \
  --output table
CloudFormation (optional)
This template creates an Application Load Balancer configured across two Availability Zones:
AWSTemplateFormatVersion: '2010-09-09'
Description: Application Load Balancer configured across multiple Availability Zones
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the load balancer will be created
  SubnetIdA:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID in Availability Zone A
  SubnetIdB:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID in Availability Zone B
Resources:
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for the Application Load Balancer
      VpcId: !Ref VpcId
      # Public HTTP/HTTPS ingress for an internet-facing ALB; restrict if this ALB is internal
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: ALB-SecurityGroup
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: multi-az-alb
      Type: application
      Scheme: internet-facing
      IpAddressType: ipv4
      # SubnetIdA and SubnetIdB must be in different AZs; ALBs require at least two
      Subnets:
        - !Ref SubnetIdA
        - !Ref SubnetIdB
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup
      Tags:
        - Key: Name
          Value: MultiAZ-ALB
Outputs:
  LoadBalancerArn:
    Description: ARN of the Application Load Balancer
    Value: !Ref ApplicationLoadBalancer
  LoadBalancerDNS:
    Description: DNS name of the Application Load Balancer
    Value: !GetAtt ApplicationLoadBalancer.DNSName
Deploy the stack:
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name multi-az-load-balancer \
  --parameter-overrides \
    VpcId=vpc-0123456789abcdef0 \
    SubnetIdA=subnet-0123456789abcdef0 \
    SubnetIdB=subnet-0fedcba9876543210 \
  --region us-east-1
Terraform (optional)
This configuration creates an Application Load Balancer across multiple Availability Zones:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "vpc_id" {
  description = "VPC ID where the load balancer will be created"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs across multiple Availability Zones"
  type        = list(string)
}

resource "aws_security_group" "alb_sg" {
  name        = "alb-security-group"
  description = "Security group for Application Load Balancer"
  vpc_id      = var.vpc_id

  # Public HTTP/HTTPS ingress for an internet-facing ALB; restrict if the ALB is internal
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "ALB-SecurityGroup"
  }
}

resource "aws_lb" "multi_az_alb" {
  name               = "multi-az-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb_sg.id]
  # var.subnet_ids must contain subnets from at least two different AZs
  subnets            = var.subnet_ids

  enable_cross_zone_load_balancing = true

  tags = {
    Name = "MultiAZ-ALB"
  }
}

output "load_balancer_arn" {
  description = "ARN of the Application Load Balancer"
  value       = aws_lb.multi_az_alb.arn
}

output "load_balancer_dns" {
  description = "DNS name of the Application Load Balancer"
  value       = aws_lb.multi_az_alb.dns_name
}
Deploy with Terraform:
terraform init
terraform plan -var="vpc_id=vpc-0123456789abcdef0" -var='subnet_ids=["subnet-0123456789abcdef0","subnet-0fedcba9876543210"]'
terraform apply -var="vpc_id=vpc-0123456789abcdef0" -var='subnet_ids=["subnet-0123456789abcdef0","subnet-0fedcba9876543210"]'
Verification
After making changes, verify your load balancer is configured across multiple AZs:
- In the EC2 Console, select your load balancer
- Check the Network mapping section
- Confirm you see at least two different Availability Zones listed
CLI verification
aws elbv2 describe-load-balancers \
  --load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \
  --region us-east-1 \
  --query 'LoadBalancers[0].AvailabilityZones[*].[ZoneName,SubnetId]' \
  --output table
You should see at least two different Availability Zones (e.g., us-east-1a and us-east-1b).
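The same evaluation the check performs, written out in Python as an added example (not the check's own source code): it counts distinct Availability Zones per load balancer from a DescribeLoadBalancers response, runs offline against a constructed sample, and evaluate_region is an assumed helper that would query a real region with boto3.

```python
"""Offline evaluation of the multi-AZ check against DescribeLoadBalancers output."""
from typing import Dict, List

MIN_ZONES = 2  # the check requires at least two distinct Availability Zones

# Constructed sample shaped like the ELBv2 DescribeLoadBalancers response;
# the names and subnet IDs are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "LoadBalancers": [
        {"LoadBalancerName": "multi-az-alb", "Type": "application",
         "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-aaaa0001"},
                               {"ZoneName": "us-east-1b", "SubnetId": "subnet-bbbb0002"}]},
        {"LoadBalancerName": "single-az-nlb", "Type": "network",
         "AvailabilityZones": [{"ZoneName": "us-east-1a", "SubnetId": "subnet-aaaa0003"}]},
    ]
}


def zones_for(lb: Dict) -> List[str]:
    """Distinct AZ names the load balancer is enabled in, sorted for stable output.
    Counting zones rather than subnets is the point: two subnets in one AZ still fail."""
    return sorted({az["ZoneName"] for az in lb.get("AvailabilityZones", [])})


def evaluate(response: Dict, min_zones: int = MIN_ZONES) -> List[Dict]:
    """One finding per load balancer: PASS if it spans at least min_zones AZs, else FAIL."""
    findings = []
    for lb in response.get("LoadBalancers", []):
        zones = zones_for(lb)
        findings.append({
            "name": lb["LoadBalancerName"],
            "type": lb.get("Type", "unknown"),
            "zones": zones,
            "status": "PASS" if len(zones) >= min_zones else "FAIL",
        })
    return findings


def evaluate_region(region: str) -> List[Dict]:
    """Assumed live variant: page through describe-load-balancers with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above work without boto3 installed
    paginator = boto3.client("elbv2", region_name=region).get_paginator("describe_load_balancers")
    lbs = [lb for page in paginator.paginate() for lb in page["LoadBalancers"]]
    return evaluate({"LoadBalancers": lbs})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESPONSE):
        print(f"{f['status']:4} {f['type']:11} {f['name']:15} zones={','.join(f['zones'])}")
```

Running the module prints one PASS line for the two-zone ALB and one FAIL line for the single-zone NLB in the sample.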
Additional Resources
- AWS ELB User Guide: Availability Zones
- Application Load Balancer Documentation
- Network Load Balancer Documentation
- AWS Well-Architected Framework: Reliability Pillar
Notes
- Application Load Balancers require subnets from at least two Availability Zones
- Network Load Balancers can operate in one or more AZs, but two or more is recommended for high availability
- Gateway Load Balancers can operate in one or more AZs, but you cannot remove existing subnets (only add new ones)
- Consider enabling cross-zone load balancing to distribute traffic evenly across all registered targets in all enabled AZs
- Ensure each selected subnet has enough available IP addresses for your expected traffic load
- If you use Auto Scaling groups behind your load balancer, make sure they also span the same AZs