Amazon Web Services
Amazon Elastic Load Balancing (ELB) is a load balancing service for deployments that automatically distributes incoming application traffic across multiple targets and scales resources to meet traffic demands, in one or more Availability Zones (AZs).
Terraform
  • name - (Optional) The name of the ELB. By default generated by Terraform.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • access_logs - (Optional) An Access Logs block. Access Logs documented below.
  • availability_zones - (Required for an EC2-classic ELB) The AZs to serve traffic in.
  • security_groups - (Optional) A list of security group IDs to assign to the ELB. Only valid if creating an ELB within a VPC.
  • subnets - (Required for a VPC ELB) A list of subnet IDs to attach to the ELB.
  • instances - (Optional) A list of instance ids to place in the ELB pool.
  • internal - (Optional) If true, ELB will be an internal ELB.
  • listener - (Required) A list of listener blocks. Listeners documented below.
  • health_check - (Optional) A health_check block. Health Check documented below.
  • cross_zone_load_balancing - (Optional) Enable cross-zone load balancing. Default: true
  • idle_timeout - (Optional) The time in seconds that the connection is allowed to be idle. Default: 60
  • connection_draining - (Optional) Boolean to enable connection draining. Default: false
  • connection_draining_timeout - (Optional) The time in seconds to allow for connections to drain. Default: 300
  • desync_mitigation_mode - (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Exactly one of availability_zones or subnets must be specified: this determines if the ELB exists in a VPC or in EC2-classic.

Access Logs (access_logs) support the following:

  • bucket - (Required) The S3 bucket name to store the logs in.
  • bucket_prefix - (Optional) The S3 bucket prefix. Logs are stored in the root if not configured.
  • interval - (Optional) The publishing interval in minutes. Valid values: 5 and 60. Default: 60
  • enabled - (Optional) Boolean to enable / disable access_logs. Default is true

Listeners (listener) support the following:

  • instance_port - (Required) The port on the instance to route to
  • instance_protocol - (Required) The protocol to use to the instance. Valid values are HTTP, HTTPS, TCP, or SSL
  • lb_port - (Required) The port to listen on for the load balancer
  • lb_protocol - (Required) The protocol to listen on. Valid values are HTTP, HTTPS, TCP, or SSL
  • ssl_certificate_id - (Optional) The ARN of an SSL certificate you have uploaded to AWS IAM. Note ECDSA-specific restrictions below. Only valid when lb_protocol is either HTTPS or SSL

Health Check (health_check) supports the following:

  • healthy_threshold - (Required) The number of checks before the instance is declared healthy.
  • unhealthy_threshold - (Required) The number of checks before the instance is declared unhealthy.
  • target - (Required) The target of the check. Valid pattern is "${PROTOCOL}:${PORT}${PATH}", where PROTOCOL values are:
      • HTTP, HTTPS - PORT and PATH are required
      • TCP, SSL - PORT is required, PATH is not supported
  • interval - (Required) The interval between checks.
  • timeout - (Required) The length of time before the check times out.

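The health_check target rules above can be enforced before a plan is applied. The following Python validator is an added example, not code from the page or from the Terraform AWS provider: it parses a target string against the documented "${PROTOCOL}:${PORT}${PATH}" pattern and rejects the combinations the reference forbids (HTTP/HTTPS without a path, TCP/SSL with one). The regular expression, the HealthCheckTarget type and the sample strings are this example's own; protocol names are treated as case-sensitive uppercase, as written in the reference.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Documented shape of an ELB health_check target: "${PROTOCOL}:${PORT}${PATH}".
# PATH, when present, must start with "/" (assumption of this example).
_TARGET_RE = re.compile(r"^(?P<proto>[A-Z]+):(?P<port>\d+)(?P<path>/.*)?$")


@dataclass(frozen=True)
class HealthCheckTarget:
    protocol: str
    port: int
    path: Optional[str]  # None for TCP/SSL targets, which carry no path


def parse_health_check_target(target: str) -> HealthCheckTarget:
    """Parse and validate an ELB health_check target string.

    Rules enforced, taken from the argument reference:
      HTTP, HTTPS -> PORT and PATH are required
      TCP, SSL    -> PORT is required, PATH is not supported
    Raises ValueError on any violation so a CI check can fail fast.
    """
    m = _TARGET_RE.match(target.strip())
    if not m:
        raise ValueError(f"malformed target {target!r}: expected PROTOCOL:PORT[PATH]")

    proto = m.group("proto")
    port = int(m.group("port"))
    path = m.group("path")

    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {target!r}")

    if proto in ("HTTP", "HTTPS"):
        if not path:
            raise ValueError(f"{proto} target {target!r} requires a PATH")
    elif proto in ("TCP", "SSL"):
        if path is not None:
            raise ValueError(f"{proto} target {target!r} must not carry a PATH")
    else:
        raise ValueError(f"unsupported protocol {proto!r} in {target!r}")

    return HealthCheckTarget(proto, port, path)


def is_valid_target(target: str) -> bool:
    """Boolean wrapper for use in a policy check or pre-commit hook."""
    try:
        parse_health_check_target(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the page's own example plus deliberately bad ones.
    for sample in ["HTTP:8000/", "TCP:443", "HTTP:8000", "TCP:443/health", "UDP:53"]:
        print(f"{sample:16} valid={is_valid_target(sample)}")
```

The parser returns a structured value rather than a bare boolean so the same call can feed both a validation step and, for example, a check that the health-check port matches a listener's instance_port.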
via Terraform:

The following HCL creates a new load balancer:

# Create a new load balancer
resource "aws_elb" "bar" {
  name               = "foobar-terraform-elb"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]

  access_logs {
    bucket        = "foo"
    bucket_prefix = "bar"
    interval      = 60
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  listener {
    instance_port      = 8000
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  instances                   = []
  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "foobar-terraform-elb"
  }
}
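Several of the arguments above carry security or availability weight (listener protocols and certificates, access_logs, desync_mitigation_mode, connection_draining, and the VPC-versus-EC2-classic placement rule). The following Python audit is an added example, not code from the page or from the Terraform AWS provider: it walks an ELB definition expressed as a dict keyed by the aws_elb argument names and reports findings, showing a weak configuration beside a hardened one. The WEAK_ELB and HARDENED_ELB dicts, the placeholder subnet, security group and certificate identifiers, and the particular set of checks are this example's own assumptions; a real deployment would feed it the parsed plan JSON instead.

```python
from typing import Any, Dict, List

# Constructed ELB definitions mirroring the aws_elb argument names from the
# reference above. Identifiers ending in "placeholder" are not real AWS IDs.
WEAK_ELB: Dict[str, Any] = {
    "name": "weak-elb",
    "availability_zones": ["us-west-2a", "us-west-2b"],
    "security_groups": ["sg-placeholder"],          # only valid inside a VPC
    "internal": False,
    "access_logs": {"bucket": "foo", "enabled": False},
    "listener": [
        {"instance_port": 8000, "instance_protocol": "http",
         "lb_port": 80, "lb_protocol": "http"},
        {"instance_port": 8000, "instance_protocol": "http",
         "lb_port": 443, "lb_protocol": "https"},     # HTTPS but no certificate
    ],
}

HARDENED_ELB: Dict[str, Any] = {
    "name": "hardened-elb",
    "subnets": ["subnet-placeholder-a", "subnet-placeholder-b"],
    "security_groups": ["sg-placeholder"],
    "internal": False,
    "access_logs": {"bucket": "foo", "bucket_prefix": "elb", "interval": 5, "enabled": True},
    "desync_mitigation_mode": "strictest",
    "connection_draining": True,
    "connection_draining_timeout": 300,
    "listener": [
        {"instance_port": 8000, "instance_protocol": "https",
         "lb_port": 443, "lb_protocol": "https",
         "ssl_certificate_id": "arn:aws:iam::123456789012:server-certificate/PLACEHOLDER"},
    ],
}


def audit_elb(elb: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one aws_elb definition (empty means clean)."""
    findings: List[str] = []

    # Exactly one of availability_zones / subnets decides VPC vs EC2-classic.
    has_azs = bool(elb.get("availability_zones"))
    has_subnets = bool(elb.get("subnets"))
    if has_azs == has_subnets:
        findings.append("placement: exactly one of availability_zones or subnets must be set")
    if elb.get("security_groups") and not has_subnets:
        findings.append("security_groups: only valid for a VPC ELB (requires subnets)")

    # Access logs are the primary forensic record for the load balancer.
    logs = elb.get("access_logs")
    if not logs or not logs.get("enabled", True):
        findings.append("access_logs: not enabled; no request record will exist for investigation")

    # Default is "defensive"; "strictest" gives the most protection against HTTP desync.
    mode = elb.get("desync_mitigation_mode", "defensive")
    if mode != "strictest":
        findings.append(f"desync_mitigation_mode: '{mode}' (consider 'strictest')")

    # Default is false; without draining, in-flight requests are cut on deregistration.
    if not elb.get("connection_draining", False):
        findings.append("connection_draining: disabled; in-flight requests are dropped on deregistration")

    internet_facing = not elb.get("internal", False)
    for lst in elb.get("listener", []):
        proto = str(lst.get("lb_protocol", "")).upper()
        backend = str(lst.get("instance_protocol", "")).upper()
        cert = lst.get("ssl_certificate_id")
        port = lst.get("lb_port")
        if proto in ("HTTPS", "SSL") and not cert:
            findings.append(f"listener {port}: {proto} listener without ssl_certificate_id")
        if proto not in ("HTTPS", "SSL") and cert:
            findings.append(f"listener {port}: ssl_certificate_id is only valid for HTTPS/SSL")
        if proto in ("HTTP", "TCP") and internet_facing:
            findings.append(f"listener {port}: unencrypted {proto} listener on an internet-facing ELB")
        if proto in ("HTTPS", "SSL") and backend in ("HTTP", "TCP"):
            findings.append(f"listener {port}: TLS ends at the ELB, traffic to the instance is plaintext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_ELB), ("hardened", HARDENED_ELB)):
        print(f"== {label} ==")
        for f in audit_elb(cfg) or ["no findings"]:
            print(" -", f)
```

The checks mirror the reference one-to-one (a listener carrying ssl_certificate_id with lb_protocol HTTP is flagged because the argument is only valid for HTTPS or SSL, and security_groups without subnets is flagged because it is only valid inside a VPC), so the audit output can be read against the argument list above without further lookup.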
via CLI:

--load-balancer-name <value>
--listeners <value>
[--availability-zones <value>]
[--subnets <value>]
[--security-groups <value>]
[--scheme <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
aws elb create-load-balancer --load-balancer-name my-load-balancer --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" --subnets subnet-15aaab61 --security-groups sg-a61988c3

AWS cost
The cost of using Elastic Load Balancer (ELB) depends on the number of Load Balancer Capacity Units (LCUs) and the amount of data processed through the load balancer. Basic data transfer costs for ELB started at $0.008 per GB and decreased as the amount of data processed increased, while the LCU cost started at $0.025 per hour.