Amazon Web Service (AWS)


Amazon Elastic Load Balancing (ELB) is a load balancing service for deployments that automatically distributes incoming application traffic across multiple targets and scales resources to meet traffic demands, in one or more Availability Zones (AZs).
  • name - (Optional) The name of the ELB. By default generated by Terraform.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • access_logs - (Optional) An Access Logs block. Access Logs documented below.
  • availability_zones - (Required for an EC2-classic ELB) The AZ's to serve traffic in.
  • security_groups - (Optional) A list of security group IDs to assign to the ELB. Only valid if creating an ELB within a VPC
  • subnets - (Required for a VPC ELB) A list of subnet IDs to attach to the ELB.
  • instances - (Optional) A list of instance ids to place in the ELB pool.
  • internal - (Optional) If true, ELB will be an internal ELB.
  • listener - (Required) A list of listener blocks. Listeners documented below.
  • health_check - (Optional) A health_check block. Health Check documented below.
  • cross_zone_load_balancing - (Optional) Enable cross-zone load balancing. Default: true
  • idle_timeout - (Optional) The time in seconds that the connection is allowed to be idle. Default: 60
  • connection_draining - (Optional) Boolean to enable connection draining. Default: false
  • connection_draining_timeout - (Optional) The time in seconds to allow for connections to drain. Default: 300
  • desync_mitigation_mode - (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Exactly one of availability_zones or subnets must be specified: this determines if the ELB exists in a VPC or in EC2-classic.

Access Logs (access_logs) support the following:

  • bucket - (Required) The S3 bucket name to store the logs in.
  • bucket_prefix - (Optional) The S3 bucket prefix. Logs are stored in the root if not configured.
  • interval - (Optional) The publishing interval in minutes. Valid values: 5 and 60. Default: 60
  • enabled - (Optional) Boolean to enable / disable access_logs. Default is true

Listeners (listener) support the following:

  • instance_port - (Required) The port on the instance to route to
  • instance_protocol - (Required) The protocol to use to the instance. Valid values are HTTP, HTTPS, TCP, or SSL
  • lb_port - (Required) The port to listen on for the load balancer
  • lb_protocol - (Required) The protocol to listen on. Valid values are HTTP, HTTPS, TCP, or SSL
  • ssl_certificate_id - (Optional) The ARN of an SSL certificate you have uploaded to AWS IAM. Note ECDSA-specific restrictions below. Only valid when lb_protocol is either HTTPS or SSL

Health Check (health_check) supports the following:

  • healthy_threshold - (Required) The number of checks before the instance is declared healthy.
  • unhealthy_threshold - (Required) The number of checks before the instance is declared unhealthy.
  • target - (Required) The target of the check. Valid pattern is "${PROTOCOL}:${PORT}${PATH}", where PROTOCOL values are:
  • HTTP, HTTPS - PORT and PATH are required
  • TCP, SSL - PORT is required, PATH is not supported
  • interval - (Required) The interval between checks.
  • timeout - (Required) The length of time before the check times out.

Associating resources with a
Resources do not "belong" to a
Rather, one or more Security Groups are associated to a resource.
via Terraform:
The following HCL creates a new load balancer

resource "aws_elb" "bar" {
 name               = "foobar-terraform-elb"
 availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]

 access_logs {
   bucket        = "foo"
   bucket_prefix = "bar"
   interval      = 60

 listener {
   instance_port     = 8000
   instance_protocol = "http"
   lb_port           = 80
   lb_protocol       = "http"

 listener {
   instance_port      = 8000
   instance_protocol  = "http"
   lb_port            = 443
   lb_protocol        = "https"
   ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"

 health_check {
   healthy_threshold   = 2
   unhealthy_threshold = 2
   timeout             = 3
   target              = "HTTP:8000/"
   interval            = 30

 instances                   = []
 cross_zone_load_balancing   = true
 idle_timeout                = 400
 connection_draining         = true
 connection_draining_timeout = 400

 tags = {
   Name = "foobar-terraform-elb"

via CLI:

--load-balancer-name <value>
--listeners <value>
[--availability-zones <value>]
[--subnets <value>]
[--security-groups <value>]
[--scheme <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws elb create-load-balancer --load-balancer-name my-load-balancer --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" --subnets subnet-15aaab61 --security-groups sg-a61988c3

Best Practices for

Categorized by Availability, Security & Compliance and Cost

ELB not in use
Ensure default security groups are not in use by ELB
Resource is Internet facing via ELB
Explore all the rules our platform covers
All Resources