The section contains all best practices mentioned in the guide.

Security

Data Protection

• [ALB, NLB] Use HTTPS / TLS listeners (more details)

• [ALB] Use HTTP to HTTPS redirection rule. (more details)

• [ALB, NLB] Use the most restrict security policy that is compatible with clients. (more details)

• [ALB, NLB] Use AWS Certificate Manager for TLS certificates. (more details)

• [ALB, NLB] For end-to-end encryption, use TLS/HTTPS on both the load balancer listener and target group. (more details)

Incident Response

• [ALB, NLB] Enable access logs. (more details)

• [ALB, NLB] Consolidate access logs in the Log Archive account. (more details)

• [ALB, NLB] Use a tool to analyze access logs. (more details)

• [ALB, NLB] Monitor events using AWS Health. (more details)

• [ALB, NLB] Include contacting AWS in your security incident playbooks. (more details)

Infrastructure Protection

• [ALB, NLB] For DDoS protection against sophisticated, frequent and large attacks enable AWS Shield Advanced. (more details)

• [ALB, NLB] For enhanced DDoS resilience, allow untracked flows in the security group. (more details)

• [ALB, NLB] For DDoS protection and mitigation, know the normal behaviour of your clients. (more details)

• [ALB, NLB] For DDoS mitigation, scale the targets to absorb the traffic. (more details)

• [ALB] For DDoS protection, use AWS WAF integrated with ALB for Application layer defense. (more details)

• [ALB] For DDoS protection, use AWS WAF rate-based rules. (more details)

• [ALB, NLB] For DDoS protection, leverage AWS Edge locations by integrating either CloudFront or Global Accelerator to your load balancer. (more details)

• [ALB] When using CloudFront, restrict users from directly accessing the Application Load Balancer. (more details)

• [ALB, NLB] When using CloudFront, lock down the load balancer security group to accept connections only from CloudFront. (more details)

• [ALB, NLB] Lock down the target security groups to receive traffic only from the load balancer. (more details)

Security Assurance

• [ALB, NLB] Use automated security and compliance checks. (more details)

Vulnerability Management

• [ALB] Use Strictest mode for desync mitigation. (more details)

Reliability

Failure Management

• [ALB, NLB] Configure deep health check, that include the application's dependencies. (more details)

• [ALB, NLB] Configure your Health Check to match your availability goals. (more details)

• [ALB] Use the "weighted random" algorithm with anomaly mitigation enabled on your target groups. (more details)

• [ALB, NLB] Implement fail-fast logic in the clients. (more details)

• [ALB, NLB] Implement retry with exponential back-off and jitter to avoid retry storm. (more details)

• [ALB, NLB] Make sure clients and local DNS servers respect DNS TTL (time to live) of 60 seconds, and do not cache DNS results longer than the TTL. (more details)

• [ALB, NLB] Configure clients to reconnect to other IP after a connection failure. (more details)

• [ALB, NLB] Use Amazon Route 53 Application Recovery Controller for zonal shift. (more details)

Workload Achitecture

• [ALB, NLB] Configure your load balancers to use at least two Availability Zones. (more details)

• [ALB, NLB] All target groups should have targets registered in all Availability Zones configured in the load balancer. (more details)

• [ALB, NLB] Turn off cross-zone load balancing to achieve Availability Zone Independence (AZI). (more details)

• [ALB, NLB] For high availability needs, consider adopting the static stability pattern. (more details)

• [ALB, NLB] For multi-region deployments, consider using AWS Global Accelerator with your load balancer. (more details)

• [ALB, NLB] Avoid using a single load balancer for multiple workloads. (more details)