Skip to main content

ELB load balancers should be internal

  • GG_ID: GG_IAC_0050
  • Severity: HIGH
  • Complexity: MEDIUM
  • Categories: NETWORK
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: True


Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

When you create a load balancer in Virtual Private Cloud (VPC), you must choose whether to make it an internal load balancer or an internet-facing load balancer. If you want clients to be able to connect to your load balancer who are not on the VPC, you need to set it as internet-facing. However, this could lead to accidental exposure of internal resources. You should ensure that the load balancer needs to be connected to the wider internet.


  • possible distributed denial of service (DDoS).
  • potential exposure of private endpoints.

Remediation guidelines#

  • AWS is retiring the EC2-Classic network on August 15th 2022. If the load balancer is in that network, migrate it to a VPC and configure it as internal.
  • If the internet-facing load balancer has a legitimate use-case, configure it to use a secure HTTPS listener.
  • If not, create a new internal load balancer and delete the previous one.

External documentation#