The default rules of the BestPracticesForLoadBalancer compliance package template help you check whether the following items are exposed to risks: public networks and whitelist settings of Classic Load Balancer (CLB) and Application Load Balancer (ALB) instances, cross-zone disaster recovery capabilities, instance renewal and expiration, and change management. This ensures that CLB and ALB instances can be used as expected, reduces network security risks, and improves system stability. This topic describes the default rules of the BestPracticesForLoadBalancer compliance package template.
Rule name | Description |
Checks whether an HTTPS listener is enabled on the specified ports of each Server Load Balancer (SLB) instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which only a TCP or UDP listener is enabled. | |
Checks whether the access log feature is enabled for each CLB instance. If so, the evaluation result is Compliant. This rule does not apply to CLB instances for which Layer 7 monitoring is disabled. | |
Checks whether each SLB instance uses the multi-zone architecture and the resources of multiple zones are added to the server group that is used by all listeners of the SLB instance. If so, the evaluation result is Compliant. | |
Checks whether the associated resources of the server groups of each ALB instance are distributed across multiple zones. If so, the evaluation result is Compliant. This rule applies only to ALB instances whose server groups have associated resources. | |
Checks whether at least one listener is running on each SLB instance. If so, the evaluation result is Compliant. If the duration between the creation date of an SLB instance and the current date is less than or equal to a specified number of days, this rule does not apply to the SLB instance. Default value: 7. Unit: days. | |
Checks whether at least one backend server is added to all listeners of each ALB instance. If so, the evaluation result is Compliant. If the duration between the creation date of an ALB instance and the current date is less than or equal to a specified number of days, this rule does not apply to the SLB instance. Default value: 7. Unit: days. | |
Checks whether the HTTPS listeners of each SLB instance use a specified security policy suite version. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no HTTPS listener is configured. | |
Checks whether the health check feature is enabled for all listeners and forwarding rules of each ALB instance. If so, the evaluation result is Compliant. | |
Checks whether the health check feature is enabled for all listeners of each SLB instance. If so, the evaluation result is Compliant. | |
Checks whether each ALB instance uses the multi-zone architecture. If so, the evaluation result is Compliant. If a failure occurs on an ALB instance when you deploy the instance in only one zone, business may be disrupted. | |
Checks whether an access control whitelist of a listener of each ALB instance includes specified IP addresses or CIDR blocks. If so, the evaluation result is Compliant. | |
Checks whether the access control feature is enabled for all listeners of each ALB instance. If so, the evaluation result is Compliant. This rule does not apply to ALB instances for which no listeners are configured. | |
Checks whether the access control feature is configured for the listeners of each SLB instance. If so, the evaluation result is Compliant. This rule does not apply to SLB instances for which no listeners are configured. | |
Checks whether the whitelist of a listener of each SLB instance allows access from a specified IP address or CIDR block. If so, the evaluation result is Compliant. | |
Checks whether the auto-renewal feature is enabled for each subscription SLB instance. If so, the evaluation result is Compliant. | |
If you use subscription instances, you must renew the instances before they expire. This prevents your instances from being stopped due to expired resources. Checks whether the duration between the expiration date and the check date of each subscription instance is greater than a specified number of days. If so, the evaluation result is Compliant. Default value: 30. Unit: days. Checks whether the auto-renewal feature is enabled for each instance. If so, the evaluation result is Compliant. This rule does not apply to pay-as-you-go instances. | |
Checks whether the access control list (ACL) of each SLB instance does not include 0.0.0.0/0. If so, the evaluation result is Compliant. | |
Checks whether the VPC where each SLB instance resides is within a specified set of VPCs if you configure the vpcIds parameter. If so, the evaluation result is Compliant. Checks whether the network type of each SLB instance is VPC if you do not configure the vpcIds parameter. If so, the evaluation result is Compliant. | |
Checks whether the release protection feature is enabled for each SLB instance. If so, the evaluation result is Compliant. | |
Checks whether each SLB instance in use is a high-performance instance, the evaluation result is Compliant. | |
Checks whether the weight of the backend server of each SLB instance is not set to 0. If so, the evaluation result is Compliant. | |
Checks whether a specified risky port is added to a listener of each SLB instance. If not, the evaluation result is Compliant. | |
You can enable the deletion protection feature to prevent ALB instances from being released by misoperations. Checks whether the deletion protection feature is enabled for each ALB instance. If so, the evaluation result is Compliant. | |
Checks whether the Network Type parameter of each ALB instance is Intranet. If so, the evaluation result is Compliant. | |
Checks whether a public IP address is associated with each SLB instance. If not, the evaluation result is Compliant. If you do not want an SLB instance to access public networks, we recommend that you do not bind a public IP address to an SLB instance. If you want an SLB instance to access public networks, we recommend that you purchase an elastic IP address (EIP) and bind the EIP to the required SLB instance. EIPs provide more flexibility. You can also use an EIP bandwidth plan to reduce costs. |