Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Create an HTTPS Load Balancer

You can create an HTTPS load balancer with SSL negotiation configurations and with back-end application instance authentication.

For information about adding an HTTPS listener to an existing load balancer, see Configure an HTTPS Listener for Your Load Balancer.

Prerequisites

Before you get started, be sure that you've met the following prerequisites:

  • Complete the steps in Setting Up Elastic Load Balancing.

  • Launch the EC2 instances that you plan to register with your load balancer in the Availability Zones you plan to use for your load balancer. These instances must be configured to receive requests from the Internet.

  • The EC2 instances must respond to the target of the health check with an HTTP status code 200. For more information, see Configure Health Checks.

  • If you plan to enable the keep-alive option on your EC2 instances, we recommend that you set the keep-alive settings to at least the idle timeout settings of your load balancer. If you want to ensure that the load balancer is responsible for closing the connections to your back-end instance, make sure that the value set on your instance for the keep-alive time is greater than the idle timeout setting on your load balancer. For more information, see Configure the Idle Connection Timeout for Your Load Balancer.

  • To enable HTTPS support for your listeners, you must create an SSL certificate and then install it on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. For more information, see SSL Certificates for Elastic Load Balancing.

Create an HTTPS/SSL Load Balancer Using the Console

To create an HTTPS/SSL load balancer, complete the following tasks.

Step 1: Define Your Load Balancer

First, provide some basic configuration information for your load balancer, such as the name, network, and listeners.

A listener is a process that listens for connection requests. It is configured with a protocol and a port number for front-end (client to load balancer) and back-end (load balancer to back-end instance) connections. For information about the ports, protocols and the listener configurations supported by Elastic Load Balancing, see Listeners for Your Load Balancer.

In this example, you configure two listeners for your load balancer. The first listener accepts HTTP requests on port 80 and sends them to the back-end instances on port 80 using HTTP. The second listener accepts HTTPS requests on port 443 and sends them to the back-end instances using HTTPS on port 443.

Because the second listener uses HTTPS for the front-end connection, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. Before you can install the SSL certificate on your load balancer, you must create the certificate, get the certificate signed by a Certificate Authority (CA), and then upload the certificate. For more information about creating and uploading SSL certificates, see SSL Certificates for Elastic Load Balancing.

To define your load balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under NETWORK & SECURITY, click Load Balancers.

  3. Click Create Load Balancer.

  4. In Load Balancer name, enter a name for your load balancer.

    The name of your load balancer must be unique within your set of load balancers, can have a maximum of 32 characters, and can contain only alphanumeric characters and hyphens.

  5. From Create LB inside, select the same network that you selected for your instances: EC2-Classic or a specific VPC.

  6. [Default VPC] If you selected a default VPC and would like to choose the subnets for your load balancer, select Enable advanced VPC configuration.

  7. Under Listener Configuration, leave the default listener, and click Add to add another listener. From the Load Balancer Protocol column for the new listener, select HTTPS (Secure HTTP). This updates the Load Balancer Port, Instance Protocol, and Instance Port columns. From the Instance Protocol column, select HTTPS (Secure HTTP). This also updates the Instance Port column.

  8. [EC2-VPC] Under Select Subnets, select at least one available subnet. The available subnets for the VPC for your load balancer are displayed under Available Subnets. Click the icon in the Action column for each subnet to attach. These subnets are moved under Selected Subnets.

    Note

    If you selected EC2-Classic as your network, or you have a default VPC but did not select Enable advanced VPC configuration, you do not see Select Subnets.

    You can select at most one subnet per Availability Zone. If you select a second subnet in an Availability Zone, it replaces the previously selected subnet for that Availability Zone. To improve the availability of your load balancer, select subnets from more than one Availability Zone.

  9. Click Next: Assign Security Groups.

Step 2: Assign Security Groups to Your Load Balancer in a VPC

If you selected a VPC as your network, you must assign your load balancer a security group that allows inbound traffic to the ports that you specified for your load balancer and the health checks for your load balancer.

Note

If you selected EC2-Classic as your network, you can continue to the next step. By default, Elastic Load Balancing provides a security group for load balancers in EC2-Classic.

To assign a security group to your load balancer

  1. On the Assign Security Groups page, select Create a new security group.

  2. Enter a name and description for your security group, or leave the default name and description. This new security group contains a rule that allows traffic to the port that you configured your load balancer to use.

  3. Click Next: Configure Security Settings.

Step 3: Configure Security Settings

When you use HTTPS or SSL for your front-end listener, you must install an SSL certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances.

You must also specify a security policy. Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations. You can select one of the predefined security policies, or you can create your own custom security policy. For more information, see SSL Negotiation Configurations for Elastic Load Balancing.

If you have HTTPS/SSL on the back-end connection, you can enable authentication on your back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication and to ensure that the back-end instance has the correct certificates.

To configure security settings

  1. Under Select Certificate, do one of the following:

    • If you have uploaded your SSL certificate, select Choose from an existing SSL Certificate. Select your certificate from Certificate Name.

    • If you have a signed certificate ready to upload, select Upload a new SSL Certificate. Enter the name of the certificate. In Private Key, copy and paste the contents of the private key file (PEM-encoded). In Public Key Certificate, copy and paste the contents of the public key certificate file (PEM-encoded). In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded), unless you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

  2. Under Select a Cipher, do one of the following:

    • (Recommended) Verify that Predefined Security Policy is selected and set to ELBSecurityPolicy-2015-05.

    • Click Predefined Security Policy, and then select a policy.

    • Click Custom Security Policy and enable at least one protocol and one cipher. Under SSL Protocols, select one or more protocols to enable or disable. Under SSL Options, leave Server Order Preference selected, unless you do not want to use server order preference for SSL negotiation. Under SSL Ciphers, select one or more ciphers to enable or disable.

      Tip

      The DSA and RSA ciphers are specific to the signing algorithm. If you already have your SSL certificate, you must enable the cipher that was used to create your certificate.

  3. (Optional) Under Backend Certificate, do the following:

    1. Select Enable backend authentication.

    2. In Certificate Name, enter the name of the public key certificate.

    3. In Certificate Body (pem encoded), copy and paste the contents of the certificate.

    4. To add another certificate, click Add another backend certificate.

  4. Click Next: Configure Health Check.

Step 4: Configure Health Checks

Elastic Load Balancing automatically checks the health of the registered EC2 instances for your load balancer. If Elastic Load Balancing finds an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to the healthy instances. For more information about configuring health checks, see Configure Health Checks.

To configure health checks for your instances

  1. On the Configure Health Check page, select a ping protocol and ping port. Your EC2 instances must accept the specified traffic on the specified ping port.

  2. In the Ping Path field, replace the default value with a single forward slash ("/"). This tells Elastic Load Balancing to send health check queries to the default home page for your web server, such as index.html or default.html.

  3. Leave the other fields at their default values.

  4. Click Next: Add EC2 Instances.

Step 5: Register EC2 Instances with Your Load Balancer

Your load balancer distributes traffic between the instances that are registered to it. You can select EC2 instances in a single Availability Zone or multiple Availability Zones within the same region. For more information, see Back-end Instances for Your Load Balancer.

Note

When you register an instance with an elastic network interface (ENI) attached, the load balancer routes traffic to the primary IP address of the primary interface (eth0) of the instance.

To register EC2 instances with your load balancer

  1. On the Add EC2 Instances page, select the instances to register with your load balancer.

  2. Click Next: Add Tags.

Step 6: Tag Your Load Balancer (Optional)

You can tag your load balancer, or continue to the next step.

To add tags to your load balancer

  1. On the Add Tags page, specify a key and a value for the tag.

  2. To add another tag, click Create Tag and specify a key and a value for the tag.

  3. After you are finished adding tags, click Review and Create.

Step 7: Create and Verify Your Load Balancer

Before you create the load balancer, review the settings that you selected. After creating the load balancer, you can verify that it's sending traffic to your EC2 instances.

To finish creating your load balancer

  1. On the Review page, check your settings. If you need to make changes, click the corresponding link to edit the settings.

  2. Click Create to create your load balancer.

  3. After you are notified that your load balancer was created, click Close.

  4. Select your new load balancer.

  5. In the bottom pane, on the Description tab, check the Status row. If it indicates that some of your instances are not in service, it's probably because they are still in the registration process. For more information, see Troubleshooting Elastic Load Balancing: Registering Instances.

  6. After you've verified that at least one of your EC2 instances is InService, you can test your load balancer. Copy the string from the DNS Name field and paste it into the address field of an Internet-connected web browser. (For example, my-load-balancer-1234567890.us-west-2.elb.amazonaws.com.) If your load balancer is working, you see the default page of your HTTP server.

Step 8: Delete Your Load Balancer (Optional)

As soon as your load balancer becomes available, you are billed for each hour or partial hour that you keep it running. When you no longer need the load balancer, you can delete it. As soon as the load balancer is deleted, you stop incurring charges for it.

To delete your load balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under NETWORK & SECURITY, click Load Balancers.

  3. Select the load balancer.

  4. Click Actions, and then click Delete.

  5. When prompted for confirmation, click Yes, Delete.

  6. (Optional) After you delete a load balancer, the EC2 instances associated with the load balancer continue to run, and you are billed for each hour or partial hour that you keep them running. For information about stopping or terminating your instances, see Stop and Start Your Instance or Terminate Your Instance in the Amazon EC2 User Guide for Linux Instances.

Create an HTTPS/SSL Load Balancer Using the AWS CLI

Use the following instructions to create an HTTPS/SSL load balancer using the AWS CLI.

Step 1: Configure Listeners

A listener is a process that listens for connection requests. It is configured with a protocol and a port number for front-end (client to load balancer) and back-end (load balancer to back-end instance) connections. For information about the ports, protocols and the listener configurations supported by Elastic Load Balancing, see Listeners for Your Load Balancer.

In this example, you configure two listeners for your load balancer by specifying the ports and protocols to use for front-end connection (client to load balancer) and back-end connection (load balancer to back-end instance). The first listener accepts HTTP requests on port 80 and sends the request to the back-end application instances on port 80 using HTTP. The second listener accepts HTTPS requests on port 443 and sends the request to back-end application instances using HTTPS on port 443.

Because the second listener uses HTTPS for the front-end connection, you must install an SSL server certificate on your load balancer. The load balancer uses the certificate to terminate and then decrypt requests before sending them to the back-end instances. Before you can install the SSL certificate on your load balancer, you must create the certificate, get the certificate signed by a Certificate Authority (CA), and then upload the certificate using the AWS Identity and Access Management (AWS IAM) service. For information about creating and uploading SSL certificates, see SSL Certificates for Elastic Load Balancing.

To configure listeners for your load balancer

  1. If you have an SSL certificate and have uploaded it using IAM, use the get-server-certificate command to get the ARN of the certificate.

    If you have not created and uploaded an SSL server certificate, complete the instructions described in SSL Certificates for Elastic Load Balancing. Note the ARN of the certificate.

  2. Use the following create-load-balancer command to configure the listeners:

    aws elb create-load-balancer --load-balancer-name my-loadbalancer --listeners "Protocol=http,LoadBalancerPort=80,InstanceProtocol=http,InstancePort=80" "Protocol=https,LoadBalancerPort=443,InstanceProtocol=https,InstancePort=443,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/my-server-certificate" --availability-zones us-west-2a

    The following is an example response:

    {
      "DNSName": "my-loadbalancer-012345678.us-west-2.elb.amazonaws.com"
    }
  3. Save the DNS name in a safe place. You'll need it to connect to the load balancer.

Step 2: Configure the SSL Security Policy

You can select either one of the predefined security policies, or you can create your own custom security policy. By default, Elastic Load Balancing configures your load balancer with the latest predefined security policy, ELBSecurityPolicy-2015-05. We recommend that you use the default security policy. For more information about security policies, see SSL Negotiation Configurations for Elastic Load Balancing.

To verify that your load balancer is associated with the default security policy

Use the following describe-load-balancers command:

aws elb describe-load-balancers --load-balancer-name my-loadbalancer

The following is an example response. Note that ELBSecurityPolicy-2015-05 is associated with the load balancer on port 443.

{
    "LoadBalancerDescriptions": [
        {
            ...
            "ListenerDescriptions": [
                {
                    "Listener": {
                        "InstancePort": 443, 
                        "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", 
                        "LoadBalancerPort": 443, 
                        "Protocol": "HTTPS", 
                        "InstanceProtocol": "HTTPS"
                    }, 
                    "PolicyNames": [
                        "ELBSecurityPolicy-2015-05"
                    ]
                }, 
                {
                    "Listener": {
                        "InstancePort": 80, 
                        "LoadBalancerPort": 80, 
                        "Protocol": "HTTP", 
                        "InstanceProtocol": "HTTP"
                    }, 
                    "PolicyNames": []
                }
            ],
            ...
        }
    ]
}
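The manual check above can be scripted. The following is an added example, not part of the original guide: it walks a describe-load-balancers response and reports listeners that are unencrypted, lack a certificate or policy, or forward TLS traffic to a back-end port with no policy set. The function name, finding codes and sample document are assumptions made for illustration; BackendServerDescriptions is a field of the same response that the excerpt above elides.

```python
import json

# Constructed sample: the page's example response without the elided fields,
# plus the BackendServerDescriptions list that the same response carries.
SAMPLE_RESPONSE = json.loads("""
{"LoadBalancerDescriptions": [{
  "LoadBalancerName": "my-loadbalancer",
  "ListenerDescriptions": [
    {"Listener": {"InstancePort": 443, "LoadBalancerPort": 443,
                  "Protocol": "HTTPS", "InstanceProtocol": "HTTPS",
                  "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate"},
     "PolicyNames": ["ELBSecurityPolicy-2015-05"]},
    {"Listener": {"InstancePort": 80, "LoadBalancerPort": 80,
                  "Protocol": "HTTP", "InstanceProtocol": "HTTP"},
     "PolicyNames": []}
  ],
  "BackendServerDescriptions": []
}]}
""")

TLS_PROTOCOLS = {"HTTPS", "SSL"}

# Hypothetical finding codes used only by this example.
FINDINGS = {
    "PLAINTEXT_FRONTEND": "clients reach this listener without TLS",
    "NO_CERTIFICATE": "TLS listener has no SSLCertificateId",
    "NO_LISTENER_POLICY": "TLS listener has no policy attached",
    "PLAINTEXT_BACKEND": "TLS ends at the load balancer; instance traffic is unencrypted",
    "NO_BACKEND_AUTH": "back-end is TLS but no policy is set on the instance port",
}


def audit_listeners(response):
    """Return a list of (load balancer name, load balancer port, finding code)."""
    findings = []
    for lb in response.get("LoadBalancerDescriptions", []):
        name = lb.get("LoadBalancerName", "<unnamed>")
        # Policies set with set-load-balancer-policies-for-backend-server,
        # keyed by instance port. Any policy counts here; confirm its type
        # with describe-load-balancer-policies.
        backend_policies = {
            entry["InstancePort"]: entry.get("PolicyNames", [])
            for entry in lb.get("BackendServerDescriptions", [])
        }
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            port = listener["LoadBalancerPort"]
            front = listener["Protocol"].upper()
            back = listener.get("InstanceProtocol", front).upper()

            if front not in TLS_PROTOCOLS:
                findings.append((name, port, "PLAINTEXT_FRONTEND"))
                continue
            if not listener.get("SSLCertificateId"):
                findings.append((name, port, "NO_CERTIFICATE"))
            # A listener can also carry non-SSL policies, so a non-empty list
            # is necessary but not sufficient; this check only catches "none".
            if not desc.get("PolicyNames"):
                findings.append((name, port, "NO_LISTENER_POLICY"))
            if back not in TLS_PROTOCOLS:
                findings.append((name, port, "PLAINTEXT_BACKEND"))
            elif not backend_policies.get(listener["InstancePort"]):
                findings.append((name, port, "NO_BACKEND_AUTH"))
    return findings


if __name__ == "__main__":
    for lb_name, lb_port, code in audit_listeners(SAMPLE_RESPONSE):
        print("%s:%d %s (%s)" % (lb_name, lb_port, code, FINDINGS[code]))
```

To run it against a real load balancer, save the output of the describe-load-balancers command to a file and pass the parsed JSON to audit_listeners.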

If you prefer, you can configure the SSL security policy for your load balancer instead of using the default.

To use a predefined SSL security policy

  1. Use the following describe-load-balancer-policies command to list the names of the predefined security policies:

    aws elb describe-load-balancer-policies

    For information about the configuration for the predefined security policies, see Predefined SSL Security Policies.

  2. Use the following create-load-balancer-policy command to create an SSL negotiation policy using one of the predefined security policies that you described in the previous step:

    aws elb create-load-balancer-policy --load-balancer-name my-loadbalancer \
    --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType \
    --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=predefined-policy
  3. (Optional) Use the following describe-load-balancer-policies command to verify that the policy is created:

    aws elb describe-load-balancer-policies --load-balancer-name my-loadbalancer --policy-name my-SSLNegotiation-policy

    The response includes the description of the policy.

  4. Use the following set-load-balancer-policies-of-listener command to enable the policy on load balancer port 443:

    aws elb set-load-balancer-policies-of-listener --load-balancer-name my-loadbalancer --load-balancer-port 443 --policy-names my-SSLNegotiation-policy
  5. (Optional) Use the following describe-load-balancers command to verify that the policy is enabled:

    aws elb describe-load-balancers --load-balancer-name my-loadbalancer

    The following is an example response showing that the policy is enabled on port 443.

    {
        "LoadBalancerDescriptions": [
            {
                ....
                "ListenerDescriptions": [
                    {
                        "Listener": {
                            "InstancePort": 443, 
                            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", 
                            "LoadBalancerPort": 443, 
                            "Protocol": "HTTPS", 
                            "InstanceProtocol": "HTTPS"
                        }, 
                        "PolicyNames": [
                            "my-SSLNegotiation-policy"
                        ]
                    }, 
                    {
                        "Listener": {
                            "InstancePort": 80, 
                            "LoadBalancerPort": 80, 
                            "Protocol": "HTTP", 
                            "InstanceProtocol": "HTTP"
                        }, 
                        "PolicyNames": []
                    }
                ],
                ...
            }
        ]
    }

When you create a custom security policy, you must enable at least one protocol and one cipher. The DSA and RSA ciphers are specific to the signing algorithm and are used to create the SSL certificate. If you already have your SSL certificate, make sure to enable the cipher that was used to create your certificate. The name of your custom policy must not begin with ELBSecurityPolicy- or ELBSample-, as these prefixes are reserved for the names of the predefined security policies.

To use a custom SSL security policy

  1. Use the create-load-balancer-policy command to create an SSL negotiation policy using a custom security policy. For example:

    aws elb create-load-balancer-policy --load-balancer-name my-loadbalancer \
     --policy-name my-SSLNegotiation-policy --policy-type-name SSLNegotiationPolicyType \
     --policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true \
     AttributeName=Protocol-TLSv1.1,AttributeValue=true \
     AttributeName=DHE-RSA-AES256-SHA256,AttributeValue=true \
     AttributeName=Server-Defined-Cipher-Order,AttributeValue=true
  2. (Optional) Use the following describe-load-balancer-policies command to verify that the policy is created:

    aws elb describe-load-balancer-policies --load-balancer-name my-loadbalancer --policy-name my-SSLNegotiation-policy

    The response includes the description of the policy.

  3. Use the following set-load-balancer-policies-of-listener command to enable the policy on load balancer port 443:

    aws elb set-load-balancer-policies-of-listener --load-balancer-name my-loadbalancer --load-balancer-port 443 --policy-names my-SSLNegotiation-policy
  4. (Optional) Use the following describe-load-balancers command to verify that the policy is enabled:

    aws elb describe-load-balancers --load-balancer-name my-loadbalancer

    The following is an example response showing that the policy is enabled on port 443.

    {
        "LoadBalancerDescriptions": [
            {
                ....
                "ListenerDescriptions": [
                    {
                        "Listener": {
                            "InstancePort": 443, 
                            "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", 
                            "LoadBalancerPort": 443, 
                            "Protocol": "HTTPS", 
                            "InstanceProtocol": "HTTPS"
                        }, 
                        "PolicyNames": [
                            "my-SSLNegotiation-policy"
                        ]
                    }, 
                    {
                        "Listener": {
                            "InstancePort": 80, 
                            "LoadBalancerPort": 80, 
                            "Protocol": "HTTP", 
                            "InstanceProtocol": "HTTP"
                        }, 
                        "PolicyNames": []
                    }
                ],
                ...
            }
        ]
    }

Step 3: Configure Back-end Server Authentication (Optional)

If you have HTTPS/SSL on the back-end connection, you can choose to enable authentication on your back-end instance. This authentication can be used to ensure that back-end instances accept only encrypted communication and to ensure that the back-end instance has the correct certificates.

You enable the back-end server authentication by creating a public key policy that uses a public key for authentication. You use this public key policy to create a back-end server authentication policy. Finally, you enable the back-end server authentication by setting the back-end server authentication policy with the back-end server port. In this example, the back-end server is listening with SSL/HTTPS protocol set to instance port 443.

The value of the public key policy is the public key of the certificate that the back-end servers present to the load balancer. You can retrieve the public key using OpenSSL.

To configure back-end server authentication

  1. Use the following command to retrieve the public key, where your-x509-certificate.pem is a placeholder for the path to your PEM-encoded certificate:

    openssl x509 -in your-x509-certificate.pem -pubkey -noout
  2. Use the following create-load-balancer-policy command to create a public key policy:

    aws elb create-load-balancer-policy --load-balancer-name my-loadbalancer --policy-name my-PublicKey-policy --policy-type-name PublicKeyPolicyType --policy-attributes AttributeName=PublicKey,AttributeValue=MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
    b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
    BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
    MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
    VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
    b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
    YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
    21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
    rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
    Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
    nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
    FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
    NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=

    Note

    To specify a public key value for the policy-attributes argument, remove the first and last lines of the public key (the line containing "-----BEGIN PUBLIC KEY-----" and the line containing "-----END PUBLIC KEY-----"). The AWS CLI does not accept white space characters inside the value for the policy-attributes argument.

  3. Use the following create-load-balancer-policy command to create a back-end server authentication policy by referring to my-PublicKey-policy. You can refer to multiple public key policies. When multiple public key policies are used, the load balancer tries all the keys, one at a time, for authentication. If one of the public keys matches the server certificate, authentication passes.

    aws elb create-load-balancer-policy --load-balancer-name my-loadbalancer --policy-name my-authentication-policy --policy-type-name BackendServerAuthenticationPolicyType --policy-attributes AttributeName=PublicKeyPolicyName,AttributeValue=my-PublicKey-policy
  4. Use the following set-load-balancer-policies-for-backend-server command to set my-authentication-policy to the instance (back-end server) port.

    aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-loadbalancer --instance-port 443 --policy-names my-authentication-policy
  5. (Optional) Use the following describe-load-balancer-policies command to list all the policies for your load balancer:

    aws elb describe-load-balancer-policies --load-balancer-name my-loadbalancer
  6. (Optional) Use the following describe-load-balancer-policies command to view details of the policy:

    aws elb describe-load-balancer-policies --load-balancer-name my-loadbalancer --policy-names my-authentication-policy
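The note in step 2 describes a manual edit of the OpenSSL output: drop the BEGIN and END lines and remove all white space. The following added example, which is not part of the original guide, performs that conversion and rejects input that is not a single public key block. The function names and the sample key are assumptions; the sample bytes are constructed and are not a real key.

```python
import base64
import binascii
import re

# Constructed sample: arbitrary bytes that begin with a DER SEQUENCE tag (0x30)
# and a one-byte length, PEM-armoured with CRLF line endings the way a key
# copied from another system might arrive. This is not a real public key.
SAMPLE_DER = bytes([0x30, 0x5C]) + bytes(range(92))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\r\n"
    + "\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\r\n-----END PUBLIC KEY-----\r\n"
)

# One PEM block: matching BEGIN/END labels with the body in between.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)


def public_key_attribute_value(pem_text):
    """Return the single-line base64 value for the PublicKey policy attribute.

    pem_text is the output of `openssl x509 -in ... -pubkey -noout`.
    Raises ValueError if the text is not exactly one PUBLIC KEY block.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM block, found %d" % len(blocks))
    label, body = blocks[0]
    # Refuse certificates and, more importantly, private keys pasted by mistake.
    if label != "PUBLIC KEY":
        raise ValueError("expected a PUBLIC KEY block, got %r" % label)

    # Remove every white space character (spaces, tabs, CR, LF).
    value = "".join(body.split())
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64: %s" % exc)
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return value


def policy_attributes_argument(pem_text):
    """Build the --policy-attributes value used in step 2 of the procedure."""
    return "AttributeName=PublicKey,AttributeValue=" + public_key_attribute_value(pem_text)


if __name__ == "__main__":
    print(policy_attributes_argument(SAMPLE_PEM))
```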

Step 4: Configure Health Checks (Optional)

Elastic Load Balancing regularly checks the health of each registered EC2 instance based on the health check configuration that you specify. If Elastic Load Balancing finds an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to the healthy instances. For more information, see Configure Health Checks.

When you create your load balancer, Elastic Load Balancing uses default settings for the health checks. If you prefer, you can change the health check configuration for your load balancer instead of using the default settings.

To configure the health checks for your back-end instances

Use the following configure-health-check command:

aws elb configure-health-check --load-balancer-name my-loadbalancer --health-check Target=HTTP:80/png,Interval=30,UnhealthyThreshold=2,HealthyThreshold=2,Timeout=3

The following is an example response:

{
    "HealthCheck": {
        "HealthyThreshold": 2,
        "Interval": 30,
        "Target": "HTTP:80/png",
        "Timeout": 3,
        "UnhealthyThreshold": 2
    }
}

Step 5: Register EC2 Instances

After you create your load balancer, you must register your EC2 instances with the load balancer. Your EC2 instances can be within a single Availability Zone or span multiple Availability Zones within a single region. For more information, see Back-end Instances for Your Load Balancer.

Use the register-instances-with-load-balancer command as follows:

aws elb register-instances-with-load-balancer --load-balancer-name my-loadbalancer --instances i-4f8cf126 i-0bb7ca62

The following is an example response:

{
    "Instances": [
        {
            "InstanceId": "i-4f8cf126"
        },
        {
            "InstanceId": "i-0bb7ca62"
        }
    ]
}

Step 6: Verify the Instances

Your load balancer is usable as soon as any one of your registered instances is in the InService state.

To check the state of your newly registered EC2 instances, use the following describe-instance-health command:

aws elb describe-instance-health --load-balancer-name my-loadbalancer --instances i-4f8cf126 i-0bb7ca62

The following is an example response:

{
    "InstanceStates": [
        {
            "InstanceId": "i-4f8cf126", 
            "ReasonCode": "N/A", 
            "State": "InService", 
            "Description": "N/A"
        }, 
        {
            "InstanceId": "i-0bb7ca62", 
            "ReasonCode": "Instance", 
            "State": "OutOfService", 
            "Description": "Instance registration is still in progress"
        }
    ]
}

If the State field for an instance is OutOfService, it's probably because your instances are still registering. For more information, see Troubleshooting Elastic Load Balancing: Registering Instances.

After the state of at least one of your instances is InService, you can test your load balancer. To test your load balancer, copy the DNS Name of the load balancer and paste it into the address field of an Internet-connected web browser. If your load balancer is working, you see the default page of your HTTP server.

Step 7: Delete Your Load Balancer (Optional)

Deleting the load balancer automatically de-registers its associated EC2 instances. As soon as the load balancer is deleted, you stop incurring charges for that load balancer. However, the EC2 instances continue to run and you continue to incur charges.

To delete your load balancer, use the following delete-load-balancer command:

aws elb delete-load-balancer --load-balancer-name my-loadbalancer

To stop your EC2 instances, use the stop-instances command. To terminate your EC2 instances, use the terminate-instances command.