AWS GovCloud (US)
User Guide

Elastic Load Balancing

Classic Load Balancer (CLB) and Application Load Balancer (ALB) are supported in AWS GovCloud (US). Network Load Balancers are not yet supported in this region.

The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS regions:

  • Elastic Load Balancing (CLB/ALB) must run in an Amazon VPC.

  • Because Elastic Load Balancing must run in an Amazon VPC, it does not provide the IPv6 capability that standard AWS regions offer when running outside of a VPC. Application Load Balancer supports IPv6 in VPCs in all regions, including AWS GovCloud (US).

  • ITAR data must be encrypted in transit outside of the ITAR boundary. Because Elastic Load Balancing uses global DNS servers, ITAR traffic across Elastic Load Balancing must be encrypted.

    • You can use SSL certificates on your load balancers (CLB/ALB). For more information, see Replace the SSL Certificate for Your Load Balancer. The Elastic Load Balancing SSL termination is not FIPS 140-2 compliant.

    • You can also use Classic Load Balancer to pass TCP traffic and terminate SSL on your web server.

  • Elastic Load Balancing uses the following account ID. For information about when it is used, see Attach a Policy to Your Amazon S3 Bucket.

    Region          Elastic Load Balancing Account ID
    us-gov-west-1   048591011584

For more information about Elastic Load Balancing, see the Elastic Load Balancing documentation.

ITAR Boundary

The ITAR boundary defines where customers are allowed to store ITAR-regulated data for this service in the AWS GovCloud (US) Region. You must comply with the boundaries in order to maintain ITAR compliance. If you do not have any ITAR-regulated data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data transmitted through Elastic Load Balancing must be encrypted if it contains ITAR-regulated data. Encryption must be used both between clients and the load balancer and between the load balancer and registered instances. It is strongly recommended that Backend Authentication is enabled to enforce public key authentication of the registered instance.

ITAR-Regulated Data Not Permitted

  • All customer parameters provided as input to Elastic Load Balancing (via console, APIs, or other mechanism) are not permitted to contain ITAR-regulated data. Examples include the names of load balancers and the names of load balancer policies.

  • Do not enter ITAR-regulated data in the following fields:

    • Resource tags

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see AWS GovCloud (US) Endpoints.
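
An added example (not from the AWS documentation): a Python check that classifies Classic Load Balancer listeners against the encryption requirement above, covering both the client-to-load-balancer leg and the load-balancer-to-instance leg. The sample input is constructed in the shape of `aws elb describe-load-balancers` output, and the load balancer name and ports are hypothetical.

```python
# Added example: audit Classic Load Balancer listeners for encryption in transit.
# SAMPLE is constructed data shaped like `aws elb describe-load-balancers`
# output; the load balancer name and ports are hypothetical.
SAMPLE = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-clb",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}},
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 8443,
                       "InstanceProtocol": "HTTPS", "InstancePort": 8443}},
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 9443,
                       "InstanceProtocol": "TCP", "InstancePort": 9443}}],
     "BackendServerDescriptions": []}]}

ENCRYPTED = {"HTTPS", "SSL"}  # the load balancer itself encrypts this leg
PASSTHROUGH = {"TCP"}         # bytes are forwarded; TLS, if any, is on the instance

def audit(described):
    """Return a list of (load balancer, port, severity, message) findings."""
    findings = []
    for lb in described["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        # Instance ports that have any back-end server policy attached.
        with_policy = {b["InstancePort"]
                       for b in lb.get("BackendServerDescriptions", [])
                       if b.get("PolicyNames")}
        for desc in lb["ListenerDescriptions"]:
            lst = desc["Listener"]
            port = lst["LoadBalancerPort"]
            front = lst["Protocol"].upper()
            back = lst.get("InstanceProtocol", front).upper()
            for leg, proto in (("client to load balancer", front),
                               ("load balancer to instance", back)):
                if proto in ENCRYPTED:
                    continue
                if proto in PASSTHROUGH:
                    findings.append((name, port, "VERIFY",
                                     f"{leg} is TCP pass-through; confirm TLS terminates on the instance"))
                else:
                    findings.append((name, port, "FAIL", f"{leg} uses unencrypted {proto}"))
            # A policy on the port is not proof of Backend Authentication (other
            # policy types attach here too), but no policy means it is off.
            if back in ENCRYPTED and lst["InstancePort"] not in with_policy:
                findings.append((name, port, "RECOMMEND",
                                 "no back-end server policy; Backend Authentication is not enabled"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

A `VERIFY` result corresponds to the Classic Load Balancer TCP pass-through option described earlier on this page, where SSL terminates on the web server and cannot be confirmed from the listener configuration alone.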
