Elastic Load Balancing - AWS GovCloud (US)

Elastic Load Balancing

Elastic Load Balancing automatically distributes your incoming application traffic across multiple targets, such as EC2 instances. It monitors the health of registered targets and routes traffic only to the healthy targets. Elastic Load Balancing supports three types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers.

All three types of load balancers are supported in AWS GovCloud (US) Regions.

How Elastic Load Balancing Differs for AWS GovCloud (US)

  • Your load balancer must run in a virtual private cloud (VPC).

  • Because Elastic Load Balancing must run in a VPC, Classic Load Balancer does not provide the IPv6 capability that it offers in standard AWS Regions when running outside of a VPC. Application Load Balancer supports IPv6 in VPCs in all Regions, including AWS GovCloud (US) Regions.

  • ITAR data must be encrypted in transit outside of the ITAR boundary. Because Elastic Load Balancing uses global DNS servers, ITAR traffic across Elastic Load Balancing must be encrypted.

    • You can use TLS/SSL certificates on your Classic, Application and Network load balancers. For more information, see Replace the SSL Certificate for Your Load Balancer. The Elastic Load Balancing SSL termination is not FIPS 140-2 compliant.

    • You can also use Network Load Balancer to pass TCP traffic and terminate SSL on your web server.

Documentation for Elastic Load Balancing

Elastic Load Balancing documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data transmitted through Elastic Load Balancing must be encrypted if it contains ITAR-regulated data. Encryption must be used both between clients and the load balancer and between the load balancer and registered instances. It is strongly recommended that Backend Authentication is enabled to enforce public key authentication of the registered instance.

ITAR-Regulated Data Not Permitted

  • All customer parameters provided as input to Elastic Load Balancing (via console, APIs, or other mechanism) are not permitted to contain ITAR-regulated data. Examples include the names of load balancers and the names of load balancer policies.

  • Do not enter ITAR-regulated data in the following fields:

    • Resource tags

If you are processing ITAR-regulated data with this service, use the SSL (HTTPS) endpoint to maintain ITAR compliance. For a list of endpoints, see Service Endpoints.
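
The both-leg encryption and Backend Authentication requirements above can be checked against a Classic Load Balancer's listener configuration. The following is an added example, not AWS code: it audits a response shaped like the output of `aws elb describe-load-balancers`, and the load balancer and policy names in `SAMPLE` are constructed. It assumes that an instance port with no backend policy attached cannot have Backend Authentication in effect; a policy being present does not by itself prove that it is an authentication policy.

```python
# Added example; SAMPLE is constructed, shaped like `aws elb describe-load-balancers` output.
ENCRYPTED = {"HTTPS", "SSL"}  # the load balancer itself performs TLS on this leg

SAMPLE = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "example-lb-a",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                       "InstanceProtocol": "HTTPS", "InstancePort": 8443}},
         {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 8443,
                       "InstanceProtocol": "HTTP", "InstancePort": 80}},
         {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 9443,
                       "InstanceProtocol": "TCP", "InstancePort": 9443}}],
     "BackendServerDescriptions": [
         {"InstancePort": 8443, "PolicyNames": ["example-backend-auth"]}]},
    {"LoadBalancerName": "example-lb-b",
     "ListenerDescriptions": [
         {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                       "InstanceProtocol": "SSL", "InstancePort": 443}}],
     "BackendServerDescriptions": []},
]}

def leg_status(proto, other):
    if proto in ENCRYPTED:
        return "encrypted"
    if proto == "TCP" and other == "TCP":
        return "passthrough"  # bytes forwarded untouched; TLS must end on the instance
    return "plaintext"        # HTTP, or TCP paired with SSL: no TLS on this leg

def audit(response):
    """Return (load balancer, port, finding) tuples for listeners needing attention."""
    findings = []
    for lb in response["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        with_policy = {b["InstancePort"] for b in lb.get("BackendServerDescriptions", [])
                       if b.get("PolicyNames")}
        for desc in lb["ListenerDescriptions"]:
            lst = desc["Listener"]
            front = lst["Protocol"].upper()
            back = lst.get("InstanceProtocol", front).upper()
            port = lst["LoadBalancerPort"]
            if leg_status(front, back) == "plaintext":
                findings.append((name, port, "client leg not encrypted"))
            if leg_status(back, front) == "plaintext":
                findings.append((name, port, "instance leg not encrypted"))
            if front == back == "TCP":
                findings.append((name, port, "TCP pass-through: confirm TLS on instance"))
            if back in ENCRYPTED and lst["InstancePort"] not in with_policy:
                findings.append((name, port, "no backend policy: backend authentication off"))
    return findings
```

The TCP pass-through finding is informational: it corresponds to terminating SSL on the web server itself, which the load balancer configuration alone cannot confirm.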