Connection Draining in CloudGuard Network for AWS Auto Scaling Groups

Connection draining (also referred to as "instance draining" or "graceful termination") is a mechanism used to gracefully remove compute instances from service while maintaining application availability.

It ensures that when a virtual machine (VM) is removed from an Auto Scaling Group due to rolling updates or health check failures, existing connections are allowed to complete before the instance is terminated.

Connection Draining Overview

Connection draining is a key capability for enabling the graceful shutdown or decommissioning of compute instances. It allows in-flight requests to complete before the instance is removed from service, minimizing service disruption during maintenance events or manual interventions.

In AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., connection draining is implemented using Elastic Load Balancers (Classic or Application Load Balancers) in conjunction with Auto Scaling Groups (ASG).

When an instance is marked for termination, connection draining allows the Load Balancer to:

  • Stop routing new requests to the instance.

  • Allow existing connections to complete within a defined draining timeout period.

  • Terminate the instance when all connections have closed or the timeout expires.

Connection Draining Use Cases

  • Rolling updates

    Connection draining helps avoid dropped connections during version or template upgrades.

  • Auto-scaling operations

    Connection draining allows smooth removal of VMs in a scale-in event.

  • Persistent connections

    Connection draining minimizes connection loss for long-lived HTTP/TCP sessions.

Connection Draining Setup

In AWS, connection draining is configured on Load Balancers to ensure graceful handling of in-flight connections during instance termination. Many Load Balancers have connection draining enabled by default, with a timeout (Deregistration Delay) typically set to 300 seconds.

Best Practice - Always make sure that connection draining is enabled and that the configured timeout value aligns with your application requirements.

The Deregistration Delay value can be configured between 5 and 60 minutes.

Load Balancer Type

Default Deregistration Delay

Configurable Value

Application Load Balancer

5 minutes (300 seconds)

60 minutes (3600 seconds)

Network Load Balancer

5 minutes (300 seconds)

60 minutes (3600 seconds)

Gateway Load Balancer

5 minutes (300 seconds)

60 minutes (3600 seconds)

To configure connection draining on existing AWS Load Balancers, do these steps:

  1. Go to the EC2 Console.

  2. On the left menu, click Target Groups.

  3. Select the target group used by the Load Balancers.

  4. Go to the Attributes tab. Check if the Deregistration Delay parameter is enabled and has a value.

  5. If the Deregistration Delay value is not specified, click Edit.

  6. Set the Deregistration Delay parameter value in seconds.

  7. Click Save Changes.

This ensures the Load Balancer waits before fully removing the instance from service during scale-in.

Connection Draining During Scale-In

When a scale-in event is triggered and a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. instance is marked for termination, connection draining enables the following behavior:

  1. The External Load Balancer stops routing new requests to the marked Security Gateway instance.

  2. The existing connections are completed within the specified timeout period.

  3. AWS Auto Scale terminates the marked Security Gateway instance only after all active sessions have completed or the timeout has expired.

This approach minimizes user disruption and ensures in-flight sessions are preserved wherever possible.

When Deregistration Delay is set for the Target Group, no further action is needed.

Connection Draining During Instance Reboot

Follow these steps for a graceful reboot:

  1. Go to the Target Group.

  2. Select the Target Group for your Auto Scale Group.

  3. Click Targets.

  4. Select the instance you want to reboot.

  5. Click Deregister.

  6. Wait for the instance to be fully drained (health checks will show Draining or Unused status).

  7. Then reboot the instance.

  8. After reboot, re-register the target.

Connection Draining During Instance Termination

Follow these steps:

  1. Go to Auto Scale Groups in the EC2 console.

  2. Select your Auto Scale Group.

  3. Select the Instance management tab.

  4. Click the instance you want to terminate.

  5. Under Instance state, select Terminate.

    Note - If you terminate an instance and you don’t meet your minimal instance requirements, a new instance will be deployed and configured.