What's the target group port for, when using Application Load Balancer + EC2 Container Service

36
votes

I'm trying to setup an ALB which listens on port 443, load balancing to ECS Docker containers on random ports, lets say I have 2 container instances of the same task definition, listening on port 30000 and 30001.

When I try to create a target group in the AWS EC2 Management console, there's a "port" input field with 1-65535 range. What number should I put there?

And when I try to create a new service in the AWS EC2 Container Service console, together with a new target group to connect to a existing ALB, there's no input field for a target group "port". After it's created, navigating to the EC2 console, the new target group has port "80". Do I have to listen on port 80? But the health check happens against the "traffic port", which is the container port, 30000 and 30001, so what's the point?

4
amazon-web-servicesamazon-ec2amazon-elbamazon-ecs

4 Answers

47
votes

Turns out, when combined with ECS, the target group's port doesn't mean anything. You don't need to listen on that port.

8
votes

I ran into this situation myself at work. I noticed the target group port and the port of the registered instance were different. I've typically set them up to be the same thing so wondered what this was all about which led me to this thread. I couldn't find a good answer on AWS docs, but found this in the Terraform docs for aws_lb_target_group resource:

port - (Optional, Forces new resource) The port on which targets receive traffic, unless overridden when registering a specific target.

So, I guess it's just the default port used unless you override it. Makes sense.

-1
votes

The port in the target group is used in conjunction with auto-scaling groups and if you ever plan to use those you want to use the right port from the start. Why? Because you can not change it after the target group has been created and auto-scaling will simply not work if you set the port wrong.

-1
votes

I think what he's referring to is the health checks. If your ELB is listening on port 443 but your target group is set for port 80, then every health check for the target group will attempt a request on port 80 and get redirected to port 443 by the load balancer. This results in a 301 code, which is considered unhealthy. Only 200 codes are supposed to be considered healthy. At that point you either have all unhealthy targets all the time or you add 301 to the list of healthy codes which defeats the whole point in health checks because it will always return a 301 for port 80. You might as well just match the ports.