1
votes

In my AWS account, I have the following setup:

  • 1x ECS cluster with 2 services (service-a and service-b)
  • Each service has its own target group
  • service-a binds the port on 443
  • service-b binds the port on 8888 (I needed to do that, because 443 might be already allocated by service-a). Both services are reachable with the HTTPS protocol
  • 1x ALB which will be used in both services to load balance traffic
  • 1x HTTPS Listener on the ALB (balances traffic by path)
  • 1x Security group for the ALB (only allows inbound traffic from a given network)
  • 1x Security group for all ECS EC2 Instances which are allowing inbound traffic from the ALB (on port 443 (HTTPS) and 8888 (Custom TCP Rule))

However:

service-b is always unhealthy.

I tried to add a new HTTPS Listener on the ALB which listens on port 8888 and this listener forwards the traffic to my service-b-target-group as expected.

Does anyone have any clue?

Thanks in advance!

1
I honestly don't want to force my customers to enter port 8888 in the browser... everything should just work over the well-known port 443. - Christopher Schmidt

How are your ALB health checks configured? - MaiKaY

They are simply checking a public resource and evaluating its status code. In my case: both are trying to retrieve a JS file which is definitely available - I triple-checked it locally. - Christopher Schmidt

Yes. But how is the health check configured? Which ping port? - MaiKaY

To clarify things concerning the health check: the health check on service-a is working very well... :-) Only service-b is always unhealthy. I also found a hint: in my target group configuration there is port 80 for the listener port, but my service is available on port 8888. I don't know why it is telling me port 80, because I configured HTTPS during the configuration of the service. - Christopher Schmidt

1 Answer

0
votes

Did you configure an advanced health check of your target group for service b?

It should look like this picture here.

The default setting of the target group is "traffic port". If you have configured path-based routing, the traffic port is the same for both target groups.

Requests on url.com:443/service-a and url.com:443/service-b will try to do health checks on port 443 on both target groups.

For service-b you should define an advanced health check on a specific port, because your service listens on that port (8888 in your case).
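A check for the port mismatch discussed in this thread, as an added example that is not part of the original question or answer: it resolves the port each target group's health check actually probes and compares it with the port the service listens on and with the ports the instance security group allows from the ALB. The sample data is constructed; its field names follow the elbv2 DescribeTargetGroups and DescribeTargetHealth responses, while the nested `Targets` list, the instance id and the lookup tables are assumptions made for illustration.

```python
# Constructed sample: target groups merged with their registered targets.
# service-b mirrors the thread: registered on port 80, service listens on 8888.
TARGET_GROUPS = [
    {"TargetGroupName": "service-a-target-group", "Port": 443,
     "HealthCheckProtocol": "HTTPS", "HealthCheckPort": "traffic-port",
     "Targets": [{"Id": "i-0aaaaaaaaaaaaaaaa", "Port": 443}]},
    {"TargetGroupName": "service-b-target-group", "Port": 80,
     "HealthCheckProtocol": "HTTPS", "HealthCheckPort": "traffic-port",
     "Targets": [{"Id": "i-0aaaaaaaaaaaaaaaa", "Port": 80}]},
]
# Assumed inventory: port each service binds, and ports the ECS instance
# security group accepts from the ALB security group.
SERVICE_PORTS = {"service-a-target-group": 443, "service-b-target-group": 8888}
SG_ALLOWED_FROM_ALB = {443, 8888}


def effective_health_port(group, target):
    """Return the port the ALB health check probes for this target."""
    configured = group["HealthCheckPort"]
    if configured == "traffic-port":
        # "traffic-port" means the port the target was registered with,
        # which falls back to the target group's own port.
        return target.get("Port", group["Port"])
    return int(configured)


def audit(groups, service_ports, sg_ports):
    """List (group, target id, probed port, reason) for every mismatch."""
    findings = []
    for group in groups:
        name = group["TargetGroupName"]
        for target in group["Targets"]:
            port = effective_health_port(group, target)
            if port != service_ports[name]:
                reason = "service listens on %d" % service_ports[name]
                findings.append((name, target["Id"], port, reason))
            elif port not in sg_ports:
                reason = "port not allowed from ALB by instance security group"
                findings.append((name, target["Id"], port, reason))
    return findings


def with_health_port(group, port):
    """Copy of the group with an explicit health check port override."""
    return dict(group, HealthCheckPort=str(port))


if __name__ == "__main__":
    for finding in audit(TARGET_GROUPS, SERVICE_PORTS, SG_ALLOWED_FROM_ALB):
        print(finding)
```

The explicit override modelled by `with_health_port` corresponds to the target group's health check port setting, which the AWS CLI exposes as `aws elbv2 modify-target-group --health-check-port`.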