I have been working on securing my AWS infrastructure and faced with a difficulty when it come to Network load balancer and Target Groups. Below is the problem.
I have an ECS cluster running on EC2 resources. All containers are managed by a Task which is run by a service with dynamic port mapping. Each container is mapped to a different port and attached to a Target Group.
Target groups are exposed to public via a Application Load Balancer (ALB) and routing is setup to different Target Group with path mappings.
EC2 has a Security group with Allow all traffic from VPC Cider and ALB Security Group.
Now in this setup everything work as expected. Real problem is, I need to expose a MySQL container service and as per my understanding I have to use a Network Load Balancer since it's a TCP connection.
I have created a new Network Load Balancer (NLB) and added listener for port 8080 to Target Group of MySQL Service. Health check passed without a problem as I believe it's initiated within the VPC and and since EC2 Security group is set to allow all traffic from VPC it's working as expected.
However, my external traffic is not allowed to EC2 as I have not explicitly allowed dynamic ports attached to Target Group Instances.
E.g. MySQL instance registered on port 32778 has a healthy status, but I cannot connect to MySQL via 8080 listener on NLB.
Please let me know what I'm doing wrong here and If you get what I'm trying to do, whether there is another approach for the same.
