4
votes

I am trying to configure load-balancing for Fargate ECS. My understanding is that there are at least two target groups. One target group gets created along with the Application Load Balancer, and one target group gets created along with the ECS service.

My containers are running their service on TCP port 5000. I want the load balancer only to expose HTTPS over the regular 443 port, and redirect HTTP to HTTPS, or if that is difficult, just drop HTTP.

I see that Listeners allows specifying a whole bunch of things. However, I am confused by the target group created with the service. It (the IP-type group) listens on port 80, whether I select HTTP or HTTPS during the service creation/configuration.

My containers never get any traffic. I enabled load-balancer logging; it seems that the balancer does not understand what I want it to do. There is "forward" "-" "-" "-" "-" "-" "-" in the log at the end of every request.

I ran aws elbv2 describe-target-groups to get the definitions.

{
  "TargetGroups": [
    {
        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:505963211XXX:targetgroup/ecs-fargate-api-service-tg/1ebb89754b34d072",
        "TargetGroupName": "ecs-fargate-api-service-tg",
        "Protocol": "HTTPS",
        "Port": 80,
        "VpcId": "vpc-e623dd9b",
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPort": "traffic-port",
        "HealthCheckEnabled": true,
        "HealthCheckIntervalSeconds": 30,
        "HealthCheckTimeoutSeconds": 5,
        "HealthyThresholdCount": 5,
        "UnhealthyThresholdCount": 2,
        "HealthCheckPath": "/cookie-policy",
        "Matcher": {
            "HttpCode": "200"
        },
        "LoadBalancerArns": [
            "arn:aws:elasticloadbalancing:us-east-1:505963211XXX:loadbalancer/app/node-api-lb/f5e512a2678688f5"
        ],
        "TargetType": "ip"
    },
    {
        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:505963211XXX:targetgroup/node-api-tg/7544b53ab1720e0d",
        "TargetGroupName": "node-api-tg",
        "Protocol": "HTTPS",
        "Port": 443,
        "VpcId": "vpc-e623dd9b",
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPort": "traffic-port",
        "HealthCheckEnabled": true,
        "HealthCheckIntervalSeconds": 300,
        "HealthCheckTimeoutSeconds": 5,
        "HealthyThresholdCount": 5,
        "UnhealthyThresholdCount": 2,
        "HealthCheckPath": "/cookie-policy",
        "Matcher": {
            "HttpCode": "200"
        },
        "LoadBalancerArns": [
            "arn:aws:elasticloadbalancing:us-east-1:505963211XXX:loadbalancer/app/node-api-lb/f5e512a2678688f5"
        ],
        "TargetType": "instance"
    }
  ]
}

What am I doing wrong? How should I go about setting up an application load-balancer for ECS Fargate to have HTTPS on the outside and route everything to the correct container PORT?

1
If you have only 1 ECS service, you should have 1 ALB. Not sure why you have two. Also, your "Protocol": "HTTPS", which means that your containers operate in HTTPS; do they have proper SSL certificates? Or you meant HTTP here, as usually is done? - Marcin
I wrote why there are two target groups. You cannot create an application load balancer without specifying the target group. Can you? The SSL certificate needs to be given to the ALB, which it pulls from ACM. The containers do not need them. - Igor Shmukler
Of course you can have 1 TG. Not sure how you created two of them. You also specified "HealthCheckProtocol": "HTTPS", which means that your ECS service will always be unhealthy if your containers use HTTP only. - Marcin
Change "Protocol": "HTTPS" to "Protocol": "HTTP", and set health checks to HTTP if your containers use HTTP. Also you don't need a second TG with port 443 as you don't use HTTPS in your containers. - Marcin
Sorry, I'm not sure what your setup is. Could you please clarify what the router instance is? The ECS Fargate setup is generally very easy - 1 TG for 1 service. Maybe you could provide some screenshot which would better illustrate your setup? - Marcin

1 Answer

3
votes

Based on the comments, the screenshots:

First create ALB

You can create your TG when you create your ALB (ALB is called dddd in my example), or beforehand. Also, I named my target group my-tg-for-fargate. I used port 80 (you probably need 5000) as I used nginxdemos/hello as my container. Make sure to create IP target type, not instance. Fargate will not work with instance TGs, explaining why you can't see them in ECS console when creating your ECS service.

[screenshot: ALB dddd created with target group my-tg-for-fargate, target type IP]

Create ECS Fargate service

When you create your Fargate service in ECS console, you will have the option to choose existing ALB (in my case dddd) and existing target group (in my case called my-tg-for-fargate). You don't need to create a second TG:

[screenshot: ECS Fargate service creation selecting ALB dddd and target group my-tg-for-fargate]
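The setup the question asks for and the answer describes (one ip-type target group on the container port, one ALB, TLS terminated at the ALB with the ACM certificate, HTTP redirected to HTTPS, the ECS service attached to that same target group), written out as an added Terraform example; this is not code from the question, the answer, or AWS. The var.* inputs, the security group name, and the container name api are assumptions; port 5000 and the /cookie-policy health-check path come from the question. The ALB's own security group (var.alb_security_group_id) is assumed to allow 80 and 443 inbound.

```hcl
# Assumed inputs (hypothetical names); supply IDs/ARNs from your own account.
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "alb_security_group_id" {}
variable "ecs_cluster_arn" {}
variable "task_definition_arn" {}
variable "acm_certificate_arn" {} # certificate lives in ACM; the containers need none

# Task security group: the container port is reachable only from the ALB.
resource "aws_security_group" "tasks" {
  name   = "node-api-task-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 5000
    to_port         = 5000
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# One ip-type target group on the container port, plain HTTP behind the ALB.
resource "aws_lb_target_group" "api" {
  name        = "ecs-fargate-api-tg"
  port        = 5000
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks register by ENI address, never "instance"
  vpc_id      = var.vpc_id
  health_check {
    protocol = "HTTP"
    path     = "/cookie-policy"
    matcher  = "200"
  }
}

resource "aws_lb" "api" {
  name               = "node-api-lb"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
  security_groups    = [var.alb_security_group_id]
}

# HTTPS on 443: TLS terminates here with the ACM certificate, then forwards.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.api.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }
}

# HTTP on 80: nothing is served; every request is redirected to HTTPS.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.api.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# The service attaches to the same target group; no second target group.
resource "aws_ecs_service" "api" {
  name            = "ecs-fargate-api-service"
  cluster         = var.ecs_cluster_arn
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false
  }
  load_balancer {
    target_group_arn = aws_lb_target_group.api.arn
    container_name   = "api" # assumed container name in the task definition
    container_port   = 5000
  }
  depends_on = [aws_lb_listener.https] # the listener must exist before ECS registers targets
}
```

The target group's Protocol and HealthCheckProtocol are HTTP because the ALB, not the container, holds the certificate; with HTTPS there (as in the question's ecs-fargate-api-service-tg) the ALB would try a TLS handshake against a plain-HTTP port 5000 and mark every task unhealthy. Keeping the task security group open only to the ALB's security group means the only path to port 5000 is through the 443 listener.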