(aws-ecs-patterns) ALB pattern sets protocol/port to HTTP/80 when attaching certificate

[vjain16]

when attaching the certificate to ApplicationLoadBalancedEc2Service or ApplicationLoadBalancedFargateService target group is not changing to HTTPS and 8443
Target group , port and protocol is defaulted to HTTP and 80

export interface ApplicationLoadBalancedServiceBaseProps {
	...
    const `**targetProps**` = {
      port: 80
    };

    if (props.certificate !== undefined && props.protocol !== undefined && props.protocol !== ApplicationProtocol.HTTPS) {
      throw new Error('The HTTPS protocol must be used when a certificate is given');
    }
    const protocol = props.protocol !== undefined ? props.protocol : (props.certificate ? ApplicationProtocol.HTTPS : ApplicationProtocol.HTTP);

    this.listener = this.loadBalancer.addListener('PublicListener', {
      protocol,
      open: true
    });
    this.targetGroup = this.listener.addTargets('ECS', **targetProps**);

Its a problem when your docker application is running on 8443
there should be a way in the "ApplicationLoadBalancedServiceBase" class to override the port .

[piradeepk]

@vjain16 can you provide more information as to why you'd like to set the Target Group protocol/port differently?

In the case of an Ec2/Fargate Load Balanced Service, the target group port is actually overridden by the container port that you define (which is why the target group port is not configurable) and most users perform TLS termination on the Load Balancer, and not the individual hosts. If you have a different use case though, please let us know, we would love to help!

[vjain16]

Yes that the point , my docker application is running on 8443 and i set the container port as 8443 but my target group is defaulting it to 80 , also if i run my docker application to http and 8080 also the target group port is still defaulting to 80 .

I think i got the point of termination the TLS on the load balancer and pass only the http traffic to the docker application but in that case also defaulting it to port 80 is just a restriction

But we have an existing docker application which is running on https , 8443 for this we need a way to override the protocol and port .

[piradeepk]

Can you provide the construct that you're initializing as well as the input properties that you're passing it?

[vjain16]

const loadBalancedService = new ecsPatterns.ApplicationLoadBalancedEc2Service(this, name.concat('LoadBalancedSvc'), {
            memoryLimitMiB: 1024,
            cluster: mycluster,
            cpu: 512,
            certificate: cert.Certificate.fromCertificateArn(this , " my certificate" ,certificateARN ),            
            domainName : "MyDomain.com”
            domainZone : route53.HostedZone.fromHostedZoneId(this , "myZone" , “ZoneId"),
            taskImageOptions: {
                image: ecs.ContainerImage.fromEcrRepository(
                    Repository.fromRepositoryArn(this, name.concat('Repo'), ecrRepoArn),
                    dockerTag
                ),
                containerPort: containerPort,                
            },
            listenerPort : listenerPort,
            desiredCount: taskDesiredCount,
        });
               
        loadBalancedService.targetGroup.configureHealthCheck({
            port: 'traffic-port', 
            path:  healthCheckPath,
            protocol : healthCheckProtocol ,
        });

[rubenjgarcia]

Hi

I have the same problem

The listener of the ALB has a Target Group that points to port 80 while my container has port 6500

Is there any update on this?

[piradeepk]

When using ELB and ECS together, ELB does not look at the default port specified for the target group, but rather, it looks at the container port specified.

The default port specified on your target group is not used to route traffic from load balancer to your ecs service (the container port is used, the target group default port is ignored). The target group default port is only used if a container port is not specified (which is not possible with ECS, a container port will always be specified, even if it's the same value as the default port).

[jackm-ts]

This is also an issue for me but maybe in a slightly different way. The default props mentioned above and seen here and not sufficient for my application running in ecs.

The app is running container port 443. And only accepts traffic over HTTPS. The default target group protocol of HTTP is causing me to receive this error from nginx running in ECS.

400 The plain HTTP request was sent to HTTPS port

I need to be able to make the target group protocol HTTPS from ApplicationLoadBalancedFargateServiceProps

[sivaprasadreddy]

I am also facing the same issue. My SpringBoot app is running on port 8080 in docker container and when I used ApplicationLoadBalancedFargateService by default the load balancer is running on port 80 with target group of services running on port 8080. But the health checks are performed on LB on port 8080 which is failing.

Is there a way to resolve this apart from changing the docker container port to 80?

[erothmayer]

Edit: I thought I was running into the same issue, but got clarification from @pkandasamy91 (thank you!)

The TargetGroup CFN does set Port 80 in this case, which LOOKS wrong... but it isn't, because the ALB ignores this when you attach an ECS container, and it just uses the containerPort behind the scenes. The setting in CFN doesn't matter, so the default is irrelevant.

My case was confused by a bad health check path setting, which was causing our tasks to be continually killed and restarted. That overlapped with noticing this seemingly bad Port setting. If anyone else is hitting this, it's worth a look in your ECS Service Events tab to see if it's killing off your targets and making it look like a bad port binding.

[piradeepk]

@erothmayer happy to help!

To add a bit of clarification, the way that ECS (not specific to the CDK) works with an ALB is a bit misleading. As part of associating an ALB to an ECS service, a listener port, a target group port and a container port are configured. The listener port will be used to route external traffic to a specific target group. In the case of an ECS Service, the listener port will map to a target group, but ecs will ignore the target group's default port and instead use the container port of any containers associated to that target group.

Example workflow:
External traffic -> calls ALB with listener port 80 -> routes traffic to target group A -> target group A ignores the default port mapping -> dynamically routes traffic to the container ports of containers mapped to the target group

That example is a bit confusing so feel free to ask more questions, but the gist of it is ECS as a service does not use the default target group port mapping. In order to have your load balancer route traffic from a different port other than 80, you'll want to modify the listener port, that routes to your container's target group.

[nragusa]

I am having a similar problem to @jackm-ts

I understand that containerPort will override the port setting in the target group. However, if the protocol remains as HTTP, and the container expects an encrypted connection, it will fail. For any workload that requires end-to-end encryption, this would be a show stopper.

[piradeepk]

@nragusa are you looking to perform termination at the load balancer or at the container level?

[nragusa]

@piradeepk Ideally I'd have both. I'd like to expose the appropriate certificate to clients on the ALB, and have an encrypted connection from the ALB to the container(s).

[sep76]

Have the same problem.
that the container port override the Targetgroup port is understandable. But it still tries HTTP on a HTTPS container port.
are there any workarounds ?

[nickorka]

I've specified TCP protocol for Fargate service, but I'm getting another error now:
Value 'tcp' at 'protocol' failed to satisfy constraint: Member must satisfy enum value set: [UDP, TCP, TCP_UDP, HTTP, HTTPS, TLS] (Service: ElasticLoadBalancingV2, Status Code: 400

Here is my code:

         vpc = ec2.Vpc.from_lookup(self, 'VPC', is_default=False, vpc_name='Blah-vpc')

        cluster = ecs.Cluster(
            self, 'LuigiServerCluster', vpc=vpc,
            enable_fargate_capacity_providers=True)

        image = ecs.ContainerImage.from_asset('../container/')

        fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(
            self, "LugiServerService",
            cluster=cluster,  # Required
            cpu=512,  # Default is 256
            desired_count=1,  # Default is 1
            task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=image, container_port=8082
            ),
            memory_limit_mib=2048,  # Default is 512
            public_load_balancer=False,  # Default is False
            protocol=ecs.Protocol.TCP,
            listener_port=8082
        )

What is wrong?

[serge-komogorov-idealo]

@nickorka,
protocol: ApplicationProtocol.HTTPS, where ApplicationProtocol comes from @aws-cdk/aws-elasticloadbalancingv2

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.