AWS Network Load Balancer in front of ECS service running vsftpd not working

The deployment of vsftpd as a service to ECS appears to work as expected: an FTP client can connect to the container using the Public IP listed in ECS > Clusters > Services > Tasks > Networking.

Instead of using the Public IP, the goal is to use a load balancer to map a subdomain to the ECS instance.

Currently trying to use a Network Load Balancer so that we can map TCP ports (ALB only offers HTTP ports, as I understand it).

Target groups are configured with 5 TCP ports (IP target type & IPv4 address type)

The Network Load Balancer is configured with 5 listeners that map 5 TLS ports (using an ACM certificate) to forward to the above target groups.

The internet-facing IPv4 NLB times out when I try to connect using an FTP client.

I've checked/confirmed the Security Groups and Subnet (repeatedly) and can't find the issue.

What am I missing?

1 Answer
Accepted Answer

FTP is not supported by NLB. The way I usually talk about this is that FTP is a "complex" protocol - there are multiple ports being opened; sometimes in different directions; and the load balancer needs to read the application layer data to determine what ports to allow and allocate to a target for each file transfer session.

NLB operates at layer 3 and layer 4 of the protocol stack. It doesn't look at the protocol to determine additional context - and that's what FTP requires.

AWS EXPERT, answered 8 months ago
EXPERT, reviewed 8 months ago
AWS EXPERT, reviewed 8 months ago
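
The point made in the answer above, as an added example that is not part of the original post and not AWS or vsftpd code: each FTP data connection's port is announced as text on the control channel, which a layer 4 forwarder never parses. The sample control lines, addresses and listener ports below are constructed for illustration.

```python
import re

# Constructed control-channel excerpt (reply formats per RFC 959 and RFC 2428).
SAMPLE = [
    ("server", "220 Service ready"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,0,1,25,195,80)."),
    ("client", "EPSV"),
    ("server", "229 Entering Extended Passive Mode (|||50001|)"),
    ("client", "PORT 192,0,2,10,200,21"),
]

_PASV = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _host_port(groups):
    """Decode h1,h2,h3,h4,p1,p2 into (dotted host, p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(sender, line):
    """Return (mode, host, port) if this line negotiates a data connection."""
    if sender == "server":
        m = _PASV.match(line)
        if m:  # passive: client will connect to the server on this port
            return ("passive", *_host_port(m.groups()))
        m = _EPSV.match(line)
        if m:  # extended passive: port only, same host as control channel
            return ("passive", None, int(m.group(1)))
    elif sender == "client":
        m = _PORT.match(line)
        if m:  # active: server will connect back to the client
            return ("active", *_host_port(m.groups()))
    return None


def negotiated_endpoints(lines):
    """All data endpoints announced in a control-channel transcript."""
    return [e for sender, line in lines if (e := data_endpoint(sender, line))]


def unmapped_ports(lines, listener_ports):
    """Passive data ports announced by the server that no listener forwards."""
    return sorted({port for mode, _, port in negotiated_endpoints(lines)
                   if mode == "passive" and port not in listener_ports})
```

With the constructed listener set `{21, 50000}`, `unmapped_ports(SAMPLE, {21, 50000})` reports port 50001 as announced but not forwarded. The 227 reply also carries the server's own address, here a private one that a client on the internet cannot reach.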
