Specify port mapping for container in ECS


The container has a service which is accessed locally through localhost:8080. Now I want to deploy this container on AWS using ECS, BUT I want the external client to access the service using HTTPS. There is a 'host port' and a 'container port'. What should the port values be, and where should I set them? There is the service security group setting, the load balancer listener setting, and the task itself containing the container.

I am using FARGATE and load balancing

brianR
asked a year ago, 4978 views
1 Answer

Here is how to deploy your container on AWS ECS using Fargate and allow external clients to access your service securely over HTTPS:

  1. Task definition: In your task definition, set the containerPort to 8080, as this is the port your service is listening on inside the container. You don't need to specify a hostPort when using Fargate, as it will automatically assign an available port on the host. Here's an example container definition:
{
  "name": "my-container",
  "image": "my-repository:latest",
  "portMappings": [
    {
      "containerPort": 8080,
      "protocol": "tcp"
    }
  ],
  "essential": true
}
  2. Load balancer: Create an Application Load Balancer (ALB) to handle incoming HTTPS traffic and forward it to your container instances. You'll need to configure a listener on the ALB to listen for HTTPS traffic on port 443. Make sure to attach an SSL certificate to the listener, either by importing your own or using one provided by AWS Certificate Manager (ACM).

  3. Target group: Create a target group with the target type set to ip and the protocol set to HTTP. Specify the port as 8080. The ALB will forward incoming HTTPS traffic to this target group, which will then route it to the appropriate container instances.

  4. Service security group: Create a security group for your ECS service that allows inbound traffic on the assigned hostPort from the ALB's security group. This will ensure that only traffic from the ALB can reach your container instances.

  5. Load balancer security group: Update the security group associated with your ALB to allow inbound traffic on port 443 (HTTPS) from the internet or specific IP addresses, depending on your requirements.

  6. ECS service: When creating or updating your ECS service, configure it to use the Fargate launch type and associate it with the ALB and target group created earlier. In the networkConfiguration section, specify the subnets and security group you created for your service.

With this setup, external clients can access your service using HTTPS via the ALB, which will forward the traffic to your container instances running on Fargate. The container instances will communicate with the ALB over HTTP on port 8080.

Let me know if you need further help.

answered a year ago
EXPERT
reviewed a year ago
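As an added example that is not part of the original answer, the following CloudFormation template puts the steps in the answer into one deployable unit: TLS terminates at the ALB (HTTPS listener on 443 with an ACM certificate), the target group is type ip / HTTP / port 8080, the task's security group admits 8080 only from the ALB's security group (not from 0.0.0.0/0), and the task definition maps containerPort 8080 with no hostPort, which is what awsvpc networking on Fargate requires. The parameter names, the container name `app`, the `/health` path, the execution role and the DesiredCount are placeholders chosen for this example, not values from the original post.

```yaml
# Added example, not from the original post. Placeholders (assumptions): parameter
# names, container name "app", health check path /health, execution role ARN.
AWSTemplateFormatVersion: "2010-09-09"
Description: Fargate service behind an HTTPS ALB; TLS terminates at the ALB

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # at most one subnet per AZ for the ALB
  CertificateArn:
    Type: String                       # ACM certificate for the HTTPS listener
  ClusterName:
    Type: String
  Image:
    Type: String                       # e.g. an ECR image URI (placeholder)
  ExecutionRoleArn:
    Type: String                       # task execution role (placeholder)

Resources:
  # Only 443 is reachable from the internet, and only on the load balancer.
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the internet to the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Tasks accept 8080 only from the ALB's security group, never from 0.0.0.0/0.
  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Container port 8080 from the ALB only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref AlbSecurityGroup

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [!Ref AlbSecurityGroup]

  # Targets are task ENIs (TargetType ip); the ALB speaks plain HTTP to 8080.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip
      Protocol: HTTP
      Port: 8080
      HealthCheckProtocol: HTTP
      HealthCheckPath: /health          # assumed unauthenticated endpoint
      Matcher:
        HttpCode: "200"                 # widen (e.g. "200,401") only if the path requires auth

  # TLS terminates here: HTTPS on 443 with the ACM cert, forwarded to the target group.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: my-service
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "256"
      Memory: "512"
      ExecutionRoleArn: !Ref ExecutionRoleArn
      ContainerDefinitions:
        - Name: app
          Image: !Ref Image
          Essential: true
          PortMappings:
            - ContainerPort: 8080       # no HostPort: with awsvpc it equals ContainerPort
              Protocol: tcp

  Service:
    Type: AWS::ECS::Service
    DependsOn: HttpsListener            # targets cannot register before the listener exists
    Properties:
      Cluster: !Ref ClusterName
      LaunchType: FARGATE
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 2
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED       # public subnets without NAT still need to pull the image
          Subnets: !Ref PublicSubnetIds
          SecurityGroups: [!Ref ServiceSecurityGroup]
      LoadBalancers:
        - ContainerName: app
          ContainerPort: 8080
          TargetGroupArn: !Ref TargetGroup

Outputs:
  ServiceUrl:
    Value: !Sub "https://${LoadBalancer.DNSName}"
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name my-service --parameter-overrides VpcId=... PublicSubnetIds=...,... CertificateArn=... ClusterName=... Image=... ExecutionRoleArn=...` and point DNS for the certificate's hostname at the ALB. Two checks worth running afterwards: the service security group must have no 0.0.0.0/0 ingress on 8080 (only the ALB's security group should appear as a source), and the target group's health check must receive a code listed in `Matcher` from the container. If the application answers 401 to unauthenticated requests on every path, prefer adding a dedicated unauthenticated health endpoint over widening the matcher, since a matcher of "200,401" also reports a task as healthy when it has lost its authentication backend.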
  • Maybe my difficulty is that I am using the AWS ECS console, and a lot of these things you are suggesting are not possible. After creating a cluster I do the create a service. I pick the option 'Launch Type'. Next I stick with the 'Service' option and select my task. I give the service a name and then I turn off the rollback on deployment failure. Now starts the fun.

    In the Networking I pick a VPC and delete the private subnets having one public subnet per zone since the ALB will croak if you have more than one subnet per zone. In the security group I have ONLY the option to pick the name and inbound rules. For the inbound rules I pick Custom TCP with a port of 8080 and a source of anywhere.

    Now to the Load balancer. I pick ALB and add a listener. I set it to HTTPS and port 8080. IF I set the port to 443 it will fail.

    The biggest problem is the target group for this ALB. All I can do is set its name and health check path and choose HTTP or HTTPS for the group and the health check. Nothing else, which is a major issue since the health check will fail because the server in the container will return 401 and not 200. There is no way to configure the 'advanced' settings on the target group until you create the service. Then you have to race to the CloudFormation console, select resources, find your target group, select it, get to the health check, select edit, select advanced, and add the 401 to the 'success' condition. See next:

  • Continued: You have to do this fast enough so that the create service does not do a health check and fail your creation.

    But the main point is that several of the options you present are not possible while creating the service. There is NO option to configure a security group for the ALB - only a target group. And the target group options are far fewer than needed.

    That being said, I do not know why it works with an ALB listener set to HTTPS 8080, and a service security group set to Custom TCP 8080. Any other setting of the ports would fail EXCEPT an ALB listener of HTTP 8080, but that would be insecure.
