Using Service Connect TLS to make https connection between ALB and ECS Fargate

2

We would like to set up end-to-end HTTPS, i.e. encrypt traffic from the ALB to the Fargate containers too. In order to do that we set up ECS Service Connect with TLS enabled in client-server mode for the service that needs to receive traffic from the load balancer. Per the documentation the client port is taken over by the Service Connect proxy, and we are able to make HTTPS calls to this IP address and port from an EC2 machine in the same VPC using curl -k to accommodate the self-signed certificate. But even at this stage:

  1. The task fails the target group health checks that are made using HTTPS.
  2. No traffic ever reaches the application from the Service Connect proxy.
  3. The ECS metrics for the Service Connect proxy show a TLS negotiation error.
  4. When we switched the health check to another HTTP port that the application was directly listening on, the tasks were marked as healthy. At this stage we routed the load balancer traffic to the Service Connect proxy port, and that started having TLS connection errors, where the Target TLS Negotiation Errors metric in the target group started showing a non-zero count.

What is the issue here? TLS with Service Connect was a very good way to get end-to-end HTTPS for containers without having to meddle with application code.

2 Answers
0
  • Verify the ALB is in a public subnet with a route to the internet gateway.
  • Check the security groups - the ALB security group must allow inbound traffic on the listener port from your IP/network and the target group security group must allow traffic from the ALB on the container port.
  • Go to the target groups section in the ECS console and check the health of your target. The health checks must be passing for targets to be considered healthy.
  • Check the ALB listeners - make sure it is configured with the correct certificate and to forward traffic to your target group on the appropriate port.
  • Review the ECS service configuration and ensure the service is using the correct task definition and load balancer details are populated correctly.
  • Examine the ECS service events for any failures during deployment or target registration.
  • Check the application container logs for any errors that could impact the health check.
EXPERT
answered 2 months ago
  • All the above-mentioned points are fine. The question is specific to ECS Service Connect TLS not working with the HTTPS connection from the load balancer. As mentioned above, it's working perfectly fine when hit using curl from an EC2 machine.

0

To achieve end-to-end encryption between the Application Load Balancer and the Fargate tasks, you can use AWS Service Discovery with TLS enabled in client-server mode.

Check on these:

  • Make sure the security groups allow traffic from the ALB to the Service Connect proxy port on the tasks.
  • Verify the health checks configured on the target group are passing. The health check URL should be accessible over HTTPS.
  • Check the Service Connect proxy logs for any errors during TLS negotiation. It could be failing to verify the self-signed certificate.
  • Try making test HTTPS calls directly to the Service Connect proxy IP from another EC2 instance in the same VPC using curl -k to ignore certificate validation errors.
  • Ensure the application is configured to listen on the port exposed by the Service Connect proxy, usually 8443 for HTTPS.
EXPERT
answered 2 months ago
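A diagnostic for narrowing down the Target TLS Negotiation Errors described in this thread, added here as an example and not code from AWS or from either answer: a single `curl -k` success only proves one handshake shape works, so this script repeats the handshake against the Service Connect proxy port with and without SNI and pinned to TLS 1.2 or TLS 1.3, then classifies the result matrix. The host, port and SNI name are assumptions you supply from your own task and service configuration.

```python
"""Constructed TLS handshake matrix against a Service Connect proxy port.

Verification is disabled on purpose (like `curl -k`): the proxy serves a
self-signed certificate and we are testing negotiation, not trust.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3


@dataclass
class ProbeResult:
    sni: Optional[str]        # server_name sent in ClientHello, None = no SNI
    version: ssl.TLSVersion   # protocol version the client was pinned to
    ok: bool                  # handshake completed
    detail: str               # negotiated version+cipher, or the error text


def probe(host: str, port: int, sni: Optional[str], version: ssl.TLSVersion,
          timeout: float = 5.0) -> ProbeResult:
    """One handshake pinned to a single TLS version, with or without SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return ProbeResult(sni, version, True,
                                   f"{tls.version()} {tls.cipher()[0]}")
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult(sni, version, False, str(exc))


def probe_all(host: str, port: int, sni: str) -> List[ProbeResult]:
    """Full matrix: {with SNI, without SNI} x {TLS 1.2, TLS 1.3}."""
    return [probe(host, port, s, v) for s in (sni, None) for v in (TLS12, TLS13)]


def diagnose(results: List[ProbeResult]) -> str:
    """Pure classification of a probe matrix (unit-testable offline)."""
    ok = [r for r in results if r.ok]
    if not ok:
        return "no handshake completes: check proxy port, security group and TLS config"
    if all(r.sni is not None for r in ok):
        return "handshake needs SNI: a client that sends none will log a negotiation error"
    if {r.version for r in ok} == {TLS13}:
        return "only TLS 1.3 negotiates: a TLS 1.2-only client cannot connect"
    return "handshake completes with and without SNI: look beyond negotiation"
```

Run `diagnose(probe_all("10.0.1.23", 8443, "svc.internal"))` (constructed values) from an instance in the task's VPC; a matrix that only passes with SNI or only on one protocol version points at the handshake itself, while an all-pass matrix points at the health-check path or the application listener instead.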
