CloudFront with ECS Blue/Green Deployments

0

I have a setup with CloudFront as the CDN and the application on an ECS cluster. As we are using ECS Blue/Green deployment, production listener port 443 and test listener port 8443 are used in the ECS service, and the same ports are registered as listeners on the Application Load Balancer. The Route 53 A record is an alias to the CloudFront distribution, the origin is the Application Load Balancer, and only HTTPS traffic on port 443 is allowed in the CloudFront distribution.

When a request is sent to the application on port 443, for example portal.example.com, it works. But the request times out when it is sent on port 8443, for example portal.example.com:8443. I am able to open the application on both ports using the Application Load Balancer's domain name, which means there is no restriction on port 8443 at the Load Balancer, EC2, VPC, Subnet, Security Group or NACL layers.

I thought the issue was due to the HTTPS port configured on the CloudFront distribution and changed it to 8443. portal.example.com:8443 still doesn't work and times out.

I can't see why the request is not passing through CloudFront and reaching the load balancer on port 8443. Any suggestions would be appreciated.

Note: no WAF ACL is used in CloudFront.

1 Answer
0

You cannot specify the port that CloudFront listens on for viewer traffic: it will always be either 80 for HTTP traffic or 443 for HTTPS traffic. This is configured in your Behavior settings: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html

However, you can configure a custom origin which listens on 80, 443, or 1024-65535: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html

In your case, rather than trying to connect to CloudFront on port 8443, you could instead create a second CloudFront distribution to use for the non-production/test traffic, e.g. test.example.com, and configure a custom origin so that CloudFront accesses your ALB on port 8443.

AWS
EXPERT
Paul_L
answered 2 years ago
  • Tried it the way explained above, but I still have the same problem. A test.example.com request redirects to test.example.com:8443 but does not reach the ALB. Trace log for https://testportal.example.com/admin:


    == Info: Clear auth, redirects to port from 443 to 8443
    == Info: Issue another request to this URL: 'https://testportal..:8443/admin'
    == Info: Trying 65.8.72.94:8443...
    == Info: TCP_NODELAY set
    == Info: connect to 65.8.72.94 port 8443 failed: Connection timed out
    == Info: Trying 65.8.72.27:8443...
    == Info: TCP_NODELAY set
    == Info: After 84504ms connect time, move on!
    == Info: connect to 65.8.72.27 port 8443 failed: Connection timed out
    == Info: Trying 65.8.72.23:8443...
    == Info: TCP_NODELAY set

  • It looks like the viewer makes a request on port 443, which is accepted, but then a redirect is returned and the viewer tries to access CloudFront on port 8443, which is not possible. The viewer should always communicate with CloudFront on port 443, but you can configure CloudFront to communicate with the ALB on 8443. The origin should not return a redirect to the viewer.
