Hello.
Is the path used for ALB health checks correct?
ALB performs health checks on "/" by default.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html
Have been in this situation and I feel your pain. Here are a few things that I did
---Check 1
Check the security group inbound on the task/service. And outbound on the ALB
---Check 2
I would try SSHing onto the Fargate task. Some helpful instructions on how to do this here
Then increase the health check interval and count on the target group.
Then once you SSH in, figure out if the health check is actually working: "http://localhost:3000/ping"
----Check 3
If you can't do Check 2, maybe try logging the ping output in the container for some more clues.
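Check 1 from the answer above can be evaluated mechanically. The following is an added example, not part of the original answer: it takes rule lists in the shape the EC2 `describe_security_groups` API returns (`IpPermissions`, `IpPermissionsEgress`) and reports whether the ALB's outbound rules and the task's inbound rules both admit the health check port. The group IDs, addresses and function names are constructed for illustration.

```python
import ipaddress

def rule_allows(perm, port, peer_sg, peer_ip):
    """True if one IpPermissions-style entry admits TCP `port` for the peer."""
    proto = perm.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    # Protocol "-1" means all traffic and carries no port range.
    if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
        return False
    if any(g.get("GroupId") == peer_sg for g in perm.get("UserIdGroupPairs", [])):
        return True
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))

def health_check_path(alb_sg, task_sg, port, alb_ip, task_ip):
    """Evaluate both halves of Check 1: ALB outbound and task inbound."""
    return {
        "alb_egress": any(rule_allows(p, port, task_sg["GroupId"], task_ip)
                          for p in alb_sg["IpPermissionsEgress"]),
        "task_ingress": any(rule_allows(p, port, alb_sg["GroupId"], alb_ip)
                            for p in task_sg["IpPermissions"]),
    }

# Constructed sample data (placeholder IDs and addresses, not from the thread).
TASK_SG = {"GroupId": "sg-task-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "UserIdGroupPairs": [{"GroupId": "sg-alb-example"}]},
]}
ALB_OPEN = {"GroupId": "sg-alb-example", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
# Listener-only egress, and a different group ID than the task SG trusts.
ALB_OTHER = {"GroupId": "sg-other-example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}

if __name__ == "__main__":
    for alb in (ALB_OPEN, ALB_OTHER):
        print(alb["GroupId"], health_check_path(alb, TASK_SG, 3000, "10.0.1.10", "10.0.2.20"))
```

A `False` on either side means the health check request is dropped before it reaches the container, even when the task answers on its public IP.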
security group created for fargate like these
```
resource "aws_security_group" "fargate" {
  name_prefix = "fargate-security-group-"
  vpc_id      = "vpc-0370dd3da02a2770f"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port       = 3000
    to_port         = 3000
    protocol        = "tcp"
    security_groups = ["sg-0d73dc6bd50a4d4a1"]
    # If you don't know the ELB's security group ID, use its CIDR range (e.g., 10.0.0.0/8):
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
For the SSH part, I was even able to access public_ip_of_task:3000/ping, which returned success.
How's the security group on the ECS configured?
security group created like these
```
resource "aws_security_group" "fargate" {
  name_prefix = "fargate-security-group-"
  vpc_id      = "vpc-0370dd3da02a2770f"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port       = 3000
    to_port         = 3000
    protocol        = "tcp"
    security_groups = ["sg-0d73dc6bd50a4d4a1"]
    # If you don't know the ELB's security group ID, use its CIDR range (e.g., 10.0.0.0/8):
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
Hi,
Can you try without this "healthcheck" part in your Task definition
```
"healthCheck": {
  "command": [
    "CMD-SHELL",
    "curl -f http://localhost:3000/ping || exit 1"
  ],
  ...
}
```
If your task is working, it means that it's the problem. So probably, you have to allow localhost connection in your security group. Add this:
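```
ingress {
  # from_port and to_port are required; 0 with protocol "-1" covers all ports
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["127.0.0.1/32"]
}
```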
By the way, you don't need to put CMD-SHELL because the target group also checks this path; it's redundant.
Yes like these
```
resource "aws_lb_target_group" "map" {
  for_each    = var.target_groups
  name        = "backend-${each.key}"
  vpc_id      = data.aws_vpc.bid365-backend.id
  port        = 3000
  protocol    = "HTTP"
  target_type = "ip" # Specify the target type as "ip" for Fargate

  health_check {
    enabled             = true
    interval            = 60
    port                = "traffic-port"
    path                = "/ping"
    protocol            = "HTTP"
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 3
    matcher             = "200"
  }
}
```