Network Load Balancer to ECS Fargate doesn't send traffic to healthy tasks even though they are registered correctly in the target group


I'm building a service running on ECS Fargate, the setup is below:

  1. An internal IPv4 Network Load Balancer listens on port TLS:443 and forwards to a target group, available in 3 AZs with 3 subnets each
  2. ECS Fargate has 3 tasks running (each in a different AZ), registered to the target group and all healthy based on an HTTPS 200 status code health check.

However, I find that requests sent to the NLB are dropped (responded to with 503 errors); they never reach our ECS tasks. I've tried recreating the NLB and related resources and searched everywhere I could, but I still have no clue how to fix it. Could someone help?

2 Answers

A 503 error response from the Network Load Balancer (NLB) usually indicates that the targets are either not healthy or not properly configured. Ensure that your NLB, target group, and ECS tasks are all within the same VPC and that the subnets for each are correctly configured. Double-check that the NLB listener is correctly forwarding traffic to the target group and that the target group is configured with the correct target type (IP) and protocol (HTTPS). And please check the NLB access logs to view the exact error: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

EXPERT
answered a year ago
  1. Confirmed that the NLB, Target Group, and ECS Cluster/Service/Tasks are all in the same VPC
  2. Confirmed the Target Group configuration: Target Type is IP and Protocol is TLS:443, and all registered targets are healthy (HTTPS 200 status code health check), 3 AZs, 1 task per AZ.

When using an NLB, the NLB does not care whether the target replies with an HTTP code or not; it tries to establish a TCP connection and that's it. So it seems to me it might not be able to do that.

An NLB does not have an SG; instead, the security group rules (ingress here) used are the ones of the service. That includes the NLB doing the health check. Make sure your SG ingress allows the NLB to perform the health check. To check, you can try telnet <container IP> <port> and see whether your NLB would be able to perform the test. Do that from an EC2 instance, for example, placed in the same subnet as your NLB.

Hope this helps,

answered a year ago
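As an added diagnostic example (not part of either answer above): a small Python script that repeats the telnet check for every target registered in the target group, run from a host in one of the NLB subnets. It assumes the JSON shape returned by `aws elbv2 describe-target-health`; the sample addresses embedded below are constructed, not the asker's.

```python
import json
import socket
import sys

# Constructed sample in the shape of `aws elbv2 describe-target-health` output;
# the addresses are made up for illustration.
SAMPLE_TARGET_HEALTH = json.dumps({"TargetHealthDescriptions": [
    {"Target": {"Id": "10.0.1.10", "Port": 443, "AvailabilityZone": "us-east-1a"},
     "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.2.10", "Port": 443, "AvailabilityZone": "us-east-1b"},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks"}},
]})


def parse_target_health(doc):
    """Return (ip, port, state) for every registered target in the JSON document."""
    return [(e["Target"]["Id"], int(e["Target"]["Port"]),
             e.get("TargetHealth", {}).get("State", "unknown"))
            for e in json.loads(doc).get("TargetHealthDescriptions", [])]


def tcp_reachable(host, port, timeout=3.0):
    """TCP connect to host:port, the same probe an NLB TCP health check makes.
    False (refused or timed out) is what a task security group that does not
    allow ingress from the NLB subnets looks like from the NLB's side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(doc, timeout=3.0):
    """Map "ip:port" to (state reported by the target group, reachable from here)."""
    return {f"{ip}:{port}": (state, tcp_reachable(ip, port, timeout))
            for ip, port, state in parse_target_health(doc)}


if __name__ == "__main__":
    # Run from an EC2 instance in one of the NLB subnets, feeding it the saved
    # output of: aws elbv2 describe-target-health --target-group-arn <arn>
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for key, (state, ok) in check_targets(source.read()).items():
        print(f"{key:<20} state={state:<10} tcp_connect={'ok' if ok else 'FAILED'}")
```

A target the group reports healthy but that fails tcp_connect from the NLB subnet points at the task security group's ingress rules rather than at the task itself.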
