Health check in target group in network load balancer always fail.

0

Hi guys,

I have deployed an ECS service with Fargate and connect it to the network load balancer. I have exposed port 8000 in the container and created a port mapping with container port 8000 and host port 8000.

I also created the listener rule with port 80 in the network load balancer, and forward to target group with port 8000 of the container above. I enable http health check and this health check corresponds with the health check in my container. The security group in the ecs service and network load balancer does allow all in and out traffic.

Unfortunately my health check is always failing with the reason "Health check fails". I can get inside container and get the correct response of the health check. I also created an EC2 instance with the same vpc and subnet as in ECS service, I can ping the host and cannot access the port.

Any idea of what I did wrong?

Many thanks, SN

siunhan
asked 7 months ago562 views
3 Answers
1

Hi, you may want to follow the guidance of this KC article to fix your problem: https://repost.aws/knowledge-center/elb-fix-failing-health-checks-alb

Best,

Didier

profile pictureAWS
EXPERT
answered 7 months ago
  • Hi Didier, thanks for your comment. However my load balancer is network load balancer and I also followed the steps, but I still havent figured it out why. Actually I forgot to mention that I can ping the host in EC2 instance but I cannot access the port. Seems like port mapping is wrong..

0

Hello,

  • Increase the health check grace period or interval if the application takes some time to fully start up on the container. This will prevent false failures during startup.
  • Check for any network ACLs that may be blocking port 8000 traffic.

For further info check these links - https://repost.aws/knowledge-center/fargate-alb-health-checks https://repost.aws/knowledge-center/fargate-nlb-health-checks

Thanks

answered 7 months ago
  • Hi, thanks for your reply. Actually my network ACL does not block port 8000 and I increased the heath check grace period but it's not working. Somehow the port in ecs service is not opening because when I ping the private ip address and the port, I got "connection refused" or "no route to host".

0

It's possible the application is only listening on localhost (127.0.0.1) by default instead of being bound to 0.0.0.0/0. Binding to localhost is common in development environments for testing locally, but production deployments should listen on all available network interfaces.

I would kindly suggest double checking the host configuration and ensuring it is bound to 0.0.0.0 to allow external access.

profile pictureAWS
EXPERT
answered 7 months ago
  • this actually is not my problem because I deploy the same image with public nlb with aws copilot and it works.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions