
Health check at NLB level for a Fargate Service


I have a service using ECS Fargate behind an NLB, which runs my application at port 8443. The NLB target group health check shows the following settings (default for TCP health check).

Protocol               TCP
Port                   Traffic port
Healthy threshold      3 consecutive health check successes
Unhealthy threshold    3 consecutive health check failures
Timeout                10 seconds
Interval               30 seconds

The NLB target group also has the default target deregistration time of 60 seconds.

With this, I wanted to understand the difference between the active health check and the passive health check done by the NLB for its targets.

My understanding is that the above health check configuration is for the active health check. Would there also be a default passive health check in an NLB which responds to failed responses from the target?

Further, I can see that the moment I stop my Fargate task, even in the absence of any traffic, the target (ECS IP) begins deregistration. There seems to be no 30-second time gap (the active health check interval as above). The metric (healthy host as 1) stops getting published. Is the NLB thus somehow configured to get notified about terminating Fargate tasks?

Finally, I wanted to understand how good the NLB healthy task count metric is for monitoring my Fargate application. I was thinking that it is the best metric, since it does a TCP ping at the port level (port 8443 in my case), thus ensuring that the monitoring is done at the port (application) level as well as the task level.

1 Answer


As you described, the NLB with a TCP health check is basically just going to open a TCP connection on the target + port, and report it healthy if it can open the TCP session. There is no notion of a passive health check; it is all actively opening connections to targets to evaluate their health.

The way the ECS Task (container(s)) gets added to the Target Group "targets", is that after your container is up, ECS will go ahead and attach the container as a target to aforementioned Target Group. Then the health check starts.

If you stop the fargate task, then ECS will remove it from the Target Group (and therefore from the Listener Rule and therefore from the NLB (or ALB)).

The healthy hosts metric indeed is a good indicator of whether your targets are healthy or not.

If you want an end-to-end demo with NLB + ACM (so, using TLS at the NLB) and Fargate, have a look at this (part 2 is being written).

Hope this helps,

answered 20 days ago
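To make the answer's point concrete, here is an added example (written for this page, not AWS's code or anything from the original answer) that models what an NLB TCP health check actually does and how the question's target group settings turn probe results into a target state. `tcp_probe` only completes a TCP handshake and sends no data, so a process that accepts connections but is otherwise broken still passes, exactly as with a real TCP health check. `HealthTracker` is a simplified model of the consecutive-threshold logic (the state names and the handling of the initial state are my assumptions), and `detection_window` works out how long the active checks alone would take to notice a dead target with the question's interval, timeout and unhealthy threshold, which is why the near-instant deregistration the asker saw cannot have come from the active checks. The loopback listener and the probe sequence are constructed test inputs.

```python
"""Model of an NLB-style active TCP health check and its threshold logic.

Added example for this page; it is not AWS's code. The settings below are the
ones quoted in the question (healthy/unhealthy threshold 3, timeout 10 s,
interval 30 s). The state names and the simplified state machine are assumptions.
"""
import socket
from dataclasses import dataclass, field
from typing import List, Tuple

# Target group settings quoted in the question.
HEALTHY_THRESHOLD = 3
UNHEALTHY_THRESHOLD = 3
TIMEOUT_SECONDS = 10
INTERVAL_SECONDS = 30


def tcp_probe(host: str, port: int, timeout: float = TIMEOUT_SECONDS) -> bool:
    """One active check: True iff the TCP handshake to host:port completes.

    Nothing is sent after the handshake, so, exactly like a TCP health check,
    a process that accepts connections but is otherwise broken still passes.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


@dataclass
class HealthTracker:
    """Consecutive-result thresholds for one target (simplified model)."""
    healthy_threshold: int = HEALTHY_THRESHOLD
    unhealthy_threshold: int = UNHEALTHY_THRESHOLD
    state: str = "initial"  # assumed states: initial, healthy, unhealthy
    successes: int = 0      # current run of consecutive successes
    failures: int = 0       # current run of consecutive failures
    history: List[str] = field(default_factory=list)

    def record(self, success: bool) -> str:
        """Feed one probe result and return the resulting state."""
        if success:
            self.successes, self.failures = self.successes + 1, 0
            if self.state != "healthy" and self.successes >= self.healthy_threshold:
                self.state = "healthy"
        else:
            self.failures, self.successes = self.failures + 1, 0
            if self.state != "unhealthy" and self.failures >= self.unhealthy_threshold:
                self.state = "unhealthy"
        self.history.append(self.state)
        return self.state


def detection_window(interval: float = INTERVAL_SECONDS,
                     timeout: float = TIMEOUT_SECONDS,
                     threshold: int = UNHEALTHY_THRESHOLD) -> Tuple[float, float]:
    """Seconds between a target dying and the active checks marking it unhealthy.

    Best case: the port starts refusing (RST) just before a scheduled check, so
    each failure is instant and the threshold is reached after (n-1) intervals.
    Worst case: the target black-holes packets just after a successful check, so
    each failure costs a full timeout on top of the interval.
    """
    best = (threshold - 1) * interval
    worst = threshold * interval + timeout
    return best, worst


def demo_local_probe() -> Tuple[bool, bool]:
    """Probe a loopback listener while open, then again after it is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port; constructed test target
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port, timeout=2)
    listener.close()
    while_closed = tcp_probe("127.0.0.1", port, timeout=2)
    return while_open, while_closed


if __name__ == "__main__":
    print("probe open/closed:", demo_local_probe())
    tracker = HealthTracker()
    # Constructed probe sequence: two passes, a blip, three passes, three fails.
    for result in [True, True, False, True, True, True, False, False, False]:
        tracker.record(result)
    print("states:", tracker.history)
    print("active detection window (s):", detection_window())
```

With the question's settings, `detection_window()` gives 60 to 100 seconds before the active checks alone would mark a dead target unhealthy, so a target that drops out the instant its task stops is being removed by ECS deregistering it, not by a failed probe. The probe also shows the limit of the healthy host metric as an application monitor: it proves the port accepts connections, not that the service behind it can complete a TLS handshake or serve a request.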
