Hi, and thanks for reaching out!
The TargetConnectionErrorCount metric will increment any time the ALB encounters an error in establishing a TCP connection with a target. In this case, it sounds like the first failed request that was made after changing the Security Group was still in flight over the connection that is maintained between an ALB and a target. This would not increment the TargetConnectionErrorCount metric.
The next request after this may have then come in after the second target had already been marked Unhealthy, and therefore no further requests were routed to it.
In the case of all targets being unhealthy, the ALB exhibits fail-open behavior, routing requests to all registered targets, regardless of health status. As a result, the ALB attempts to make connections with each of them, but fails in each attempt, causing the TargetConnectionErrorCount to increment.
Hope this helps!
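An added example, not part of the answer above and not AWS code: a classifier for per-minute target-group datapoints that separates the case where an unhealthy target is routed around (no new connection errors) from the fail-open case where every target is unhealthy and connection errors accumulate. `HealthyHostCount`, `UnHealthyHostCount` and `TargetConnectionErrorCount` are the CloudWatch metric names; the `Minute` tuple, the label strings and the sample datapoints are constructed for illustration.

```python
from typing import NamedTuple

class Minute(NamedTuple):
    ts: str
    healthy: int      # HealthyHostCount
    unhealthy: int    # UnHealthyHostCount
    conn_errors: int  # TargetConnectionErrorCount (Sum over the minute)

def classify(m: Minute) -> str:
    """Label one minute of target-group metrics (labels are hypothetical)."""
    if m.healthy == 0 and m.unhealthy > 0:
        # Every target unhealthy: the ALB fails open and still tries to connect.
        return "fail-open" if m.conn_errors > 0 else "all-unhealthy-idle"
    if m.unhealthy > 0:
        # Some targets unhealthy: traffic goes to the healthy ones, so a
        # blocked target usually produces no new connection errors.
        return "degraded-errors" if m.conn_errors > 0 else "degraded-silent"
    return "connect-errors" if m.conn_errors > 0 else "ok"

def fail_open_windows(series):
    """Return (start, end, total_errors) for each contiguous fail-open run."""
    windows, current = [], None
    for m in series:
        if classify(m) == "fail-open":
            if current is None:
                current = [m.ts, m.ts, 0]
            current[1] = m.ts
            current[2] += m.conn_errors
        elif current is not None:
            windows.append(tuple(current))
            current = None
    if current is not None:
        windows.append(tuple(current))
    return windows

# Constructed sample: two targets, a Security Group change blocks one, then both.
SAMPLE = [
    Minute("10:00", 2, 0, 0),
    Minute("10:01", 1, 1, 0),   # one target blocked, marked Unhealthy
    Minute("10:02", 1, 1, 0),
    Minute("10:03", 0, 2, 9),   # both blocked: fail-open, errors increment
    Minute("10:04", 0, 2, 12),
    Minute("10:05", 2, 0, 0),   # rule restored
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.ts, classify(m))
    print(fail_open_windows(SAMPLE))
```

A zero `TargetConnectionErrorCount` alone therefore does not show that all targets are reachable; pairing it with the host-count metrics does.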