How to make HTTPS ALB that targets other TCP port of a fargate service?


I would like to make a HTTPS fargate service that is in a docker container with port 4000. I set up as follows.

Task definition/Port mapping of the container
-Host port: 4000
-Container port: 4000
Target group 
-Target type: IP
-Protocol: HTTPS (port 443)
-IPv4 address: None
Application load balancer
-Listener protocol: HTTPS (port 443)
-Default action: the TG above
ECS service
-Task definition: the definition above
-Load balancer: the ALB above
-Container to load balance: the container above
 -Production listener port: HTTPS (443)
 -Target group name: the TG above
Route 53 A record
-alias: the ALB above

However, when I access to the url of the A record, I got "503 Service Temporarily Unavailable" or "504 Gateway Time-out". I can access to the service if I do not use ALB and connect to the IP:4000 directly.

What is the correct way to set up ALB and TG that connect to the container port 4000 via HTTPS?

  • It looks like the setup should be able to work as long as the target group is setup to forward traffic to the relevant host. Have you already checked that the host security group or subnet network ACL allow that traffic from your load balancer?

  • Are any targets showing up in the console for the group? And are the health checks showing as successful?

1 Answer

Your setup looks almost correct. However, you need to set your Target Group to point to port 4000 instead of 443. Otherwise it will be unable to establish a connection with your Fargate task.

In addition, you will want to confirm your Fargate security group allows incoming traffic from the Load Balancer, and you'll want to make sure your health check is configured and it shows healthy targets.

The errors you're receiving mean:

  • 503 Service Temporarily Unavailable -- Your Fargate task(s) are not running, and there are no targets registered to the load balancer.
  • 504 Gateway Time-out -- There is at least one target registered to the load balancer, but it's not responding on the configured port.

(See: )

The reason it's flipping between 503 and 504 is because your Target Group cannot reach your Fargate task, so the health check is failing, and the task is getting restarted over and over.

If you clear up the connectivity between the Target Group and the Fargate task, this will probably solve the problem.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions