End-to-end TLS for ECS containers with the Fargate launch type


Hi, I am trying to implement end-to-end TLS on ECS with the Fargate launch type and an Envoy sidecar. For this, I have deployed a Java Spring Boot application as the app container, created self-signed certificates, used those certificates to build the Envoy proxy container, and deployed both as a single task so that SSL traffic reaches the container. I followed this AWS blog for the implementation: https://aws.amazon.com/blogs/containers/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-application-load-balancer-with-amazon-ecs-and-envoy/

I have used this envoy.yaml:

```yaml
static_resources:
  listeners:
    - address:
        socket_address:
          address:            # value did not survive in the post as extracted
          port_value: 443
      filter_chains:
        - tls_context:
            common_tls_context:
              tls_certificates:
                - certificate_chain:
                    filename: "/etc/ssl/envoy.crt"
                  private_key:
                    filename: "/etc/ssl/envoy.key"
          filters:
            - name: envoy.http_connection_manager
              config:
                codec_type: auto
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: service
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: local_service
                http_filters:
                  - name: envoy.router
                    config: {}
  clusters:
    - name: local_service
      connect_timeout: 0.5s
      type: strict_dns
      lb_policy: round_robin
      hosts:
        - socket_address:
            address:            # value did not survive in the post as extracted
            port_value: 8080

admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address:                # value did not survive in the post as extracted
      port_value: 8081
```

Unfortunately, I am not able to load the page over SSL.

Please suggest or support me here so I can get this working. Is there an up-to-date step-by-step guide for this?

asked 7 months ago, 692 views
1 Answer
  • Certificate Issues: First of all, check the self-signed certificates. Ensure that the certificates are correctly generated and are accessible by the Envoy container. Make sure the paths in the envoy.yaml (/etc/ssl/envoy.crt and /etc/ssl/envoy.key) are correctly mounted to the envoy container and the Envoy process has read access to them.

  • Application Configuration: Check if your application container is correctly listening on port 8080 (as defined in the envoy.yaml file). You can test this by exec'ing into the application container and trying to connect to it on that port.

  • Envoy Logs: Check the Envoy container logs for any error messages. If Envoy is misconfigured or unable to establish a connection to your application, there should be log messages indicating this.

  • Network Configuration: Ensure your VPC, Subnet, Security Group configurations allow traffic from/to your ECS service and the ALB.

  • Health Checks: Check if your target group's health checks are correctly configured and are passing. If your target group's health check fails, the ALB will not route traffic to your task.

  • ALB Listener: Ensure that your ALB listener is set up correctly to forward traffic to your target group. The listener should be configured with a certificate and to listen on port 443.

If you continue to have problems, please provide more specific error messages or symptoms you are seeing. This will help in troubleshooting the issue further.

answered 7 months ago
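The checks above are all run from inside the task. The probe below, added here as an example and not part of the original question or answer, does the outside-in version of the first three: it tells you whether the port accepts TCP at all, whether whatever answers speaks TLS, whether the chain verifies, and, when `cafile` points at the same self-signed `envoy.crt` that Envoy was built with, whether Envoy is really serving that certificate (a self-signed certificate verifies once it is in the trust store, so that call should return `tls-ok:...`). It also recreates the thread's failure mode with a constructed plaintext HTTP listener on the port the client expects to be HTTPS, which is the situation curl's Schannel backend on Windows typically reports as `SEC_E_INVALID_TOKEN`. The `probe_tls`, `start_plaintext_http_server` and `unused_port` names, the loopback server and the placeholder host names in the comments are assumptions for this demo, not anything from the page.

```python
import socket
import ssl
import threading
from typing import Optional, Tuple


def probe_tls(host: str, port: int, cafile: Optional[str] = None,
              server_name: Optional[str] = None, timeout: float = 3.0) -> str:
    """Classify what listens on host:port, the way a browser or curl sees it.

    Returns one of:
      'refused'        nothing accepts the TCP connection
      'no-tls'         TCP was accepted but the reply to the ClientHello was
                       not TLS (e.g. a plaintext HTTP listener on the port)
      'tls-untrusted'  TLS works but the chain or hostname does not verify
                       (expected for a self-signed cert with no cafile)
      'tls-ok:<ver>'   handshake and verification succeeded
    """
    # With cafile=None this trusts the system CA store; with cafile set it
    # trusts only that file, so passing envoy.crt pins the expected cert.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return f"tls-ok:{tls.version()}"
        except ssl.SSLCertVerificationError:
            return "tls-untrusted"
        except OSError:
            # WRONG_VERSION_NUMBER, unexpected EOF, reset or timeout while
            # waiting for the ServerHello: whatever answered was not TLS.
            return "no-tls"


def start_plaintext_http_server() -> Tuple[str, int]:
    """Constructed stand-in for the broken deployment: an app that speaks
    plain HTTP on a port the client expects to be HTTPS. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # swallows the ClientHello
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    host, port = srv.getsockname()
    return host, port


def unused_port() -> int:
    """A loopback port with nothing listening on it (for the 'refused' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, port = start_plaintext_http_server()
    print("plain HTTP behind an HTTPS URL:", probe_tls(host, port))   # no-tls
    print("nothing listening:", probe_tls("127.0.0.1", unused_port()))  # refused
    # Against the real task (hypothetical host names), with the cert Envoy
    # was built with; server_name must match a SAN in envoy.crt:
    # probe_tls("<task public IP or ALB DNS name>", 443,
    #           cafile="envoy.crt", server_name="<SAN in envoy.crt>")
```

Run it with the task's public IP and port 443: `refused` means Envoy is not bound on 443 or a security group drops the traffic, `no-tls` means something answered but not with TLS (the listener is not terminating TLS, or the port is routed to the plaintext app), `tls-untrusted` with no `cafile` is the normal result for a working self-signed setup, and `tls-ok` with `cafile="envoy.crt"` confirms Envoy is presenting exactly that certificate.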
  • Thanks, Ercan, for the deep analysis and for answering point by point.

    1: The certificates were generated without any errors, pushed to ACM as well, and attached to the load balancer. Could you please suggest a way to verify whether those certs are valid or whether Envoy has issues using them?

    2: The application configuration is fine. I tested with the public IP assigned to the container on port 8080 and it returns results, even though the same container service has Envoy with SSL in it; it returns results only for HTTP on port 8080, and HTTPS fails with the error below. Test:

    ```
    C:\Users\sballu>curl
    The application is up and running!

    C:\Users\sballu>curl
    curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
    ```

    3: I have not observed any error messages in the Envoy logs:

    ```
    2023-08-02 09:19:24 [2023-08-02 13:19:24.295][6][info][main] [source/server/server.cc:937] starting main dispatch loop
    2023-08-02 09:19:24 [2023-08-02 13:19:24.293][6][info][main] [source/server/server.cc:918] all clusters initialized. initializing init manager
    2023-08-02 09:19:24 [2023-08-02 13:19:24.293][6][info][config] [source/extensions/listener_managers/listener_manager/listener_manager_impl.cc:870] all dependencies initialized. starting workers
    2023-08-02 09:19:24 [2023-08-02 13:19:24.292][6][info][config] [sou
    ```
