ECS Fargate + Network Load Balancer for TCP+UDP



I'm trying to hook up a network load balancer with my ECS service hosted on Fargate.

The traffic the load balancer needs to forward is both TCP and UDP on the same port. This is readily achievable with the network load balancer and target groups where an explicit "TCP+UDP" option is available.

This option is not present when creating the task definition for ECS, so I create multiple port mappings on the same port, but with different protocols.

Once I try and create the ECS service, it complains about how I have multiple ports mapped inside the ECS task definition.

Any ideas/workarounds?

asked 5 months ago · 436 views

2 Answers

As you noted, NLB does support listening for TCP and UDP traffic on the same port via the "TCP_UDP" protocol setting. You'll create a target group that is configured to handle both TCP and UDP traffic on the specified port.

In ECS, you're required to specify port mappings in the task definition. The challenge is that ECS Fargate doesn't inherently support multiplexing TCP and UDP on the same port in the task definition (as of my last training).

Workaround Strategies:

Separate Services for TCP and UDP: Create two different ECS services, each handling either TCP or UDP traffic separately. Both services can be behind the same NLB using different target groups, with each target group handling a different protocol (TCP or UDP) on the same port. This strategy allows you to keep both TCP and UDP traffic on the same port while bypassing the limitation on the ECS task definition.

Use EC2 Instead of Fargate: If the limitation persists on Fargate, consider using EC2 launch type for your ECS service, which gives you more control over network configurations. Utilize iptables or another network tool to manage traffic routing on the EC2 instances. For example, you could reroute traffic at the instance level so that it appears to be on different ports for the ECS tasks while maintaining the same port for external traffic via the NLB.

Regards, Andrii

answered 5 months ago

Amazon Elastic Container Service (ECS) doesn't directly support defining both TCP and UDP ports for a single container port in a task definition. However, you can work around this limitation in the following way. In Amazon Elastic Container Service (ECS), you can have different services for TCP and UDP by creating separate ECS services for each protocol. Each service can be configured to handle either TCP or UDP traffic, and you can use the same Network Load Balancer (NLB) or Application Load Balancer (ALB) to route traffic to the appropriate service based on the protocol.

Here's how you can achieve this:

Create Two ECS Services: Create two separate ECS services in your ECS cluster, one for handling TCP traffic and another for handling UDP traffic. Each service should use the appropriate task definition that specifies the desired protocol for its containers.

Configure Load Balancer Rules: Use the same Network Load Balancer (NLB) or Application Load Balancer (ALB) for both services. Create two listeners on the load balancer, one for TCP and another for UDP, both using the same port.

For the TCP listener, configure the listener to route traffic to the TCP service. For the UDP listener, configure the listener to route traffic to the UDP service.

Update Your Security Groups: Ensure that your security groups are configured to allow traffic on the required ports and protocols. You'll need separate security groups for TCP and UDP services, each allowing traffic on the respective protocol.

Register Targets: When creating or updating the services, make sure you configure the services to use the correct target groups and set the desired number of tasks (containers) for each service.

This approach allows you to manage TCP and UDP traffic separately, with dedicated services for each protocol. It provides a clean and straightforward way to handle different protocols and ensures that traffic is directed to the appropriate ECS services based on the protocol specified in the load balancer rules.

By using separate services, you can scale and manage each protocol independently and have more granular control over how your ECS tasks handle different types of traffic.

answered 4 months ago
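The NLB side of the "two services, two target groups" workaround both answers describe, written out as a CloudFormation template. This is an added example, not code from the question or either answer; the VpcId/Subnets parameters, the internal scheme and port 9000 are assumptions, and each ECS service then points at its own target group through its LoadBalancers property with ContainerPort 9000.

```yaml
# Added example, not from the thread: VPC/subnet parameters and port 9000 are placeholders.
Parameters:
  VpcId:   { Type: AWS::EC2::VPC::Id }
  Subnets: { Type: List<AWS::EC2::Subnet::Id> }
Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Type: network, Scheme: internal, Subnets: !Ref Subnets }
  # One target group per protocol; TargetType ip is how Fargate (awsvpc) tasks register.
  TcpTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip
      Protocol: TCP
      Port: 9000
      HealthCheckProtocol: TCP
  UdpTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip
      Protocol: UDP
      Port: 9000
      # NLB cannot health-check over UDP: a UDP target group is probed with TCP, HTTP or
      # HTTPS, so the UDP task must also answer on a TCP port (reusing 9000 here).
      HealthCheckProtocol: TCP
      HealthCheckPort: "9000"
  # Two listeners on the same port, one per protocol, each forwarding to its own group.
  TcpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 9000
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TcpTargetGroup
  UdpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: UDP
      Port: 9000
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref UdpTargetGroup
```

Because the UDP target group is health-checked over TCP, the task behind it needs a TCP port mapping in addition to its UDP one, and the task security group must admit the health-check traffic from the NLB as well as the client traffic.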
