What should the protocol of the target group be for an Application Load Balancer, and how do I register targets?


The create service for the ECS console does not work. So what I am doing is creating all the security groups, load balancers, and target groups that I need beforehand and then creating the service. I create:

  • Security group A that allows HTTPS traffic on port 443 from the remote client to the Application Load Balancer
  • Security group B that allows HTTP traffic on port 8080 from the Application Load Balancer to the server in the task container
  • Application Load Balancer (ALB) using
    • security group A
    • a listener using HTTPS on port 443
    • target group T

So the target group for the ALB has a protocol and a health check protocol. The health check protocol I assume must be set to HTTP on port 8080 since that is what the service in the container needs. But I do not know what the protocol is. The default shows HTTPS:443, perhaps because the listener on the ALB (this target group was created from the EC2 load balancer creator) was HTTPS:443. I do not know what this protocol is referring to.

Now the registration page has you specify an IP address and 'include as pending below'.

Can I pick any IP address that is supported by my VPC? I do not know what 'include as pending below' means. Note that I have not created the service yet, but am just trying to set up the items needed in the service.

1 Answer

In the context of an Application Load Balancer (ALB), the protocol of the target group defines the protocol that the load balancer uses to communicate with the registered targets. This will typically be HTTP, but sometimes it is HTTPS depending on the use case.

The health check protocol is what the load balancer uses to check the health of its registered targets. This can be either HTTP or HTTPS, and it determines how to route traffic based on the results of the health checks.

For your situation, you could set both the target group's protocol and the health check protocol to HTTP. The ALB will receive traffic on HTTPS (due to the listener setup) and forward it to the targets using HTTP, which will be received on port 8080.

When it comes to registering targets, if you're working with Amazon ECS services, you don't manually specify an IP address. Instead, you associate the target group with the ECS service during the service creation. Amazon ECS will automatically register and deregister container instances with the load balancer.

In your case, you do not need to manually register any targets to the target group at this point. When you create the ECS service, you will specify this target group, and Amazon ECS will automatically register the tasks in your service with the target group using the IP of the ENI (Elastic Network Interface) that is attached to the task.

"Include as pending below" refers to targets that have not yet passed initial health checks. They are in the "initial" state and are not yet considered healthy or unhealthy. Remember to set the appropriate security groups for your ECS service to allow incoming traffic from the ALB to your ECS tasks.

So, once your target group, listener, and ALB are set up, you can proceed to create the ECS service and specify the target group in the service definition. Once the service is running and tasks are launched, they should be registered to the target group automatically, and you should be able to see incoming traffic being routed correctly.

answered 8 months ago
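The wiring the answer describes, as an added example that is not part of the original answer and not AWS-provided code: the target group speaks plain HTTP to the tasks on 8080 with the health check on the same port, the listener terminates HTTPS on 443, security group B admits 8080 only from the ALB's security group (no CIDR rule, so the plaintext hop never leaves the VPC), and the ECS service hands the target group ARN to ECS so it registers task IPs itself. The builder functions return boto3 parameter dicts and `check_wiring` flags the mismatches this thread runs into (target protocol left at HTTPS, target port left at 80, wrong security group) before anything is created; only `apply` talks to AWS. Assumptions labelled in the code: Fargate launch type, health check path `/` with a 200 matcher, and the placeholder names `app-tg`, `app-svc` and the `ids` keys.

```python
"""ALB -> ECS target-group wiring as boto3 parameter dicts.

Added example, not code from the original answer. VPC, ALB, certificate,
security-group, cluster and task-definition identifiers are placeholders
passed in by the caller; resource names "app-tg"/"app-svc", the "/" health
check path and the Fargate launch type are assumptions.
"""

CONTAINER_PORT = 8080  # the port the server inside the task container listens on


def target_group_params(name, vpc_id, container_port=CONTAINER_PORT):
    # Protocol/Port: how the ALB talks to the targets (plain HTTP on 8080).
    # TargetType "ip": ECS registers each task ENI's IP under awsvpc networking.
    return {
        "Name": name,
        "Protocol": "HTTP",
        "Port": container_port,
        "VpcId": vpc_id,
        "TargetType": "ip",
        "HealthCheckProtocol": "HTTP",
        "HealthCheckPort": "traffic-port",  # follows the target port, 8080 here
        "HealthCheckPath": "/",             # assumed; use the app's real endpoint
        "Matcher": {"HttpCode": "200"},
    }


def listener_params(alb_arn, tg_arn, cert_arn):
    # Clients speak HTTPS to the ALB; TLS terminates here, not in the task.
    return {
        "LoadBalancerArn": alb_arn,
        "Protocol": "HTTPS",
        "Port": 443,
        "Certificates": [{"CertificateArn": cert_arn}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": tg_arn}],
    }


def task_sg_ingress_params(sg_tasks, sg_alb, container_port=CONTAINER_PORT):
    # Security group B: only the ALB's security group may reach 8080.
    return {
        "GroupId": sg_tasks,
        "IpPermissions": [{
            "IpProtocol": "tcp",
            "FromPort": container_port,
            "ToPort": container_port,
            "UserIdGroupPairs": [{"GroupId": sg_alb}],
        }],
    }


def service_params(cluster, name, task_def, tg_arn, container_name,
                   subnets, sg_tasks, container_port=CONTAINER_PORT):
    # No manual target registration: ECS registers each task's IP for us.
    return {
        "cluster": cluster,
        "serviceName": name,
        "taskDefinition": task_def,
        "desiredCount": 1,
        "launchType": "FARGATE",  # assumed
        "loadBalancers": [{"targetGroupArn": tg_arn,
                           "containerName": container_name,
                           "containerPort": container_port}],
        "networkConfiguration": {"awsvpcConfiguration": {
            "subnets": subnets,
            "securityGroups": [sg_tasks],
            "assignPublicIp": "DISABLED"}},
    }


def check_wiring(tg, listener, sg_rule, svc):
    """Return a list of mismatches between the four pieces; [] means consistent."""
    problems = []
    lb = svc["loadBalancers"][0]
    perm = sg_rule["IpPermissions"][0]
    if tg["Protocol"] != "HTTP" or tg["HealthCheckProtocol"] != "HTTP":
        problems.append("target group and health check must be HTTP; TLS ends at the ALB")
    if tg["TargetType"] != "ip":
        problems.append("target type must be 'ip' for awsvpc tasks")
    if tg["Port"] != lb["containerPort"]:
        problems.append(f"target group port {tg['Port']} != containerPort {lb['containerPort']}")
    if (listener["Protocol"], listener["Port"]) != ("HTTPS", 443):
        problems.append("listener must be HTTPS:443")
    if listener["DefaultActions"][0]["TargetGroupArn"] != lb["targetGroupArn"]:
        problems.append("listener forwards to a different target group than the service uses")
    if perm["FromPort"] != lb["containerPort"] or perm["ToPort"] != lb["containerPort"]:
        problems.append("task security group does not open the container port")
    if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
        problems.append("task security group allows CIDR ingress; restrict it to the ALB's group")
    if sg_rule["GroupId"] not in svc["networkConfiguration"]["awsvpcConfiguration"]["securityGroups"]:
        problems.append("service does not use the task security group")
    return problems


def apply(ids):
    """Create everything in dependency order. Needs boto3 and AWS credentials.
    ids: vpc_id, alb_arn, cert_arn, sg_alb, sg_tasks, cluster, task_def,
    container_name, subnets (placeholder keys, supplied by the caller)."""
    import boto3  # imported here so the offline checks above need no dependency
    elbv2, ec2, ecs = boto3.client("elbv2"), boto3.client("ec2"), boto3.client("ecs")
    tg = elbv2.create_target_group(**target_group_params("app-tg", ids["vpc_id"]))
    tg_arn = tg["TargetGroups"][0]["TargetGroupArn"]
    elbv2.create_listener(**listener_params(ids["alb_arn"], tg_arn, ids["cert_arn"]))
    ec2.authorize_security_group_ingress(**task_sg_ingress_params(ids["sg_tasks"], ids["sg_alb"]))
    svc = service_params(ids["cluster"], "app-svc", ids["task_def"], tg_arn,
                         ids["container_name"], ids["subnets"], ids["sg_tasks"])
    return ecs.create_service(**svc)["service"]["serviceArn"]
```

Run `check_wiring` on the four dicts (with a placeholder target group ARN) before calling `apply`; a target group left at the console's HTTPS:443 default, or at port 80 while the container listens on 8080, shows up as a listed problem instead of as a service whose tasks never become healthy.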
  • This is a great answer and very thorough. The problem I have been having is that if I use the ECS service creator and specify the target group when I configure the load balancer, there is no option to set the advanced parameters of the target group and no option to set the target group port (I need 8080 and not the default 80 with HTTP). Also, there is no option to assign a security group to the ALB when configuring it in the service creator, and AWS assigns the wrong one. It uses the security group for the VPC network (which is HTTP 8080) and not the security group for the client to ALB (which is HTTPS 443).

    This is why I am trying to create all my entities ahead of time, but when creating the target group (from the create LB option on the EC2 page) I need to specify a target. Can I just skip that? I did not try to just skip it. Hope the UI lets me skip it if that is what I should do.

  • You can create an Empty Target Group and use that as the target when creating an ALB without issue

  • Gary: If I do that I have no option to set the health check advanced parameters. I need to set the accepted code to 401 (the default is 200). I also need to set the HTTP port to 8080 (the default is 80), and these cannot be done when creating a new target group in the create service option.

    By the way, when I create the service it takes forever - 40+ minutes. So far, the deployment always fails, and it will likely happen again in another 30 minutes as I try the above suggestions. Is there any way to get the REASON for the deployment failure? All that happens is a retry.

  • I have done all those things, and still I get a failed deployment after a VERY long wait (40 minutes). No information on WHY the deployment failed. Just failed and it tries again and again and again each time taking forever.
