
I have created a number of ECS services this way, but I find that from time to time I struggle to get everything right. I want to get some feedback from the community on whether there are any issues with the following steps:

Background:

The ECS cluster creates instances on a non-default VPC.

Steps:

  1. Create a new task. Map port 0 to the exposed port 8080.

  2. Create a new Application Load Balancer. Make sure it uses the right target VPC.

  3. Create a service in the cluster. Choose the ALB created in the previous step. Add the target group to the load balancer.

  4. Go to the relevant security group and make sure inbound traffic on ports 0-65535 is allowed.

Do the above steps make sense to you? Can they be further streamlined?

Anthony Kong
  • *"Go to the relevant security group and make sure port 0-65535 of inbound traffic are allowed"* Why 0-65535? Wouldn't this just be 8080? Or whatever port your service is bound/mapped to? Inbound security groups are only interested in the target port. – Michael - sqlbot Aug 29 '17 at 02:03
  • @Michael-sqlbot ECS uses ephemeral ports, though http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html states it will use 49153+, certainly 32768+. No reason to expose 22 unnecessarily. – Jason Martin Aug 29 '17 at 03:29
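The four steps above and the comment thread about narrowing step 4, as an added example that is not part of the original question or answers: it builds the task definition with a dynamic host port, builds a security-group rule that admits only the ALB's security group on the ephemeral range, and audits an existing rule set for the over-broad "0-65535 from anywhere" pattern. The dict shapes match boto3's `ecs.register_task_definition` and `ec2.authorize_security_group_ingress` parameters; the security-group IDs, image name and the 32768-65535 range (from the comment above) are assumptions.

```python
# Constructed example: no AWS calls are made; the returned dicts are the exact
# keyword arguments boto3 expects, so a caller can pass them straight through.
ECS_EPHEMERAL_RANGE = (32768, 65535)  # assumed dynamic host-port range per the comment above


def task_definition(family, image, container_port=8080):
    """Step 1: hostPort 0 tells the ECS agent to pick an ephemeral host port."""
    return {
        "family": family,
        "containerDefinitions": [{
            "name": family, "image": image, "memory": 256,
            "portMappings": [{"containerPort": container_port, "hostPort": 0, "protocol": "tcp"}],
        }],
    }


def instance_ingress_rule(instance_sg_id, alb_sg_id, port_range=ECS_EPHEMERAL_RANGE):
    """Step 4, least-privilege form: only the ALB's security group may reach the
    ephemeral range on the container instances (instead of 0-65535 from anywhere)."""
    lo, hi = port_range
    return {
        "GroupId": instance_sg_id,
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
                           "UserIdGroupPairs": [{"GroupId": alb_sg_id}]}],
    }


def audit_ingress(ip_permissions, alb_sg_id):
    """Review an instance SG's IpPermissions (the shape ec2.describe_security_groups
    returns) and report rules broader than the ALB->ephemeral-range rule needs."""
    findings = []
    for p in ip_permissions:
        if p.get("IpProtocol") == "-1":          # "all traffic" rules carry no port fields
            lo, hi = 0, 65535
        else:
            lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        open_cidrs = [r["CidrIp"] for r in p.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        foreign_sgs = [g["GroupId"] for g in p.get("UserIdGroupPairs", []) if g["GroupId"] != alb_sg_id]
        if open_cidrs:
            findings.append(f"ports {lo}-{hi} open to the internet (0.0.0.0/0)")
        if foreign_sgs:
            findings.append(f"ports {lo}-{hi} reachable from non-ALB group(s) {foreign_sgs}")
        if lo < ECS_EPHEMERAL_RANGE[0]:
            findings.append(f"ports {lo}-{hi} include ports below the ephemeral range (e.g. 22)")
    return findings
```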

1 Answer

#4 should be done first as it'll cause tasks to appear unhealthy if the ALB cannot reach the container.

#2,3 are in the correct order, then #1 can be done before or after 2,3.

Jason Martin