
I am starting in AWS and server management in general and just set up a deployment pipeline with ECS and some containers.

My container:

  • My host port is 0 and redirected to container port 4200 (Angular default port)
  • Is behind an Application Load Balancer
  • A dynamic port is assigned

While I read the port mapping and load balancing documentation, I can't wrap my head around how I can retrieve that port automatically and route it to port 80. What I want is basically to access my website without a port specification in the URL.

I know I can find the default port range here: /proc/sys/net/ipv4/ip_local_port_range

Where I am currently stuck:

1 - How can the chosen ephemeral port be mapped to the default HTTP traffic port (80)?

2 - How can I make sure that if the port is already in use, I still fetch the right port in the ephemeral port range so that this one can be mapped to 80?

phadaphunk
  • Why are you trying to use an ephemeral port? – Michael Hampton Aug 09 '18 at 16:31
  • @MichaelHampton When I mapped it directly, I had trouble when trying to push a newer version and often got an error because the 4200 port was already in use. Probably due to the fact that the previous version of the service wasn't killed before the deployment. I read online about dynamic port mapping to work around that issue. – phadaphunk Aug 09 '18 at 16:38

2 Answers

1

You can check what service is running on each port with:

  • lsof -i :port -S
  • netstat -a | grep port

As for the main part of your question, I would use nginx. You can run Angular on localhost:someport and proxy your site.com:80 to localhost.

1

The thing that can make this tricky to understand is that there are actually three ports to consider here:

  1. The external port of the Application Load Balancer (ALB) - the listener
  2. The 'host port' of the EC2 instance(s) running on your ECS cluster
  3. The 'container port' of the application running inside your container

The magic happens when you specify a 'host port' of 0: this is an instruction to ECS to start the container with a random ephemeral port exposed on the EC2 ECS host instance, allowing you (for example) to run two instances of the same container on the same EC2 instance. You don't really need to understand which port is in use (except maybe for diagnostics) as ECS/ALB take care of mapping it dynamically - except that you do need to ensure the security group of your ECS instances allows all ephemeral port ranges from the ALB - otherwise the traffic won't pass from the ALB to the application.

The internal container port of 4200 can be the same for each container instance because it is only visible inside the container itself.

Then in order for your application to use port 80 - so it is a seamless experience for your users - it is the ALB listener port that should be port 80, as it is the ALB that your users will connect to - i.e. http://yourapplication.com/ is a CNAME to the ALB DNS name.

Some more details on setting this up can be found here:

How do I set up dynamic port mapping for Amazon ECS?

And here:

Dynamic Port Mapping in ECS with Application Load Balancer

Finally, while your goal is to export port 80, I would highly suggest using HTTPS on 443 on the load balancer, as you can obtain a certificate for the ALB for free from AWS. Any services exposed today really should be making use of TLS (SSL) where possible.

Of course if you do want your users to still access via HTTP and redirect them - thankfully since just last month you can now use the redirect action on the ALB to do this natively in the ALB by attaching a redirect rule to a port 80 listener. More details here:

Listeners for Your Application Load Balancers

Alex Moore
  • When reading your answer it is clear the entry port was that of the ALB and that a redirection should be done underneath automatically. That was where I got it wrong, by trying to make the ALB aware of which ephemeral port was assigned when simply allowing the whole range was enough. Thanks so much! – phadaphunk Sep 10 '18 at 12:30
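
The security group requirement from the accepted answer can be checked mechanically. The following is an added example, not code from either answer: it audits the ingress rules of an ECS host security group (in the IpPermissions shape returned by EC2 DescribeSecurityGroups) to confirm the ephemeral range is reachable from the ALB's security group and is not open to the internet. The range 32768-65535, the group ID and the sample rules are assumptions constructed for illustration.

```python
# Added example (not from the original answer): audit an ECS host security group.
# Rules use the IpPermissions shape returned by EC2 DescribeSecurityGroups.
EPHEMERAL = (32768, 65535)  # assumption: verify on the host via ip_local_port_range

def _span(rule):
    """Port span of a rule; protocol -1 means all traffic, non-TCP is ignored."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    if rule["IpProtocol"] != "tcp":
        return None
    return (rule["FromPort"], rule["ToPort"])

def audit(ip_permissions, alb_sg_id, port_range=EPHEMERAL):
    """Return findings; an empty list means the ALB-only rule is in place."""
    lo, hi = port_range
    findings, alb_ok = [], False
    for rule in ip_permissions:
        span = _span(rule)
        if span is None or span[0] > hi or span[1] < lo:
            continue  # rule does not touch the ephemeral range
        groups = {g["GroupId"] for g in rule.get("UserIdGroupPairs", [])}
        # Simplification: one rule must cover the whole range for the ALB.
        if alb_sg_id in groups and span[0] <= lo and span[1] >= hi:
            alb_ok = True
        cidrs = [c["CidrIp"] for c in rule.get("IpRanges", [])]
        cidrs += [c["CidrIpv6"] for c in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"ports {span[0]}-{span[1]} open to {cidr}")
    if not alb_ok:
        findings.append("ALB security group cannot reach the full ephemeral range")
    return findings

# Constructed sample data; the group IDs are placeholders.
ALB_SG = "sg-alb-placeholder"
SCOPED = [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
           "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]
TOO_OPEN = [{"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]
TOO_NARROW = [{"IpProtocol": "tcp", "FromPort": 4200, "ToPort": 4200,
               "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]

if __name__ == "__main__":
    for name, rules in [("scoped", SCOPED), ("too_open", TOO_OPEN),
                        ("too_narrow", TOO_NARROW)]:
        print(name, audit(rules, ALB_SG))
```

The TOO_NARROW case mirrors allowing only the container port 4200 on the host: with a host port of 0 the ALB targets a port in the ephemeral range, so that rule never matches the traffic.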