
Here is my setup:

Route53 Alias Record -> Network Load Balancer -> Fargate/ECS Cluster

The containers in the cluster have their own TLS certificates and have ports 80 and 443 open. The http server in the container sends a 302 redirect to port 443 if you access port 80, so users don't have to type the full https url.

Everything works fine EXCEPT I can't find a way to have the NLB forward more than one port.

In the ECS Service description, you can map your service to ELB target groups, but you can only specify one mapping per service (LoadBalancers is a list type, but it only allows one entry) and it has to include a port, i.e.:

EcsService:
  Type: AWS::ECS::Service
  Properties:
    Cluster: !Ref EcsCluster
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 0
    ServiceName: ecs-service
    LaunchType: FARGATE
    LoadBalancers:
    - ContainerName: !Ref ContainerName
      ContainerPort: 443
      TargetGroupArn: !Ref TargetGroup
    DesiredCount: 1
    TaskDefinition: !Ref TaskDefinition
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: ENABLED
        SecurityGroups:
          - !Ref SecurityGroup
        Subnets:
          - !Ref Subnet

I considered doing the mapping the other way, i.e. specifying the targets in the TargetGroup definition, but the docs state that for ip targets you have to specify an IP address as the target (not a reference to the service) - so as containers get deleted and added, it seems this would fail too.

Am I missing something here? I'm trying to avoid using an ALB to accomplish this.

tunecrew
  • Can I ask why are you trying to avoid using an ALB? The *Listener Rules* can even redirect from HTTP to HTTPS for you. What's the reason why you insist on NLB? – MLu May 06 '19 at 03:08

2 Answers


Can I ask why are you trying to avoid using an ALB? It's a perfect fit for web-based services, can do SSL termination for you, supports multiple ports, you can add authentication through Cognito, etc. Is there something ALB can't do for you in your setup?

IMO people are overusing NLB and I still don't understand why...

MLu

So to answer my own question - this is not directly possible with NLBs. My solution, however, was quite simple.

I created a second service and task definition in the same ECS cluster consisting of a very lightweight container (nginx-alpine) that simply responds to port 80 with a 301 redirect to port 443.

The listener for port 80 points to a TargetGroup mapped to this second service, so an http request to port 80 gets redirected immediately to the https version of the same request, which goes to the listener for port 443, which points to the actual app.

It is working very well and uses minimal resources.

The nginx.conf is:

events {}
http {
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
}
tunecrew
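The load balancer wiring the accepted answer describes, written out as an added example in the same CloudFormation style as the question (this is not code from the original question or answer). It assumes the question's template already defines VpcId, Subnet, SecurityGroup, EcsCluster and the app-side TargetGroup/EcsService shown above, and that RedirectImage is a parameter naming an image built from nginx:alpine with the answer's nginx.conf copied to /etc/nginx/nginx.conf (a private ECR image would additionally need an ExecutionRoleArn on the task definition). Two points a practitioner would want to check: ECS refuses to register targets in a target group that is not yet attached to a listener, hence the DependsOn; and with TargetType ip and default target-group attributes the tasks see the NLB nodes' private VPC addresses as the source of both health checks and client traffic, so the task security group must admit ports 80 and 443 from the VPC CIDR (or from the client range if client IP preservation is enabled on the target group). Since this thread was written, ECS has also started accepting more than one entry in a service's LoadBalancers list, which allows a single app service to register with both target groups; the layout below is the answer's two-service approach.

```yaml
# Added example, not the original poster's template.
# Assumed to exist elsewhere in the stack: VpcId, Subnet, SecurityGroup,
# EcsCluster, TargetGroup (app, port 443) and EcsService from the question.
# Assumed parameter: RedirectImage (nginx:alpine + the answer's nginx.conf).

Nlb:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Type: network
    Scheme: internet-facing
    Subnets:
      - !Ref Subnet

# 443 -> the application target group from the question (TLS stays in the app)
HttpsListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref Nlb
    Port: 443
    Protocol: TCP
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref TargetGroup

# 80 -> the redirect-only target group; the app's own port 80 is never reached
HttpListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref Nlb
    Port: 80
    Protocol: TCP
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref RedirectTargetGroup

RedirectTargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    VpcId: !Ref VpcId
    TargetType: ip          # required for Fargate (awsvpc) tasks; ECS registers task IPs
    Protocol: TCP
    Port: 80
    HealthCheckProtocol: TCP

RedirectTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: http-redirect
    RequiresCompatibilities:
      - FARGATE
    NetworkMode: awsvpc
    Cpu: '256'              # smallest Fargate size; nginx returning 301s needs no more
    Memory: '512'
    ContainerDefinitions:
      - Name: redirect
        Image: !Ref RedirectImage
        Essential: true
        PortMappings:
          - ContainerPort: 80

RedirectService:
  Type: AWS::ECS::Service
  DependsOn: HttpListener   # target group must be attached to a listener before ECS can register targets
  Properties:
    Cluster: !Ref EcsCluster
    ServiceName: http-redirect
    LaunchType: FARGATE
    DesiredCount: 1
    TaskDefinition: !Ref RedirectTaskDefinition
    LoadBalancers:
      - ContainerName: redirect
        ContainerPort: 80
        TargetGroupArn: !Ref RedirectTargetGroup
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: ENABLED
        SecurityGroups:
          - !Ref SecurityGroup
        Subnets:
          - !Ref Subnet
```

Because the NLB forwards raw TCP, nothing in this layout inspects or terminates TLS: the 301 is issued by the redirect container and the certificate is still served by the application container, exactly as in the question's setup.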