ALB & Target group timeouts with unhealthy status on dynamic port

amazon-ecs, elastic-beanstalk, load balancing

I launched a Beanstalk multi-container instance and it's working fine. I then tried to set up dynamic port mapping and set the host port to 0. I allowed port range 32768 – 60999 for the EC2 instance security group and I can access nginx using the newly assigned dynamic port from browser/curl.

So, then I created an ALB & target group to support the dynamic port from the ECS service. Like I can access the app directly by hitting instance_public_id:33084 publicly.

Currently there is nothing running on port 80. So, the image below is valid in that case. But it should work in case of dynamic port.


Application Load balancer forwarding request to the above target group.

Things I tried.

I ssh into the instance and launched SimpleHTTPServer on port 80. In target group port 80 status becomes active as expected. I can also access that from load balancer DNS.

Setup: Send email whenever a request to /service/ is sent. (No email so far). Although on hitting public_ip_instance:dynamic_port I am getting emails.

Also tried allowing all inbound traffic in the attached security group of the instance.

FYI, I have added all subnet zones to ALB and everything is running in only one default VPC.

I am running out of ideas at this point.
Any workaround I can do?

Best Answer

Run tcpdump on the node to see if there are any connections coming in from the ALB. Also check there are no NACLs that prevent access between the two. Is the ALB a member of a security group that can reach the node on that port?
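The security group question in the answer can be checked offline against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not part of the original answer; the group ID, the ALB node IP and the three sample rule sets are constructed, and only the port 33084 and the range 32768–60999 come from the question.

```python
import ipaddress

ALB_SG = "sg-0a1b2c3d4e5f00001"   # constructed security group ID of the ALB
ALB_IP = "172.31.5.10"            # constructed private IP of an ALB node

def perm(lo, hi, cidrs=(), groups=()):
    """Build one TCP ingress entry in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed instance security groups covering three cases:
ONLY_80 = {"IpPermissions": [perm(80, 80, groups=[ALB_SG])]}              # dynamic ports blocked
WORLD_OPEN = {"IpPermissions": [perm(32768, 60999, cidrs=["0.0.0.0/0"])]}  # works, but exposed
ALB_ONLY = {"IpPermissions": [perm(32768, 60999, groups=[ALB_SG])]}        # scoped to the ALB

def check_ingress(sg, port, alb_sg=ALB_SG, alb_ip=ALB_IP):
    """Report which ingress rules let the ALB reach tcp/port on the instance."""
    addr = ipaddress.ip_address(alb_ip)
    via, world_open = [], False
    for p in sg.get("IpPermissions", []):
        proto = p.get("IpProtocol")
        if proto == "-1":
            pass  # "-1" means all protocols and all ports
        elif proto != "tcp" or not p["FromPort"] <= port <= p["ToPort"]:
            continue
        # Rule references the ALB's security group directly
        for g in p.get("UserIdGroupPairs", []):
            if g["GroupId"] == alb_sg:
                via.append(alb_sg)
        # Rule allows a CIDR that contains the ALB node's private IP
        for r in p.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if addr in net:
                via.append(r["CidrIp"])
            if net.prefixlen == 0:
                world_open = True  # 0.0.0.0/0: port is open to everyone
    return {"reachable": bool(via), "via": via, "world_open": world_open}

if __name__ == "__main__":
    for name, sg in [("only-80", ONLY_80), ("world-open", WORLD_OPEN),
                     ("alb-only", ALB_ONLY)]:
        print(name, check_ingress(sg, 33084))
```

This covers security groups only; NACLs and the tcpdump check from the answer still have to be verified separately.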
