- I have a service on AWS ECS deployed using Fargate.
- This service uses a Network Load Balancer (NLB) to allow an Elastic IP to be associated with the service.
- This is not an HTTP service and is using port 5060 (SIP), hence the choice of an NLB.
I am not quite understanding something in regards to the health checks. If I limit access in the Security Group associated with the service to just a few /32 (single IPs) for the traffic port, the service is marked unhealthy. If I allow access to the world to the traffic port the service is marked healthy. If I allow access to just the internal CIDR block including the NLB, the service is marked healthy — BUT that also allows world access to the port.
I tried making the health check use another port on the container, but this is less than ideal and I didn't get that working successfully. While I'd welcome an answer that detailed how to set that up properly given my Fargate/NLB/Elastic IP requirement, I'd rather have the traffic port just be the health check port, but I need to understand a way to deny world access to the port.
Best Answer
You'll have to figure out where the health checks come from and whitelist those IPs. Since it's a Fargate container and you presumably don't have SSH access to it, you can try one of these avenues:
You also mention that when you whitelist the internal VPC IP range the service gets open to the world. That doesn't sound right - can you post a screenshot of your Security Group settings in that case?
Hope that helps :)
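The whitelisting the answer describes, as an added example that is not part of the original post: NLB health checks are sent from the private IPs of the load balancer's own network interfaces, so those /32s need an ingress rule alongside the few peer /32s. The ENI records below are constructed sample data in the shape `aws ec2 describe-network-interfaces` returns (the NLB's interfaces carry a description of the form `ELB net/<nlb-name>/<id>`); the NLB name `sip-nlb` and the peer address are assumptions.

```python
from ipaddress import ip_network

# Constructed sample (not real data) of describe-network-interfaces output.
# An NLB owns one ENI per subnet it is attached to; health checks originate
# from these private addresses, not from the client or the VPC at large.
SAMPLE_ENIS = [
    {"Description": "ELB net/sip-nlb/0123456789abcdef",
     "InterfaceType": "network_load_balancer", "PrivateIpAddress": "10.0.1.25"},
    {"Description": "ELB net/sip-nlb/0123456789abcdef",
     "InterfaceType": "network_load_balancer", "PrivateIpAddress": "10.0.2.41"},
    {"Description": "ELB net/other-nlb/fedcba9876543210",
     "InterfaceType": "network_load_balancer", "PrivateIpAddress": "10.0.1.77"},
    {"Description": "Fargate task ENI",
     "InterfaceType": "interface", "PrivateIpAddress": "10.0.1.99"},
]


def nlb_private_ips(enis, nlb_name):
    """Private IPs of the named NLB's nodes: the sources of its health checks."""
    prefix = f"ELB net/{nlb_name}/"
    return sorted(e["PrivateIpAddress"] for e in enis
                  if e["Description"].startswith(prefix))


def build_ingress(port, protocol, client_cidrs, nlb_ips):
    """IpPermissions for authorize-security-group-ingress: the allowed SIP peers
    plus the NLB nodes, each as a /32, and nothing wider. With client IP
    preservation on, real peer traffic arrives with the peer's address, so the
    peer rules still apply; only the health checks come from the NLB IPs."""
    ranges = [{"CidrIp": str(ip_network(c)), "Description": "SIP peer"}
              for c in client_cidrs]
    ranges += [{"CidrIp": f"{ip}/32", "Description": "NLB node (health checks)"}
               for ip in nlb_ips]
    return [{"IpProtocol": protocol, "FromPort": port, "ToPort": port,
             "IpRanges": ranges}]


def opens_to_world(permissions):
    """True if any rule is 0.0.0.0/0; a VPC CIDR such as 10.0.0.0/16 is not world."""
    return any(ip_network(r["CidrIp"]).prefixlen == 0
               for p in permissions for r in p["IpRanges"])


if __name__ == "__main__":
    ips = nlb_private_ips(SAMPLE_ENIS, "sip-nlb")
    perms = build_ingress(5060, "tcp", ["203.0.113.10/32"], ips)
    print(perms, "world-open:", opens_to_world(perms))
```

NLB health checks are TCP (or HTTP/HTTPS) even when the listener is UDP, so for a UDP listener the NLB-node rule must be a `tcp` rule on the health check port.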