Here is my setup:
Route53 Alias Record -> Network Load Balancer -> Fargate/ECS Cluster
The containers in the cluster have their own TLS certificates and have ports 80 and 443 open. The HTTP server in the container sends a 302 redirect to port 443 if you access port 80, so users don't have to type the full HTTPS URL.
Everything works fine EXCEPT I can't find a way to have the NLB forward more than one port.
In the ECS Service description, you can map your service to ELB target groups, but you can only specify one mapping per service (LoadBalancers is a list type, but it only allows one entry) and it has to include a port, i.e.:

EcsService:
  Type: AWS::ECS::Service
  Properties:
    Cluster: !Ref EcsCluster
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 0
    ServiceName: ecs-service
    LaunchType: FARGATE
    LoadBalancers:
      - ContainerName: !Ref ContainerName
        ContainerPort: 443
        TargetGroupArn: !Ref TargetGroup
    DesiredCount: 1
    TaskDefinition: !Ref TaskDefinition
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: ENABLED
        SecurityGroups:
          - !Ref SecurityGroup
        Subnets:
          - !Ref Subnet
I considered doing the mapping the other way, i.e. specifying the targets in the TargetGroup definition, but the docs state that for ip targets you have to specify an IP address as the target (not a reference to the service) – so as containers get deleted and added, it seems this would fail too.
Am I missing something here? I'm trying to avoid using an ALB to accomplish this.
Best Answer
Can I ask why you are trying to avoid using an ALB? It's a perfect fit for web-based services, can do SSL termination for you, supports multiple ports, you can add authentication through Cognito, etc. Is there something ALB can't do for you in your setup?
IMO people are overusing NLB and I still don't understand why...
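For reference, here is what the ALB-based layout the answer recommends looks like in CloudFormation. This is an added example, not part of the question or the answer: it assumes a `Vpc`, a second subnet `Subnet2` (an ALB needs subnets in at least two AZs) and an ACM certificate parameter `CertificateArn` exist elsewhere in the template, and it keeps the existing `TargetGroup` name and the ECS service's single `ContainerPort: 443` mapping. The ALB terminates TLS on 443, re-encrypts to the container's own certificate, and takes over the 80-to-443 redirect so the container no longer has to serve plaintext HTTP at all.

```yaml
# Added example (not from the original post): ALB terminating TLS and
# redirecting HTTP, in front of the same Fargate service and target group.
Alb:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Type: application
    Scheme: internet-facing
    Subnets:
      - !Ref Subnet
      - !Ref Subnet2            # assumed: ALB requires two AZs
    SecurityGroups:
      - !Ref SecurityGroup      # allow 80/443 in; only 443 to the tasks
TargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    VpcId: !Ref Vpc             # assumed to exist in the template
    Port: 443
    Protocol: HTTPS             # ALB re-encrypts to the container's cert
    TargetType: ip              # required for Fargate (awsvpc) tasks
    HealthCheckProtocol: HTTPS
    HealthCheckPath: /
HttpsListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref Alb
    Port: 443
    Protocol: HTTPS
    SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2+ only
    Certificates:
      - CertificateArn: !Ref CertificateArn          # assumed parameter
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref TargetGroup
HttpRedirectListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref Alb
    Port: 80
    Protocol: HTTP
    DefaultActions:
      - Type: redirect          # replaces the container's own 302
        RedirectConfig:
          Protocol: HTTPS
          Port: "443"
          StatusCode: HTTP_301
```

With this in place the ECS service's `LoadBalancers` entry stays exactly as in the question (one target group on container port 443), and port 80 can be dropped from the task's security group since only the ALB ever listens on it.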