[Screenshots from the original question: ECS Settings, Network Config, Tasks and Containers, Deployment Config, Health Config, Ingress Security Group, Egress Security Group]

A few more things:
  1. The Dockerfile ports to 443
  2. The container has port 443 mapped to 443 and 8080 to 8080
  3. The ALB is listening on 443
  4. The target group is on 443 and 8080
Open question:

The issue is that the service and task are running the container; however, I can't access it via the public IP or the load balancer DNS.

They are healthy instances on Fargate, and show no sign of failure or rebooting constantly. The health check is 600 seconds, and min health is 50% max 200%.

I would like to know if there is anything that sounds out of the ordinary with the information I provided. I have thoroughly checked my configuration; however, everyone makes mistakes.

Thank you for reading.

Ventti
  • Can you post details of your ALB, Target Group and security group settings? Why port 443? Do you have SSL certificates set up for that? – Marcin Feb 06 '21 at 02:11
  • Yep, I'll update now. The Docker app I'm uploading ports to 443, so when I run on localhost I have to run with ports 443:443 – Ventti Feb 06 '21 at 02:22

1 Answer

4

Not sure if this may help: as you are using Fargate, each task has an ENI with a security group. In your explanation, you show only one security group (the ALB one?); you need to check the sg for the task as well. More details here. You should consider dynamic port mapping for your task, with the SG allowing connections only from the ALB's SG on the ephemeral port range (32768 to 61000 for the Amazon ECS-optimized AMI), FYI.

Cyril G.
  • Yes, so my ENI has its own sg with: Egress [All, All, 0.0.0.0/0] and Ingress [(80, tcp, 0.0.0.0/0), (All, All, 0.0.0.0/0), (443, tcp, 0.0.0.0/0)]. – Ventti Feb 06 '21 at 10:32
  • *** It should be noted that this very image works perfectly on my machine when I run it locally and port to localhost:443 through Docker. Moreover, there is a stack trace that I manufactured to output only when the application is running, and that is coming through via the task logs; the issue lies solely with the porting of the application with ECS. – Ventti Feb 06 '21 at 10:33
  • 2
    This is normal, as the network mode is specific to AWS (awsvpc). The best way to debug is to check the VPC/ENI logs; you can see if your request is ACCEPT or not. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html – Cyril G. Feb 06 '21 at 10:42
  • I appreciate your help, I'll read through that link now. I just marked your answer as accepted (even though I'm not sure it solved the issues). Thank you, it isn't working yet but I'll be up all night trying to fix it. – Ventti Feb 06 '21 at 11:07
  • 2
    You should read about ALB + SSL: if you are doing SSL termination in the Docker container, you should use a Network LB instead of an ALB. For ALB, it is doing SSL termination; you will need 2 certificates (one client <-> ALB, one ALB <-> docker). Good luck! – Cyril G. Feb 06 '21 at 11:12
  • So my Docker image ports to 443, same as the Python code it runs using Flask. It has one SSL cert attached. I have it set up so that all my resources map to 443 and 80 with 0.0.0.0/0 as source. Also, I just checked the ENI; are you referring to the flow logs? – Ventti Feb 06 '21 at 11:19
  • Currently I am not using an ALB... I am just running a task without a service and even that isn't working. I have an SSL within the Docker; do I need another one? – Ventti Feb 06 '21 at 11:20
  • 1
    If you don't use ALB, you don't need it. One question: can you confirm the VPC and subnet are correctly configured to access the internet (IGW + route table + public IP)? – Cyril G. Feb 06 '21 at 12:11
  • I'm going through [this](https://medium.com/faun/understanding-dynamic-port-mapping-in-amazon-ecs-with-application-load-balancer-bf705ee0ca8e) so I'm testing the configuration with ALB. But yes, even without ALB it wasn't working; any ideas? – Ventti Feb 06 '21 at 12:15
  • It is hard to say like this... if timeout, it is more likely to be a network setting (sg, route table, etc.); if connection refused, maybe SSL. You can check if HTTP works first. You can try to connect from an EC2 in the same subnet also. – Cyril G. Feb 06 '21 at 12:21
  • I am going to remove all possible points of failure and just try to get one container running on ECS with access through HTTP. Is this hard? I can scale up tomorrow if I solve that first, but for now I will focus on why it isn't working for just the one instance. I have an SSL cert my boss gave me, a Docker image that historically works (porting to 443), and a can-do attitude. Are there any other resources that might be helpful? – Ventti Feb 06 '21 at 12:41
  • So I was able to get my container working with HTTPS, but the only way I am able to access them via HTTPS is through the ENI DNS? I have them connected to an ALB but it isn't working? The targets are draining and then failing?? – Ventti Feb 07 '21 at 03:52
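The answer and the follow-up comment recommend reading the task ENI's VPC flow logs to see whether inbound requests are ACCEPT or REJECT, and note that a timeout points at network settings while a refused connection points at the app or TLS. The helper below is an added example, not code from the question or answer: it parses default version-2 flow-log records and triages inbound flows to a task IP and port into "rejected by SG/NACL", "accepted and answered" or "accepted but nothing replied". The records, IPs and ENI id are constructed placeholders.

```python
"""Triage VPC flow-log records for a Fargate task ENI (added example)."""
from collections import defaultdict

# Default flow-log version-2 field order (14 space-separated fields).
FIELDS = ("version account interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VERDICT_REJECT = "REJECT: a security group or NACL drops traffic to this port"
VERDICT_REPLIED = "ACCEPT with reply: network path is fine, look at the app/TLS"
VERDICT_SILENT = "ACCEPT but no reply: nothing answered on this port (app not listening?)"

# Constructed sample records; eni-PLACEHOLDER and the addresses are not real.
SAMPLE_LOG = """\
2 123456789012 eni-PLACEHOLDER 203.0.113.10 10.0.1.25 51000 443 6 3 180 1612600000 1612600060 REJECT OK
2 123456789012 eni-PLACEHOLDER 10.0.2.40 10.0.1.25 32768 443 6 5 420 1612600000 1612600060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 10.0.1.25 10.0.2.40 443 32768 6 4 900 1612600000 1612600060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.7 10.0.1.25 40000 8080 6 2 120 1612600000 1612600060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER - - - - - - - 1612600000 1612600060 - NODATA
"""

def parse_record(line):
    """Return a dict for a well-formed v2 record with log_status OK, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None  # drop NODATA/SKIPDATA

def triage(lines, task_ip, port):
    """Map each client IP that sent TCP to task_ip:port to a verdict string."""
    actions = defaultdict(set)   # client ip -> actions seen on inbound flows
    replied = set()              # clients that got an ACCEPTed reply from task_ip:port
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["protocol"] != "6":      # TCP only
            continue
        if rec["dstaddr"] == task_ip and rec["dstport"] == str(port):
            actions[rec["srcaddr"]].add(rec["action"])
        elif (rec["srcaddr"] == task_ip and rec["srcport"] == str(port)
              and rec["action"] == "ACCEPT"):
            replied.add(rec["dstaddr"])
    verdicts = {}
    for client, seen in actions.items():
        if "REJECT" in seen:
            verdicts[client] = VERDICT_REJECT
        elif client in replied:
            verdicts[client] = VERDICT_REPLIED
        else:
            verdicts[client] = VERDICT_SILENT
    return verdicts

if __name__ == "__main__":
    for port in (443, 8080):
        for client, verdict in triage(SAMPLE_LOG.splitlines(), "10.0.1.25", port).items():
            print(f"{client} -> :{port}: {verdict}")
```

On a real log, export the ENI's flow-log records from CloudWatch Logs and pass the lines in place of `SAMPLE_LOG`; a REJECT verdict means the task's security group (or the subnet NACL) is the thing to fix, and the least-privilege fix from the answer is to allow the container port only from the ALB's security group.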