
I have an httpd container with ECS service along with ALB.

The container and ALB are using the dynamic port feature, which means the host port is set to 0. If I SSH into an instance container and curl localhost:port number, it works.

But when I try to use the ALB DNS name, it returns a 504.

The ALB security group allows HTTP 80 connections from anywhere, and the instance SG allows any connection on any port from the ALB SG.

Interestingly, when I check the target group associated with the ALB, all the instances are unhealthy.

Update: I tried opening the security group of the ECS container to the public, and yet the instances were not healthy.

Jatin Mehrotra

1 Answer

You need to check the events of the ECS service and see what the exact error message is. If it states something like port 45675 is unhealthy, then you need to check your security group configuration; it should get rid of the 504 error message. If it states health check failed (this should give 502), then you should SSH into the container, check which port the application is running on, and create a new service with the modification.

Assuming you have configured the health check for the traffic port and haven't modified it.

The httpd service generally works on port 80, so I'd suggest using 80 as the container port.

504 is a Gateway Timeout error. If the above information doesn't help, you can look at the AWS link here - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-http-5xx/

If you can share the error message from the ECS events, that will help in narrowing down the issue.

Adding the screenshots of the changes I made to fix the issue, I hope it helps. I am assuming you are using the default httpd image -

Attaching Load balancer to the Service

Modified the security groups to allow the health checks on the ephemeral ports

Target Health

Health Check Configuration

Load Balancer Details

Gurpreet Singh
  • I did check the events of the ECS service; it states `unhealthy in target-group ecs-dva-cl-dva-alb due to (reason Health checks failed)`. I even did SSH into my container and the service is running perfectly. But why should I create a new service? The whole idea is to create a service with dynamic port mapping with the ALB. The container port is also set to 80, and the host port is set to 0 for the dynamic port feature. – Jatin Mehrotra Feb 25 '22 at 01:51
  • I mentioned creating a new service if the port used is different, because we cannot modify the port association of the load balancer once it is created while creating the service. – Gurpreet Singh Feb 26 '22 at 13:55
  • Added the screenshots of the changes that I made which fixed this error message while using the default httpd image and a service using dynamic port mapping. – Gurpreet Singh Feb 26 '22 at 14:01
  • If your security group only allows certain IPs into your instances, then could that block the ALB from communicating with them? Guessing in such a case it may be best to keep the web servers private and the LB public, or to add the LB IP to the instance security group (not sure how to configure that with Terraform). – mike01010 Aug 09 '23 at 05:38
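
The security-group check discussed in the answer, as an added example that is not part of the original answer or comments: it takes one security group in the JSON shape returned by `aws ec2 describe-security-groups` and reports which dynamic host ports the ALB's group cannot reach, plus any rules left open to the world. The 32768-65535 range, the group IDs and the sample rules are assumptions constructed for illustration.

```python
# Added example. Group IDs and rules below are constructed, not from the post.
EPHEMERAL = (32768, 65535)  # assumed dynamic host-port range; confirm on the instance

def uncovered_ports(instance_sg, alb_sg_id, port_range=EPHEMERAL):
    """Return sub-ranges of port_range that alb_sg_id is NOT allowed to reach."""
    lo, hi = port_range
    allowed = []
    for perm in instance_sg.get("IpPermissions", []):
        sources = [p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])]
        if alb_sg_id not in sources:
            continue
        if perm.get("IpProtocol") == "-1":       # all protocols, all ports
            allowed.append((0, 65535))
        elif perm.get("IpProtocol") == "tcp":
            allowed.append((perm["FromPort"], perm["ToPort"]))
    gaps, cursor = [], lo
    for start, end in sorted(allowed):
        if end < cursor:                         # rule lies below what we still need
            continue
        if start > hi:
            break
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def world_open_rules(instance_sg):
    """Return (protocol, from_port, to_port) for rules open to 0.0.0.0/0 or ::/0."""
    found = []
    for perm in instance_sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            found.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return found

ALB_SG = "sg-0albEXAMPLE"  # constructed placeholder
SAMPLE_SG = {"GroupId": "sg-0instEXAMPLE", "IpPermissions": [  # constructed
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 61000,
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    print("ports the ALB cannot reach:", uncovered_ports(SAMPLE_SG, ALB_SG))
    print("rules open to the world:", world_open_rules(SAMPLE_SG))
```

An empty list from `uncovered_ports` means the security group is not what is failing the health checks, so the next thing to compare is the target group's health check path and port against what the container actually serves.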