
I am creating an ECS cluster with EC2 instances. I have some questions about the ECS <-> ALB connection.

First of all, I have one ALB with a port 443 listener and an HTTP 10080 target group. And I am creating one ECS cluster with one container service. I set the containerPort and hostPort to 10080 in the task definition. So, this is the picture of how I set the network flow.


Is it correct that a request comes in from the outside to 443, goes through the ALB to the target group of 10080, then rides the container's hostPort and containerPort in that order, and the request is forwarded to the container?


In the ECS console, only the target group of the ALB was connected. If this happens, is it possible to communicate with the outside of the container? I wonder how the target of the ALB and the hostPort of the container are connected. And if I have more containers using 9090 or 8080 for the containerPort, do I have to make new target groups for connecting the container and the ALB?

Also, I have one more question. If the ECS service is set as a daemon, when the container instance is auto-scaled, are tasks automatically created, like a DaemonSet, one by one on the new instance?

1 Answer


The ALB and the target group are not in ECS (they are in the VPC, though), so your picture is a bit incorrect.

Is it correct that a request comes in from the outside to 443, goes through the ALB to the target group of 10080, then rides the container's hostPort and containerPort in that order, and the request is forwarded to the container?

True: if an HTTPS request makes it to the listener on port 443 of your ALB, it will be forwarded to the target group depending on your config; if you registered the instance with port 10080 in your target group, then that request will make it to port 10080 of your instance (host).

is it possible to communicate with the outside of the container?

If your instance has a public IP enabled, yes. The outbound rule is fully open by default, so it can access the internet. If you want to SSH or connect to specific ports, you have to configure an inbound rule to allow it.

do I have to make new target groups for connecting container and ALB?

Yes.

are tasks automatically created as a daemonset one by one in the new instance

Yes, but DaemonSet is a term usually used with Kubernetes; you should give EKS a look, too.
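The path the answer describes, as an added example that is not part of the original question or answer: a small Python model of the ALB listener rules, the target groups, the task definition's port mappings and the container instance's security group, with a trace from the 443 listener down to the container and an audit that flags what commonly breaks this chain (a target group registered on a host port that no container maps, and an instance security group that either does not admit the ALB's security group or is open to 0.0.0.0/0). Every identifier, port and rule is constructed for illustration; the second target group on 9090 and its path-based listener rule are an assumption showing how an additional container gets its own target group.

```python
"""Trace an ALB request down to an ECS container and audit the instance security group.

Constructed example: all ARNs, instance ids, ports and CIDRs are made up.
"""
import fnmatch

# ALB listener on 443. Rules are listed in evaluation order; the default rule is last.
# (Assumption: ALB path patterns are approximated with glob matching.)
LISTENER_PORT = 443
LISTENER_RULES = [
    {"path_pattern": "/metrics*", "target_group": "tg-exporter-9090"},
    {"path_pattern": "*", "target_group": "tg-web-10080"},
]

# Target groups: instance targets are registered as (instance id, host port).
TARGET_GROUPS = {
    "tg-web-10080": {"protocol": "HTTP", "port": 10080, "targets": [("i-0abc", 10080)]},
    "tg-exporter-9090": {"protocol": "HTTP", "port": 9090, "targets": [("i-0abc", 9090)]},
}

# ECS task definition in bridge mode: each container maps hostPort -> containerPort.
TASK_DEFINITION = {
    "networkMode": "bridge",
    "containerDefinitions": [
        {"name": "web", "portMappings": [{"hostPort": 10080, "containerPort": 10080}]},
        {"name": "exporter", "portMappings": [{"hostPort": 9090, "containerPort": 9090}]},
    ],
}

# Security groups. Outbound is left at the AWS default (all allowed); only inbound is modelled.
# The good configuration admits the ALB's security group, not the internet, on the target ports.
ALB_SG = "sg-alb"
INSTANCE_SG_INBOUND = [
    {"port": 10080, "source": "sg-alb"},
    {"port": 9090, "source": "sg-alb"},
    {"port": 22, "source": "203.0.113.0/24"},  # admin range for SSH, not the ALB
]
# A weaker configuration for comparison: the web port is exposed to everyone and the exporter
# port is not reachable from the ALB at all.
BAD_SG_INBOUND = [{"port": 10080, "source": "0.0.0.0/0"}]


def select_target_group(path, rules=LISTENER_RULES):
    """Return the target group the listener forwards this path to (first matching rule)."""
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule["path_pattern"]):
            return rule["target_group"]
    return None


def host_port_to_container(host_port, task_def=TASK_DEFINITION):
    """Return (container name, containerPort) bound to this hostPort, or None if nothing is."""
    for cdef in task_def["containerDefinitions"]:
        for pm in cdef["portMappings"]:
            if pm["hostPort"] == host_port:
                return cdef["name"], pm["containerPort"]
    return None


def instance_sg_allows(port, source_sg, rules=INSTANCE_SG_INBOUND):
    """True if an inbound rule admits traffic on `port` from security group `source_sg`."""
    return any(r["port"] == port and r["source"] == source_sg for r in rules)


def trace(path, sg_rules=INSTANCE_SG_INBOUND):
    """Follow one request: listener -> target group -> instance host port -> container port."""
    tg_name = select_target_group(path)
    tg = TARGET_GROUPS[tg_name]
    instance_id, host_port = tg["targets"][0]  # single registered instance in this example
    return {
        "listener_port": LISTENER_PORT,
        "target_group": tg_name,
        "host": (instance_id, host_port),
        "container": host_port_to_container(host_port),
        "sg_allows_alb": instance_sg_allows(host_port, ALB_SG, sg_rules),
    }


def audit(target_groups=TARGET_GROUPS, task_def=TASK_DEFINITION, sg_rules=INSTANCE_SG_INBOUND):
    """Return findings: registered ports nobody listens on, ports the ALB cannot reach,
    and ports exposed to the whole internet instead of just the ALB."""
    findings = []
    for tg_name, tg in target_groups.items():
        for _instance_id, host_port in tg["targets"]:
            if host_port_to_container(host_port, task_def) is None:
                findings.append(f"{tg_name}: no container maps hostPort {host_port}; target will be unhealthy")
            if not instance_sg_allows(host_port, ALB_SG, sg_rules):
                findings.append(f"{tg_name}: instance SG does not admit {ALB_SG} on port {host_port}")
    for r in sg_rules:
        if r["source"] == "0.0.0.0/0":
            findings.append(f"instance SG exposes port {r['port']} to the internet; restrict it to {ALB_SG}")
    return findings


if __name__ == "__main__":
    for p in ("/", "/metrics/cadvisor"):
        print(p, "->", trace(p))
    print("audit (good SG):", audit())
    print("audit (bad SG):", audit(sg_rules=BAD_SG_INBOUND))
```

The trace makes the answer's point concrete: the target group only knows about an instance and a host port, and it is the task definition's port mapping that carries the request from the host port into the container, so a container on 9090 or 8080 needs its own target group (and a listener rule pointing at it). The audit is the check worth running before declaring the service healthy: the instance's inbound rule for each target port should name the ALB's security group as the source, not the internet.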


4 Comments

Thanks for the reply. In the first picture I just wanted to tell you "ECS is connected with the ALB". Finally I understood that a 443 connection from outside will come through the ALB to the target group, which is the container that has 10080 as host & container port, right?
@zinho9 The target group is not a container itself, it's just a configuration for your load balancer to know how to route to your instance(s). But you got the idea correctly.
@zinho9 Do you still have anything you don't understand?
Thanks for your help. I have one more question. When there is one EC2 instance and one ECS container instance in the same VPC, and the service (e.g. Prometheus) on the EC2 instance collects the resources of the exporters (e.g. cAdvisor, JMX ...) running on the ECS container instance, is it possible to adjust the security group inbound port without a load balancer as well?
