Here is twtech's complete guide to how Amazon ECS integrates with load balancers.
This is what lets twtech expose its containerized apps securely and reliably.
Amazon ECS – Load Balancer Integration
Overview
When twtech runs ECS services, it can place them behind a load balancer to:
- Expose services to the internet or internal clients
- Distribute traffic across multiple ECS tasks
- Enable service discovery and auto scaling
- Perform health checks to replace unhealthy containers
Supported Load Balancers
Load Balancer Type | Best Use Case
Application Load Balancer (ALB) | HTTP/HTTPS routing based on path or host
Network Load Balancer (NLB) | High performance, TCP/UDP traffic
Classic Load Balancer (CLB) | Legacy, not recommended for new workloads
ECS integrates best with ALB for web apps.
ECS Load Balancer Architecture
```text
        Internet / VPC
              │
  ┌───────────▼───────────┐
  │ Application Load      │
  │ Balancer (ALB)        │
  └───────────┬───────────┘
              │
    Target Group (port 80)
  ┌───────────┬───────────┬───────────┐
  │ ECS Task 1│ ECS Task 2│    ...    │
  └───────────┴───────────┴───────────┘
```
How It Works
- Create a Load Balancer (ALB or NLB) in your VPC.
- Define a Target Group for your ECS tasks (based on IP or instance).
- Configure the ECS Service to:
  - Attach to the load balancer
  - Register running tasks into the target group
  - Perform health checks and deregister failed tasks
- Route traffic via ALB listener rules (e.g., /api, /admin, etc.)
ECS Service with ALB – Required Settings
In the twtech ECS service definition, you need:
Setting | Description
loadBalancers[] | Attach the service to the ALB target group
launchType | FARGATE or EC2
networkConfiguration | VPC, subnets, and security groups
healthCheckGracePeriod | Delay before starting health checks
Target Group Type
Type | Use Case | Launch Type Support
instance | Tasks on EC2 (uses host port) | ECS-EC2
ip | Tasks use awsvpc mode (ALB/NLB) | ECS-Fargate or EC2
Fargate requires the ip target type.
Example: ECS Fargate Service with ALB (Terraform snippet)
```hcl
resource "aws_ecs_service" "twtech_service" {
  name            = "twtech-web-app"
  cluster         = aws_ecs_cluster.twtech_cluster.id
  task_definition = aws_ecs_task_definition.twtech_task.arn
  launch_type     = "FARGATE"

  # Fargate implies awsvpc networking: each task gets its own ENI, so the
  # security groups here apply to the task itself. Reusing the ALB's group
  # (lb_sg) exposes whatever ports that group opens; a dedicated task group
  # that only admits traffic from the ALB's group is tighter.
  network_configuration {
    subnets          = ["subnet-abc", "subnet-def"]
    security_groups  = [aws_security_group.lb_sg.id]
    assign_public_ip = true
  }

  # Registers each task's IP in the target group; container_name and
  # container_port must match the task definition's container and containerPort.
  load_balancer {
    target_group_arn = aws_lb_target_group.twtech_tg.arn
    container_name   = "twtechwebapp"
    container_port   = 80
  }
}
```
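The target group and a dedicated task security group that the service above attaches to, as an added example that is not part of the original post. It assumes the ALB's group aws_security_group.lb_sg already exists (the service snippet references it), a var.vpc_id variable, and a /health endpoint on the container.

```hcl
# Tasks get their own security group (assumed name: task_sg): plain-HTTP
# port 80 admits traffic only from the ALB's group, never from the internet,
# which matters because the service sets assign_public_ip = true.
resource "aws_security_group" "task_sg" {
  name   = "twtech-task-sg"
  vpc_id = var.vpc_id  # assumed variable

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.lb_sg.id]
  }

  # Outbound stays open so Fargate can pull images and reach AWS APIs.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Fargate tasks use awsvpc networking, so the target type must be "ip";
# "instance" only works for the EC2 launch type with bridge/host ports.
resource "aws_lb_target_group" "twtech_tg" {
  name        = "twtech-tg"
  port        = 80
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = var.vpc_id

  # The ALB probes this path; a target failing 3 checks in a row is marked
  # unhealthy and ECS replaces the task (after healthCheckGracePeriod).
  health_check {
    path                = "/health"  # assumed endpoint on the container
    matcher             = "200"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}
```

With this in place, the service's network_configuration would reference aws_security_group.task_sg.id instead of the ALB's group.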
Benefits of Using Load Balancers with ECS
- Zero-downtime deployments using blue/green (CodeDeploy)
- Health check integration (auto-replace failed tasks)
- Path/host routing with ALB for microservices
- Public and private access control with SGs and listeners
- SSL termination at ALB
Service Discovery Alternative
Instead of using a load balancer, you can use AWS Cloud Map for DNS-based service discovery. This is useful for internal-only services or a microservices mesh.
Summary
Feature | ECS + ALB/NLB Integration
Internet Exposure | Yes (public ALB/NLB)
Internal Communication | Yes (internal ALB or Cloud Map)
Health Checks | Yes
Blue/Green Deployments | Yes (via CodeDeploy)
Routing Control | Yes (ALB listener rules)
SSL Termination at ALB (Application Load Balancer) – Explained
SSL termination at the Application Load Balancer (ALB) means that HTTPS (SSL/TLS) traffic is decrypted at the ALB and then forwarded to twtech's ECS tasks as plain HTTP. This is the most common and cost-effective way to secure traffic coming into ECS services; note that the hop from the ALB to the task inside the VPC stays unencrypted unless you opt for end-to-end encryption.
How SSL Termination Works in ECS with ALB
```text
[ User (Browser) ]
        │ HTTPS (port 443)
        ▼
+----------------------+
| Application Load     |
| Balancer (ALB)       |
| - SSL certificate    |
| - Decrypts traffic   |
+----------------------+
        │ HTTP (port 80)
        ▼
[ ECS Service Task ]
```
✅ Benefits of SSL Termination at ALB
- Secure: Encrypts client-to-ALB traffic using HTTPS.
- Efficient: Offloads expensive encryption/decryption from ECS tasks.
- Simplifies: Tasks can run standard HTTP (no HTTPS config needed).
- Managed Certs: Works seamlessly with AWS Certificate Manager (ACM).
How to Set Up SSL Termination at ALB
1. Create or import an SSL certificate
   - Go to AWS Certificate Manager (ACM)
   - Request a public certificate (e.g., api.example.com)
   - Validate the domain (via DNS or email)
2. Configure an ALB listener for HTTPS
   - In the ALB settings:
     - Add a listener on port 443
     - Select the HTTPS protocol
     - Attach the ACM certificate
   - Set up a target group for HTTP traffic on port 80 (or another port)
   - Add forwarding rules (e.g., /* → twtech-target group)
3. Update the ECS service
   - In the twtech ECS service, make sure:
     - The container listens on port 80 (or the appropriate HTTP port)
     - The task definition exposes the correct containerPort
     - The load balancer target group protocol = HTTP
     - Networking mode = awsvpc for Fargate (or bridge/host for EC2)
4. (Optional) Redirect HTTP → HTTPS
   - Add an ALB listener on port 80 (HTTP)
   - Forward or redirect to HTTPS:443
Terraform Example (ALB HTTPS Listener)
```hcl
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.twtech_alb.arn
  port              = 443
  protocol          = "HTTPS"
  # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; a newer policy
  # such as ELBSecurityPolicy-TLS13-1-2-2021-06 limits clients to TLS 1.2+.
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.twtech_cert.arn

  # TLS is terminated here; plain HTTP is forwarded to the target group.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.twtech_tg.arn
  }
}
```
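The port-80 redirect listener from step 4 and a path-based listener rule for the /api route mentioned under How It Works, as an added example that is not part of the original post; aws_lb_target_group.twtech_api_tg is an assumed second target group.

```hcl
# Step 4: answer plain HTTP with a permanent redirect to the HTTPS listener.
# No target group is attached here, so nothing reaches a task over
# cleartext through the ALB.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.twtech_alb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Listener rule on the HTTPS listener: /api/* goes to a separate target
# group (assumed name: twtech_api_tg); everything else falls through to the
# listener's default_action (twtech_tg). The lowest priority number wins.
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.twtech_api_tg.arn
  }

  condition {
    path_pattern {
      values = ["/api/*"]
    }
  }
}
```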
Notes
Topic | Detail
Certificate Source | AWS ACM (free for public certs)
Protocol to ECS Task | Usually HTTP
Encryption in transit | Only between client ↔ ALB (not ALB ↔ ECS task)
End-to-end encryption | Use HTTPS between ALB ↔ ECS task (optional)
Multi-domain support | ALB supports SNI (Server Name Indication)
Option: End-to-End Encryption
If twtech requires encryption all the way to its ECS containers:
- The ECS container must run an HTTPS server
- Target group protocol = HTTPS
- The ECS service's container port must match the HTTPS port (e.g., 443)
This adds complexity and is only needed for strict security and compliance requirements.
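What the end-to-end option changes in Terraform, as an added example that is not part of the original post: a target group that speaks HTTPS to the container's port 443. The resource name twtech_tg_tls, var.vpc_id and the /health path are assumptions.

```hcl
# Target group for end-to-end encryption: the ALB re-encrypts toward the
# task instead of sending plain HTTP on port 80.
resource "aws_lb_target_group" "twtech_tg_tls" {
  name        = "twtech-tg-tls"
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"
  vpc_id      = var.vpc_id  # assumed variable

  # The health check must also use HTTPS, or every target stays unhealthy.
  health_check {
    protocol = "HTTPS"
    path     = "/health"  # assumed endpoint on the container
    matcher  = "200"
  }
}

# Caveat: the ALB does not validate the certificate a target presents, so a
# self-signed or internal-CA certificate in the container works. The hop is
# encrypted, but the ALB is not authenticating the task, which is why the
# task security group should still admit only the ALB's group.
```

The service's load_balancer block then points at this target group with container_port = 443, matching the port the container's HTTPS server listens on.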