Amazon ECS Load Balancer Integrations - Overview.
Scope:
- Intro,
- Amazon ECS – Load Balancer Integration Overview,
- Supported Load Balancer Types,
- ECS Load Balancer Architecture,
- How It Works,
- ECS Service with ALB – Required Settings,
- Target Group Type,
- Sample ECS Fargate Service with ALB (Terraform snippet),
- Benefits of Using Load Balancers with ECS,
- Service Discovery Alternative,
- SSL Termination at ALB (Application Load Balancer) – Explained,
- How SSL Termination Works in ECS with ALB,
- Benefits of SSL Termination at ALB,
- How to Set Up SSL Termination at ALB,
- Terraform Sample (ALB HTTPS Listener) code,
Intro:
- Here’s the twtech overview of how Amazon ECS integrates with load balancers.
- This helps twtech expose its containerized apps securely and reliably.
Amazon ECS – Load Balancer Integration Overview
When twtech runs ECS services behind a load balancer, the load balancer will:
- Expose services to the internet or internal clients
- Distribute traffic across multiple ECS tasks
- Enable service discovery and auto scaling
- Perform health checks to replace unhealthy containers
Supported Load Balancer Types
| Load Balancer Type | Best Use Case |
| --- | --- |
| Application Load Balancer (ALB) | HTTP/HTTPS routing based on path or host |
| Network Load Balancer (NLB) | High performance, TCP/UDP traffic |
| Classic Load Balancer (CLB) | Legacy, not recommended for new workloads |
NB:
- ECS integrates best with ALB for web apps.
ECS Load Balancer Architecture
How It Works
- Create a Load Balancer (ALB or NLB) in the twtech VPC.
- Define a Target Group for the twtech ECS tasks (target type ip or instance).
- Configure the ECS Service to:
  - Attach to the load balancer
  - Register running tasks into the target group
  - Perform health checks and deregister failed tasks
- Route traffic via ALB listener rules (e.g., /api, /admin, etc.)
ECS Service with ALB – Required Settings
In the twtech ECS service definition, it needs:
| Setting | Description |
| --- | --- |
| loadBalancers[] | Attach the service to the ALB target group |
| launchType | FARGATE or EC2 |
| networkConfiguration | VPC, subnets, and security groups |
| healthCheckGracePeriod | Delay before starting health checks |
Target Group Type
| Type | Use Case | Launch Type Support |
| --- | --- | --- |
| instance | Tasks on EC2 (uses host port) | ECS-EC2 |
| ip | Tasks use awsvpc mode (ALB/NLB) | ECS-Fargate or EC2 |
Fargate requires the ip target type.
Sample: ECS Fargate Service with ALB (Terraform snippet)
# hcl
resource "aws_ecs_service" "twtech_service" {
  name            = "twtech-web-app"
  cluster         = aws_ecs_cluster.twtech_cluster.id
  task_definition = aws_ecs_task_definition.twtech_task.arn
  launch_type     = "FARGATE"
  desired_count   = 2 # Terraform defaults this to 0, which would keep no task running

  # Grace period before ALB health checks can mark a freshly started task unhealthy
  health_check_grace_period_seconds = 60

  network_configuration {
    subnets          = ["subnet-abc", "subnet-def"]
    # The sample reuses the load balancer's security group for the tasks; a dedicated
    # task security group that admits the container port only from the ALB's
    # security group is the tighter choice.
    security_groups  = [aws_security_group.lb_sg.id]
    # A public IP is only needed when tasks in public subnets must reach ECR or the
    # internet without a NAT gateway or VPC endpoints.
    assign_public_ip = true
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.twtech_tg.arn
    container_name   = "twtechwebapp" # must match the container name in the task definition
    container_port   = 80
  }
}
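The target group and security groups that the service sample references are not shown in the post. The following added example (not the post's own code) supplies them and ties the "How It Works" steps together: the internet reaches only the ALB, the ALB alone reaches the tasks, and tasks register by IP. The VPC reference aws_vpc.twtech, the task security group name and the /health path are assumptions.

```hcl
# Added example (not the original post's code); aws_vpc.twtech and the /health path are assumptions.
# Internet -> ALB only, on 443 (HTTPS) and 80 (for the HTTP-to-HTTPS redirect listener).
resource "aws_security_group" "alb_sg" {
  name   = "twtech-alb-sg"
  vpc_id = aws_vpc.twtech.id
  dynamic "ingress" {
    for_each = [80, 443]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# ALB -> tasks only: port 80 is opened to the ALB's security group, not to a CIDR, so a task with a public IP is still unreachable from the internet directly.
resource "aws_security_group" "task_sg" {
  name   = "twtech-task-sg"
  vpc_id = aws_vpc.twtech.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb_sg.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Tasks in awsvpc mode register by IP ("ip" target type, required for Fargate); the health check decides which tasks get traffic and which ECS replaces.
resource "aws_lb_target_group" "twtech_tg" {
  name        = "twtech-tg"
  port        = 80
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = aws_vpc.twtech.id
  health_check {
    path    = "/health"
    matcher = "200"
  }
}
```

Point the service's network_configuration at task_sg rather than the ALB's own security group so that only the ALB can open connections to the container port.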
Benefits of Using Load Balancers with ECS
- Zero-downtime deployments using blue/green (CodeDeploy)
- Health check integration (auto-replace failed tasks)
- Path/host routing with ALB for microservices
- Public and private access control with SGs and listeners
- SSL termination at ALB
Service Discovery Alternative
- Instead of using a load balancer, twtech can use AWS Cloud Map for DNS-based service discovery.
- Useful in internal-only services or microservices mesh.
Summary
| Feature | ECS + ALB/NLB Integration |
| --- | --- |
| Internet Exposure | Yes (public ALB/NLB) |
| Internal Communication | Yes (internal ALB or Cloud Map) |
| Health Checks | Yes |
| Blue/Green Deployments | Yes (via CodeDeploy) |
| Routing Control | Yes (ALB listener rules) |
SSL Termination at ALB (Application Load Balancer) – Explained
- SSL termination at the Application Load Balancer (ALB) means that encrypted HTTPS (SSL/TLS) traffic is decrypted at the ALB and then forwarded to the twtech ECS tasks as plain HTTP.
- This is the most common and cost-effective way to secure traffic coming into ECS services.
How SSL Termination Works in ECS with ALB
✅ Benefits of SSL Termination at ALB
- Secure: Encrypts client-to-ALB traffic using HTTPS.
- Efficient: Offloads expensive encryption/decryption from ECS tasks.
- Simplifies: Tasks can run standard HTTP (no HTTPS config needed).
- Managed Certs: Works seamlessly with AWS Certificate Manager (ACM).
How to Set Up SSL Termination at ALB
1. Create or Import an SSL Certificate
- Go to AWS Certificate Manager (ACM)
- Request a public certificate (e.g., api.example.com)
- Validate the domain (via DNS or email)
2. Configure the ALB Listener for HTTPS
- In the ALB settings:
  - Add a Listener on port 443
  - Select the HTTPS protocol
  - Attach the ACM certificate
  - Set up a target group for HTTP traffic on port 80 (or another port)
  - Add forwarding rules (e.g., /* → the twtech target group)
3. Update the ECS Service
- In the twtech ECS Service, make sure that:
  - The container listens on port 80 (or the appropriate HTTP port)
  - The task definition exposes the correct containerPort
  - The load balancer target group protocol = HTTP
  - The networking mode = awsvpc for Fargate (or bridge/host for EC2)
4. (Optional) Redirect HTTP → HTTPS
- Add an ALB listener on port 80 (HTTP)
- Forward or redirect to HTTPS:443
Terraform Sample (ALB HTTPS Listener) code
# hcl
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.twtech_alb.arn
  port              = 443
  protocol          = "HTTPS"
  # ELBSecurityPolicy-2016-08 still accepts TLS 1.0/1.1; a TLS 1.2+ policy such as
  # ELBSecurityPolicy-TLS13-1-2-2021-06 is the current recommendation for new ALBs.
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.twtech_cert.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.twtech_tg.arn
  }
}
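Steps 1 and 4 of the setup above are not covered by the listener sample. The following is an added example (not the post's own code) that requests the certificate with DNS validation and adds the HTTP → HTTPS redirect listener; the domain api.example.com is the one named in step 1, while the hosted zone aws_route53_zone.twtech and the ALB reference aws_lb.twtech_alb are assumed names.

```hcl
# Added example, not the original post's code. The hosted zone (aws_route53_zone.twtech)
# and the ALB reference (aws_lb.twtech_alb) are assumed to exist elsewhere.
# Step 1: request a public certificate and prove domain ownership through DNS records.
resource "aws_acm_certificate" "twtech_cert" {
  domain_name       = "api.example.com"
  validation_method = "DNS"
  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.twtech_cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  zone_id = aws_route53_zone.twtech.zone_id
  name    = each.value.name
  type    = each.value.type
  ttl     = 60
  records = [each.value.record]
}
# Waits until ACM has issued the certificate; point the HTTPS listener's certificate_arn
# at this resource's certificate_arn so an unvalidated request is never attached.
resource "aws_acm_certificate_validation" "twtech_cert" {
  certificate_arn         = aws_acm_certificate.twtech_cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
# Step 4: the port-80 listener only redirects, so the ALB never serves application
# content over plain HTTP; HTTP_301 lets clients cache the redirect.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.twtech_alb.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```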
NB:
| Topic | Detail |
| --- | --- |
| Certificate Source | AWS ACM (free for public certs) |
| Protocol to ECS Task | Usually HTTP |
| Encryption in transit | Only between client ↔ ALB (not ALB ↔ ECS task) |
| End-to-end encryption | Use HTTPS between ALB ↔ ECS task (optional) |
| Multi-domain support | ALB supports SNI (Server Name Indication) |
Option: End-to-End Encryption
If twtech requires encryption all the way to its ECS containers:
- The ECS container must run an HTTPS server
- Target group protocol = HTTPS
- The ECS service’s container port must match the HTTPS port (e.g., 443)
NB:
- This adds complexity and is only needed for strict security and compliance needs.