Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add an example of setting up HTTPS on ApplicationLoadBalancedFargateService

See original GitHub issue

An example showing the recommended way of enabling HTTPS on an ApplicationLoadBalancedFargateService.

Use Case

I am having issues enabling HTTPS in my ApplicationLoadBalancedFargateService. I have been digging many issues and StackOverflow issues and trying to wrap my head around all the possible configurations. Should I add certificate to the service directly? Then I need to set up domains. Should I create an entirely new ApplicationLoadBalancer? Should I add a listener for 443 in the loadBalancer property?

There is no clear path and the documentation is somewhat inconsistent as to how to do it.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:10
  • Comments:18 (3 by maintainers)

github_iconTop GitHub Comments

sprightbotcommented, Aug 24, 2021

If you wanted to add a certificate to this pattern, you first need to create a certificate construct in the constructor:

    const cert = new Certificate(this, "MyCertificate", {
      domainName: '',
      subjectAlternativeNames: ['*'],
      validation: CertificateValidation.fromDns(),

Then in the properties of the ecs pattern add the certificate and redirectHTTP (optional, but recommended) properties.

new ecs_patterns.ApplicationLoadBalancedFargateService(this, "MyFargateService", {
      cluster: cluster, // Required
      cpu: 256, // Default is 256
      desiredCount: 1, // Default is 1
      taskImageOptions: { image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample") },
      memoryLimitMiB: 512, // Default is 512
      publicLoadBalancer: true, // Default is false 
      certificate: cert,
      redirectHTTP: true,

Thats it!

In this example, I’m not using an AWS hosted zone, so when this deploys the certificate will be stuck in a pending state. You will need to goto AWS Certificate Manager, open the certificate and copy and paste the CNAME to your DNS provider.

If you wanted to add an AWS Hosted zone, you can create one by adding the following construct to the constructor:

const hostedzone = new PublicHostedZone(this, "myHostedZone", {
      zoneName: '',

Then in AWS Certificate manager, open the certificate and there’s a blue button that you click that will create the record for you. Don’t forget to delegate to your hosted zone from your DNS provider or else you’ll be in the pending waiting room.

Hope this helps!

sprightbotcommented, Feb 19, 2022

Nice! You’re almost there. For the HTTPS piece you need to make the certificate and attach it to the service and cloudfront. Note that Cloudfront is based in us-east-1, so your certificate for cloudfront must be in us-east-1. (You can also make a crossZoneDNS cert… search for DnsValidatedCertificate in the @aws-cdk/aws-certificatemanager library)

Assuming that you’re creating this in us-east-1, you can first create your cert:

const cert = new Certificate(this, "MyCertificate", {
   domainName: '',
   subjectAlternativeNames: ['*'],
   validation: CertificateValidation.fromDns(),

Then on your ApplicationLoadBalancedFargateService add the certificate property. Then add the certificate and domainName property to your cloud front. Also make sure to add allowedMethods and viewerProtocolPolicy otherwise cloudfront won’t forward your requests on.

const cloudFront = new Distribution(this, "CloudFrontDistribution", {
      defaultBehavior: {
        origin: new LoadBalancerV2Origin(app.loadBalancer),
      certificate: cert,
      domainName: [''],
      allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
      viewerProtocolPolicy: ViewerProtocolPolicy.ALLOW_ALL,

That should get you set up on whatever domain name you pick. Make sure you have the proper delegation/own the zone, and if the zone is hosted by google, or some other provider, that you can add the certificate validation CNAME, otherwise cloudformation will hang forever (3 hrs, but feels like forever). Recommend creating the route53 hostedZone in aws and then let certificate manager create the records for you. Then all you need to do is delegate to that hosted zone and you’re good to go.

Also I was able to find an example write up which is pretty similar to this here:

The big difference i see here is that they terminate ssl at cloud front. Doing the above terminates at the ALB. Not sure how important that is to ya, but /shrug.

Read more comments on GitHub >

github_iconTop Results From Across the Web

class ApplicationLoadBalancedFargateService (construct)
A Fargate service running on an ECS cluster fronted by an application load balancer. ... Setting this option will set the load balancer...
Read more >
Adding HTTPS And Custom Domains To An API Hosted On ...
One thing is worth noting up front — while will be looking into configuring HTTPS and the custom domain using the same API...
Read more >
Application Load Balanced Fargate Service example in AWS ...
Application Load Balanced Fargate Service example in AWS CDK ... Before we can start to build a Fargate service we need to set...
Read more >
Configure HTTPS with an AWS Load Balancer - YouTube
In this tutorial, you will learn how to configure HTTPS using AWS Load Balancer. IMPORTANT: Please note that in newer instances the ...
Read more >
Hey CDK, how can I secure my Fargate Service with ALB ...
Next, we need some information from our OIDC provider. See here how to set up a new application in Azure AD. Replace {tenantId}...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found