Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ECS-Patterns Does Not Map Host Port

See original GitHub issue

When working with one of the NLB ECS patterns (EC2 vs Fargate) the patterns do not map the container to a stable host port. In addition, the patterns do not expose the containers to allow for additional port mappings.

Therefore, if you tried to use the publicLoadBalancer option, it would not work on any of the patterns. (This is because the load balancer would be setup with port 80, but since the container is not given a host port a randomly assigned port is used)

Note: This is not an issue for ApplicationLoadBalancers since they support dynamic port mapping.

Reproduction Steps

Here is an example:

const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-ecs-pattern', { 
  tags: { id: 'ecs-pattern' }
});

// Create a cluster
const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });

const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
cluster.addCapacity('DefaultAutoScalingGroup', {
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO)
});

const pattern = new patterns.NetworkLoadBalancedEc2Service(stack, 'ecs-pattern-task', {
  image: ecs.ContainerImage.fromRegistry('nginx:latest'),
  memoryLimitMiB: 256,
  cluster,
  containerPort: 80,
  enableLogging: true,
  publicLoadBalancer: true
});

new cdk.CfnOutput(stack, 'LoadBalancerDNS', { value: pattern.loadBalancer.loadBalancerDnsName, });

app.synth();

Error Log

Days of trying to debug the issue 😃

NOTE: There are actually TWO issues created by this stack!!!

The first issue is described in #4279. The fix for that issue is to find the security group and add an inbound rule from the public web to port 80.
The second issue is the topic of this bug. There is no workaround for this particular issue. (since the container isn’t exposed)

Days of trying to debug… 🤦‍♂ 😃

Environment

CLI Version : 1.9.0
Framework Version: 1.9.0
OS : macOS 10.14.6
Language : all

This is 🐛 Bug Report

Issue Analytics

State:
Created 4 years ago
Reactions:3
Comments:6 (3 by maintainers)

Top GitHub Comments

2reactions

konstantinjcommented, Feb 13, 2020

I can reproduce this now. Using this code I’m getting 2 targetgroups but both are using the same host port (the first one 32768) which is port 80 on the container. The listener that I added that should use port 22 is also going to 80 on the container which is wrong.

Also it does not work without adding the ecs port range manually to the ASG security group.

const autoScalingGroup = new AutoScalingGroup(this, 'AutoScalingGroup', {
            vpc: vpc,
            ...
        })
        autoScalingGroup.connections.allowFrom(Peer.ipv4(vpc.vpcCidrBlock), Port.tcpRange(32768, 65535))
        autoScalingGroup.connections.allowFrom(Peer.ipv4('10.0.0.0/16'), Port.tcp(22))

        const cluster = new Cluster(this, 'Cluster', {
            clusterName: this.stackName,
            vpc: vpc,
        })
        cluster.addAutoScalingGroup(autoScalingGroup)

        const hostedZone = HostedZone.fromLookup(this, 'HostedZone', {
            domainName: scope.getConfig(this, 'hostedZone'),
        })

        const certificate = new DnsValidatedCertificate(this, 'Certificate', {
            domainName: scope.getConfig(this, 'domainName'),
            hostedZone: hostedZone,
        })

        const service = new NetworkLoadBalancedEc2Service(this, 'Service', {
            cluster: cluster,
            domainName: scope.getConfig(this, 'domainName'),
            domainZone: hostedZone,
            listenerPort: 80,
            ...
            }
        })

        service.taskDefinition.defaultContainer?.addPortMappings({
            containerPort: 22,
        })

        service.loadBalancer.addListener('SshListener', {
            port: 22,
            protocol: Protocol.TCP,
        }).addTargets('SshTarget', {
            port: 22,
            targets: [service.service]
        }).setAttribute('deregistration_delay.timeout_seconds', '30')

        service.loadBalancer.addListener('HttpsListener', {
            port: 443,
            protocol: Protocol.TLS,
            certificates: [{certificateArn: certificate.certificateArn}],
        }).addTargetGroups('HttpTarget', service.targetGroup)

        service.targetGroup.setAttribute('deregistration_delay.timeout_seconds', '30')

        service.targetGroup.configureHealthCheck({
            protocol: Protocol.HTTP,
            healthyThresholdCount: 3,
            unhealthyThresholdCount: 3,
            path: '/',
        })

0reactions

github-actions[bot]commented, May 5, 2021

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.