Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ECS-Patterns Does Not Map Host Port

See original GitHub issue

When working with one of the NLB ECS patterns (EC2 vs Fargate) the patterns do not map the container to a stable host port. In addition, the patterns do not expose the containers to allow for additional port mappings.

Therefore, if you tried to use the publicLoadBalancer option, it would not work on any of the patterns. (This is because the load balancer would be setup with port 80, but since the container is not given a host port a randomly assigned port is used)

Note: This is not an issue for ApplicationLoadBalancers since they support dynamic port mapping.

Reproduction Steps

Here is an example:

const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-ecs-pattern', { 
  tags: { id: 'ecs-pattern' }

// Create a cluster
const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });

const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
cluster.addCapacity('DefaultAutoScalingGroup', {
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO)

const pattern = new patterns.NetworkLoadBalancedEc2Service(stack, 'ecs-pattern-task', {
  image: ecs.ContainerImage.fromRegistry('nginx:latest'),
  memoryLimitMiB: 256,
  containerPort: 80,
  enableLogging: true,
  publicLoadBalancer: true

new cdk.CfnOutput(stack, 'LoadBalancerDNS', { value: pattern.loadBalancer.loadBalancerDnsName, });


Error Log

Days of trying to debug the issue 😃

NOTE: There are actually TWO issues created by this stack!!!

  • The first issue is described in #4279. The fix for that issue is to find the security group and add an inbound rule from the public web to port 80.
  • The second issue is the topic of this bug. There is no workaround for this particular issue. (since the container isn’t exposed)

Days of trying to debug… 🤦‍♂ 😃


  • CLI Version : 1.9.0
  • Framework Version: 1.9.0
  • OS : macOS 10.14.6
  • Language : all

This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:3
  • Comments:6 (3 by maintainers)

github_iconTop GitHub Comments

konstantinjcommented, Feb 13, 2020

I can reproduce this now. Using this code I’m getting 2 targetgroups but both are using the same host port (the first one 32768) which is port 80 on the container. The listener that I added that should use port 22 is also going to 80 on the container which is wrong.

Also it does not work without adding the ecs port range manually to the ASG security group.

const autoScalingGroup = new AutoScalingGroup(this, 'AutoScalingGroup', {
            vpc: vpc,
        autoScalingGroup.connections.allowFrom(Peer.ipv4(vpc.vpcCidrBlock), Port.tcpRange(32768, 65535))
        autoScalingGroup.connections.allowFrom(Peer.ipv4(''), Port.tcp(22))

        const cluster = new Cluster(this, 'Cluster', {
            clusterName: this.stackName,
            vpc: vpc,

        const hostedZone = HostedZone.fromLookup(this, 'HostedZone', {
            domainName: scope.getConfig(this, 'hostedZone'),

        const certificate = new DnsValidatedCertificate(this, 'Certificate', {
            domainName: scope.getConfig(this, 'domainName'),
            hostedZone: hostedZone,

        const service = new NetworkLoadBalancedEc2Service(this, 'Service', {
            cluster: cluster,
            domainName: scope.getConfig(this, 'domainName'),
            domainZone: hostedZone,
            listenerPort: 80,

            containerPort: 22,

        service.loadBalancer.addListener('SshListener', {
            port: 22,
            protocol: Protocol.TCP,
        }).addTargets('SshTarget', {
            port: 22,
            targets: [service.service]
        }).setAttribute('deregistration_delay.timeout_seconds', '30')

        service.loadBalancer.addListener('HttpsListener', {
            port: 443,
            protocol: Protocol.TLS,
            certificates: [{certificateArn: certificate.certificateArn}],
        }).addTargetGroups('HttpTarget', service.targetGroup)

        service.targetGroup.setAttribute('deregistration_delay.timeout_seconds', '30')

            protocol: Protocol.HTTP,
            healthyThresholdCount: 3,
            unhealthyThresholdCount: 3,
            path: '/',
github-actions[bot]commented, May 5, 2021

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Read more comments on GitHub >

github_iconTop Results From Across the Web

interface PortMapping · AWS CDK
Port mappings allow containers to access ports on the host container instance ... you can specify a non-reserved host port for your container...
Read more >
CDK Fargate: Map subdomain to different container port
I want to map incoming traffic with api.domain to port 3001 and everything else should map to port 3000. How can I achieve...
Read more >
5.7 Ensure privileged ports are not mapped within containers
Solution. Do not map the container ports to privileged host ports when starting a container. Also, ensure that there is no such container...
Read more >
3. Expose Your Services | Rancher Manager
Using a HostPort for a Kubernetes pod in Rancher v2.x is synonymous with creating a public port mapping for a container in Rancher...
Read more >
Deploying a containerized web application with AWS Cloud ...
Where does AWS CDK fit into the infrastructure as code space? ... What tooling does AWS CDK offer for containerized applications? ... hostPort:...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found