56

I'm trying to set up an ALB which listens on port 443, load balancing to ECS Docker containers on random ports. Let's say I have 2 container instances of the same task definition, listening on port 30000 and 30001.

When I try to create a target group in the AWS EC2 Management console, there's a "port" input field with 1-65535 range. What number should I put there?

And when I try to create a new service in the AWS EC2 Container Service console, together with a new target group to connect to an existing ALB, there's no input field for a target group "port". After it's created, navigating to the EC2 console, the new target group has port "80". Do I have to listen on port 80? But the health check happens against the "traffic port", which is the container port, 30000 and 30001, so what's the point?

Kumar Sambhav
mash

6 Answers

72

Turns out, when combined with ECS, the target group's port doesn't mean anything. You don't need to listen on that port.

mash
  • 6
    Damn. I spent hours trying to trace this down. I am sure they needed that port in order for the load balancer to get started up. And then we don't care about it. They should make it optional. – sethu Apr 10 '17 at 00:43
  • 1
    I want to back up @sethu. I'm using Terraform to orchestrate ECS including target group. You definitely still have to specify a port (e.g. 80) and even a protocol for the target group. It's misleading, however, because with ALB's dynamic host port, the instances (targets) in the target group aren't using the port specified (e.g. 80) at all. They are instead using a port like 32769 or ports within the ephemeral port range. – Shawn Mar 04 '19 at 05:05
  • 1
    Also agree they should make the port optional (and more documentation). However, @sethu mentioned that specifying a port is still needed for the ALB to "get started up" - that's actually interesting, and I'd like to know more about it. For now it seems to me that specifying 80 on the target group is like magic. It works, but I have no idea why. I don't know in what case we should set the target group port to 80, and in what case to other values like 443, because with ALB dynamic host port, that number doesn't make sense at all. – Shawn Mar 04 '19 at 05:05
  • this drives me crazy – Kid_Learning_C Apr 01 '22 at 12:04
20

I ran into this situation myself at work. I noticed the target group port and the port of the registered instance were different. I've typically set them up to be the same thing so wondered what this was all about which led me to this thread. I couldn't find a good answer on AWS docs, but found this in the Terraform docs for aws_lb_target_group resource:

port - (Optional, Forces new resource) The port on which targets receive traffic, unless overridden when registering a specific target.

So, I guess it's just the default port used unless you override it. Makes sense.

MacGruber
2

I think what he's referring to is the health checks. If your ELB is listening on port 443 but your target group is set for port 80, then every health check for the target group will attempt a request on port 80 and get redirected to port 443 by the load balancer. This results in a 301 code, which is considered unhealthy. Only 200 codes are supposed to be considered healthy. At that point you either have all unhealthy targets all the time or you add 301 to the list of healthy codes which defeats the whole point in health checks because it will always return a 301 for port 80. You might as well just match the ports.

Jay Long
  • 2
    when using dynamic ports, the health check should be set for "traffic port" which ensures the dynamic port is used. – enablor Mar 04 '20 at 19:53
0

By default, a load balancer routes requests to its targets using the protocol and port number that you specified when you created the target group. Alternatively, you can override the port used for routing traffic to a target when you register it with the target group.

0

Don't forget the fact that Load Balancers also have a Security group.

Anand Rockzz
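The pieces discussed in the answers above, put together as an added Terraform example (not code from any poster or from AWS): a target group whose `port` is only the default, a health check on the traffic port, a task with a dynamic host port, and an instance security group that admits the dynamic ports from the ALB's security group only. Resource names, the `var.*` inputs, the image, the container port and the 32768-65535 range are assumptions; check the ephemeral range on your own container instances.

```hcl
variable "vpc_id" {}
variable "alb_sg_id" {}      # assumed: security group attached to the ALB
variable "instance_sg_id" {} # assumed: security group attached to the ECS container instances

resource "aws_lb_target_group" "app" {
  name     = "app-dynamic-ports"
  port     = 80 # default only; overridden when a target is registered with its own port
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    port    = "traffic-port" # probe the port each target was registered with
    path    = "/"
    matcher = "200"
  }
}

resource "aws_ecs_task_definition" "app" {
  family = "app"
  container_definitions = jsonencode([{
    name      = "app"
    image     = "example/app:latest" # placeholder image
    memory    = 256
    essential = true
    # hostPort 0 asks for a dynamic host port, which is what gets registered in the target group
    portMappings = [{ containerPort = 8080, hostPort = 0 }]
  }])
}

# Open the dynamic port range on the instances to the ALB's security group,
# not to 0.0.0.0/0, so the containers are reachable only through the load balancer.
resource "aws_security_group_rule" "alb_to_dynamic_ports" {
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 32768
  to_port                  = 65535
  security_group_id        = var.instance_sg_id
  source_security_group_id = var.alb_sg_id
}
```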
-3

The port in the target group is used in conjunction with auto-scaling groups and if you ever plan to use those you want to use the right port from the start. Why? Because you cannot change it after the target group has been created and auto-scaling will simply not work if you set the port wrong.

Lars Hansson