
I need to deploy an API on ECS Fargate that uses an internet-facing Network Load Balancer. After getting all this set up, the API deployed on ECS, and passing health checks, I’m noticing that I get a timeout error when I try to access the NLB DNS name in the browser. I think this may have to do with the firewall. The NLB doesn’t have a security group I can modify, so I’m wondering if I’ve set up the Fargate service security group correctly or if there’s anything else I can try. I’ve got 443, 8443, 80, 8080 open in that security group, just to cover a few.

The NLB is set up like the following: a TCP 443 listener, and then the container is hosted on port 8443. My question is, does the timeout issue sound like it has something to do with the firewall, and if so, how do I allow the NLB in the ECS service security group, if that’s what’s needed? As of yet I’m unsure where to set the firewall configs for something like this, since the NLB doesn’t have a security group.

  • Your question is not clear. You have to provide all details of your setup: NLB setup, listeners, target groups, VPC, ECS task definition, ECS service, ... – Marcin Apr 02 '22 at 04:41
  • You can do the test by configuring the SG of your ECS to allow the CIDR of your subnet. – Chuong Nguyen Apr 02 '22 at 05:30
  • More info on the setup is as follows: the container is deployed on ECS Fargate using an internet-facing NLB (the cert is integrated into the API), NLB listener TCP 443 with a registered IP on a TG (target type: IP, protocol of the container's host port is TCP 8443; health checks are passing). I get a 503 error when accessing the domain name ("service unavailable"). The tasks in Fargate are running in a private subnet, the network mode is awsvpc (Fargate launch type). Again, the container port is 8443. – stonewalker747 Apr 02 '22 at 17:01
  • @stonewalker747 - Were you able to figure out the issue? I am in the same situation. – srg Nov 24 '22 at 00:12

1 Answer


I’ve got 443,8443,80,8080 just to cover a few in that security group.

Ports 32768 to 61000 should be open in the security group for tasks in Fargate to allow the NLB to access the tasks, according to this page, if dynamic ports are used in the NLB and task definition.

Hope this helps.

izayoi
  • Network Load Balancers cannot have security groups attached to them. See [answer](https://stackoverflow.com/a/48784314/7661119). You cannot open any kind of port for something you don't have. – Ervin Szilagyi Apr 02 '22 at 11:02
  • The container port is 8443 and the NLB listener is TCP 443. Currently I've just been adding to the security group of the service, but getting a 504 service unavailable error. – stonewalker747 Apr 02 '22 at 17:03
  • He’s not saying the NLB has a security group. He’s saying how to configure “the security group for tasks in Fargate to allow NLB access tasks”. The Fargate service has a security group that can be configured. – stonewalker747 Apr 02 '22 at 20:15
  • @landy777 You should not allow these ports on a security group. Security groups are stateful firewalls; you need to allow only the necessary ports such as 80, 443 or whatever else you are using. Outbound connectivity, which usually uses ephemeral ports (for example ports between 32768 and 61000), will still work. You should allow ephemeral ports for network ACLs. NACLs are stateless firewalls, and because of this you need to allow both inbound and outbound ports separately. – Ervin Szilagyi Apr 02 '22 at 20:21
  • Yes, verifying that the NACLs are set up correctly is important. – stonewalker747 Apr 02 '22 at 20:34
  • So from what you’re saying, I should keep the security group the same for the Fargate service but change or modify the outbound NACLs as needed? – stonewalker747 Apr 02 '22 at 21:28
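The answer and the comment thread above disagree about where the ephemeral-port rule belongs. The following is an added example, not code from the question or the answer: it models how a stateful security group and a stateless network ACL each evaluate the one flow this question is about (NLB node -> Fargate task on tcp/8443, and the task's SYN-ACK back to the NLB node's ephemeral source port). The CIDRs and addresses are constructed (10.0.0.0/24 and 10.0.1.0/24 stand in for the NLB's subnets, 203.0.113.7 for an internet client); the `Rule` class is our own shape and only mirrors the EC2 API field names in its comments. It also shows the caveat behind the "allow the CIDR of your subnet" comment: that rule is sufficient only while the task sees the NLB node's private IP as the source, which is the case for health checks and for TCP listeners with IP targets when the target group attribute `preserve_client_ip.enabled` is false; with client IP preservation on, the task security group has to admit the real client addresses instead.

```python
"""Stateful SG vs stateless NACL for the flow in the question:
internet -> NLB (TCP 443 listener) -> Fargate task (IP target, tcp/8443).

Added example, not code from the original post. The CIDRs and IPs are
constructed: 10.0.0.0/24 and 10.0.1.0/24 stand in for the NLB's subnets,
203.0.113.7 for an internet client.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONTAINER_PORT = 8443                          # host/container port from the question
NLB_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]   # constructed NLB subnet CIDRs
EPHEMERAL = (1024, 65535)                      # source-port range NLB nodes/clients use


@dataclass(frozen=True)
class Rule:
    """One SG or NACL rule (our own shape; the EC2 API fields it mirrors are
    IpProtocol/FromPort/ToPort/CidrIp for SGs and RuleNumber/Egress/RuleAction/
    CidrBlock/PortRange for NACLs). Protocol is assumed to be tcp throughout."""
    cidr: str
    from_port: int
    to_port: int
    egress: bool = False   # NACLs have inbound and outbound rules; SG rules here are ingress
    action: str = "allow"  # NACLs can "deny"; SGs can only allow
    number: int = 0        # NACL rule number; lowest matching number wins


def _matches(rule: Rule, ip: str, port: int) -> bool:
    return ip_address(ip) in ip_network(rule.cidr) and rule.from_port <= port <= rule.to_port


def sg_allows(rules, src_ip: str, dst_port: int) -> bool:
    """Stateful: if any ingress rule admits the first packet, the reply is tracked
    and allowed automatically. No ephemeral-port rule is ever needed here."""
    return any(_matches(r, src_ip, dst_port) for r in rules if not r.egress)


def nacl_allows(rules, ip: str, port: int, egress: bool) -> bool:
    """Stateless: rules are evaluated in number order per direction, the first
    match decides, and an unmatched packet hits the implicit deny (rule '*')."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress == egress and _matches(r, ip, port):
            return r.action == "allow"
    return False


def nlb_to_task_flow(sg_rules, nacl_rules, src_ip: str, src_port: int):
    """Check both halves of one TCP connection to the task:
    SYN in  : src_ip:src_port -> task:8443  (SG ingress + NACL inbound)
    SYN-ACK : task:8443 -> src_ip:src_port  (NACL outbound only; the SG is stateful)
    Returns (ok, reasons). src_ip is the NLB node when client IP preservation is
    off (health checks always come from the node), else the real client."""
    reasons = []
    if not sg_allows(sg_rules, src_ip, CONTAINER_PORT):
        reasons.append(f"SG: no ingress rule admits {src_ip} -> tcp/{CONTAINER_PORT}")
    if not nacl_allows(nacl_rules, src_ip, CONTAINER_PORT, egress=False):
        reasons.append(f"NACL inbound: tcp/{CONTAINER_PORT} from {src_ip} denied")
    if not nacl_allows(nacl_rules, src_ip, src_port, egress=True):
        reasons.append(f"NACL outbound: reply to {src_ip}:{src_port} denied "
                       f"(need {EPHEMERAL[0]}-{EPHEMERAL[1]} outbound)")
    return not reasons, reasons


# Task security group: only the container port, only from where the NLB nodes live.
# Adding 80/8080/443 or 32768-61000 to the task SG widens exposure without fixing the flow.
SG_TASK = [Rule(cidr, CONTAINER_PORT, CONTAINER_PORT) for cidr in NLB_SUBNETS]

# Task-subnet NACL that mirrors the SG literally: inbound 8443 is fine, but the
# outbound rule also says 8443, so the SYN-ACK (to an ephemeral port) is dropped.
NACL_BROKEN = [
    Rule("0.0.0.0/0", CONTAINER_PORT, CONTAINER_PORT, egress=False, number=100),
    Rule("0.0.0.0/0", CONTAINER_PORT, CONTAINER_PORT, egress=True, number=100),
]

# Same NACL with the outbound rule widened to the ephemeral range.
NACL_FIXED = [
    Rule("0.0.0.0/0", CONTAINER_PORT, CONTAINER_PORT, egress=False, number=100),
    Rule("0.0.0.0/0", *EPHEMERAL, egress=True, number=100),
]

if __name__ == "__main__":
    nlb_node, client = "10.0.0.25", "203.0.113.7"   # constructed addresses
    for label, nacl, src in [("broken NACL", NACL_BROKEN, nlb_node),
                             ("fixed NACL", NACL_FIXED, nlb_node),
                             ("fixed NACL, client IP preserved", NACL_FIXED, client)]:
        ok, why = nlb_to_task_flow(SG_TASK, nacl, src, 51234)
        print(f"{label:32} -> {'PASS' if ok else 'FAIL'} {why}")
```

Run as a script it prints one line per scenario: the literal-mirror NACL fails only on the outbound reply, the widened NACL passes for traffic sourced from the NLB node, and the same configuration fails at the security group as soon as the source becomes a real client address. The practical check in the console is the same order: the task security group needs exactly tcp/8443 from whatever the task actually sees as the source (NLB subnets, or clients if preservation is on), and the task subnet's NACL needs inbound 8443 plus outbound 1024-65535, with nothing ephemeral on the security group.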