When deploying applications on AWS ECS Fargate, it's common to use an Application Load Balancer (ALB) as the entry point. One frequent requirement is terminating SSL/TLS at the ALB level while forwarding plain HTTP traffic to your Fargate containers.
Terminating SSL at the ALB offers several advantages:
- Reduces computational load on your containers
- Simplifies certificate management
- Allows for centralized SSL policy enforcement
- Enables features like ALB authentication
Here's how to set up SSL termination at ALB with HTTP forwarding to Fargate:
1. Create an HTTPS Listener
First, configure your ALB to accept HTTPS connections:
{
  "Listeners": [
    {
      "Protocol": "HTTPS",
      "Port": 443,
      "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
      "Certificates": [
        {
          "CertificateArn": "arn:aws:acm:region:account-id:certificate/cert-id"
        }
      ],
      "DefaultActions": [
        {
          "Type": "forward",
          "TargetGroupArn": "arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/id"
        }
      ]
    }
  ]
}
Set SslPolicy explicitly: if you omit it the listener falls back to the ALB default policy (ELBSecurityPolicy-2016-08), which still negotiates TLS 1.0 and 1.1.
2. Configure Target Group
Set up your target group to forward HTTP traffic to Fargate:
{
  "TargetGroups": [
    {
      "Name": "my-fargate-tg",
      "Protocol": "HTTP",
      "Port": 80,
      "VpcId": "YOUR_VPC_ID",
      "TargetType": "ip",
      "HealthCheckPath": "/health"
    }
  ]
}
TargetType must be "ip": Fargate tasks have no instance ID, so they register by task ENI address. The health check path must exist in your application and answer 200 over plain HTTP, because the health checker does not go through the HTTPS listener.
3. Update ECS Task Definition
Ensure your task definition is a Fargate task (awsvpc networking, FARGATE compatibility) and exposes port 80. With awsvpc networking, hostPort must either be omitted or equal containerPort:
{
  "family": "my-app",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "containerDefinitions": [
    {
      "name": "my-app",
      "image": "my-repo/my-app:latest",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ]
    }
  ]
}
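Steps 1 to 3 only work when the three documents agree with each other: the listener forwards to the right target group, the target group speaks HTTP to ip targets on a port a container actually exposes, and the task is a valid Fargate task. The following pre-deployment check is an added example (not code from the page or from AWS) that walks the three JSON documents and reports every mismatch; the sample listener, target group and task definition embedded in it are constructed to match the shapes above, with placeholder ARNs.

```python
"""Pre-deployment consistency check for the listener -> target group -> task definition chain.

This is an added example, not code from the original page or from AWS. It takes
the three JSON documents produced in the steps above and reports mismatches that
would otherwise show up only as failing health checks. The sample documents below
are constructed to match the shapes used on the page.
"""

# Constructed samples mirroring steps 1 to 3 (placeholders, not real ARNs).
LISTENER = {
    "Protocol": "HTTPS",
    "Port": 443,
    "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "Certificates": [{"CertificateArn": "arn:aws:acm:region:account-id:certificate/cert-id"}],
    "DefaultActions": [{
        "Type": "forward",
        "TargetGroupArn": "arn:aws:elasticloadbalancing:region:account-id:targetgroup/my-fargate-tg/id",
    }],
}
TARGET_GROUP = {"Name": "my-fargate-tg", "Protocol": "HTTP", "Port": 80,
                "TargetType": "ip", "HealthCheckPath": "/health"}
TASK_DEF = {
    "family": "my-app",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [{
        "name": "my-app", "image": "my-repo/my-app:latest", "essential": True,
        "portMappings": [{"containerPort": 80, "hostPort": 80, "protocol": "tcp"}],
    }],
}

# Policies that still negotiate TLS 1.0/1.1 (ELBSecurityPolicy-2016-08 is the ALB default).
WEAK_SSL_POLICY_PREFIXES = ("ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0", "ELBSecurityPolicy-TLS-1-1")


def check_stack(listener, target_group, task_def):
    """Return a list of findings; an empty list means the three documents agree."""
    findings = []

    # 1. Public listener: TLS terminated here, with a certificate and a modern policy.
    if listener.get("Protocol") != "HTTPS":
        findings.append("listener: protocol is %r, expected HTTPS" % listener.get("Protocol"))
    if not listener.get("Certificates"):
        findings.append("listener: no ACM certificate attached")
    policy = listener.get("SslPolicy")
    if policy is None or policy.startswith(WEAK_SSL_POLICY_PREFIXES):
        findings.append("listener: SslPolicy %r permits TLS 1.0/1.1; pin a TLS 1.2+ policy" % policy)
    tg_name = target_group.get("Name", "")
    forwards = [a for a in listener.get("DefaultActions", []) if a.get("Type") == "forward"]
    if not any(tg_name and "/%s/" % tg_name in a.get("TargetGroupArn", "") for a in forwards):
        findings.append("listener: default action does not forward to target group %r" % tg_name)

    # 2. Target group: plain HTTP to ip targets (Fargate tasks have no instance id to register).
    if target_group.get("Protocol") != "HTTP":
        findings.append("target group: protocol is %r, expected HTTP for the plaintext hop" % target_group.get("Protocol"))
    if target_group.get("TargetType") != "ip":
        findings.append("target group: TargetType must be 'ip' for Fargate, got %r" % target_group.get("TargetType"))
    if not target_group.get("HealthCheckPath"):
        findings.append("target group: no HealthCheckPath set; the default '/' may not exist in the app")

    # 3. Task definition: a Fargate task that actually exposes the target group's port.
    if task_def.get("networkMode") != "awsvpc":
        findings.append("task: networkMode must be 'awsvpc' on Fargate")
    if "FARGATE" not in task_def.get("requiresCompatibilities", []):
        findings.append("task: requiresCompatibilities must include FARGATE")
    tg_port = target_group.get("Port")
    exposed = False
    for container in task_def.get("containerDefinitions", []):
        for pm in container.get("portMappings", []):
            host_port = pm.get("hostPort")
            if host_port not in (None, pm.get("containerPort")):
                findings.append("task %s: hostPort %s != containerPort %s (awsvpc requires them equal or omitted)"
                                % (container.get("name"), host_port, pm.get("containerPort")))
            if pm.get("containerPort") == tg_port:
                exposed = True
    if not exposed:
        findings.append("task: no container exposes port %s, which the target group forwards to" % tg_port)
    return findings


if __name__ == "__main__":
    for finding in check_stack(LISTENER, TARGET_GROUP, TASK_DEF) or ["ok: listener, target group and task agree"]:
        print(finding)
```

Run it against the output of describe-listeners, describe-target-groups and describe-task-definition (each unwrapped to the single object) before deploying; the port mismatch it catches is the one that otherwise shows up as every target going unhealthy with no obvious cause.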
Terminating TLS at the ALB means the hop from the ALB to your tasks is plaintext HTTP inside the VPC. That is acceptable for many workloads, but harden the setup:
- Enable VPC Flow Logs to monitor traffic between the ALB and the tasks
- Restrict the task security group so port 80 is reachable only from the ALB's security group (reference the security group ID, not a CIDR)
- Pin the HTTPS listener to a modern SSL policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 instead of the default
- Consider AWS WAF on the ALB for additional protection
- Make the application proxy-aware: the ALB sets X-Forwarded-Proto to the scheme the client used, so base redirects and Secure cookie flags on that header rather than on the plaintext socket, and never redirect the health check path or the target will be marked unhealthy
If the internal hop itself must be encrypted, point the target group at HTTPS and terminate TLS in the container as well, at the cost of the advantages listed above.
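The application side of the caveat above, as an added example that is not code from the page: a minimal WSGI handler for a container behind the TLS-terminating ALB. It trusts X-Forwarded-Proto only on the assumption that the task security group admits port 80 solely from the ALB, answers the health check path over plain HTTP without redirecting, redirects everything else that arrived over HTTP, and sets HSTS and a Secure cookie based on the client's scheme rather than the socket's. The cookie value and the /health path are placeholders.

```python
"""Proxy-aware WSGI app for a container behind a TLS-terminating ALB.

Added example, not code from the page. The ALB sets X-Forwarded-Proto from the
listener the client used; this app trusts that header only because (assumption)
the task security group accepts port 80 solely from the ALB's security group.
"""
from wsgiref.simple_server import make_server  # stdlib; used only for the stand-alone demo

HEALTH_PATH = "/health"  # must match the target group's HealthCheckPath
HSTS = "max-age=31536000; includeSubDomains"


def handle(environ):
    """Return (status, headers, body) for one request.

    `environ` is a WSGI environ dict; the ALB's headers arrive as
    HTTP_X_FORWARDED_PROTO / HTTP_X_FORWARDED_PORT. The socket itself is
    always plain HTTP in this setup.
    """
    path = environ.get("PATH_INFO", "/")

    # The ALB health checker talks plain HTTP to the task. Never redirect it:
    # a 301 is not a 200, the target flips to unhealthy and stops receiving traffic.
    if path == HEALTH_PATH:
        return "200 OK", [("Content-Type", "text/plain")], b"ok\n"

    # Scheme the *client* used, as reported by the ALB (not the plaintext socket).
    client_scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http")).lower()
    if client_scheme != "https":
        # Defence in depth: redirect here too, in case the port-80 listener forwards instead of redirecting.
        host = environ.get("HTTP_HOST", "localhost")
        query = environ.get("QUERY_STRING", "")
        location = "https://%s%s%s" % (host, path, "?" + query if query else "")
        return "301 Moved Permanently", [("Location", location)], b""

    headers = [
        ("Content-Type", "text/plain"),
        ("Strict-Transport-Security", HSTS),
        # Secure: the browser will only send it back over HTTPS to the ALB.
        # The flag is decided from the client scheme, which is why X-Forwarded-Proto matters.
        ("Set-Cookie", "session=example; Path=/; Secure; HttpOnly; SameSite=Lax"),  # placeholder cookie
    ]
    return "200 OK", headers, b"hello via TLS-terminated ALB\n"


def app(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Listen on the port the task definition above maps (use a high port locally if 80 needs root).
    make_server("0.0.0.0", 80, app).serve_forever()
```

The same logic applies to any framework: enable its "trusted proxy" setting for the ALB and nothing else, and keep the health endpoint outside any HTTPS-only middleware.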
Common issues and how to check them:
# Inspect the load balancer and target group configuration (listener, protocol, port, health check path)
aws elbv2 describe-load-balancers --names my-alb
aws elbv2 describe-target-groups --names my-fargate-tg
# See which task IPs are registered and why any of them is unhealthy (Reason/Description per target)
aws elbv2 describe-target-health --target-group-arn YOUR_TG_ARN
# Verify the ECS service is attached to the target group (loadBalancers section of the output)
aws ecs describe-services --cluster my-cluster --services my-service
To improve performance and availability:
- Tune the target group deregistration delay (the ALB equivalent of connection draining) so deployments do not cut in-flight requests
- Set health check interval and thresholds so failed tasks are removed quickly without flapping on slow starts
- Enable ALB access logs so latency and 5xx problems can be traced per request
This setup involves three critical AWS components working together:
- Application Load Balancer (ALB) as the TLS termination point
- ECS Fargate running containerized applications
- Target Groups routing traffic between them
Here's how to properly configure the components:
1. ALB Listener Configuration
Create the HTTPS listener with an ACM certificate and an explicit TLS policy (the default policy still allows TLS 1.0/1.1):
aws elbv2 create-listener \
  --load-balancer-arn YOUR_ALB_ARN \
  --protocol HTTPS \
  --port 443 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --certificates CertificateArn=YOUR_ACM_ARN \
  --default-actions Type=forward,TargetGroupArn=YOUR_TG_ARN
2. Target Group Setup
Create a target group pointing to your Fargate containers:
aws elbv2 create-target-group \
  --name fargate-http \
  --protocol HTTP \
  --port 80 \
  --vpc-id YOUR_VPC_ID \
  --health-check-path /health \
  --target-type ip
3. ECS Task Definition
Ensure your container listens on port 80 and the task is declared for Fargate (awsvpc networking, where hostPort must equal containerPort or be omitted):
{
  "family": "my-app",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {
      "name": "my-app",
      "image": "my-ecr-repo/my-app:latest",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80,
          "protocol": "tcp"
        }
      ]
    }
  ]
}
Because the ALB-to-task hop is plaintext HTTP inside the VPC, consider these security enhancements:
- Enable VPC Flow Logs to monitor traffic
- Configure the task security group so inbound 80 is allowed only from the ALB's security group ID (ALB → Fargate and nothing else)
- Implement WAF rules on the ALB if the application handles any user input
If traffic isn't reaching your containers:
- Verify the ALB security group allows inbound 443 from your clients
- Check the task security group allows inbound 80 from the ALB's security group ID (a CIDR-based rule silently breaks when the ALB's node addresses change)
- Confirm target group health checks are passing; describe-target-health shows a Reason code for each unhealthy target
- Confirm the ECS service's loadBalancers configuration names the target group and container port 80, otherwise tasks are never registered
- Validate the task execution role can pull the image and write logs; a task that never starts never registers
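The second and third checks in that list are the ones most often misread by eye. The script below is an added example (not code from the page or from AWS) that takes the JSON returned by describe-target-health and describe-security-groups, lists unhealthy targets with their Reason codes, and verifies that the task security group admits the ALB's security group on the target group port rather than nothing or the whole internet. The two payloads embedded in it are constructed in the CLI's output shape, with placeholder security group IDs.

```python
"""Diagnose "traffic is not reaching the tasks" from two describe calls.

Added example, not code from the page or from AWS. It consumes the JSON that
"aws elbv2 describe-target-health" and "aws ec2 describe-security-groups" return
(the payloads below are constructed in those shapes, with placeholder ids) and
reports the two usual culprits: targets failing their health check, and a task
security group that does not admit the ALB's security group on the target port.
"""

ALB_SG = "sg-0a1b2c3d4e5f60001"   # constructed placeholder ids
TASK_SG = "sg-0a1b2c3d4e5f60002"

# Constructed: two registered tasks, one of which is failing its health check.
TARGET_HEALTH = {"TargetHealthDescriptions": [
    {"Target": {"Id": "10.0.1.10", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.2.20", "Port": 80},
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks",
                      "Description": "Health checks failed"}},
]}

# Constructed: the task security group with the rule this page recommends
# (port 80, source = the ALB's security group, not a CIDR).
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": TASK_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    ]},
]}


def unhealthy_targets(target_health):
    """[(ip, port, reason, description)] for every target whose state is not 'healthy'."""
    out = []
    for desc in target_health.get("TargetHealthDescriptions", []):
        state = desc.get("TargetHealth", {})
        if state.get("State") != "healthy":
            target = desc["Target"]
            out.append((target["Id"], target.get("Port"), state.get("Reason"), state.get("Description")))
    return out


def ingress_source(security_groups, group_id, port, alb_sg):
    """How `port` on group_id is reachable: 'alb' (from alb_sg), 'world' (0.0.0.0/0) or None."""
    result = None
    for sg in security_groups.get("SecurityGroups", []):
        if sg.get("GroupId") != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # "-1" (all traffic) carries no port range; tcp rules carry FromPort/ToPort.
            low, high = (0, 65535) if proto == "-1" else (perm.get("FromPort"), perm.get("ToPort"))
            if low is None or high is None or not (low <= port <= high):
                continue
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                return "world"  # reachable, but wide open: reported as its own finding
            if any(p.get("GroupId") == alb_sg for p in perm.get("UserIdGroupPairs", [])):
                result = "alb"
    return result


def diagnose(target_health, security_groups, task_sg, alb_sg, port=80):
    """Return findings explaining why traffic may not reach the tasks (empty list: nothing found)."""
    findings = []
    for ip, p, reason, description in unhealthy_targets(target_health):
        findings.append("target %s:%s unhealthy (%s: %s)" % (ip, p, reason, description))
    source = ingress_source(security_groups, task_sg, port, alb_sg)
    if source is None:
        findings.append("security group %s has no inbound tcp/%d rule from ALB group %s" % (task_sg, port, alb_sg))
    elif source == "world":
        findings.append("security group %s opens tcp/%d to 0.0.0.0/0; restrict it to ALB group %s" % (task_sg, port, alb_sg))
    return findings


if __name__ == "__main__":
    for line in diagnose(TARGET_HEALTH, SECURITY_GROUPS, TASK_SG, ALB_SG) or ["no problems found"]:
        print(line)
```

Feed it the real output with json.load on the two CLI results; a Target.Timeout reason with an otherwise correct security group usually means the container is not listening on the mapped port, while Target.ResponseCodeMismatch means the health path exists but answers something other than 200 (for example an HTTPS redirect).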
For more complex scenarios:
# Redirect HTTP to HTTPS on a port-80 listener. The #{host}, #{path} and #{query} placeholders
# keep the original request's host, path and query string; the braces need quoting for the CLI.
aws elbv2 create-listener \
  --load-balancer-arn YOUR_ALB_ARN \
  --protocol HTTP \
  --port 80 \
  --default-actions \
    Type=redirect,RedirectConfig="{Protocol=HTTPS,Port=443,Host='#{host}',Path='/#{path}',Query='#{query}',StatusCode=HTTP_301}"