Enable HTTPS on collector; ALB cannot target ECS

We set up the health check on Route 53 and it looks good. However, the health check on the target group shows that the hosts are unhealthy. It seems the connection between the ALB and ECS is broken.

Our collector config is as follows:

collector {
  # The collector runs as a web service specified on the following interface and port.
  interface = 0.0.0.0
  port = 8000

  # optional SSL/TLS configuration
  ssl {
    enable = true
    # whether to redirect HTTP to HTTPS
    redirect = true
    port = 9543
  }
}

The security group code snippets for the ALB and the target group in Terraform:

resource "aws_security_group" "lb" {
  name        = "${var.load_balancer_security_group_name}-${var.stage}"
  description = "controls access to the ALB"
  vpc_id      = var.vpc_id

  ingress {
    protocol    = "tcp"
    from_port   = var.ssl_port
    to_port     = var.ssl_port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = var.container_port
    to_port     = var.container_port
    security_groups = [aws_security_group.ecs_tasks.id]
  }
}

resource "aws_security_group" "ecs_tasks" {
  name        = "${var.ecs_tasks_security_group_name}-${var.stage}"
  description = "allow inbound access from the ALB only"
  vpc_id      = var.vpc_id
  
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}


resource "aws_security_group_rule" "ingress_for_ecs" {
  description = "This rule defines the ingress to ecs sg to avoid cyclic dependency."
  type              = "ingress"
  from_port         = var.container_port
  to_port           = var.container_port
  protocol          = "tcp"
  source_security_group_id = aws_security_group.lb.id
  security_group_id = aws_security_group.ecs_tasks.id
}

We are not sure what to choose as the container port while operating over HTTPS: 8000 or 9543?

In CloudWatch we also see the REST interface bound to both ports 8000 and 9543, as seen in the screenshot.

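An added consistency check for the port chain described in this post (example code, not the collector project's or AWS's): it models the two security groups from the Terraform above together with the collector's two listening ports, and reports where the target group port or protocol disagrees with them. The rule model, the function names and the assumption that the ALB health check expects a 200 are mine.

```python
"""Constructed check for the ALB -> ECS task path in this post.
Port numbers and security-group names come from the post; the rule model
and helper names are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    from_port: int
    to_port: int
    protocol: str = "tcp"
    peer_sg: Optional[str] = None   # set for SG-to-SG rules, None for CIDR rules

@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)
    egress: List[Rule] = field(default_factory=list)

def allows(rules: List[Rule], port: int, peer_sg: str) -> bool:
    """True if any rule admits TCP on `port` to/from `peer_sg`.
    Protocol "-1" means all ports, so its from/to values of 0 are ignored."""
    for r in rules:
        if r.peer_sg not in (None, peer_sg):
            continue
        if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= port <= r.to_port):
            return True
    return False

# What the collector config in the post listens on: plain HTTP on 8000 (which
# redirects to HTTPS because ssl.redirect = true) and TLS on 9543.
LISTENERS = {8000: "HTTP", 9543: "HTTPS"}

def build_groups(container_port: int, ssl_port: int = 443):
    """Mirror the Terraform in the post: ALB egress and ECS ingress share container_port."""
    lb = SecurityGroup("lb", ingress=[Rule(ssl_port, ssl_port)],
                       egress=[Rule(container_port, container_port, peer_sg="ecs_tasks")])
    ecs = SecurityGroup("ecs_tasks", ingress=[Rule(container_port, container_port, peer_sg="lb")],
                        egress=[Rule(0, 0, protocol="-1")])
    return lb, ecs

def check_path(lb, ecs, target_port: int, target_protocol: str, redirect_plain=True) -> List[str]:
    """Return findings explaining why ALB health checks to the task would fail."""
    findings = []
    if not allows(lb.egress, target_port, ecs.name):
        findings.append(f"ALB SG egress does not allow tcp/{target_port} to {ecs.name}")
    if not allows(ecs.ingress, target_port, lb.name):
        findings.append(f"ECS SG ingress does not allow tcp/{target_port} from {lb.name}")
    spoken = LISTENERS.get(target_port)
    if spoken is None:
        findings.append(f"collector does not listen on {target_port}")
    elif spoken != target_protocol:
        findings.append(f"target group uses {target_protocol} but port {target_port} speaks {spoken}")
    elif spoken == "HTTP" and redirect_plain:
        findings.append("plain port answers with a redirect to HTTPS; a health check expecting 200 sees a 3xx")
    return findings
```

Run `check_path(*build_groups(9543), 9543, "HTTPS")` for the TLS port, or the same with 8000 and "HTTP" to see the redirect finding.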