I have an ECS cluster and an Application Load Balancer. I have set up dynamic port mapping for Amazon ECS following AWS's docs.
The problem is that port 80 of my instance gets registered as a target in my target group, which always fails (and it will, because the container is exposed at the ephemeral port range 32768 - 65535):
Because of that, the Auto Scaling group that I have constantly spins up new EC2 instances and terminates existing ones.
Below is my Terraform config file that creates the ALB, listener and target group:
resource "aws_alb" "default" {
  name               = "${var.app_name}-${var.app_environment}-alb"
  load_balancer_type = "application"
  internal           = true
  subnets            = var.loadbalancer_subnets
  security_groups    = [aws_security_group.load_balancer_security_group.id]
}

resource "aws_lb_listener" "default" {
  load_balancer_arn = aws_alb.default.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.default.arn
  }
}

resource "aws_lb_target_group" "default" {
  name_prefix = "rushmo"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = var.vpc_id
  target_type = "instance"

  health_check {
    healthy_threshold   = "2"
    unhealthy_threshold = "5"
    interval            = "300"
    port                = "traffic-port"
    path                = "/"
    protocol            = "HTTP"
    matcher             = "200,301,302"
  }
}

resource "aws_autoscaling_group" "default" {
  name                      = "${var.app_name}-${var.app_environment}-ASG"
  desired_capacity          = 1
  health_check_type         = "ELB"
  health_check_grace_period = 600 # 10 min
  launch_configuration      = aws_launch_configuration.default.name
  max_size                  = 1
  min_size                  = 1
  target_group_arns         = [aws_lb_target_group.default.arn]
  termination_policies      = ["OldestInstance"]
  vpc_zone_identifier       = var.application_subnets
  protect_from_scale_in     = true
}
Note: If I manually deregister the target on port 80 from the target group, the problem with the constant termination and launching of new instances is solved, but I don't understand what I have done wrong and why this port 80 shows up as a registered target and not only the ephemeral port range.
I think the issue is due to:
health_check_type = "ELB"
This makes the ASG use the ALB's health checks on port 80 of your instances. However, since you are using ECS, the health checks should only be used for your containers, not the instances themselves. Thus it should be:
health_check_type = "EC2"
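The following is an added example, not code from the question or the answer, showing how the ECS side of dynamic port mapping fits together with the answer's `health_check_type = "EC2"` change. Two things are worth seeing in one place: the ASG keeps its instance health on EC2 status checks, and the target group is attached to the ECS service rather than to the ASG. Attaching a target group to an ASG through `target_group_arns` registers every instance on the target group's own port (80 here), which is the port-80 target the question describes; with dynamic port mapping the ECS service registers and deregisters each task's `instance:hostPort` pair itself. Resource names such as `aws_ecs_cluster.default`, `aws_security_group.ecs_instances`, the container name `web` and the image are assumptions for this example; `aws_lb_target_group.default`, `aws_lb_listener.default`, `aws_launch_configuration.default` and `aws_security_group.load_balancer_security_group` are taken from the question's config.

```hcl
# Added example; assumed resource names are marked inline.

resource "aws_autoscaling_group" "default" {
  name                  = "${var.app_name}-${var.app_environment}-ASG"
  desired_capacity      = 1
  max_size              = 1
  min_size              = 1
  launch_configuration  = aws_launch_configuration.default.name
  vpc_zone_identifier   = var.application_subnets
  termination_policies  = ["OldestInstance"]
  protect_from_scale_in = true

  # As in the answer: instance health comes from EC2 status checks, so a
  # failing ALB health check on a container never causes instance replacement.
  health_check_type         = "EC2"
  health_check_grace_period = 600 # 10 min

  # Deliberately no target_group_arns: that attachment would register each
  # instance on the target group's port (80). The ECS service below registers
  # the containers' dynamically assigned host ports instead.
}

# hostPort = 0 makes ECS pick a port from the instance's ephemeral range
# (32768-65535 in the question) for every task it places.
resource "aws_ecs_task_definition" "default" {
  family                   = "${var.app_name}-${var.app_environment}"
  network_mode             = "bridge"
  requires_compatibilities = ["EC2"]
  container_definitions = jsonencode([
    {
      name      = "web"                        # assumed container name
      image     = "example.invalid/web:latest" # placeholder image
      memory    = 256
      essential = true
      portMappings = [
        {
          containerPort = 80
          hostPort      = 0
          protocol      = "tcp"
        }
      ]
    }
  ])
}

# The service owns the target registrations: each running task is added as
# <instance-id>:<hostPort> and removed when the task stops, so only ephemeral
# ports ever appear in the target group.
resource "aws_ecs_service" "default" {
  name            = "${var.app_name}-${var.app_environment}"
  cluster         = aws_ecs_cluster.default.id # assumed cluster resource
  task_definition = aws_ecs_task_definition.default.arn
  desired_count   = 1
  launch_type     = "EC2"

  load_balancer {
    target_group_arn = aws_lb_target_group.default.arn
    container_name   = "web"
    container_port   = 80
  }

  # The listener must exist before ECS can register targets.
  depends_on = [aws_lb_listener.default]
}

# Instance ingress: only the ALB's security group may reach the ephemeral
# range. Nothing is opened on port 80 and nothing is opened to the internet.
resource "aws_security_group_rule" "alb_to_instances" {
  type                     = "ingress"
  from_port                = 32768
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = aws_security_group.ecs_instances.id # assumed instance SG
  source_security_group_id = aws_security_group.load_balancer_security_group.id
}
```

After `terraform apply`, the target group should list only `instance:ephemeral-port` targets. Removing `target_group_arns` from the ASG makes Terraform detach the target group, which deregisters the port-80 instance target that the question's config created, so the one-off manual deregistration from the note is no longer needed. The security group rule is scoped to the ALB's security group because a target group on the ephemeral range is easy to over-expose; allowing that range from `0.0.0.0/0` would put every container's host port directly on the network.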