我有一个ECS Fargate集群,该集群用于与NLB的API Gateway VPC链接集成。我们已经切换到仅将域解析为ALB的DNS名称,并在TLS处终止了ALB。然后,它将流量通过http/8080路由到群集。自从此切换以来,任务一直在运行状况检查中失败。使用8080/tcp将运行状况检查设置为NLB时,它可以正常工作。使用ALB,运行状况检查为8080/http,现在它失败了。连接到群集的安全组允许来自ALB的流量超过8080。此外,我可以点击负载平衡器的DNS名称并获得预期的响应。因此,我知道它们实际上已经启动并运行并且运行良好。但是随后,它仍然无法通过运行状况检查,从而使任务被耗尽……这非常令人沮丧。我在下面粘贴了我的设置。
ECS Security Group:
resource "aws_security_group" "ecs_tasks" {
name = "ecs-tasks"
description = "allow inbound access from the ALB only"
vpc_id = "${module.vpc.vpc_id}"
ingress {
protocol = "TCP"
from_port = 8080
to_port = 8080
security_groups = ["${aws_security_group.lb_sg.id}"]
}
egress {
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
ALB, Listener, and Target Group:
resource "aws_lb" "api_lb" {
name = "api-lb"
internal = false
load_balancer_type = "application"
security_groups = ["${aws_security_group.lb_sg.id}"]
subnets = ["${module.vpc.public_subnets}"]
enable_deletion_protection = false
tags = {
Environment = "dev/demo"
}
}
resource "aws_lb_listener" "api_listener" {
load_balancer_arn = "${aws_lb.api_lb.id}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = "arn:aws:acm:us-east-1:12345678910:certificate/xxxxxx-yyyy-zzzz-aaa-bbbbbbb"
default_action {
target_group_arn = "${aws_lb_target_group.api_tg.id}"
type = "forward"
}
}
resource "aws_lb_target_group" "api_tg" {
name = "api-tg"
port = 8080
protocol = "HTTP"
target_type = "ip"
vpc_id = "${module.vpc.vpc_id}"
stickiness{
enabled = false
type = "lb_cookie"
}
health_check{
interval = 120
timeout = 90
port = 8080
protocol = "HTTP"
healthy_threshold = 2
unhealthy_threshold = 2
}
}
Task Definition:
[
{
"name": "myGOapi",
"image": "12345678910.dkr.ecr.us-east-1.amazonaws.com/myapi:1.0",
"cpu": 512,
"memory": 1024,
"essential": true,
"portMappings": [
{
"hostPort": 8080,
"containerPort": 8080
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "myapi",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "api"
}
}
}
]