
I'm setting up an AWS ECS/Fargate cluster/service/task with a load balancer for the first time.

I believe the task is good since I can go to the task's (public) IP directly in a browser and see the application.

I set up an application load balancer whose default listener is forwarding to my target group, and my target group shows one healthy registered target that has the private IP address of my task.

However, when I go to the DNS name of my load balancer (xxxxx.region.elb.amazonaws.com), it eventually times out with a "This site can't be reached" message. I even did a reverse DNS lookup of the load balancer and tried those IP addresses directly with the same result.

Everything is on port 80 and all the inbound (and outbound) rules I can find allow port 80 traffic from anywhere.

What am I missing or what should I check? Thanks!

1 Answer


I think I found the issue. The security group for my load balancer was "default VPC security group". When I looked at the inbound rules for the security group, it had one entry: all traffic, all protocols, all port ranges, but when I scrolled all the way over to the right, the source listed was itself? "sg-xxxxxxx / default"

I have no idea how it was set that way or what it means, but when I added two new inbound rules for HTTP, protocol TCP, port 80, 0.0.0.0/0 and ::/0, it started working.

  • I prefer not to use default security groups or VPCs, because defaults are often wide open - except in this case. IMHO you'd be better off removing all rules for the default security group and defining a new SG for each resource. Then you define inter-security group rules on the ports / protocols required.
    – Tim
    Commented Apr 16, 2022 at 20:24
  • Will do, thanks. Just trying to get it to work before I tighten things up!
    – ScottyB
    Commented Apr 16, 2022 at 20:28
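The answer's root cause (an allow-all rule whose only source is the group itself, which admits other members of that group but not the internet) and Tim's suggested layout (a dedicated security group per resource, with the task group admitting traffic only from the load balancer's group) can both be checked and expressed mechanically. The script below is an added example and is not code from the question, the answer or AWS; it works on dicts in the same shape that boto3's `ec2.describe_security_groups()` returns under `SecurityGroups[].IpPermissions`, so the same functions can be run over real output. The sample group data is constructed to reproduce the state described in the answer, and the IDs `sg-alb-EXAMPLE` and `sg-task-EXAMPLE` are placeholders, not real groups.

```python
import copy

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample reproducing the state the answer describes: the "default"
# group has one allow-all rule whose only source is the group itself, so the
# ALB accepts traffic from other members of that group and from nobody else.
DEFAULT_SG_AS_FOUND = {
    "GroupId": "sg-xxxxxxx",
    "GroupName": "default",
    "IpPermissions": [
        {
            "IpProtocol": "-1",  # all protocols, all ports
            "IpRanges": [],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-xxxxxxx"}],
        }
    ],
}


def _rule_covers_port(rule, port, proto="tcp"):
    """True if one IpPermissions entry includes `port` for `proto`."""
    ip_proto = rule.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def internet_sources_for_port(sg, port=80):
    """Any-address CIDRs (IPv4 and/or IPv6) that may reach `port` on `sg`."""
    found = set()
    for rule in sg.get("IpPermissions", []):
        if not _rule_covers_port(rule, port):
            continue
        found.update(r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_V4)
        found.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6)
    return found


def group_sources_for_port(sg, port=80):
    """Security-group IDs allowed to reach `port` on `sg` (source = another SG)."""
    found = set()
    for rule in sg.get("IpPermissions", []):
        if _rule_covers_port(rule, port):
            found.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []) if "GroupId" in p)
    return found


def diagnose_alb_sg(sg, port=80):
    """Reasons an internet client would time out against an ALB that uses `sg`."""
    findings = []
    open_to = internet_sources_for_port(sg, port)
    if ANY_V4 not in open_to:
        findings.append(f"no rule allows tcp/{port} from {ANY_V4}")
    if ANY_V6 not in open_to:
        findings.append(f"no rule allows tcp/{port} from {ANY_V6}")
    if findings and sg["GroupId"] in group_sources_for_port(sg, port):
        findings.append("the only source for that port is the group itself; "
                        "such a rule admits other members of the group, not the internet")
    return findings


def quick_fix_rules(port=80):
    """IpPermissions equivalent to the two rules the answer added on the ALB's SG."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": ANY_V4, "Description": "HTTP from anywhere (IPv4)"}],
        "Ipv6Ranges": [{"CidrIpv6": ANY_V6, "Description": "HTTP from anywhere (IPv6)"}],
    }]


def task_sg_rules(alb_sg_id, port=80):
    """Dedicated task SG, per the comment thread: admit `port` only from the ALB's SG."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": alb_sg_id, "Description": "only from the ALB"}],
    }]


def apply_ingress(sg, permissions):
    """Copy of `sg` with `permissions` appended, as authorize_security_group_ingress would do."""
    updated = copy.deepcopy(sg)
    updated["IpPermissions"].extend(copy.deepcopy(permissions))
    return updated


if __name__ == "__main__":
    for msg in diagnose_alb_sg(DEFAULT_SG_AS_FOUND):
        print("ALB SG problem:", msg)
    fixed = apply_ingress(DEFAULT_SG_AS_FOUND, quick_fix_rules())
    print("after quick fix, reachable from:", sorted(internet_sources_for_port(fixed)))
    # Placeholder IDs for the dedicated-SG layout; not real groups.
    task_sg = {"GroupId": "sg-task-EXAMPLE", "GroupName": "ecs-task",
               "IpPermissions": task_sg_rules("sg-alb-EXAMPLE")}
    print("task SG internet sources:", internet_sources_for_port(task_sg) or "none")
    print("task SG group sources:", group_sources_for_port(task_sg))
```

Run against the constructed default group, `diagnose_alb_sg` reports that nothing admits tcp/80 from 0.0.0.0/0 or ::/0 and that the sole source is the group itself, which is exactly the symptom in the question (healthy target, timeouts from the internet). The rule lists returned by `quick_fix_rules` and `task_sg_rules` are in the form boto3's `authorize_security_group_ingress(GroupId=..., IpPermissions=...)` accepts; with the dedicated layout the task group has no internet-facing rule at all, so the only path to the container is through the load balancer.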

