No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I followed the same route as you. Although, I use host-based routing so I only need a single ALB (not sure how NLB works)

How does connecting multiple services to single load-balancer work, and handling the proper routing?

If you running multiple services behind say *.<http://test.com|test.com> or *.<http://app.test.com|app.test.com> your certificate would be for *.<http://test.com|test.com> and a SAN *.<http://app.test.com|app.test.com>

or if your running multiple domains you need a cert for each domain. *.<http://test.com|test.com>, *.<http://staging.com|staging.com> etc.

Ahh okay makes sense <@U011HRS1HTQ>, thank you.
So in this scenario, if I had two services, let's say `api` and `frontend`, and two environments, `staging` and `production`.
I would create one Application Load Balancer (not NLB), and in Pulumi I would attach them all to this single ALB.

And then in my Pulumi handler, I could do something like:
```type StackEnvironment = "staging" | "production"
const stack = pulumi.getStack() as StackEnvironment

const config = new pulumi.Config()
const domain = config.require("domain") // IE: <http://mysite.com|mysite.com>

// Create certificate for "<http://mysite.com|mysite.com>" with "subjectAlternativeNames: ['*.${domain}']"
// Create ALB here for "<http://mysite.com|mysite.com>"

// Create Fargate API service attached to ALB with Route53 Domain at "api.${stack}.${domain}"
// Create Fargate Frontend service attached to ALB with Route53 Domain at "frontend.${stack}.${domain}"```

And this would handle attaching `<http://api.staging.mysite.com|api.staging.mysite.com>` and `<http://api.production.mysite.com|api.production.mysite.com>` etc all to the same ALB + single Certificate right? Based on Pulumi stack

When creating your ACM certificates that would attach on the Listener you would have 2 ACM Certificate Resources. But you would have a Request for each, an approval Email DNS, CNAME Route53 Record,, an SSL Attachment to the ALB, a new route to a new target group, and a new A Record in Route53 for your app pointed to your ALB DNS name.

Holy smokes. Appreciate the response a ton but I think I need to study DevOps a bit more to interpret that answer haha.
:pray:

<@URQ291HT2>, here's some pseudo-code to show what I have done. I'm pretty new to this stuff, so please don't trust this completely.
```const alb = new awsx.lb.ApplicationLoadBalancer(...)
const listener = alb.createListener(...) // one listener for my case
const cert = new aws.alb.ListenerCertificate(...) // repeat for each domain, or you could use a single wildcard
const targetGroup = alb.createTargetGroup(...) // repeat for each domain
const listenerRule = listener.addListenerRule(...) // repeat for each domain
const service = new awsx.ecs.FargateService(...) // repeat for each host, use loadBalancers to register service with targetGroup```