# typescript
I have created an ALB with awsx and a listener which listens on port 443. When the LB is created it creates a security group, and then the listener creation attaches ingress and egress rules to port 443 from anywhere. I then attach a listener rule to a target group and the target group to an `ecs.FargateService`. The problem I'm having is that the ingress/egress only create a rule for 443 and don't create one which allows the LB to talk to the instances for the health check, and then they end up in a perpetual up/down cycle. I can prove this works by adding an
`80 tcp 0.0.0.0/0`
outbound rule to the created group in the console to test. As soon as I create this it works, but it also then allows HTTP traffic to my container, which I don't want. I just need HTTPS externally. What's the best way to make this work? I've added my own security group with an egress rule with
`80 tcp 0.0.0.0/0`
for now, which makes my health checks pass, and attached it to the LB. However, like I said, this makes HTTP work even though I haven't got an HTTP listener on my load balancer, so I'm not entirely sure why I can get to the container on port 80 as soon as I add this? Must have been the browser cache or some delay updating. It's no longer letting me get to port 80 externally. Not really sure what the best way to fix this is. Any help would be appreciated.
In case anyone finds this when searching, this is what I've done for now and it works:
```typescript
import * as awsx from "@pulumi/awsx";

// Assumption added for completeness (not in the original post): the VPC the
// load balancer lives in. Replace with your own Vpc resource if you have one.
const vpc = awsx.ec2.Vpc.getDefault();

// Open egress traffic from our targets to your load balancer (for health checks).
// Note: protocol '-1' with ports 0-0 is "all protocols, all ports", so this allows
// every outbound connection from the load balancer, not only the health check port.
const sg = new awsx.ec2.SecurityGroup('web-sg', {
  vpc,
  egress: [
    { protocol: '-1', fromPort: 0, toPort: 0, cidrBlocks: ['0.0.0.0/0'] },
  ],
});

export const alb = new awsx.lb.ApplicationLoadBalancer('web-services-lb', {
  vpc,
  securityGroups: [sg],
});
```
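The workaround above opens all egress from the load balancer's group. The tighter shape the thread is reaching for is: the ALB group allows ingress on 443 from anywhere and egress only on the task port, and the task group allows ingress on that port only from the ALB group (by security-group reference rather than CIDR). The following is an added example, not code from the thread or from Pulumi/awsx: a small plain-TypeScript model of security-group semantics (stateful, egress on the source side AND ingress on the destination side must both match) used to check that such a rule set still lets the health check through while port 80 is unreachable from the Internet. Group ids (`sg-alb`, `sg-task`), IPs, and ports are constructed; it does not talk to AWS.

```typescript
// Added example (not from the thread): model of EC2 security group evaluation
// applied to a least-privilege ALB -> Fargate rule set. All ids/IPs are constructed.

type Peer = { cidr: string } | { sg: string };

interface Rule {
  protocol: "tcp" | "udp" | "-1"; // "-1" means all protocols and all ports, as in AWS
  fromPort: number;
  toPort: number;
  peer: Peer;                     // a CIDR block, or a referenced security group id
}

interface SecurityGroup { id: string; ingress: Rule[]; egress: Rule[] }

// An endpoint is an address plus the groups attached to it. An endpoint with no
// groups (an Internet client) has no security group evaluated on its side.
interface Endpoint { ip: string; sgs: SecurityGroup[] }

// IPv4 dotted quad -> int32 (sign does not matter; we only compare masked values).
function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) | Number(octet), 0);
}

function cidrContains(cidr: string, ip: string): boolean {
  const [base, prefix] = cidr.split("/");
  const bits = prefix === undefined ? 32 : Number(prefix);
  if (bits === 0) return true;            // 0.0.0.0/0 matches every address
  const mask = ~0 << (32 - bits);         // int32 mask with `bits` leading ones
  return (ipToInt(base) & mask) === (ipToInt(ip) & mask);
}

function ruleMatches(rule: Rule, proto: "tcp" | "udp", port: number,
                     peerIp: string, peerSgIds: string[]): boolean {
  const protoOk = rule.protocol === "-1" || rule.protocol === proto;
  const portOk = rule.protocol === "-1" || (port >= rule.fromPort && port <= rule.toPort);
  const peerOk = "sg" in rule.peer
    ? peerSgIds.includes(rule.peer.sg)    // group reference: matches members of that group
    : cidrContains(rule.peer.cidr, peerIp);
  return protoOk && portOk && peerOk;
}

// A flow is allowed only if the source's groups permit it outbound AND the
// destination's groups permit it inbound. Groups are stateful: replies need no rule.
function flowAllowed(src: Endpoint, dst: Endpoint, proto: "tcp" | "udp", port: number): boolean {
  const srcIds = src.sgs.map(g => g.id);
  const dstIds = dst.sgs.map(g => g.id);
  const egressOk = src.sgs.length === 0 ||
    src.sgs.some(g => g.egress.some(r => ruleMatches(r, proto, port, dst.ip, dstIds)));
  const ingressOk = dst.sgs.length === 0 ||
    dst.sgs.some(g => g.ingress.some(r => ruleMatches(r, proto, port, src.ip, srcIds)));
  return egressOk && ingressOk;
}

// Least-privilege rule set: the ALB only talks to the task group on the task port.
const albSg: SecurityGroup = {
  id: "sg-alb",
  ingress: [{ protocol: "tcp", fromPort: 443, toPort: 443, peer: { cidr: "0.0.0.0/0" } }],
  egress:  [{ protocol: "tcp", fromPort: 80,  toPort: 80,  peer: { sg: "sg-task" } }],
};

// The task group admits the container port only from the ALB group, not from any CIDR.
const taskSg: SecurityGroup = {
  id: "sg-task",
  ingress: [{ protocol: "tcp", fromPort: 80, toPort: 80, peer: { sg: "sg-alb" } }],
  egress:  [{ protocol: "-1",  fromPort: 0,  toPort: 0,  peer: { cidr: "0.0.0.0/0" } }], // image pulls, logs
};

const alb: Endpoint    = { ip: "10.0.1.5",     sgs: [albSg] };
const task: Endpoint   = { ip: "10.0.2.17",    sgs: [taskSg] };
const client: Endpoint = { ip: "203.0.113.10", sgs: [] };   // Internet client (TEST-NET-3)

// Evaluate the flows that matter for the thread's question.
function checkRuleSet(): Record<string, boolean> {
  return {
    clientToAlbHttps: flowAllowed(client, alb, "tcp", 443), // true: public HTTPS
    albHealthCheck:   flowAllowed(alb, task, "tcp", 80),    // true: health check + forwarding
    clientToTaskHttp: flowAllowed(client, task, "tcp", 80), // false: port 80 not public
    clientToAlbHttp:  flowAllowed(client, alb, "tcp", 80),  // false: no HTTP listener exposed
    albToTaskSsh:     flowAllowed(alb, task, "tcp", 22),    // false: ALB egress is port 80 only
  };
}

console.log(checkRuleSet());
```

In Pulumi the group reference corresponds to the `securityGroups` field of an `aws.ec2.SecurityGroup` ingress/egress rule (or `sourceSecurityGroupId` on `aws.ec2.SecurityGroupRule`) in place of `cidrBlocks`; the health check and forwarded traffic then both ride the single ALB-to-task-port rule, and nothing external can reach the task port directly.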