
Specify container port protocol for ApplicationLoadBalancedFargateService #7266

jdavisp3 opened this issue Apr 8, 2020 · 13 comments
Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library feature-request A feature should be added or improved. in-progress This issue is being actively worked on. p2

Comments

@jdavisp3

jdavisp3 commented Apr 8, 2020

Specify target group protocol when creating an application load balanced service.

Use Case

To use the ECS Pattern for a LoadBalancedFargateService when the container serves HTTPS.

Proposed Solution

Make the target protocol an option in the constructor.


This is a 🚀 Feature Request

@jdavisp3 jdavisp3 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2020
@SomayaB SomayaB added the @aws-cdk/aws-ecs-patterns Related to ecs-patterns library label Apr 9, 2020
@bvtujo bvtujo assigned bvtujo and unassigned uttarasridhar Apr 14, 2020
@bvtujo bvtujo added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 14, 2020
@bvtujo
Contributor

bvtujo commented Apr 15, 2020

Hi jdavisp3, just to be clear, are you describing the situation where you need the routing capabilities of the ALB, but need a new HTTPS connection to be originated at the load balancer and routed to your container targets?

@jdavisp3
Author

> Hi jdavisp3, just to be clear, are you describing the situation where you need the routing capabilities of the ALB, but need a new HTTPS connection to be originated at the load balancer and routed to your container targets?

That's exactly right.

@bvtujo
Contributor

bvtujo commented Apr 15, 2020

Thanks for the reply! This fix seems pretty quick at the moment, so barring any unexpected complications we should have this out as an optional parameter shortly.

@jdavisp3
Author

> Thanks for the reply! This fix seems pretty quick at the moment, so barring any unexpected complications we should have this out as an optional parameter shortly.

Awesome! I was able to convince the current version to do this, but I had to add a lot of extra code so having this as an optional parameter will be 👌

@bvtujo
Contributor

bvtujo commented Apr 15, 2020

Would you be able to share any (anonymized, of course) snippets of what you did to coerce the current implementation to behave properly? It would help us understand some of the ways our customers are innovating using the CDK to meet their own needs.

@jdavisp3
Author

Sure, so first I added two port mappings to the container:

```python
from aws_cdk import aws_ecs as ecs

container.add_port_mappings(
    ecs.PortMapping(
        container_port=8000,
        # PortMapping takes the transport protocol (ecs.Protocol); the
        # ELBv2 application protocol is chosen on the target group instead.
        protocol=ecs.Protocol.TCP,
    )
)
```

Making sure HTTPS came after 80 (I don't need 80 but that's the one that the construct will use so I can configure HTTPS myself).

Then after creating the whole service I did this:

```python
from aws_cdk import aws_ecs as ecs, aws_elasticloadbalancingv2 as elasticloadbalancingv2

# Re-point the health check of the port-80 target group (which the construct
# creates but we never use) at the HTTPS port, so that target stays healthy.
# HealthCheck.protocol is elasticloadbalancingv2.Protocol, not ApplicationProtocol.
load_balanced_service.target_group.configure_health_check(
    path="/health", port="8000", protocol=elasticloadbalancingv2.Protocol.HTTPS
)

fargate_service = load_balanced_service.service

# Second, HTTPS listener on the load balancer the construct created;
# `certificate` is an ACM certificate defined elsewhere in the stack.
listener = load_balanced_service.load_balancer.add_listener(
    "https-listener",
    certificates=[certificate],
    protocol=elasticloadbalancingv2.ApplicationProtocol.HTTPS,
)

# The service's HTTPS container port, registered as a load balancer target.
# LoadBalancerTargetOptions.protocol is the transport protocol (ecs.Protocol).
target = fargate_service.load_balancer_target(
    container_name="app-container",
    container_port=8000,
    protocol=ecs.Protocol.TCP,
)

# Target group that speaks HTTPS to the container, which is the point of this issue.
target_group = listener.add_targets(
    "target-group",
    protocol=elasticloadbalancingv2.ApplicationProtocol.HTTPS,
    targets=[target],
)

target_group.configure_health_check(
    path="/health", protocol=elasticloadbalancingv2.Protocol.HTTPS
)
```

@bvtujo
Contributor

bvtujo commented May 5, 2020

Related #6428

@jdavisp3
Author

jdavisp3 commented May 5, 2020

To shed some additional light on the question of "why do you need HTTPS if it's inside your VPC", I would mention the HIPAA guidelines of "encrypt at rest, encrypt in transit". Not to suggest that the networking inside AWS isn't rock-solid already, but in general it's easier to satisfy regulatory requirements by following them even when it's not strictly technically necessary.
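As an added example (not code from this issue or from the CDK project), a small offline check over a synthesized CloudFormation template that flags any hop still carrying traffic in the clear: the ALB-to-task hop this issue is about, the health-check probe, and the client-facing listener. The template it runs on is a hand-constructed stand-in for `cdk synth` output with made-up logical IDs.

```python
import json

# Constructed stand-in for `cdk synth` output; logical IDs and values are made up.
TEMPLATE = json.dumps({"Resources": {
    "ServiceTG80": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                    "Properties": {"Port": 80, "Protocol": "HTTP", "TargetType": "ip"}},
    "ServiceTG8000": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                      "Properties": {"Port": 8000, "Protocol": "HTTPS", "TargetType": "ip",
                                     "HealthCheckPath": "/health",
                                     "HealthCheckProtocol": "HTTPS"}},
    "Listener443": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
                    "Properties": {"Port": 443, "Protocol": "HTTPS"}},
    "Listener80": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
                   "Properties": {"Port": 80, "Protocol": "HTTP",
                                  "DefaultActions": [{"Type": "redirect"}]}},
}})
TG_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup"
LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"


def find_plaintext_hops(template_json: str) -> list:
    """Return findings for every hop that carries traffic in the clear.

    Two hops are checked: client -> listener and ALB -> target; the second is
    the one this issue is about. The health-check protocol is checked too, since
    an HTTP probe against an HTTPS-only container leaves the target group
    unhealthy (why the workaround re-points the port-80 group's check at 8000).
    """
    findings = []
    resources = json.loads(template_json).get("Resources", {})
    for logical_id, res in sorted(resources.items()):
        props = res.get("Properties", {})
        if res.get("Type") == TG_TYPE:
            # Treat a missing Protocol as HTTP, the conservative reading.
            if props.get("Protocol", "HTTP") != "HTTPS":
                findings.append(f"{logical_id}: forwards to tasks over HTTP")
            # For ALB target groups the health-check protocol defaults to HTTP.
            if props.get("HealthCheckProtocol", "HTTP") != "HTTPS":
                findings.append(f"{logical_id}: health check probes tasks over HTTP")
        elif res.get("Type") == LISTENER_TYPE and props.get("Protocol") != "HTTPS":
            # An HTTP listener that only redirects clients to HTTPS is acceptable.
            actions = props.get("DefaultActions", [])
            if not (actions and all(a.get("Type") == "redirect" for a in actions)):
                findings.append(f"{logical_id}: accepts client traffic over HTTP")
    return findings


if __name__ == "__main__":
    print("\n".join(find_plaintext_hops(TEMPLATE)) or "no plaintext hops found")
```

On the constructed template only the port-80 target group the pattern creates by default is reported, on both its forwarding and health-check protocol.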


@SomayaB SomayaB removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Nov 2, 2020
@justin-ad

justin-ad commented Nov 20, 2020

@SomayaB I have the same requirement as @jdavisp3. Building systems that fall under the HIPAA guidelines for handling of PHI. Unless AWS can provide guidance/documentation indicating that traffic within a VPC is protected in accordance with HIPAA guidelines (something authoritative that I can show an auditor), I'm required to ensure end-to-end encryption.

@justin-ad

Related #7989

@hoegertn
Contributor

Also #11381

@bvtujo
Contributor

bvtujo commented Nov 23, 2020

This is resolved as of merge of #11381

@bvtujo bvtujo closed this as completed Nov 23, 2020
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
