[ecs-patterns] - HTTPS between NLB and fargate service when using NetworkLoadBalancedFargateService #8517
Comments
Related: #6988
Closing as duplicate of #6263. Feel free to re-open if you have further questions!
Please reopen. I looked at both linked issues and they don't describe the feature mentioned here. Both are about the TLS listener on the NLB. We have already set that up and it is working. This feature request is about the traffic between the NLB and the target group, and a separate CFN property.
Hi, I am facing the below issue when trying to create an NLB using CDK (NetworkLoadBalancedFargateService) with listeners on port 22 and 443 (TCP and TLS) with the certificates attached to it. I am creating the certificate and NLB in the same construct. How do I create a certificate and attach it to the NLB in CDK for the TLS (443) port?
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
This is still a feature that would benefit us.
Same here, this is actually linked to the base NLB creation. We just need some way to specify listener configurations.
@MrArnoldPalmer Why was this medium? Curious, because if you expose the Network Listener creation props as an input to the NLB Base, then it would be a matter of just keeping defaults.
Hi community, I am working on this issue. I got some idea on the fix.
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.
…30611)

### Issue # (if applicable)
Closes #8517

### Reason for this change
NLB supports the TLS protocol in the listener and target group. This change provides feature parity in ECS patterns, allowing customers to enhance security with encrypted traffic between the NLB and services.

### Description of changes
- Add `listenerCertificate` to `NetworkLoadBalancedServiceBaseProps`, default value is `none`
- Change the default value of `listenerPort` and `taskImageOptions.containerPort` to 443, if `listenerCertificate` is provided.

### Description of how you validated changes
- Added both unit test and integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see.
Hello,
Please add a switch to use TLS target group protocol when using NetworkLoadBalancedFargateService.
Best regards
~ Sascha
Use Case
We are using the NetworkLoadBalancedFargateService construct with an ACM certificate and an additional listener for HTTPS traffic (terminating HTTPS on the NLB); that part is working well.
However, as per internal requirements the traffic between the NLB and the service needs to be secured with TLS as well (we would like to re-encrypt on the NLB so that the service does not need to know about our certificate). We already have our service serving SSL with a self-signed certificate.
Proposed Solution
A switch or something in NetworkLoadBalancedFargateService construct to set the target group protocol to TLS, not TCP:
CFN property: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-protocol
Other
This is a 🚀 Feature Request
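The CloudFormation shape of what this request asks for, as an added example that is not part of the issue, the linked PR, or the aws-cdk project: a TLS listener on the NLB that terminates the client's TLS with an ACM certificate, and a target group whose `Protocol` is `TLS` (the property linked above) so the NLB re-encrypts to the task on port 443 instead of forwarding plaintext over TCP. Logical IDs, the `web` container name, the health check path, and the `VpcId`, `PublicSubnetIds`, `PrivateSubnetIds`, `ServiceSecurityGroup`, `Cluster`, `TaskDefinition` and `CertificateArn` references are assumed to be defined elsewhere in the template.

```yaml
# Added example: NLB -> Fargate with TLS on both hops.
# Assumed parameters/resources referenced below: VpcId, PublicSubnetIds, PrivateSubnetIds,
# ServiceSecurityGroup, Cluster, TaskDefinition, CertificateArn (placeholder ARN).
Parameters:
  CertificateArn:
    Type: String
    Description: ACM certificate for the public listener (placeholder, e.g. arn:aws:acm:REGION:ACCOUNT:certificate/ID)

Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      Subnets: !Ref PublicSubnetIds

  # Target group protocol is the setting the issue is about.
  # Protocol: TCP  -> NLB forwards the decrypted stream to the task in cleartext.
  # Protocol: TLS  -> NLB opens a new TLS session to the task on port 443 (re-encryption).
  # The NLB does not validate the task's certificate, so the self-signed cert
  # mentioned in the issue is accepted; it protects confidentiality on the wire,
  # not the identity of the backend.
  TlsTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip            # Fargate tasks (awsvpc) register by IP
      Protocol: TLS
      Port: 443
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /health  # assumed endpoint served by the container

  # Public TLS listener: terminates client TLS with the ACM certificate.
  TlsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TLS
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertificateArn
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TlsTargetGroup

  # The service registers its container port 443 with the TLS target group.
  Service:
    Type: AWS::ECS::Service
    DependsOn: TlsListener
    Properties:
      Cluster: !Ref Cluster
      LaunchType: FARGATE
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 2
      NetworkConfiguration:
        AwsvpcConfiguration:
          Subnets: !Ref PrivateSubnetIds
          SecurityGroups:
            - !Ref ServiceSecurityGroup
      LoadBalancers:
        - ContainerName: web
          ContainerPort: 443
          TargetGroupArn: !Ref TlsTargetGroup
```

Two checks worth making after deploying: the target group's `Protocol` in the console or `describe-target-groups` output must read `TLS`, not `TCP`, and the task's security group must admit port 443 from the NLB's subnets. Per the PR description quoted above, the construct gained a `listenerCertificate` prop that also defaults `listenerPort` and `taskImageOptions.containerPort` to 443; this template shows the resources that configuration corresponds to.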