[ecs-patterns] - HTTPS between NLB and fargate service when using NetworkLoadBalancedFargateService

[svkurowski]

Hello,

Please add a switch to use TLS target group protocol when using NetworkLoadBalancedFargateService.

Best regards

~ Sascha

Use Case

We are using NetworkLoadBalancedFargateService construct and are using an ACM certificate and an additional listener for HTTPS traffic (terminating HTTPS on the NLB), that part is working well.

However, as per internal requirements the traffic between the NLB and the service needs to be secured with TLS as well (we would like to re-encrypt on the NLB so that the service does not need to know about our certificate). We already have our service serving SSL with a self-signed certificate.

Proposed Solution

A switch or something in NetworkLoadBalancedFargateService construct to set the target group protocol to TLS, not TCP:

CR property: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-protocol

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[SoManyHs]

Related: #6988

[SoManyHs]

Closing as duplicate of #6263. Feel free to re-open if you have further questions!

[svkurowski]

Please reopen. I looked at both linked issues and they don't describe the feature mentioned here. Both are about the TLS listener on the NLB. We have already set that up and it is working.

This feature request is about the traffic between NLB and target group and a separate CFN. property.

[KarthickEmis]

Please reopen. I looked at both linked issues and they don't describe the feature mentioned here. Both are about the TLS listener on the NLB. We have already set that up and it is working.

This feature request is about the traffic between NLB and target group and a separate CFN. property.

Hi ,

I am facing the below issue when trying to create NLB using CDK(NetworkLoadBalancedFargateService) with the listener of port 22 and 443 (TCP and TLS) with the certificates attached to it . I am creating the certificate and NLB in the same construct.
node_modules@aws-cdk\core\lib\private\resolve.ts:144 : throw new Error('Trying to resolve() a Construct at ' + pathName);.

How to create certificate and attach to the NLB in CDK for TLS(443) port ?

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[svkurowski]

This is still a feature that would benefit us.

[OGoodness]

Same here, this is actually linked to the base NLB creation. We just need some way to specify listener configurations.
https://github.com/aws/aws-cdk/blob/v1.159.0/packages/%40aws-cdk/aws-ecs-patterns/lib/base/network-load-balanced-service-base.ts

[OGoodness]

@MrArnoldPalmer Why was this medium? Curious, because if you expose the Network Listener creation props as a input to the NLB Base, then it would be a matter of just keeping defaults.

[199911]

Hi community,

I am working on this issue.

I got some idea on the fix,
I will need some time to test the code in real AWS account.
Any suggestion or helps on testing will be helpful.

#30611

[github-actions]

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.