Application Load Balancer with ECS Fargate

Introduction

Using an Application Load Balancer with ECS Fargate is the standard way to expose HTTP or HTTPS container services to users. The load balancer gives you stable entry points, health checks, TLS termination, and traffic distribution across multiple running tasks.

The detail that matters most with Fargate is networking. Because Fargate tasks use awsvpc networking, the target group for the ALB must register task IP addresses rather than EC2 instances.

Core Components

A typical setup has four pieces:

  • an ECS task definition that describes the container
  • an ECS service using the Fargate launch type
  • an Application Load Balancer with a listener on port 80 or 443
  • a target group configured with target type ip

That last item is a common source of mistakes. Fargate tasks do not register as instances the way older ECS on EC2 setups often did.

Task Definition and Service Mapping

Your task definition exposes a container port, and the ECS service connects that port to the target group.

json
{
  "family": "web-app",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:latest",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 8080,
          "protocol": "tcp"
        }
      ]
    }
  ]
}

When you create the ECS service, you attach the service to the target group and specify that the ALB should forward traffic to container web on port 8080.

The Target Group Must Use ip

For Fargate, the target group should be configured like this conceptually:

text
Target type: ip
Protocol: HTTP
Port: 8080
Health check path: /health

If you create the target group with target type instance, the service will not register Fargate tasks correctly. That mismatch is one of the first things to check when traffic never reaches the containers.

Security Groups Matter

You typically want two security groups:

  • one on the ALB that allows inbound traffic from the internet on 80 or 443
  • one on the ECS tasks that allows inbound traffic only from the ALB security group

That pattern keeps the tasks private while still letting the load balancer reach them.

In other words, users talk to the ALB, and the ALB talks to the tasks. The tasks do not need to be directly exposed to the public internet just because the application is public.

Health Checks Drive Traffic Flow

The ALB sends traffic only to healthy targets. That means the health-check path and success criteria must match what your container actually serves.

If your app listens on /health, configure the target group accordingly. If the container takes time to start, make sure the health-check grace period and thresholds are realistic. Otherwise ECS may keep replacing tasks that were merely still booting.

HTTPS and Listener Rules

An Application Load Balancer can terminate TLS for you. A common production pattern is:

  • listener on 80 that redirects to 443
  • listener on 443 with an ACM certificate
  • rule forwarding requests to the ECS target group

Because the ALB is layer 7, it can also route by host or path. That makes it easy to run multiple services behind the same load balancer, such as /api to one service and /admin to another.

Scaling Behavior

Once the ECS service is behind an ALB, scaling is straightforward. You can run multiple tasks across subnets and Availability Zones, and the ALB will distribute traffic across healthy tasks.

Autoscaling policies can then increase or decrease the desired task count based on CPU, memory, or custom CloudWatch metrics. The load balancer and ECS service work together so new healthy tasks start receiving traffic automatically.

Common Pitfalls

  • Creating the target group with target type instance instead of ip for Fargate.
  • Opening the task security group to the internet instead of only to the ALB security group.
  • Misconfiguring the health-check path so healthy containers are marked unhealthy.
  • Forgetting that the ECS service, container name, and container port must match the load balancer mapping.
  • Assuming TLS must terminate inside the container when the ALB can usually handle it more simply.
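The pitfalls above, together with the target group, service mapping, security group and health-check sections, are all checkable before a deployment. The script below is an added example, not code from the original article or from AWS: it lints the wiring of one service for exactly those mistakes. The input dictionaries use the field names returned by `aws ecs describe-task-definition`, `aws ecs describe-services`, `aws elbv2 describe-target-groups` and `aws ec2 describe-security-groups`, but every value in the samples (ARNs, group IDs, subnets) is constructed, and the `app_health_path` and `expected_startup_seconds` parameters are assumptions about the container that the caller must supply.

```python
"""Pre-deployment consistency check for an ALB + ECS Fargate service.

Added example, not code from the original article. Input dictionaries mirror
the field names returned by the AWS CLI describe-* calls named in the lead-in;
all sample values below are constructed.
"""
import copy

ANY_CIDR = "0.0.0.0/0"


def _covers_port(perm, port):
    """True if an IpPermissions entry applies to `port` (protocol -1 means all ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def lint_fargate_alb(task_def, service, target_group, security_groups, alb_sg_id,
                     app_health_path="/health", expected_startup_seconds=60):
    """Return a list of findings; an empty list means the wiring is consistent.

    `app_health_path` (the path the container really serves) and
    `expected_startup_seconds` (how long it takes to boot) are assumptions
    supplied by the caller, not something the API output can tell us.
    """
    findings = []
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    containers = {c["name"]: c for c in task_def.get("containerDefinitions", [])}

    # Fargate uses awsvpc networking, so the target group must register task IPs.
    if task_def.get("networkMode") != "awsvpc":
        findings.append("task definition networkMode must be 'awsvpc' for Fargate")
    if target_group.get("TargetType") != "ip":
        findings.append("target group TargetType is %r; Fargate requires 'ip'"
                        % target_group.get("TargetType"))

    # The service's load balancer mapping must name an existing container and exposed port.
    for lb in service.get("loadBalancers", []):
        name, port = lb.get("containerName"), lb.get("containerPort")
        container = containers.get(name)
        if container is None:
            findings.append("service maps container %r, which is not in the task definition" % name)
            continue
        exposed = {pm["containerPort"] for pm in container.get("portMappings", [])}
        if port not in exposed:
            findings.append("container %r exposes %s, not port %s" % (name, sorted(exposed), port))

        # Task security group: the container port should be reachable only from the ALB's group.
        net = service.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
        for sg_id in net.get("securityGroups", []):
            alb_allowed = False
            for perm in sgs.get(sg_id, {}).get("IpPermissions", []):
                if not _covers_port(perm, port):
                    continue
                if any(r.get("CidrIp") == ANY_CIDR for r in perm.get("IpRanges", [])):
                    findings.append("task security group %s allows port %s from %s; allow only %s"
                                    % (sg_id, port, ANY_CIDR, alb_sg_id))
                if any(p.get("GroupId") == alb_sg_id for p in perm.get("UserIdGroupPairs", [])):
                    alb_allowed = True
            if not alb_allowed:
                findings.append("task security group %s has no ingress on port %s from ALB group %s"
                                % (sg_id, port, alb_sg_id))

    # Health checks decide whether a task ever receives traffic.
    if target_group.get("HealthCheckPath") != app_health_path:
        findings.append("health check path %r does not match the app's %r"
                        % (target_group.get("HealthCheckPath"), app_health_path))
    grace = service.get("healthCheckGracePeriodSeconds", 0)
    if grace < expected_startup_seconds:
        findings.append("health check grace period %ss is shorter than the expected %ss startup"
                        % (grace, expected_startup_seconds))
    return findings


def sample_fixed():
    """Constructed inputs for a correctly wired service (all IDs and ARNs are fake)."""
    task_def = {
        "family": "web-app",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "containerDefinitions": [
            {"name": "web", "portMappings": [{"containerPort": 8080, "protocol": "tcp"}]}
        ],
    }
    service = {
        "launchType": "FARGATE",
        "healthCheckGracePeriodSeconds": 120,
        "loadBalancers": [{
            "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/EXAMPLE",
            "containerName": "web", "containerPort": 8080}],
        "networkConfiguration": {"awsvpcConfiguration": {
            "subnets": ["subnet-EXAMPLE"], "securityGroups": ["sg-tasks"], "assignPublicIp": "DISABLED"}},
    }
    target_group = {"TargetType": "ip", "Protocol": "HTTP", "Port": 8080, "HealthCheckPath": "/health"}
    security_groups = [
        {"GroupId": "sg-alb", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_CIDR}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-tasks", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    ]
    return dict(task_def=task_def, service=service, target_group=target_group,
                security_groups=security_groups, alb_sg_id="sg-alb")


def sample_misconfigured():
    """The same service with three of the article's pitfalls introduced."""
    cfg = copy.deepcopy(sample_fixed())
    cfg["target_group"]["TargetType"] = "instance"        # wrong target type for Fargate
    cfg["service"]["healthCheckGracePeriodSeconds"] = 0     # tasks replaced while still booting
    cfg["security_groups"][1]["IpPermissions"][0]["IpRanges"] = [{"CidrIp": ANY_CIDR}]  # tasks open to the internet
    return cfg


if __name__ == "__main__":
    for label, cfg in (("fixed", sample_fixed()), ("misconfigured", sample_misconfigured())):
        print(label, lint_fargate_alb(**cfg) or ["no findings"])
```

Running the script prints no findings for the fixed configuration and three findings for the misconfigured one (target type `instance`, a task security group open to `0.0.0.0/0`, and a zero grace period). In practice you would feed it the JSON from the describe calls named above instead of the constructed samples; the check is deliberately read-only so it can run in CI before `aws ecs update-service` is ever called.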

Summary

  • An ALB plus ECS Fargate is a standard way to expose containerized HTTP or HTTPS services.
  • Fargate tasks require an ALB target group with target type ip.
  • Map the ECS service to the correct container name and container port from the task definition.
  • Use security groups so only the ALB can reach the tasks directly.
  • Configure health checks carefully, because they determine whether tasks receive traffic.
