Host Blazor on ECS Part 2 — Configure Load Balancer with SSL

Kagawa
5 min read · Jan 17, 2022

What we need to follow this article

  • Container app in ECS FARGATE
  • Your Domain for SSL

What we will achieve

  • Accessing containerized web app in ECS Fargate using SSL Domain through Load Balancer

In the previous article, we covered how to containerize your app and run it in ECS Fargate. The app is running in ECS, but it does not scale without a load balancer, and it has no SSL access yet.

To improve on that, this article covers the following steps so that we can apply SSL to a load balancer and create multiple tasks.

6. Create SSL Certificate in ACM

7. Create Subnets

8. Create Load Balancer in EC2

9. Configure ECS Service with Load Balancer

6. Create SSL Certificate in ACM

If you have your own domain, you can create an SSL certificate for free in ACM. Go to Certificate Manager and click “Request a certificate”. DNS validation and email validation are available to validate your domain ownership.

ACM — request certificate

With either DNS or email validation, wait until the domain is validated and the status becomes “Success”. Once we create a load balancer, we will add a CNAME record for this domain that points to the load balancer’s DNS name.

ACM — Domain has been validated

7. Create Subnets

In order to configure a load balancer, we need at least two availability zones.

This is how I created my VPC and its subnets, referencing the article Practical VPC Design: one private subnet and one public subnet in each of availability zones A and B.

VPC — dev 10.0.0.0/16

Subnets
- dev-a-private 10.0.0.0/19
- dev-a-public 10.0.32.0/20
- dev-b-private 10.0.64.0/19
- dev-b-public 10.0.96.0/20

Here are the route tables. The one for the public subnets has a route to an Internet Gateway, and the one for the private subnets has a route to a NAT Gateway.

Route table with Internet Gateway
Route table with NAT Gateway

The public subnets will be used by the load balancer.

The private subnets will be used by the ECS service: we only want our app to be accessible through the load balancer, so the ECS service does not need public access. It does need NAT, because without it the service cannot pull the image to create tasks and fails with the following error.

ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed

8. Create Load Balancer

Go to EC2 and create an Application Load Balancer, since the web app uses HTTP/HTTPS.

EC2 — Create Load Balancer

Choose “Internet-facing” for Scheme.

EC2 — Configure Load Balancer

For network mapping, we select the public subnets (the ones routed through the Internet Gateway).

EC2 — Network mappings

Set the security group to allow only HTTP traffic.

EC2 Load Balancer’s security group

Now, in order to create routing, we need a target group, which is where traffic arriving at the load balancer will be routed. Make sure to choose “IP address”, because when using Fargate in ECS, the network mode is set to “awsvpc” in the Task Definition and tasks won’t be associated with EC2 instances.

Load Balancer — Target group

The Register targets page is blank for now, but once we recreate the service with the load balancer, tasks will be registered here automatically.

Load Balancer — register targets

Select the target group for Default action and choose the SSL certificate.

Load Balancer add 443 listener

Also, you can add another listener for port 80 so that it redirects to HTTPS.

Load Balancer add 80 listener

That’s it. It takes a few minutes for the load balancer to be ready. When its status says “Active”, the load balancer is complete.

Add CNAME for SSL domain to point to Load Balancer’s DNS

Once you have the DNS name of your load balancer, add a CNAME record for your SSL domain so that it points to the load balancer’s DNS name.

Load Balancer’s DNS Name

9. Configure Service with load balancer

Expose port 80 in Task Definition

Make sure that the container’s port 80 is exposed in the Task Definition, since our load balancer listens on port 80. If not, go to the Task Definition, click “Create new revision” and add 80 in “Port mappings”.

ECS — task definition expose port 80

Configure network in ECS Service to be in private subnets

Since the ECS service does not need to be internet-facing thanks to the load balancer, we will put it in the private subnets.

ECS — configure service with private subnets

Set Load Balancer in ECS Service

Now, it’s time to hook the load balancer up to the service. If the service was created without a load balancer, a new service needs to be created, since we cannot just update the existing one.

Check “Application Load Balancer” and select the one we created.

ECS — Configure Service with Load Balancer

Click the “Add to load balancer” button, enter the listener port and select the target group.

ECS — Service add Load Balancer

Wait for the service to create tasks. When the tasks are up, your app will be accessible. It might take a while until the DNS cache is updated.

Blazor app accessed via SSL domain
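The console steps from sections 8 and 9, written as a CloudFormation template so the network exposure can be reviewed in one place. This is an added example, not part of the original article: the parameter and resource names are placeholders, and it assumes the load balancer's security group admits both 80 and 443, which the two listeners need, while the task security group admits port 80 from the load balancer only.

```yaml
# Added example, not from the article. Parameter and resource names are placeholders.
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}  # dev-a-public, dev-b-public
  CertificateArn: {Type: String}                       # ACM certificate from step 6
Resources:
  AlbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet to load balancer on 80 and 443
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  TaskSg:  # attach this group to the ECS service running in the private subnets
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer to Fargate tasks on port 80 only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !GetAtt AlbSg.GroupId}
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups: [!GetAtt AlbSg.GroupId]
  Tg:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip       # awsvpc network mode: targets are task IPs, not instances
      Protocol: HTTP
      Port: 80
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 443
      Protocol: HTTPS
      Certificates: [{CertificateArn: !Ref CertificateArn}]
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref Tg}]
  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 80
      Protocol: HTTP
      DefaultActions: [{Type: redirect, RedirectConfig: {Protocol: HTTPS, Port: "443", StatusCode: HTTP_301}}]
```

TLS terminates at the load balancer here, so traffic between the load balancer and the tasks is plain HTTP inside the VPC; sourcing the task group's only ingress rule from the load balancer's security group keeps other hosts in the VPC from reaching the tasks directly.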

Summary

We deployed a .NET Blazor app to ECS Fargate and configured a load balancer with SSL. If we want to scale out, we can just increase the number of tasks and the load balancer will take care of the rest.

This article uses a .NET Blazor app, but the steps are the same for any containerized app. Hope this is useful and you enjoyed it.
