[ecs-patterns] - HTTPS between NLB and fargate service when using NetworkLoadBalancedFargateService

[svkurowski]

Hello,

Please add a switch to use TLS target group protocol when using NetworkLoadBalancedFargateService.

Best regards

~ Sascha

Use Case

We are using NetworkLoadBalancedFargateService construct and are using an ACM certificate and an additional listener for HTTPS traffic (terminating HTTPS on the NLB), that part is working well.

However, as per internal requirements the traffic between the NLB and the service needs to be secured with TLS as well (we would like to re-encrypt on the NLB so that the service does not need to know about our certificate). We already have our service serving SSL with a self-signed certificate.

Proposed Solution

A switch or something in NetworkLoadBalancedFargateService construct to set the target group protocol to TLS, not TCP:

CR property: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#cfn-elasticloadbalancingv2-targetgroup-protocol

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[SoManyHs]

Related: #6988

[SoManyHs]

Closing as duplicate of #6263. Feel free to re-open if you have further questions!

[svkurowski]

Please reopen. I looked at both linked issues and they don't describe the feature mentioned here. Both are about the TLS listener on the NLB. We have already set that up and it is working.

This feature request is about the traffic between NLB and target group and a separate CFN. property.

[KarthickEmis]

Please reopen. I looked at both linked issues and they don't describe the feature mentioned here. Both are about the TLS listener on the NLB. We have already set that up and it is working.

This feature request is about the traffic between NLB and target group and a separate CFN. property.

Hi ,

I am facing the below issue when trying to create NLB using CDK(NetworkLoadBalancedFargateService) with the listener of port 22 and 443 (TCP and TLS) with the certificates attached to it . I am creating the certificate and NLB in the same construct.
node_modules@aws-cdk\core\lib\private\resolve.ts:144 : throw new Error('Trying to resolve() a Construct at ' + pathName);.

How to create certificate and attach to the NLB in CDK for TLS(443) port ?