/ ecs

Ephemeral Ports

I knew this. I did know this. Documenting so I don't have to rely on useless brain next time.

When you have a task definition in ECS that uses dynamic port assignment for the host (ie, hostPort = 0), the load balancer will automatically map traffic to that port from whatever port it is getting traffic. E.g. my load balancer gets traffic from port 80 or 443. It sends it to the container host (i.e, the EC2 instances), on a dynamic port that docker, I assume, has created for the container. The container instance at the host end then maps this to whatever container port is defined in the task definition, e.g. back to port 80.

This allows you to have many tasks on the same EC2 instance because they are all on separate ports.

Of course, this makes some things a little harder. The Target Group for your load balancer will know which port to use to try to hit the configured health check - but it will fail and constantly spin up a new instance of the container unless you do 1 more thing.

This is the bit I always forget - the security group needs to know what ports are OK and as they are dynamically created, we need to add a range of ports to the security group. There are the Ephemeral Ports.
Capture
Note that I have set the source to be the security group so that those ports are not open to the entire planet.

If your using Terraform, it looks like this:

    ingress {
        from_port = 32768
        to_port = 61000
        protocol = "tcp"
        self = true
    }