Unclear how to use ecs-patterns NetworkMultipleTargetGroupsEc2Service #6263

Closed
konstantinj opened this issue Feb 13, 2020 · 5 comments
Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort p2

@konstantinj

In my use case I'm trying to set up GitLab on ECS with an NLB attached so the IP is static but the LoadBalancer can take the certificate and I don't need to handle that in GitLab.

❓ General Issue

This is my code:

const service = new NetworkMultipleTargetGroupsEc2Service(this, 'Service', {
  cluster: cluster,
  memoryReservationMiB: 4096,
  desiredCount: 1,
  healthCheckGracePeriod: Duration.seconds(240),
  loadBalancers: [
    {
      publicLoadBalancer: false,
      domainName: scope.getConfig(this, 'domainName'),
      domainZone: hostedZone,
      name: scope.getConfig(this, 'domainName'),
      listeners: [
        {
          name: 'https',
          port: 443,
        },
        {
          name: 'http',
          port: 80,
        },
        {
          name: 'ssh',
          port: 22,
        }
      ]
    }
  ],
  taskImageOptions: {
    image: ContainerImage.fromRegistry('gitlab/gitlab-ce'),
    containerPorts: [80, 22],
    environment: {},
    secrets: {
      AWS_SECRET_ACCESS_KEY: Secret.fromSsmParameter(ssmSecretKey),
      LDAP_PASSWORD: Secret.fromSsmParameter(ssmLdapPassword),
      CI_APP_ID: Secret.fromSsmParameter(ssmCiAppId),
      CI_APP_SECRET: Secret.fromSsmParameter(ssmCiAppSecret),
    },
    logDriver: LogDriver.awsLogs({
      logGroup: logGroup,
      streamPrefix: 'gitlab',
    }),
  }
})

The Question

First of all the created Loadbalancer is internet-facing while with the other construct NetworkLoadBalancedEc2Service it is private. publicLoadBalancer needs to be set to false manually.

For setting this I need to fill out loadBalancers completely. This way I need to fill out all options below, even a name for the NLB. I have no idea why this is needed.

This way I also need to create listeners since it's a required field.

I think this way it's not possible to create a TLS listener.

I'm not really sure how to use this construct. Also it is not possible to get to the created resources later on using my service object. The properties are the ones from the NetworkLoadBalancedEc2Service construct. I have no idea which listener is meant on service.listener.

Creating my GitLab using only NetworkLoadBalancedEc2Service also did not work because of #4283

Environment

  • CDK CLI Version: 1.23.0
  • Module Version: 1.23.0
  • OS: osx
  • Language: Typescript
@konstantinj konstantinj added the needs-triage This issue or PR still needs to be triaged. label Feb 13, 2020
@SomayaB SomayaB added @aws-cdk/aws-ecs-patterns Related to ecs-patterns library guidance Question that needs advice or information. labels Feb 17, 2020
@iamhopaul123
Contributor

iamhopaul123 commented Feb 20, 2020

Hi @konstantinj, can you also attach the error log like why this construct doesn't work?

The reason why we want this pattern is because it is easier for you to spin up your application if you need multiple LBs or multiple target groups. However, if you only need one LB with one target group, then NetworkLoadBalancedEc2Service would be better to use.

To answer your questions:

> First of all the created Loadbalancer is internet-facing while with the other construct NetworkLoadBalancedEc2Service it is private. publicLoadBalancer needs to be set to false manually.

I don't think the default value for publicLoadBalancer is different. If you have trouble in configuring the security group then this might help.

> For setting this I need to fill out loadBalancers completely. This way I need to fill out all options below, even a name for the NLB. I have no idea why this is needed.

NetworkMultipleTargetGroupsEc2Service creates an NLB with one listener for you by default. However, we also provide options to customize if more LBs/listeners are required. The name is required because we allow multiple LBs to be defined.

You can skip setting the load balancer, like the example in the README:

// One application load balancer with one listener and two target groups.
const loadBalancedEc2Service = new ApplicationMultipleTargetGroupsEc2Service(stack, 'Service', {
  cluster,
  memoryLimitMiB: 256,
  taskImageOptions: {
    image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
  },
  targetGroups: [
    {
      containerPort: 80,
    },
    {
      containerPort: 90,
      pathPattern: 'a/b/c',
      priority: 10
    }
  ]
});

> This way I also need to create listeners since it's a required field.

Same reason as above. If it is just a one LB, one listener structure then the LoadBalancer field can be skipped, unless it is an HTTPS LB, then you have to set up domainName and domainZone.

> I think this way it's not possible to create a TLS listener.

Yes you can do it by setting your certificate.

> Also it is not possible to get to the created resources later on using my service object. The properties are the ones from the NetworkLoadBalancedEc2Service construct. I have no idea which listener is meant on service.listener.

service.listener is the first listener of the first LB. We expose properties as required. What other properties would you like to expose?

@iamhopaul123
Contributor

iamhopaul123 commented Feb 20, 2020

Apologies, so to create a TLS listener you can do service.loadBalancer.addListener() then add a TLS listener. But yes, we should fix that!
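
A check for the two concerns raised in this thread (an NLB that comes out internet-facing, and a port 443 listener that is not a TLS listener), added here as an example that is not part of the thread or of the CDK project: it audits the CloudFormation template that `cdk synth` emits. The sample template, its logical IDs and the certificate ARN are constructed placeholders.

```typescript
// Added example (not CDK code): audit a synthesized CloudFormation template.
type Props = { [key: string]: any };
type Resource = { Type: string; Properties?: Props };
type Template = { Resources: { [logicalId: string]: Resource } };

const LB = 'AWS::ElasticLoadBalancingV2::LoadBalancer';
const LISTENER = 'AWS::ElasticLoadBalancingV2::Listener';

function propsOf(r: Resource): Props {
  return r.Properties || {};
}
function auditTemplate(template: Template): string[] {
  const findings: string[] = [];
  const ids = Object.keys(template.Resources);
  // CloudFormation treats a missing Scheme as internet-facing.
  const publicLbs = ids.filter((id) => {
    const r = template.Resources[id];
    return r.Type === LB && propsOf(r).Scheme !== 'internal';
  });
  for (const id of publicLbs) findings.push(`${id}: load balancer is internet-facing`);

  for (const id of ids) {
    const r = template.Resources[id];
    if (r.Type !== LISTENER) continue;
    const p = propsOf(r);
    const port = Number(p.Port);
    const certs = p.Certificates || [];
    if (port === 443 && (p.Protocol !== 'TLS' || certs.length === 0)) {
      findings.push(`${id}: port 443 listener is ${p.Protocol}, no TLS termination at the NLB`);
    }
    // Listeners reference their load balancer as { Ref: <logical id> }.
    const lbRef = (p.LoadBalancerArn || {}).Ref;
    if (port === 22 && publicLbs.indexOf(lbRef) !== -1) {
      findings.push(`${id}: SSH (22) reachable through internet-facing ${lbRef}`);
    }
  }
  return findings;
}

// Constructed sample: logical IDs and the certificate ARN are placeholders.
const sampleTemplate: Template = { Resources: {
  GitlabNlb: { Type: LB, Properties: { Type: 'network', Scheme: 'internet-facing' } },
  HttpsListener: { Type: LISTENER, Properties: { Port: 443, Protocol: 'TCP', LoadBalancerArn: { Ref: 'GitlabNlb' } } },
  SshListener: { Type: LISTENER, Properties: { Port: 22, Protocol: 'TCP', LoadBalancerArn: { Ref: 'GitlabNlb' } } },
  InternalNlb: { Type: LB, Properties: { Type: 'network', Scheme: 'internal' } },
  TlsListener: { Type: LISTENER, Properties: { Port: 443, Protocol: 'TLS', LoadBalancerArn: { Ref: 'InternalNlb' },
    Certificates: [{ CertificateArn: 'arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER' }] } },
} };
console.log(auditTemplate(sampleTemplate).join('\n'));
```

Running the same function over the JSON produced by `cdk synth` in a CI step makes a change of load balancer scheme or listener protocol visible before deployment.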

@SoManyHs SoManyHs removed the needs-triage This issue or PR still needs to be triaged. label Feb 24, 2020
@SoManyHs
Contributor

Possibly related to #5461 @bvtujo

@SoManyHs SoManyHs added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 23, 2020
@SoManyHs SoManyHs removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 23, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Mar 25, 2020
@SomayaB SomayaB added bug This issue is a bug. and removed guidance Question that needs advice or information. labels Jun 22, 2020
@SoManyHs SoManyHs added the guidance Question that needs advice or information. label Dec 22, 2020
@iamhopaul123 iamhopaul123 removed the in-progress This issue is being actively worked on. label Dec 22, 2020
@MrArnoldPalmer MrArnoldPalmer added effort/small Small work item – less than a day of effort p2 labels Feb 22, 2021
@namedgraph

And how does one specify the backend/upstream server? I suppose that's what the target groups are for, but I cannot find any examples.

@MrArnoldPalmer MrArnoldPalmer removed their assignment Jun 21, 2021
@peterwoodworth peterwoodworth removed the guidance Question that needs advice or information. label Jul 8, 2021
@github-actions

github-actions bot commented Jul 8, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 8, 2022
10 participants