ECS Networking and Load Balancing

Networking is fundamental to running containers in production. Your tasks need to receive traffic, communicate with each other, access databases, and connect to the internet — all securely. This lesson covers ECS networking modes, load balancer integration, service discovery, and network architecture patterns.

---

ECS Network Modes

ECS supports several network modes, each with different trade-offs:

awsvpc Mode (Recommended)

Every task gets its own Elastic Network Interface (ENI) with a private IP address from your VPC. This is the default for Fargate and the recommended mode for EC2 as well.

VPC (10.0.0.0/16)
├── Subnet A (10.0.1.0/24)
│   ├── Task 1 — ENI → 10.0.1.15
│   └── Task 2 — ENI → 10.0.1.22
└── Subnet B (10.0.2.0/24)
    ├── Task 3 — ENI → 10.0.2.8
    └── Task 4 — ENI → 10.0.2.31

Advantages:

• Each task has its own security group
• Full VPC networking features (flow logs, NACLs)
• Simplified port mapping — no port conflicts
• Same networking model as EC2 instances

Consideration: Each ENI consumes an IP address from your subnet. For large deployments, ensure your subnets have enough IP addresses.

bridge Mode (EC2 Only)

Uses Docker's built-in bridge network. Containers share the host's IP address but use different port mappings.

host Mode (EC2 Only)

Containers share the host's network namespace directly. No port mapping — the container binds directly to the host's ports.

---

Load Balancing with ECS

Load balancers distribute incoming traffic across your ECS tasks, providing high availability and fault tolerance.

Application Load Balancer (ALB)

The ALB operates at Layer 7 (HTTP/HTTPS) and is the most common choice for ECS services.

Internet
    |
    v
+-------+
|  ALB  |
+-------+
    |
    +----------+----------+
    |          |          |
 Task 1    Task 2    Task 3
10.0.1.15  10.0.2.8  10.0.1.22

Key features:

• Path-based routing — route /api/* to one service and /web/* to another
• Host-based routing — route api.example.com to one service and web.example.com to another
• Health checks — ALB checks task health and removes unhealthy targets
• Dynamic port mapping — ALB automatically discovers which port each task is using
• SSL/TLS termination — handle HTTPS at the ALB level
• Sticky sessions — route a user's requests to the same task

Network Load Balancer (NLB)

The NLB operates at Layer 4 (TCP/UDP) and is designed for ultra-high performance and low latency.

When to use NLB:

• TCP or UDP protocols (not HTTP)
• Extreme performance requirements (millions of requests per second)
• Static IP addresses are needed
• gRPC traffic

ALB vs NLB

Feature	ALB	NLB
Layer	7 (HTTP/HTTPS)	4 (TCP/UDP/TLS)
Routing	Path, host, header, query string	Port-based
Performance	High	Ultra-high
Static IP	No (use Global Accelerator)	Yes
SSL termination	Yes	Yes (TLS)
WebSocket	Yes	Yes
gRPC	Yes	Yes

---

Configuring ALB with ECS

Target Groups

An ALB forwards traffic to a target group. For ECS with awsvpc networking, the target type is ip:

aws elbv2 create-target-group \
  --name my-web-tg \
  --protocol HTTP \
  --port 3000 \
  --vpc-id vpc-0123456789abcdef0 \
  --target-type ip \
  --health-check-path /health \
  --health-check-interval-seconds 30 \
  --healthy-threshold-count 2 \
  --unhealthy-threshold-count 3

ALB Health Checks

The ALB performs HTTP health checks against your tasks. If a task fails the health check, the ALB stops sending traffic to it and ECS replaces it.