Part 3: When Your ECS Service Won’t Talk to the Load Balancer

This is Part 3 of 5 in my series on keeping ECS deployments rock-solid — covering best practices, hidden pitfalls, and the sneaky issues that cause downtime.
One of the most head-scratching issues I’ve run into is when everything in ECS looks fine, but traffic never reaches your container.
The ALB is up, DNS resolves, and ECS says “running”… yet the site’s dead.
When ECS and the ALB aren’t properly connected, you’re essentially running your service in a black hole.
Here are 3 common ALB–ECS integration mistakes I’ve seen — and how to fix them.
1️⃣ Wrong Target Group Registration
The Problem:
The ECS service has to register its tasks into the right ALB target group.
If you picked the wrong target group ARN in your service definition — or updated the ALB later without updating ECS — your containers might not receive traffic at all.
Fix:
In the ECS service, check the Load Balancing section and confirm it points to the intended target group.
Verify the target group actually contains your ECS tasks when they’re running.
If you have multiple services, make sure each uses a unique target group unless you’re intentionally sharing.
2️⃣ Security Groups Blocking Traffic
The Problem:
Even if ECS and the ALB are wired correctly, mismatched security group rules can silently block requests.
For example, your ECS task’s security group might not allow inbound from the ALB’s security group.
Fix:
In the ALB’s security group, allow inbound traffic from the internet on ports 80 and 443.
In the ECS task’s security group, allow inbound from the ALB’s security group, not 0.0.0.0/0.
Outbound should typically be open so the task can respond to the ALB health check.
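The task-side rule above can be checked mechanically. The following is an added example, not code from the original post: it audits a task security group given in the JSON shape that `aws ec2 describe-security-groups` returns. The function names, group IDs and container port 8080 are assumptions made for illustration.

```python
# Added example. Input follows the `aws ec2 describe-security-groups` JSON shape;
# the group IDs and port 8080 below are constructed for illustration.

def covers(perm, port):
    """True if an IpPermissions entry applies to TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_task_sg(task_sg, alb_sg_id, port):
    """Return findings for the task security group's inbound rules on `port`."""
    findings, alb_allowed = [], False
    for perm in task_sg.get("IpPermissions", []):
        if not covers(perm, port):
            continue
        # Source given as a security group reference (the intended pattern).
        if any(p["GroupId"] == alb_sg_id for p in perm.get("UserIdGroupPairs", [])):
            alb_allowed = True
        # Source given as a CIDR: flag anything open to the whole internet.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"OPEN: port {port} reachable from {cidr}, bypassing the ALB")
    if not alb_allowed:
        findings.append(f"MISSING: no inbound rule on port {port} references {alb_sg_id}")
    return findings

ALB_SG = "sg-0aaa1111"  # constructed ID for the ALB's security group

def task_sg(group_id, from_port, to_port, cidrs=(), groups=()):
    """Build a constructed security group record with one inbound TCP rule."""
    return {"GroupId": group_id, "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in groups]}]}

WORLD_OPEN = task_sg("sg-0bbb2222", 8080, 8080, cidrs=["0.0.0.0/0"])  # exposed directly
WRONG_PORT = task_sg("sg-0ccc3333", 80, 80, groups=[ALB_SG])          # ALB allowed on 80, app on 8080
CORRECT = task_sg("sg-0ddd4444", 8080, 8080, groups=[ALB_SG])         # only the ALB reaches 8080

if __name__ == "__main__":
    for sg in (WORLD_OPEN, WRONG_PORT, CORRECT):
        print(sg["GroupId"], audit_task_sg(sg, ALB_SG, 8080) or "OK")
```

The wrong-port case is the silent failure described in this section: the rule references the ALB's group, but not on the port the target group forwards to, so health checks and requests never arrive.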
3️⃣ Listener & Path Rule Mismatches
The Problem:
If the ALB listener rules don’t match the path your users are requesting, the request may never hit your ECS target group.
I once had /api requests silently drop because the listener was only forwarding /.
Fix:
Check the ALB listener rules and confirm the paths match your application’s endpoints.
If in doubt, add a catch-all rule to forward everything to your ECS target group.
Use the ALB access logs to see what requests are hitting it (or not).
💡 Bonus Tip:
If you ever change ports, paths, or target groups — re-run health checks immediately.
A working config can break instantly after an update if these links aren’t aligned.
Final Thought
ECS and ALB work brilliantly together when properly configured — but a single mismatch can cut off all traffic.
Always check target group registration, security group rules, and listener paths before assuming it’s the app’s fault.
Written by Alamin Islam
