[ECS] [Feature Request]: Service Connect - Support TLS version 1.2 #2321

Open

awsjake opened this issue Apr 3, 2024 · 1 comment
Labels
ECS Amazon Elastic Container Service Proposed Community submitted issue

Comments


awsjake commented Apr 3, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Service Connect to support TLS v1.2 for connectivity to ALB

Which service(s) is this request for?
ECS, EKS, Service Connect

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
There is no compatibility with ALB health checks and TLS v1.3 with Service Connect.

Are you currently working around this issue?
No work around - Not supported with ALB when using Service Connect.

Additional context
According to the Service Connect documentation:
"By default, TLS 1.3 is supported, but TLS 1.0 - 1.2 are not supported."

However, if we look at the ALB documentation and in particular Target Group Health checks:
If a target group is configured with HTTPS health checks, its registered targets fail health checks if they support only TLS 1.3. These targets must support an earlier version of TLS, such as TLS 1.2.

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

@awsjake awsjake added the Proposed Community submitted issue label Apr 3, 2024
@herrhound herrhound added the ECS Amazon Elastic Container Service label Apr 29, 2024

kshivaz commented May 16, 2024

Thank you for informing us. But to clarify, Service Connect is compatible with ALB health checks and TLS v1.3. The TLS versions supported on the target group are driven by the security policy on the ALB listener. So to use end to end TLS encryption with ALB and Service Connect you need to do the following:

  1. ALB configured with a TLS listener set to a TLS 1.3 security policy such as ELBSecurityPolicy-TLS13-1-2-2021-06.
  2. A target group configured with protocol HTTPS attached to the TLS listener.
  3. An ECS Service Connect enabled service with the following
    • Load balancer configuration set to the target group from #2 and container port targeting the same port as your SC TLS service
    • No ingress port override set on the service connect service
    • Network mode awsvpc (bridge mode uses an ephemeral port that won't match the targets registered to your load balancer)
  4. Make sure the health check on the target group is set to use the same port as the Service Connect service, rather than 443.

With this you get end to end encryption and the improved security of TLS 1.3. Does this address your concern?

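The four-step checklist in the reply above, turned into an audit script. This is an added example, not code from the issue, from AWS or from the ECS project: it takes dicts shaped like the output of `aws elbv2 describe-listeners`, `aws elbv2 describe-target-groups`, `aws ecs describe-task-definition` and `aws ecs describe-services` and reports which condition fails (TLS 1.3 listener policy, HTTPS target group, load balancer container port equal to the TLS-enabled Service Connect port, no ingress port override, awsvpc network mode, health check on the Service Connect port rather than 443). The data in `sample_config()` is constructed for the example, and only the keys named in the code are assumed to be present in the real CLI output.

```python
"""Audit an ALB + ECS Service Connect pair for end-to-end TLS.

Input dicts mirror the shape of the describe-* CLI output named in the
lead-in. Assumptions: only the keys referenced below are consulted, and
sample_config() is constructed for this example, not captured from an account.
"""

# Listener security policies that negotiate TLS 1.3 share this prefix.
TLS13_POLICY_PREFIX = "ELBSecurityPolicy-TLS13-"


def audit_service_connect_tls(listener, target_group, task_definition, service):
    """Return a list of findings; an empty list means every step checks out."""
    findings = []

    # Step 1: TLS listener with a TLS 1.3 security policy.
    if listener.get("Protocol") != "HTTPS":
        findings.append("listener protocol %r is not HTTPS" % listener.get("Protocol"))
    if not str(listener.get("SslPolicy", "")).startswith(TLS13_POLICY_PREFIX):
        findings.append("listener SslPolicy %r does not negotiate TLS 1.3" % listener.get("SslPolicy"))

    # Step 2: the target group must speak HTTPS to the registered targets.
    if target_group.get("Protocol") != "HTTPS":
        findings.append("target group protocol %r is not HTTPS" % target_group.get("Protocol"))

    # Named port mappings let us resolve a Service Connect portName to a containerPort.
    port_by_name = {}
    for cdef in task_definition.get("containerDefinitions", []):
        for pm in cdef.get("portMappings", []):
            if "name" in pm:
                port_by_name[pm["name"]] = pm["containerPort"]

    # Step 3: TLS-enabled Service Connect service, no ingress override, awsvpc.
    tls_ports = set()
    for sc in service.get("serviceConnectConfiguration", {}).get("services", []):
        if sc.get("tls"):
            port = port_by_name.get(sc.get("portName"))
            if port is not None:
                tls_ports.add(port)
        if sc.get("ingressPortOverride") is not None:
            findings.append("Service Connect service %r sets ingressPortOverride=%s"
                            % (sc.get("portName"), sc["ingressPortOverride"]))
    if not tls_ports:
        findings.append("no Service Connect service has TLS enabled")
    if task_definition.get("networkMode") != "awsvpc":
        findings.append("task networkMode %r is not awsvpc" % task_definition.get("networkMode"))

    # The load balancer entry must point at this target group on a TLS Service Connect port.
    lb_ports = set()
    for lb in service.get("loadBalancers", []):
        if lb.get("targetGroupArn") == target_group.get("TargetGroupArn"):
            lb_ports.add(lb.get("containerPort"))
    if not lb_ports:
        findings.append("service is not registered into the target group")
    for port in sorted(lb_ports, key=str):
        if port not in tls_ports:
            findings.append("load balancer containerPort %s is not a TLS Service Connect port" % port)

    # Step 4: health check must be HTTPS on the Service Connect port, not 443.
    if target_group.get("HealthCheckProtocol") != "HTTPS":
        findings.append("health check protocol %r is not HTTPS" % target_group.get("HealthCheckProtocol"))
    hc_port = str(target_group.get("HealthCheckPort"))
    # "traffic-port" means the port each target was registered on, i.e. the containerPort.
    effective = {str(p) for p in lb_ports} if hc_port == "traffic-port" else {hc_port}
    if not effective or not effective <= {str(p) for p in tls_ports}:
        findings.append("health check port %s is not the Service Connect TLS port" % hc_port)
    return findings


def sample_config(broken=False):
    """Constructed sample. broken=True reproduces the mistakes the checklist warns about."""
    tg_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/sc-tls/0123456789abcdef"
    listener = {"Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"}
    target_group = {
        "TargetGroupArn": tg_arn,
        "Protocol": "HTTPS",
        "Port": 8443,
        "HealthCheckProtocol": "HTTPS",
        "HealthCheckPort": "443" if broken else "traffic-port",
    }
    task_definition = {
        "networkMode": "bridge" if broken else "awsvpc",
        "containerDefinitions": [{
            "name": "api",
            "portMappings": [{"name": "api-tls", "containerPort": 8443, "protocol": "tcp"}],
        }],
    }
    sc_service = {
        "portName": "api-tls",
        "discoveryName": "api",
        "clientAliases": [{"port": 8443}],
        "tls": {"issuerCertificateAuthority": {"awsPcaAuthorityArn":
                "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/00000000-0000-0000-0000-000000000000"}},
    }
    if broken:
        sc_service["ingressPortOverride"] = 15000
    service = {
        "loadBalancers": [{"targetGroupArn": tg_arn, "containerName": "api", "containerPort": 8443}],
        "serviceConnectConfiguration": {"enabled": True, "namespace": "example-ns", "services": [sc_service]},
    }
    return listener, target_group, task_definition, service


if __name__ == "__main__":
    for label, broken in (("correct", False), ("broken", True)):
        print(label, audit_service_connect_tls(*sample_config(broken)) or "OK")
```

To run it against a real account, feed the script the first element of `Listeners`, `TargetGroups`, the `taskDefinition` object and the first element of `services` from the corresponding describe calls; a health check left on port 443 shows up as the last finding, which is the misconfiguration the reply's step 4 is about.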