Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Service Connect to support TLS v1.2 for connectivity to ALB
Which service(s) is this request for?
ECS, EKS, Service Connect
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
There is no compatibility with ALB health checks and TLS v1.3 with Service Connect.
Are you currently working around this issue?
No workaround - Not supported with ALB when using Service Connect.
Additional context
According to the Service Connect documentation:
"By default, TLS 1.3 is supported, but TLS 1.0 - 1.2 are not supported."
However, if we look at the ALB documentation and in particular Target Group Health checks:
If a target group is configured with HTTPS health checks, its registered targets fail health checks if they support only TLS 1.3. These targets must support an earlier version of TLS, such as TLS 1.2.
Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
Thank you for informing us. But to clarify, Service Connect is compatible with ALB health checks and TLS v1.3. The TLS versions supported on the target group are driven by the security policy on the ALB listener. So to use end to end TLS encryption with ALB and Service Connect you need to do the following:

1. ALB configured with a TLS listener set to a TLS 1.3 security policy such as ELBSecurityPolicy-TLS13-1-2-2021-06.
2. A target group configured with protocol HTTPS attached to the TLS listener.
3. An ECS Service Connect enabled service with the following:
   - Load balancer configuration set to the target group from #2 and container port targeting the same port as your SC TLS service
   - No ingress port override set on the service connect service
   - Network mode awsvpc (bridge mode uses an ephemeral port that won't match the targets registered to your load balancer)
4. Make sure the health check on the target group is set to use the same port as the Service Connect service, rather than 443.

With this you get end to end encryption and the improved security of TLS 1.3. Does this address your concern?
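The setup described in the reply above, written out as an added Terraform example (not code from the issue, from AWS, or from the containers-roadmap project). The port 8443, all `var.*` inputs and the resource names are assumptions; the task definition (network mode awsvpc, a port mapping named `app-tls`) and the AWS Private CA that Service Connect uses to issue its TLS certificates are assumed to exist already.

```hcl
# Added example (not from the issue or from AWS): Terraform sketch of the reply's
# setup. Port 8443 and the var.* inputs are placeholders; the task definition
# (network_mode "awsvpc", port mapping "app-tls") and the Private CA are assumed.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.3 and 1.2
  certificate_arn   = var.acm_certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}
resource "aws_lb_target_group" "svc" {
  vpc_id      = var.vpc_id
  target_type = "ip"    # awsvpc tasks register as IP targets
  protocol    = "HTTPS" # TLS from the ALB to the Service Connect proxy
  port        = 8443    # the Service Connect service port
  health_check {
    protocol = "HTTPS"
    port     = "traffic-port" # probe the SC port, not 443
  }
}
resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = var.cluster_arn
  task_definition = var.task_definition_arn # network_mode = "awsvpc"
  network_configuration {
    subnets         = var.private_subnet_ids
    security_groups = [var.task_security_group_id]
  }
  load_balancer {
    target_group_arn = aws_lb_target_group.svc.arn
    container_name   = "app"
    container_port   = 8443 # same port as the SC service below
  }
  service_connect_configuration {
    enabled   = true
    namespace = var.cloud_map_namespace_arn
    service {
      port_name      = "app-tls" # no ingress_port_override: proxy listens on 8443
      discovery_name = "app"
      tls {
        issuer_cert_authority { aws_pca_authority_arn = var.pca_arn }
        role_arn = var.sc_tls_role_arn
      }
    }
  }
}
```

The one check worth doing after apply is that the target group's registered port and health check port both equal the Service Connect service port; a health check left on 443 fails exactly as the issue describes.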