Target Groups: Bridging Load Balancers and ECS Services
TL;DR
❌ LB (HTTPS:443) → TG (HTTPS:443) → ECS/Task (HTTP:80)
✅ LB (HTTPS:443) → TG (HTTP:80) → ECS/Task (HTTP:80)
Trivial
I wanted my ECS service to have its own DNS name with HTTPS.
The DNS part is handled by Route53 and isn't within the scope of this discussion.
To solve the HTTPS issue, I added a load balancer. Between the load balancer and ECS service, I needed to add a target group so the load balancer knows where to direct traffic. The target group is similar to a tag concept – if you've used K8s selectors before, you can think of it as a selector that tells the service where to find its targets.
In my case, my Golang app in the ECS server was listening on port 80.
- When setting up the load balancer, I naturally chose HTTPS 443.
- But when creating the middleman target group, I also thought I should use HTTPS 443. (my mistake!)
This created a confusing situation:
- My Task’s Public IP was working fine when accessed directly
- Target group was correctly targeting my Golang server's Private IP
- But accessing the load balancer directly kept returning a 502 error (❓)
Core
Here's what I figured out:
- Target group protocol must match what your service expects (HTTP:80), not what the load balancer uses (HTTPS:443)
- Target group simply tells the load balancer where to send traffic
A target group is an abstract logical layer, not an actual computing resource. It tells the load balancer where my service is and which protocol and port to use to communicate with it.
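A local check for the mismatch described above, as an added example that is not part of the original post: `TargetProtocol` and `CheckTargetGroup` are hypothetical helper names, and a constructed local test server stands in for the task's private IP and port. It covers both directions of the mismatch, not only the HTTPS-to-HTTP case from the post.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// TargetProtocol probes addr (host:port) and reports what the backend speaks: "HTTPS" or "HTTP".
func TargetProtocol(addr string) (string, error) {
	d := &net.Dialer{Timeout: 3 * time.Second}
	// Probe only: verification is off because the question is whether the port speaks TLS at all.
	conn, tlsErr := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if tlsErr == nil {
		conn.Close()
		return "HTTPS", nil
	}
	client := &http.Client{Timeout: 3 * time.Second}
	resp, err := client.Get("http://" + addr + "/")
	if err != nil {
		return "", fmt.Errorf("neither TLS (%v) nor plaintext HTTP (%v)", tlsErr, err)
	}
	resp.Body.Close()
	return "HTTP", nil
}

// CheckTargetGroup compares the target group's configured protocol with what the task answers on addr.
func CheckTargetGroup(tgProtocol, addr string) error {
	actual, err := TargetProtocol(addr)
	if err != nil {
		return err
	}
	if tgProtocol != actual {
		return fmt.Errorf("target group is %s but %s speaks %s", tgProtocol, addr, actual)
	}
	return nil
}

func main() {
	// Constructed stand-in for the task: a plaintext HTTP server on a local port.
	app := httptest.NewServer(http.NotFoundHandler())
	defer app.Close()
	addr := app.Listener.Addr().String()
	fmt.Println("TG=HTTPS:", CheckTargetGroup("HTTPS", addr))
	fmt.Println("TG=HTTP: ", CheckTargetGroup("HTTP", addr))
}
```

Run against the task's private IP and port from inside the VPC, it tells you which protocol to set on the target group before the load balancer is involved.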