Expose ECS Service via API Gateway - Part 1

ECS Service via API Gateway

Today, let's see how to expose an ECS service via API Gateway. If you are looking for a simpler solution to expose your service via an HTTPS authorized endpoint, please read .

This will be a two-part series, where I will talk about:

  1. Setting up the AWS ECS Services with NLB

Without further ado, let's dive in.


This is written under the assumption that you have some experience with AWS services like ECS, CFT, VPC, API Gateway, Cognito, etc.

Spring Boot Service:

Health Check

  1. Ensure that you have added the health check dependency to your Spring Boot service.

2. Your Spring Boot health check endpoint would look like

Swagger (Open API 2)

Ideally, it is recommended to go with the API-first approach. But for simplicity, we will use the Swagger dependency to generate the Open API document for us.

Swagger Dependency

You can get the OAS2 document from the below endpoint

NOTE: As of today, 23–06–2020, the Maven dependency supports only Open API 2.

Swagger (Open API 3)

To generate Open API 3 Spec from the spring boot service, you can use the below dependency:

Get the OAS3 from the below endpoint.

NOTE: V3 signifies the Open API version.



  1. Create a VPC with public and private subnets for the ECS cluster.

You can run the CFT from this article:

2. You just need to provide the CIDR ranges, and it should create a proper VPC, with the public and private subnets.

3. You can use this for determining the IP range etc.

Subnet Calculator Example


  1. While creating the ECS Cluster, ensure that the EC2 instances are created in private subnets.
ECS Cluster-Private Subnet

2. Ensure that you have the EC2 instances registered under the cluster. If they are not registered, it could be because of a networking configuration issue.

ECS- Registered EC2 Instances

3. Troubleshooting: Sometimes changing the EC2 AMI also helps.


Task Definition

  1. Ensure that you have added port mapping to the Container Definition inside the Task Definition.
Port Mapping

Target Group:

  1. Create an Instance Target Group for the ECS service.


  1. Provide the port number that is exposed as the Host Port mapping in the Task Definition.
  2. Provide the correct health check path.


  1. Create an Internal NLB in Private Subnet.
Configure NLB

2. Select the already created Target Group in the Configure Routing screen.

You can also create a new Target Group in here, and later modify the health check path.

3. Finally, create the NLB.

4. If everything went well after deploying the ECS service, you will find tasks registered under the Target Group.

Healthy tasks

NOTE: If we add an internal NLB for internal API service communication (i.e., A → NLB → B), it will work only with Network Mode: awsvpc, or Fargate (essentially awsvpc network mode), or with an ALB for inter-service communication. With the normal network mode, there is a chance that it will route to the same internal IP and the request will time out. Read the following section: .

ECS Service:

  1. Create an ECS Service for your Task Definition.
  2. When creating the service, provide the NLB configuration.
NLB Configuration in ECS Service

3. When you click on Add to Load Balancer, you can select the target group.

Select Target Group

4. Once you are done creating the service, you will be able to see tasks under the service. You will also see the tasks registered under the target group.
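
The Task Definition, Target Group, NLB and ECS Service steps above, written as one CloudFormation template. This is an added example, not the author's template: port 8080, the `/actuator/health` path, the resource names and the parameters are assumptions to replace with your own values.

```yaml
# Added example: internal NLB -> instance target group -> ECS service (EC2 instances).
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PrivateSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}  # private subnets only
  ClusterName: {Type: String}
  Image: {Type: String}
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: app
          Image: !Ref Image
          Memory: 512
          PortMappings:
            - {ContainerPort: 8080, HostPort: 8080, Protocol: tcp}
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance                # Instance Target Group, as in the steps above
      Protocol: TCP
      Port: 8080                          # must equal HostPort in the port mapping
      HealthCheckProtocol: HTTP
      HealthCheckPath: /actuator/health   # assumed health check path of the service
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal                    # no internet-facing address, VPC-only
      Subnets: !Ref PrivateSubnets
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Protocol: TCP
      Port: 80
      DefaultActions:
        - {Type: forward, TargetGroupArn: !Ref TargetGroup}
  Service:
    Type: AWS::ECS::Service
    DependsOn: Listener                   # target group must be attached to the NLB first
    Properties:
      Cluster: !Ref ClusterName
      DesiredCount: 1                     # a fixed HostPort allows one task per instance
      TaskDefinition: !Ref TaskDefinition
      LoadBalancers:
        - {ContainerName: app, ContainerPort: 8080, TargetGroupArn: !Ref TargetGroup}
```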

Hurray!!! You have now exposed your service internally via NLB. In the next part, you will see how to expose the service to the public via API Gateway.
