An Application Load Balancer health check for an instance in an Amazon ECS container is returning an unhealthy status. How should I troubleshoot this?

If your load balancer health check is configured according to the instructions at Configure Routing, make sure the following things are true:

  • The application in your ECS container returns the correct response code (by default, "200 OK") when the load balancer sends an HTTP GET request to the health check path.
  • The security groups of your load balancer or container instances are properly configured.
  • The target group's advanced health check settings are properly configured.

In order to pass a health check, by default, an application server must return “200 OK” when a load balancer sends an HTTP GET request to the application.

Note: When using an Application Load Balancer, you can update the Matcher setting to change the expected response code to something other than 200. For more information, see Health Checks for Your Target Groups.

To confirm that the application is working as expected, log in to the container instance using SSH and perform a check manually by following these steps:

1.    (Optional) Install curl, if you haven’t already.

For Amazon Linux and other RPM-based distributions, run this command:

sudo yum –y install curl

For Debian-based systems, such as Ubuntu, run the following command:

sudo apt-get install curl 

2.    Find the container ID for the relevant container by running the following command:

docker ps

Find the output under PORTS, which will be similar to "0.0.0.0:32768->80". Take special note of the portion of the output marked in bold, which is the port for the local listener.

3.    Obtain the IP address of the container by running the following command:

$ docker inspect --format='{{.NetworkSettings.IPAddress}}' [container ID]

Take note of the IP address.

4.    Run the following command, where container_ip is the IP address you obtained in step 3, and port is the local listener port you noted in step 2:

curl –v http://{containerip}:{port}

The command should return "200 OK" (or, if you're using an Application Load Balancer and have updated your Matcher setting, your preferred response code instead).

Note: If you do not receive a "200 OK" response, your application is not listening to HTTP traffic.

Check the security groups attached to your load balancer and container instances

It's a best practice to configure two security groups: one for your container instances, and another for your load balancer. Because host ports on container instances are dynamically assigned, make sure of the following:

  • The security group associated with your load balancers allows all egress traffic to the security group associated with your backend instances.
  • The security group associated with your backend container instances allows all ingress traffic on ports 32768-65535 from the security group associated with your load balancer.

This ensures that all traffic from your load balancers to your backend instances is allowed, and that your backend instances can accept traffic on the ephemeral port range that is used when using dynamic host port mapping.

Note: If you're not using dynamic host port mapping, and instead declare the host port in your task definition, ensure that your security groups are configured to allow the declared port on the security group associated with your backend instances from the security group associated with your load balancer instead of the ephemeral port range.

Check the advanced health check settings for your load balancer

Make sure that your health check is configured according to the instructions at Health Checks for Your Target Groups, paying special attention to the following ECS-specific points:

  • For Target group, use New target group. Do not add targets to the target group manually, because ECS automatically registers and deregisters containers with the target group.
  • For Port, use the default of Traffic port; choosing Override causes health check traffic to be routed incorrectly.

Amazon EC2 Container Service, health check, Elastic Load Balancing, ELB, Application Load Balancer


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-12-15

Updated: 2017-03-08