I have an ECS Fargate Cluster with one service running in it. The service has two tasks running on the same task definition. Both tasks, for debugging, have public IP addresses - and I can make requests to the health check endpoints on both tasks/containers that return a 200. So the service seems fine and accessible. No problems there.

The service also has a target group and has registered targets for both containers - the health checks for the target group use the same health check endpoint on the container that I can access directly, and both are healthy.

The target group receives traffic from an ALB.

The ALB has two availability zones, two public subnets that allow incoming traffic from the internet. I know that I can access the ALB because configuring it like so:

And using curl --location --request GET 'somewhere-in.ap-southeast-2.elb.amazonaws.com/123'

yields

works!

When I curl --location --request GET 'somewhere-in.ap-southeast-2.elb.amazonaws.com/actuator/health the request times out, and I don't know why.

I know that my containers are fine and can send and receive traffic directly, I know that my ALB is reachable on the internet and that my target groups know that my containers are healthy. All these resources are in the same VPC with permissive security groups. Ideally I want these containers to live in a private subnet without a public IP address, but I can't do that until I've solved this access issue, and can access both containers via the ALB.

So I think there must be some misconfiguration I've made somewhere that is preventing the ALB from sending traffic through to the target group (even though it can return a fixed response on the same URL).

Does you know how I can find out where that misconfiguration is, or how I can fix this?

EDIT: Adding more screenshots of config:

ECS Service Config:

Target Group Config: