I have deployed a PHP application on AWS ECS using bridge mode. The container is listening on port 8000, and the host port is set to 0, allowing ECS to assign a random host port. I am using an Application Load Balancer (ALB) to forward traffic to my ECS service.

I am trying to ensure that all traffic within my AWS VPC has in-transit encryption.

I got a setup where my ECS service is using a target group. The same target group is also used by an ALB. The ECS task definition is configured to use Bridge networkmode. When the ecs service starts on a day, it would register a target (ec2 instance) to the target group but the port that gets assigned to the registered target is a NON ephemeral port range. Eg:10240, 10241, … etc.
In the ECS task definition the port mapping is 0:80.
What could be the reason why the ephemeral port range(>32,000) is not used for the registered target?

I have a scenario where I am hosting some ECS container and tasks as a result in a private subnet. I then have 2 more private subnets in different AZ’s which have /28 cidr ranges which are accessible from the company network only. My issue is that there are only a few IP address available in both of these subnets which means that I can’t set up any AWS Load Balancer as there is a requirement that there are 8 free IP address available in each subnet.