Extending NLB health checks for RADIUS using an Amazon ECS witness
Networking & Content Delivery Blog
This article presents an open-source reference solution that extends AWS Network Load Balancer with application-layer RADIUS health checks using an Amazon ECS witness to detect authentication failures and manage target group membership.
- NLB UDP health checks are transport-layer only and cannot validate RADIUS authentication functionality or identity store connectivity
- A single-process RADIUS witness runs as an ECS task, performing real PAP authentication probes on each RADIUS server at configurable intervals
- The witness uses failure thresholds and hold-down timers to prevent flapping, and implements fail-open mode to keep targets registered during complete outages
- A reconciler daemon translates health state into NLB target group membership via EC2 and ELBv2 APIs, self-healing drift automatically
- RADIUS credentials are stored in AWS Secrets Manager with support for automated rotation via Lambda functions
- Structured logs to CloudWatch enable correlation between probe failures and target deregistration without joining log groups
- Pattern generalizes to other protocols NLB cannot natively health-check: LDAP, custom TCP/UDP services
The solution closes the gap between transport-layer reachability and application-layer functionality for RADIUS workloads migrated to AWS, without requiring code changes to vendor-managed appliances.
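The failure-threshold, hold-down and fail-open behaviour described in the bullets above, and the translation of health state into target group membership changes, as an added Python example. It is not code from the original article or its reference solution. The probe is injected as a stub (a real witness would send a PAP Access-Request using the shared secret from Secrets Manager); the symmetric hold-down, the single-success recovery rule, the `plan_reconcile` planner and the IP addresses are assumptions constructed for the example.

```python
"""Health-state model for an application-layer RADIUS witness (added example).

Models: N consecutive probe failures before a target is marked unhealthy,
a hold-down timer after every state flip to suppress flapping, and
fail-open (keep every target registered when all of them are unhealthy).
The probe itself is a constructed stub; no network traffic is sent.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set, Tuple


@dataclass
class TargetState:
    healthy: bool = True            # last decided state for this target
    consecutive_failures: int = 0   # probe failures seen in a row
    hold_down_until: float = 0.0    # no further state flip before this time


@dataclass
class Witness:
    failure_threshold: int = 3       # failures in a row before marking unhealthy
    hold_down_seconds: float = 60.0  # minimum time between two state flips
    states: Dict[str, TargetState] = field(default_factory=dict)

    def observe(self, target: str, probe_ok: bool, now: float) -> bool:
        """Record one probe result and return the target's decided health."""
        st = self.states.setdefault(target, TargetState())
        in_hold_down = now < st.hold_down_until
        if probe_ok:
            st.consecutive_failures = 0
            # Recovery: one good probe after the hold-down has expired.
            if not st.healthy and not in_hold_down:
                st.healthy = True
                st.hold_down_until = now + self.hold_down_seconds
        else:
            st.consecutive_failures += 1
            # Failure: only after the threshold, and never during hold-down.
            if (st.healthy and not in_hold_down
                    and st.consecutive_failures >= self.failure_threshold):
                st.healthy = False
                st.hold_down_until = now + self.hold_down_seconds
        return st.healthy

    def desired_members(self, all_targets: Iterable[str]) -> Set[str]:
        """Targets that should be registered, applying fail-open."""
        targets = set(all_targets)
        healthy = {t for t in targets
                   if self.states.get(t, TargetState()).healthy}
        # Fail-open: if every target is unhealthy the fault is most likely
        # shared (identity store, network path), so keep them all registered
        # rather than draining the whole target group.
        return healthy if healthy else targets


def plan_reconcile(desired: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_register, to_deregister) moving current membership to desired."""
    return desired - current, current - desired


def run_cycle(witness: Witness, targets: Iterable[str],
              probe: Callable[[str], bool], current: Set[str],
              now: float) -> Tuple[Set[str], Set[str]]:
    """One witness iteration: probe every target, then plan the NLB changes.

    In a real deployment the returned sets would be applied with the ELBv2
    RegisterTargets / DeregisterTargets calls; here they are just returned.
    """
    targets = list(targets)
    for t in targets:
        witness.observe(t, probe(t), now)
    return plan_reconcile(witness.desired_members(targets), current)


if __name__ == "__main__":
    # Constructed scenario: two RADIUS servers, the first one stops
    # answering authentication probes while the second keeps working.
    servers = ["10.0.1.10", "10.0.2.10"]   # constructed addresses
    registered = set(servers)
    stub_probe = lambda host: host != "10.0.1.10"   # constructed probe stub
    w = Witness(failure_threshold=3, hold_down_seconds=60)
    for tick in (0, 10, 20):
        reg, dereg = run_cycle(w, servers, stub_probe, registered, now=tick)
        registered = (registered | reg) - dereg
        print(f"t={tick:>3}s register={sorted(reg)} deregister={sorted(dereg)}")
```

The threshold delays deregistration by `failure_threshold` probe intervals; the hold-down then keeps a flipped target in its new state for at least `hold_down_seconds` even if the next probes contradict it, so a server that is intermittently failing is not registered and deregistered on every cycle.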