
AWS ALB with GRPC

I'm trying to run a netty server with GRPC API on AWS ECS (on Fargate) behind an application load balancer for an Android GRPC client to connect to. Calls are forwarded but the server logs show an error like

io.grpc.netty.shaded.io.netty.handler.codec.http2.Http2Exception: HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 1603010102010000fe03036a5663244616ee784100b9d61c

I've read here that such an error is related to the client and server not both using SSL, which arguably is true in my case.

The server itself is not configured to use SSL (I wouldn't know which certificate to deploy it with). The ALB provides an ACM public certificate to the client and should do SSL offloading I would expect. However, the fact that I cannot configure the load balancing target group with another protocol than HTTPS when protocol version is GRPC indicates otherwise.

Can anyone clarify this for me or provide a working example?

This is the relevant ALB config of my cfn template:

  ApplicationLoadBalancer:
    Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
    Properties:
      Name: my-alb
      Scheme: "internet-facing"
      Type: "application"
      Subnets:
        - !Ref public-sn-1
        - !Ref public-sn-2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      IpAddressType: "ipv4"

  HubListener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 50051
      Protocol: HTTPS
      SslPolicy: "ELBSecurityPolicy-2016-08"
      Certificates:
        - CertificateArn: !Ref AlbCertificateArn
      DefaultActions:
        - Order: 1
          TargetGroupArn: !Ref HubTargetGroup
          Type: "forward"

  HubTargetGroup:
    Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
    Properties:
      Port: 50051
      Protocol: HTTPS
      ProtocolVersion: GRPC
      HealthCheckEnabled: true
      HealthCheckPath: "/grpc.health.v1.Health/Check"
      HealthCheckPort: "traffic-port"
      HealthCheckProtocol: HTTP
      TargetType: ip
      Matcher:
        GrpcCode: 0
      VpcId: !Ref VpcId

asked Jan 28 '26 10:01 by Bakkenrak


1 Answer

Turns out the target group just needs to be switched to protocol HTTP for the SSL offloading to work.

I had initially assumed that this would not be permitted, since a listener forwarding to a GRPC target group must use HTTPS as its protocol, but that constraint does not apply to the target group itself.

answered Jan 29 '26 23:01 by Bakkenrak
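
Added example, not part of the original question or answer: decoding the hex dump from the exception shows what the load balancer sent to the server. The bytes are a TLS ClientHello rather than the HTTP/2 preface a cleartext gRPC server expects, which matches a target group set to HTTPS in front of a server without TLS. The function names are illustrative.

```python
import struct

# Preface a cleartext HTTP/2 (h2c) server must receive first (RFC 9113, section 3.4).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# Hex dump copied from the Http2Exception in the question.
QUESTION_DUMP = "1603010102010000fe03036a5663244616ee784100b9d61c"
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP1_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def classify_first_bytes(hex_dump: str) -> dict:
    """Classify the first bytes a listener received on a new connection."""
    data = bytes.fromhex(hex_dump)
    if not data:
        return {"kind": "empty"}
    # Logs usually hold only a prefix, so compare over the bytes available.
    if data[:len(H2_PREFACE)] == H2_PREFACE[:len(data)]:
        return {"kind": "h2_cleartext_preface"}
    if data.startswith(HTTP1_METHODS):
        return {"kind": "http1_cleartext"}
    if len(data) >= 5:
        ctype, record_version, record_len = struct.unpack(">BHH", data[:5])
        # Every TLS record starts with a known content type and a 0x03xx version.
        if ctype in TLS_CONTENT_TYPES and record_version >> 8 == 0x03:
            info = {"kind": "tls_record", "content_type": TLS_CONTENT_TYPES[ctype],
                    "record_version": f"0x{record_version:04x}", "record_length": record_len}
            if ctype == 22 and len(data) >= 11 and data[5] == 1:
                # ClientHello: 1-byte type (1), 3-byte length, 2-byte legacy_version.
                info.update(kind="tls_client_hello",
                            handshake_length=int.from_bytes(data[6:9], "big"),
                            hello_version=f"0x{int.from_bytes(data[9:11], 'big'):04x}")
            return info
    return {"kind": "unknown"}


def diagnose(hex_dump: str) -> str:
    """Turn the classification into a one-line finding for the server operator."""
    kind = classify_first_bytes(hex_dump)["kind"]
    if kind.startswith("tls"):
        return "peer is speaking TLS to a cleartext HTTP/2 port"
    if kind == "h2_cleartext_preface":
        return "peer sent the cleartext HTTP/2 preface the server expects"
    return "peer sent neither TLS nor an HTTP/2 preface: " + kind


if __name__ == "__main__":
    print(classify_first_bytes(QUESTION_DUMP))
    print(diagnose(QUESTION_DUMP))
```

With the target group on HTTP as in the answer, TLS ends at the ALB and the hop from the ALB to the task is cleartext inside the VPC.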


