
Internal WebSocket URL with ALB and SSL configuration

  • April 28, 2026

anryan
Contributor

Hi there,

I have an FME Flow 2026.1 deployment in a fault-tolerant configuration with ALB and SSL enabled in AWS.

The HTTPS traffic on port 443 to the ALB is working fine going to core and running jobs on the engines.

I’m struggling to find the documentation on the ALB setup for the WebSocket and on setting the ‘Internal WebSocket URL’ in the system configuration section in the WebUI so I can use notifications/topics in my automations as triggers.

I’m basically looking for ALB configuration. So, my questions are:

Does the ALB require port 7078 listener and then to target the EC2 on port 7078?

Which EC2 should be in the target group? Is it core or engine?

What would be the health check URL to the EC2 to determine the EC2 can receive the WebSocket traffic?

What URL would you set for the ‘Internal WebSocket URL’ in the config settings based on above?

At the moment, I have looked at the Safe GitHub repo for AWS IaC, which is very generic, and the ALB fails on the health check to the core EC2.

 

If someone could point me in the right direction, it would be greatly appreciated. Thanks

3 replies

anryan
Contributor
  • April 29, 2026

@rylanatsafe would you be able to help out on this one too please? Thanks


steveatsafe
Safer

Hi ​@anryan 

Did you end up getting this working?  

What error are you seeing in the logs?

The core nodes are the only ones that can support the WebSocket.

  1. During installation did you enable https and provide a PFX?
  2. Is your LB configured for HTTPS to FME Flow or HTTPS termination at the LB?
  3. If using HTTPS behind the LB, did you adjust for WSS URLs when you configured HTTPS (or, if you enabled HTTPS during installation, verify that the WebSocket is properly configured)?


The Internal WebSocket URL can pass to the LB URL as long as the LB is going to forward the request/connection to one node and only fail over to the other node if an issue occurs (no round-robin).

It’s not clear what you want to achieve here and we might ask you to submit a support ticket if you haven’t yet resolved the issue.

Additional information.

https://docs.safe.com/fme/html/FME-Flow/AdminGuide/configuring_for_https.htm
Might have some checks you can perform: https://support.safe.com/hc/en-us/articles/25407415461517-Configuring-FME-Flow-for-HTTPS

This article has a section on WebSockets and is meant for public accessibility.
https://support.safe.com/hc/en-us/articles/25407742345357-Enabling-FME-Flow-for-Public-Access#h_01JZRFGTAXYC1SES506CR92HXZ 

 

More to come.


damiobasa
Safer
  • May 28, 2026

Hi ​@anryan just wanted to add a few points here. 

The WebSocket Server is part of the FME Flow Core process, so WebSocket traffic should be routed only to the Core EC2 instance(s), not the Engine nodes. You can see the Enabling FME Flow for Public Access documentation for more details.
In AWS ALB, you could use an HTTPS listener on port 443 and forward WebSocket upgrade requests to a target group on port 7078 containing only the Core instances, meaning port 7078 does not need to be exposed externally.

For health checks, the health check can be pointed to the FME Flow REST API healthcheck endpoint on the Core instance, which should return HTTP 200 when healthy.
Note that as of FME Flow 2026.1 the V3 API has been removed, so please refer to this documentation; you can access your V4 API docs at http://<yourFMEFlowHost>/fmeapiv4/docs/index.html. Additional details can be found here.

For the "Internal WebSocket URL" setting in the Web UI, despite the field being labelled "Internal", you can set this to your public-facing load balancer URL, as also pointed out in this documentation.
With SSL enabled through the ALB this would be wss://<your-alb-dns>, or your DNS alias/CNAME if you have one. For the External WebSocket Port field, if WebSocket traffic is flowing through port 443 via the ALB you can leave this blank, as 443 is the default WSS port.

As mentioned in this documentation, it is also worth setting longer client- and server-side timeouts on the load balancer to allow for longer WebSocket connections.

If you continue running into issues with the ALB configuration or health checks, as also mentioned by @steveatsafe, please feel free to reach out to Safe Support and we'd be happy to help further.
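
The layout described in the reply above, sketched in Terraform as an added example (not taken from Safe's IaC repository or from any poster in this thread). All variable names and the rule priority are hypothetical, the health check port and path are inputs because the thread does not state them, and matching on the `Upgrade` header is one assumed way to select WebSocket upgrade requests on the existing 443 listener.

```hcl
# Added example. Every variable is a hypothetical input for values the thread does not give.
variable "vpc_id" { type = string }
variable "https_listener_arn" { type = string } # existing ALB listener on 443
variable "alb_sg_id" { type = string }          # security group of the ALB
variable "core_sg_id" { type = string }         # security group of the Core EC2 instances
variable "core_instance_ids" { type = set(string) } # Core nodes only, no Engine nodes
variable "core_web_port" { type = number }      # port serving the Core REST API
variable "healthcheck_path" { type = string }   # V4 healthcheck path from your fmeapiv4 docs
resource "aws_lb_target_group" "fme_ws" {
  name     = "fme-core-websocket"
  port     = 7078
  protocol = "HTTP" # assumption: TLS ends at the ALB; use "HTTPS" if Core itself serves WSS
  vpc_id   = var.vpc_id
  health_check {
    port    = var.core_web_port # add protocol = "HTTPS" if the Core web service uses TLS
    path    = var.healthcheck_path
    matcher = "200"
  }
}
resource "aws_lb_target_group_attachment" "core" {
  for_each         = var.core_instance_ids
  target_group_arn = aws_lb_target_group.fme_ws.arn
  target_id        = each.value
}

# Forward only WebSocket upgrade requests arriving on 443 to the 7078 target group.
resource "aws_lb_listener_rule" "ws_upgrade" {
  listener_arn = var.https_listener_arn
  priority     = 10 # constructed value; pick a free priority on your listener
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fme_ws.arn
  }
  condition {
    http_header {
      http_header_name = "Upgrade"
      values           = ["websocket"]
    }
  }
}

# Port 7078 on Core accepts traffic from the ALB security group only.
resource "aws_vpc_security_group_ingress_rule" "core_ws_from_alb" {
  security_group_id            = var.core_sg_id
  referenced_security_group_id = var.alb_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 7078
  to_port                      = 7078
}
```

The ALB's `idle_timeout` attribute defaults to 60 seconds, so raise it on the existing `aws_lb` resource to keep idle WebSocket connections open; the right value depends on the deployment.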