Open fdhex opened 1 year ago
Yes that would be awesome! Please help us prioritize this feature request with upvotes 👍. Thanks!
@pahud Can I take this?
Is it currently possible to connect `ApplicationLoadBalancedFargateService` to Service Connect by using its underlying created `FargateService`? It seems doable, but I am trying this without success so far. My frontend service (`ApplicationLoadBalancedFargateService`) is able to connect to the backend service (`FargateService`) port but is getting 504 timeout errors, and the request is not showing up in the backend service logs.
I am running the frontend and backend in different ECS clusters, not sure if that is a problem.
These errors are showing up in the Service Connect logs: `CONSECUTIVE_LOCAL_ORIGIN_FAILURE`, `CONSECUTIVE_5XX`.
The frontend service `/etc/hosts` file does have entries for `backend-api`.
This is my approach:
SharedCloudMapStack:
```ts
// HTTP namespace shared by both stacks; its ARN is passed to the service stacks below
this.nameSpace = new servicediscovery.HttpNamespace(this, 'MyNamespace', {
  name: 'local',
});
```
BackendStack:
```ts
new ecs.FargateService(this, 'BackendService', {
  ..., // cluster, taskDefinition, securityGroups, etc.
  serviceConnectConfiguration: {
    namespace: props.nameSpace.namespaceArn,
    logDriver: serviceConnectLogger,
    services: [
      {
        // must match a named portMapping in the task definition
        portMappingName: 'backend',
        dnsName: 'backend-api',
      },
    ],
  },
});
```
FrontendStack:
```ts
const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(...);
// The pattern has no Service Connect prop, so enable it on the underlying FargateService
albFargateService.service.enableServiceConnect({
  logDriver: serviceConnectLogger,
  namespace: props.nameSpace.namespaceArn,
});
```
After setting up a similar app architecture in ECS copilot CLI and observing what it does, I determined that Security Groups which allow ingress are also required to get this working.
I added this CDK code to my stack:
```ts
// This security group setup is based on what ecs copilot does
// A shared security group is added to all services to allow inter communication
const sgALB = new ec2.SecurityGroup(this, 'ALBSecurityGroup', {
  vpc,
  description: 'Allow all HTTP access',
  allowAllOutbound: true,
});
sgALB.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(80), 'allow http access at 80');

const sgServicesShared = new ec2.SecurityGroup(this, 'ServicesSecurityGroup', {
  vpc,
  description: 'Shared security group for all services',
  allowAllOutbound: true,
});
// Self-referencing rule: every task in this group can reach every TCP port of every other task in it
sgServicesShared.addIngressRule(sgServicesShared, ec2.Port.allTcp(), 'Ingress from other containers in the same security group');
sgServicesShared.addIngressRule(sgALB, ec2.Port.allTcp(), 'HTTP ingress from the public ALB');
```
then add the security groups for the services:
```ts
...
securityGroups: [
  sgServicesShared,
],
...
```
And for the ALB:
```ts
albFargateService.loadBalancer.addSecurityGroup(sgALB);
```
Maybe the docs should be updated to note the security groups requirement for developers as this was not clear to me.
Describe the feature
At this time the different *Service constructs (e.g. ApplicationLoadBalancedFargateService) that can be created with the ECS Patterns lib do not support ECS Service Connect as available in the ECS module.
Use Case
Support ECS Service Connect
Proposed Solution
No response
Other Information
No response
CDK version used
2.93.0
Environment details (OS name and version, etc.)
all