aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0
3.42k stars 397 forks

[Feature Request]: 3 Tier architecture - How to configure so that Backend Service security group's inbound rules allow Load Balanced Web Service connection #5768

Open rickychew77 opened 2 months ago

rickychew77 commented 2 months ago

Describe your idea/feature/enhancement

For some projects with a simple frontend/backend architecture, I would like the Backend Service's Security Group inbound rule that Copilot creates by default to allow the Load Balanced Web Service's connection. I understand that there is a way to import an existing security_group here; however, this does not achieve what I described above.

Proposal

Is there a way to allow multiple Copilot services to "discover" each other, given that the IAM permissions are sorted out, so that not only the security group but any other potential configuration can be seamless?

Additional Details

Maybe in either one of the services there is a field in the manifest.yml to point to each other?

iamhopaul123 commented 2 months ago

Hello @rickychew77. I don't get why we need to do this through a security group 🤔 Right now the backend service only allows access from all services deployed within the same environment. Do you mean you want the backend service to be accessible only from a specific LBWS, whereas all the other services deployed to the same environment can't access it?

rickychew77 commented 2 months ago

Yes, I am not sure if this is the best practice, but basically it is to allow the frontend ECS service to connect to the backend ECS service; both are within the same VPC.

iamhopaul123 commented 2 months ago

Yeah, in that scenario using service connect or service discovery that comes with the Copilot deployment would be recommended. You can check the endpoints by running copilot svc show!

rickychew77 commented 2 months ago

Yes, I understand that we can use service connect (Cloud Map), which comes with the Copilot deployment.

However, we still need to configure the backend ECS security group to allow access from the frontend ECS service (both created via Copilot). The default inbound rule only has this one rule: "Ingress from other containers in the same security group".

Currently it's not a blocker, just that we have to perform clickops in the AWS console.
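The thread turns on what the backend service's security group actually admits: a single self-referencing rule, and nothing for the frontend service's group. The script below is an added example, not code from the Copilot project or from anyone in this issue. It evaluates security-group rules in the JSON shape returned by `aws ec2 describe-security-groups`, reports which source groups and CIDR ranges can reach a target group on a port, and builds the equivalent of the console click as a source-group-scoped `authorize-security-group-ingress` command. The group ids, group names and port are constructed placeholders.

```python
"""Evaluate security-group ingress rules in describe-security-groups form.

Sample data mirrors the thread: the backend group's only ingress rule is
"from itself" (the Copilot default) and the frontend group has no rule
granting it access. All ids, names and ports are constructed placeholders.
"""
import json

BACKEND_SG = "sg-00000000000000b1"    # placeholder, not a real group id
FRONTEND_SG = "sg-00000000000000f1"   # placeholder, not a real group id
BACKEND_PORT = 8080                   # assumed backend container port

# Constructed sample in the SecurityGroups[].IpPermissions[] shape that
# `aws ec2 describe-security-groups --output json` returns.
DESCRIBE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-00000000000000b1",
      "GroupName": "sample-backend-sg",
      "IpPermissions": [
        {
          "IpProtocol": "-1",
          "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-00000000000000b1"}]
        }
      ]
    },
    {
      "GroupId": "sg-00000000000000f1",
      "GroupName": "sample-frontend-sg",
      "IpPermissions": [
        {
          "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "UserIdGroupPairs": []
        }
      ]
    }
  ]
}
""")


def _covers_tcp_port(perm, port):
    """True if a permission entry applies to TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":      # "-1" means all protocols; no port fields
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ingress_sources(describe_output, group_id, port):
    """Return (source_group_ids, cidr_ranges) allowed to reach `group_id`
    on TCP `port`. CIDR entries are returned separately because a CIDR
    grant is broader than a source-group grant and worth reviewing."""
    groups, cidrs = set(), set()
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg["IpPermissions"]:
            if not _covers_tcp_port(perm, port):
                continue
            groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return groups, cidrs


def allows_ingress_from(describe_output, target_sg, source_sg, port):
    """True if tasks carrying `source_sg` may connect to `target_sg` on `port`."""
    groups, _ = ingress_sources(describe_output, target_sg, port)
    return source_sg in groups


def remediation_command(target_sg, source_sg, port):
    """CLI form of the console click: a rule scoped to the source group rather
    than a CIDR, so only tasks that carry the frontend group can connect."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {target_sg} "
            f"--protocol tcp --port {port} --source-group {source_sg}")


if __name__ == "__main__":
    groups, cidrs = ingress_sources(DESCRIBE_OUTPUT, BACKEND_SG, BACKEND_PORT)
    print(f"backend ingress on {BACKEND_PORT}: groups={sorted(groups)} cidrs={sorted(cidrs)}")
    if not allows_ingress_from(DESCRIBE_OUTPUT, BACKEND_SG, FRONTEND_SG, BACKEND_PORT):
        print("frontend group is not allowed; missing rule would be:")
        print("  " + remediation_command(BACKEND_SG, FRONTEND_SG, BACKEND_PORT))
```

Run it against real output by replacing `DESCRIBE_OUTPUT` with `json.load()` of a saved `describe-security-groups` response; the check is read-only, and the printed command is the single, least-broad rule the thread's scenario needs, which keeps the group from being opened to a CIDR range when only one other service should reach it.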