stelligent / mu

A full-stack DevOps on AWS framework
https://getmu.io
MIT License

Allow public IPs to be assigned to fargate tasks #369

Closed zsims closed 6 years ago

zsims commented 6 years ago

Per https://github.com/stelligent/mu/tree/develop/examples/vpc-target it's possible to bring your own VPC rather than mu creating one.

The fargate tasks that mu creates currently do not assign public IPs, and assume that the VPC has a NAT. Per https://aws.amazon.com/blogs/compute/task-networking-in-aws-fargate/ it's recommended that tasks requiring internet access (with a lot of bandwidth) are in a public subnet and assigned a public IP:

> If you have tasks that require internet access and a lot of bandwidth for communication with other services, it is best to run them in a public subnet. Give them public IP addresses so that each task can communicate with other services directly.

Can a configuration option be added to assign a public IP to the fargate task? Rather than assuming the subnet is private/has a NAT.

cplee commented 6 years ago

I recommend a new boolean configuration option in mu.yml under the service: called assignPublicIp. This would get passed along as AssignPublicIp under the AwsVpcConfiguration here: https://github.com/stelligent/mu/blob/develop/templates/assets/cloudformation/service-ecs.yml#L263

cplee commented 6 years ago

This can be solved in the short term via custom cloudformation.

In the long term, this could be addressed by a new config option in mu.yml to assign public ip that would require an update here: https://github.com/stelligent/mu/blob/develop/templates/assets/cloudformation/service-ecs.yml#L263

zsims commented 6 years ago

Thanks for the information and the short term workarounds, much appreciated!

I tried with custom CFN, but it doesn't seem to like the Fn::If:

mu.yml

```yaml
---
environments:
  - name: dev
    provider: ecs-fargate

templates:
  mu-service-ecs-fargate-example-dev:
    Resources:
      EcsService:
        Properties:
          NetworkConfiguration:
            AwsvpcConfiguration:
              AssignPublicIp: ENABLED
service:
  name: ecs-fargate-example
  healthEndpoint: /
  port: 8080
  pathPatterns:
    - /*
```

```
Created stack 'mu-service-ecs-fargate-example-dev'
mu-service-ecs-fargate-example-dev: MicroserviceTaskDefinition (AWS::ECS::TaskDefinition) CREATE_IN_PROGRESS Resource creation Initiated
logEventStatus ▶ ERROR mu-service-ecs-fargate-example-dev: EcsService (AWS::ECS::Service) CREATE_FAILED Encountered unsupported property Fn::If
```

Am I missing something?

In the meantime, I'll look at raising a PR to add the property as you suggested
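
An added example, not part of the thread and not mu's code: a small review check over a CloudFormation template (as a parsed dict) that flags ECS services whose tasks get a public IP in any `Fn::If` branch, and flags mappings where `Fn::If` is not the only key, since an intrinsic function must be the sole key of its mapping. That the override above was merged beside an `Fn::If` in mu's base template is an assumption (the page does not show that template); the templates, the `IsFargate` condition name and the subnet id are constructed.

```python
# Added example, not code from mu. Templates are constructed samples; the
# condition name "IsFargate" and the subnet id are hypothetical.

def public_ip_values(node):
    """Collect every AssignPublicIp value under node, across Fn::If branches."""
    if isinstance(node, dict):
        return [v for k, val in node.items()
                for v in ([val] if k == "AssignPublicIp" else public_ip_values(val))]
    if isinstance(node, list):
        return [v for item in node for v in public_ip_values(item)]
    return []

def if_with_siblings(node, path):
    """Yield paths of mappings where Fn::If is not the only key."""
    if isinstance(node, dict):
        if "Fn::If" in node and len(node) > 1:
            yield path
        for key, value in node.items():
            yield from if_with_siblings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from if_with_siblings(value, f"{path}/{i}")

def audit(template):
    """Return (resource, finding) pairs for every AWS::ECS::Service."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        net = res.get("Properties", {}).get("NetworkConfiguration", {})
        if "ENABLED" in public_ip_values(net):
            findings.append((name, "public-ip"))
        findings += [(name, "fn-if-sibling:" + p)
                     for p in if_with_siblings(net, "NetworkConfiguration")]
    return findings

def service(network):
    return {"Resources": {"EcsService": {
        "Type": "AWS::ECS::Service",
        "Properties": {"NetworkConfiguration": network}}}}

BRANCH = {"AwsvpcConfiguration": {"Subnets": ["subnet-EXAMPLE"]}}
NO_VALUE = {"Ref": "AWS::NoValue"}
# Override merged beside the conditional: Fn::If now has a sibling key.
MERGED = service({"Fn::If": ["IsFargate", BRANCH, NO_VALUE],
                  "AwsvpcConfiguration": {"AssignPublicIp": "ENABLED"}})
# Setting placed inside the conditional branch instead.
INSIDE = service({"Fn::If": ["IsFargate", {"AwsvpcConfiguration": {
    "Subnets": ["subnet-EXAMPLE"], "AssignPublicIp": "ENABLED"}}, NO_VALUE]})
```

`audit(MERGED)` reports both the public IP and the malformed mapping; `audit(INSIDE)` reports only the public IP, which remains worth a reviewer's look because such a task is reachable wherever its security group allows.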