#getting-started

narrow-boots-93205

01/24/2024, 10:20 PM
Howdy, I'm losing my mind trying to get my Fargate/ECS container to be able to access external services. It seems like any request that uses an external service is failing while other API requests are working fine. Is there an egress security group I need to add or something similar?

miniature-musician-31262

01/24/2024, 10:22 PM
There's an example in the docs that contains an `egress` block -- have you tried this? https://www.pulumi.com/docs/clouds/aws/guides/ecs/#creating-an-ecs-cluster-in-a-vpc

cuddly-computer-18851

01/25/2024, 12:11 AM
Do your tasks have public IPs, or are they in a subnet routed via a NAT GW?

narrow-boots-93205

01/25/2024, 12:27 AM
Let me just attach the code I'm currently using.
```typescript
const cluster = new awsx.classic.ecs.Cluster('cluster');

export const alb = new awsx.classic.lb.ApplicationLoadBalancer( 'net-lb', {
  external: true,
  securityGroups: cluster.securityGroups
});
const atg = alb.createTargetGroup('app-tg', { port: 4000, deregistrationDelay: 0, protocol: 'HTTP' });
export const webHTTPS = atg.createListener('webHTTPS', {
  external: true,
  port: 443,
  protocol: 'HTTPS',
  sslPolicy: 'ELBSecurityPolicy-2016-08',
  certificateArn: config.certificateArn
});

const fargateSecurityGroup = new aws.ec2.SecurityGroup('fargateSecurityGroup', {
  egress: [
    {
      fromPort: 0,
      toPort: 0,
      protocol: '-1',
      cidrBlocks: [ '0.0.0.0/0' ],
      ipv6CidrBlocks: [ '::/0' ]
    }
  ]
});

const appService = new awsx.classic.ecs.FargateService('app-svc', {
  cluster,
  securityGroups: [ fargateSecurityGroup.id, ...cluster.securityGroups.map(g => g.id) ],
  taskDefinitionArgs: {
    container: {
      image: img.imageUri,
      cpu: 102 /*10% of 1024*/,
      memory: 50 /*MB*/,
      portMappings: [
        // webHTTP,
        webHTTPS
      ]
    }
  },
  desiredCount: 1
});
```
Basically I have an ALB forwarding HTTPS traffic to the port used by the container. Not really sure if I should convert this to awsx instead of classic, but the example I started this project with was using classic.

cuddly-computer-18851

01/25/2024, 12:45 AM
You need to provide networking configuration

narrow-boots-93205

01/25/2024, 12:55 AM
To the FargateService? The non-classic ones have a parameter `networkConfiguration`. Is that what you are talking about?

cuddly-computer-18851

01/25/2024, 1:11 AM
https://www.pulumi.com/registry/packages/aws/api-docs/ecs/service/#servicenetworkconfiguration Personally I would not recommend using `awsx` - they're a poorly documented / maintained abstraction compared to the core packages.