Howdy, I'm losing my mind trying to get my Fargate...
# getting-started
n
Howdy, I'm losing my mind trying to get my Fargate/ECS container to be able to access external services. It seems like any request that uses an external service is failing while other API requests are working fine. Is there an egress security group I need to add or something similar?
m
There's an example in the docs that contains an `egress` block -- have you tried this? https://www.pulumi.com/docs/clouds/aws/guides/ecs/#creating-an-ecs-cluster-in-a-vpc
c
Do your tasks have public IPs, or are they in a subnet routed via a NAT GW?
n
Let me just attach the code I'm currently using.
```typescript
import * as aws from '@pulumi/aws';
import * as awsx from '@pulumi/awsx';

// `config` and `img` are referenced below but not defined in the posted snippet.

const cluster = new awsx.classic.ecs.Cluster('cluster');

// Internet-facing ALB that reuses the cluster's security groups.
export const alb = new awsx.classic.lb.ApplicationLoadBalancer('net-lb', {
  external: true,
  securityGroups: cluster.securityGroups
});
const atg = alb.createTargetGroup('app-tg', { port: 4000, deregistrationDelay: 0, protocol: 'HTTP' });
// HTTPS listener on 443 forwarding to the target group on port 4000.
export const webHTTPS = atg.createListener('webHTTPS', {
  external: true,
  port: 443,
  protocol: 'HTTPS',
  sslPolicy: 'ELBSecurityPolicy-2016-08',
  certificateArn: config.certificateArn
});

// Security group that allows all outbound traffic (IPv4 and IPv6).
const fargateSecurityGroup = new aws.ec2.SecurityGroup('fargateSecurityGroup', {
  egress: [
    {
      fromPort: 0,
      toPort: 0,
      protocol: '-1',
      cidrBlocks: [ '0.0.0.0/0' ],
      ipv6CidrBlocks: [ '::/0' ]
    }
  ]
});

const appService = new awsx.classic.ecs.FargateService('app-svc', {
  cluster,
  securityGroups: [ fargateSecurityGroup.id, ...cluster.securityGroups.map(g => g.id) ],
  taskDefinitionArgs: {
    container: {
      image: img.imageUri,
      cpu: 102 /*10% of 1024*/,
      memory: 50 /*MB*/,
      portMappings: [
        // webHTTP,
        webHTTPS
      ]
    }
  },
  desiredCount: 1
});
```
Basically have an ALB forwarding https traffic to the port used by the container. Not really sure if I should convert this to awsx instead of classic but the example I started this project with was using classic.
c
You need to provide networking configuration
n
To the FargateService? The non-classic ones have a parameter `networkConfiguration`. Is that what you are talking about?
c
https://www.pulumi.com/registry/packages/aws/api-docs/ecs/service/#servicenetworkconfiguration Personally I would not recommend using `awsx` - they're a poorly documented / maintained abstraction compared to the core packages.