AWS ECS Private and Public Services

3

8

I have a scenario where I have to deploy multiple micro-services on AWS ECS. I want to make services able to communicate with each other via APIs developed in each micro-service. I want to deploy the front-end on AWS ECS as well that can be accessed publicly and can also communicate with other micro-services deployed on AWS ECS. How can I achieve this? Can I use AWS ECS service discovery by having all services in a private subnet to enable communication between each of them? Can I use Elastic Load Balancer to make front-end micro-service accessible to end-users over the internet only via HTTP/HTTPS protocols while keeping it in a private subnet?

Guillermoguilloche answered 10/8, 2019 at 21:1 Comment(0)
13

The combination of both an AWS load balancer (for public access) and Amazon ECS Service Discovery (for internal communication) is the perfect choice for the web application.

Built-in service discovery in ECS is another feature that makes it easy to develop a dynamic container environment without needing to manage as many resources outside of your application. ECS and Route 53 combine to provide highly available, fully managed, and secure service discovery.

Service discovery is a technique for getting traffic from one container to another using the container's direct IP address, instead of an intermediary like a load balancer. It is suitable for a variety of use cases:

  • Private, internal service discovery
  • Low latency communication between services
  • Long lived bidirectional connections, such as gRPC.

Yes, you can use AWS ECS service discovery having all services in a private subnet to enable communication between them.

This makes it possible for an ECS service to automatically register itself with a predictable and friendly DNS name in Amazon Route 53. As your services scale up or down in response to load or container health, the Route 53 hosted zone is kept up to date, allowing other services to lookup where they need to make connections based on the state of each service.

Yes, you can use Load Balancer to make front-end micro-service accessible to end-users over the internet. You can look into this diagram that shows AWS LB and service discovery for a Web application in ECS.

https://aws.amazon.com/blogs/aws/amazon-ecs-service-discovery/

You can see the backend container, which is in a private subnet, serving public requests through the ALB while the rest of the containers use AWS service discovery.

Amazon ECS Service Discovery

Let’s launch an application with service discovery! First, I’ll create two task definitions: “flask-backend” and “flask-worker”. Both are simple AWS Fargate tasks with a single container serving HTTP requests. I’ll have flask-backend ask worker.corp to do some work and I’ll return the response as well as the address Route 53 returned for worker. Something like the code below:

import os
import socket
import requests
from flask import Flask

app = Flask(__name__)
namespace = os.getenv("namespace")          # e.g. "corp"
worker_host = "worker." + namespace         # resolves via Route 53 to a worker task IP

@app.route("/")
def backend():
    r = requests.get("http://" + worker_host)          # ask the worker to do some work
    worker = socket.gethostbyname(worker_host)          # the address Route 53 returned
    return "Worker Message: {}\nFrom: {}".format(r.content, worker)

Note that in this private architecture there is no public subnet, just a private subnet. Containers inside the subnet can communicate to each other using their internal IP addresses. But they need some way to discover each other’s IP address.

AWS service discovery offers two approaches:

  • DNS based (Route 53 creates and maintains a custom DNS name which resolves to one or more IP addresses of other containers, for example, http://nginx.service.production. Then other containers can send traffic to the destination by just opening a connection using this DNS name)
  • API based (Containers can query an API to get the list of IP address targets available, and then open a connection directly to one of the other containers.)

You can read more about AWS service discovery and its use cases at amazon-ecs-service-discovery and here.

Lalla answered 18/8, 2019 at 2:2 Comment(4)
If my web-tier or front-end is a separate ECS service deployed in a public subnet, can it still use service discovery to talk with my back-end ECS service (which is inside a private subnet), or do you recommend any other communication mechanism? (Branson)
From the web-tier, you should use a load balancer; private service discovery only works within the AWS network. (Lalla)
The web-tier is deployed in a public subnet of the same VPC. What do you mean by 'within AWS network'? (Branson)
Will the load balancer target group and the service discovery service concur on what the active instances are? If not, you may find (brief?) situations when an instance is reachable by one mechanism but not the other (though they are probably eventually consistent at steady state). (Opprobrious)
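As an added example (not code from the answer above or from AWS), the following builds the keyword arguments for boto3's ecs.create_service for the pattern the answer describes: every task in a private subnet with no public IP, each service registered in a Cloud Map namespace for internal lookups, and only the front-end attached to an internet-facing ALB target group. The cluster name, ARNs, subnet and security-group ids are placeholders, and the list of which subnets are public is an assumption the check relies on.

```python
# Added example, not from the answer or from AWS: assembles ecs.create_service
# kwargs for "private subnet + Cloud Map + ALB only on the front-end" and checks
# a definition against that placement rule before it is submitted.

PRIVATE_SUBNETS = ["subnet-PRIVATE-A", "subnet-PRIVATE-B"]   # placeholder ids
PUBLIC_SUBNETS = ["subnet-PUBLIC-A"]                           # placeholder ids (assumed known)


def build_service_definition(name, task_def_arn, registry_arn, container_port,
                             subnets, security_group, target_group_arn=None):
    """Return the kwargs for ecs.create_service (Fargate, awsvpc networking)."""
    definition = {
        "cluster": "app-cluster",                  # placeholder cluster name
        "serviceName": name,
        "taskDefinition": task_def_arn,
        "desiredCount": 2,
        "launchType": "FARGATE",
        "networkConfiguration": {
            "awsvpcConfiguration": {
                "subnets": list(subnets),
                "securityGroups": [security_group],
                # Tasks get no public IP; the internet reaches them only through the ALB.
                "assignPublicIp": "DISABLED",
            }
        },
        # Registers each task's private IP under the service's name in the namespace
        # (an A record in awsvpc mode needs only the registry ARN).
        "serviceRegistries": [{"registryArn": registry_arn}],
    }
    if target_group_arn is not None:
        # Only the public-facing service is put behind the internet-facing ALB.
        definition["loadBalancers"] = [{"targetGroupArn": target_group_arn,
                                        "containerName": name,
                                        "containerPort": container_port}]
    return definition


def placement_findings(definition):
    """List the ways a definition breaks the private-placement rule (empty list = ok)."""
    cfg = definition["networkConfiguration"]["awsvpcConfiguration"]
    findings = []
    if cfg["assignPublicIp"] != "DISABLED":
        findings.append("tasks would receive public IPs")
    public = [s for s in cfg["subnets"] if s in PUBLIC_SUBNETS]
    if public:
        findings.append("tasks placed in public subnets: " + ", ".join(public))
    if not definition.get("serviceRegistries"):
        findings.append("no service registry: internal callers cannot resolve this service")
    return findings


if __name__ == "__main__":
    # Front-end: private subnets, service discovery, plus the ALB target group.
    frontend = build_service_definition(
        "flask-backend", "arn:aws:ecs:REGION:ACCOUNT:task-definition/flask-backend:1",
        "arn:aws:servicediscovery:REGION:ACCOUNT:service/srv-PLACEHOLDER-FE", 80,
        PRIVATE_SUBNETS, "sg-PLACEHOLDER-FE",
        target_group_arn="arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/fe/PLACEHOLDER")
    # Worker: private subnets and service discovery only, no load balancer.
    worker = build_service_definition(
        "flask-worker", "arn:aws:ecs:REGION:ACCOUNT:task-definition/flask-worker:1",
        "arn:aws:servicediscovery:REGION:ACCOUNT:service/srv-PLACEHOLDER-WK", 80,
        PRIVATE_SUBNETS, "sg-PLACEHOLDER-WK")
    for d in (frontend, worker):
        print(d["serviceName"], placement_findings(d) or "ok")
```

The worker's security group would allow ingress only from the front-end's security group, and the front-end's only from the ALB's; those rules live outside this definition but are what keeps the "private" part meaningful once tasks share a VPC.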
3

According to the documentation, "Amazon ECS does not support registering services into public DNS namespaces".

In other words, when it registers the DNS, it only uses the service's private IP address which would likely be problematic. The DNS for the "public" services would register to the private IP addresses which would only work, for example, if you were on a VPN to the private network, regardless of what your subnet rules were.

I think a better solution is to attach the services to one of two load balancers... one internet-facing, and one internal. I think this works more naturally for scaling the services up anyway. Service discovery is cool, but really more for services talking to each other, not for external clients.

Avid answered 12/8, 2019 at 14:11 Comment(1)
I'm wondering why your answer got so few upvotes. I have a network with a private ALB and was about to ditch it for ServiceDiscovery only until I read your answer and realized that there are valid cases for having both. Thanks. (Gallopade)
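When a service is both behind a load balancer and registered in a Cloud Map namespace, the two views of "which tasks are live" are maintained separately, so an operator wants a check that they agree. The following is an added example (not from the answer or its comments) that reconciles a target group's healthy targets with the namespace's instances; the input shapes mimic boto3's elbv2.describe_target_health(...)["TargetHealthDescriptions"] and servicediscovery.discover_instances(...)["Instances"], and every address, port and instance id below is constructed.

```python
# Added example, not from the answer: find endpoints reachable through the ALB
# but not via service discovery, or the reverse. All data is constructed.

TARGET_HEALTH = [  # constructed ALB view: two healthy tasks, one draining out
    {"Target": {"Id": "10.0.1.10", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.1.11", "Port": 80}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.1.12", "Port": 80}, "TargetHealth": {"State": "draining"}},
]

DISCOVERED = [  # constructed Cloud Map view: .12 still advertised, .13 never in the ALB
    {"InstanceId": "task-a", "HealthStatus": "HEALTHY",
     "Attributes": {"AWS_INSTANCE_IPV4": "10.0.1.10", "AWS_INSTANCE_PORT": "80"}},
    {"InstanceId": "task-c", "HealthStatus": "HEALTHY",
     "Attributes": {"AWS_INSTANCE_IPV4": "10.0.1.12", "AWS_INSTANCE_PORT": "80"}},
    {"InstanceId": "task-d", "HealthStatus": "HEALTHY",
     "Attributes": {"AWS_INSTANCE_IPV4": "10.0.1.13", "AWS_INSTANCE_PORT": "80"}},
]


def healthy_alb_targets(descriptions):
    """Set of (ip, port) the load balancer will actually route to."""
    return {(d["Target"]["Id"], int(d["Target"]["Port"]))
            for d in descriptions if d["TargetHealth"]["State"] == "healthy"}


def healthy_discovered(instances):
    """Set of (ip, port) a DNS lookup against the namespace can hand to internal callers."""
    return {(i["Attributes"]["AWS_INSTANCE_IPV4"], int(i["Attributes"]["AWS_INSTANCE_PORT"]))
            for i in instances if i.get("HealthStatus", "HEALTHY") == "HEALTHY"}


def reconcile(descriptions, instances):
    """Report endpoints that only one of the two paths considers live."""
    alb, sd = healthy_alb_targets(descriptions), healthy_discovered(instances)
    return {
        "both": sorted(alb & sd),
        "alb_only": sorted(alb - sd),        # served publicly, invisible to internal callers
        "discovery_only": sorted(sd - alb),  # resolvable internally, not (yet) behind the ALB
    }


if __name__ == "__main__":
    for key, endpoints in reconcile(TARGET_HEALTH, DISCOVERED).items():
        print(key, endpoints)
```

A non-empty "discovery_only" entry during steady state (not mid-deployment) is the situation the comment above warns about: internal callers will keep resolving an address that the load balancer has already stopped sending traffic to.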
2

I want to deploy the front-end on AWS ECS as well that can be accessed publicly and can also communicate with other micro-services deployed on AWS ECS.

I would use Service Discovery to wire the services internally and the Elastic Load Balancer integration to make them accessible for the public.

The load balancer can do the load balancing on one side and the DNS SRV records can do the load balancing for your APIs internally.

There is a similar question here on Stack Overflow and the answer [1] to it outlines a possible solution using the load balancer and the service discovery integrations in ECS.

Can I use Elastic Load Balancer to make front-end micro-service accessible to end-users over the internet only via HTTP/HTTPS protocols while keeping it in a private subnet?

Yes, the load balancer can register targets in a private subnet.

References

[1] https://mcmap.net/q/1323661/-ecs-service-with-two-load-balancers-for-same-port-internal-and-internet-facing

Puritanism answered 17/8, 2019 at 23:1 Comment(0)
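The answer above relies on SRV records to spread internal API calls across tasks. As an added example (not from the answer, and not AWS or ECS code), here is the RFC 2782 client-side selection that a resolver performs on such an answer: lower priority values are tried first, and within one priority a target is picked at random in proportion to its weight. The SRV record set for worker.corp is constructed, and the hostnames and ports in it are assumptions.

```python
# Added example, not from the answer: RFC 2782 ordering of SRV records so that an
# internal caller spreads load by weight and only falls back to higher-priority-value
# targets when the preferred ones are exhausted. Record set below is constructed.
import random
from collections import defaultdict

# Constructed SRV answer for worker.corp: (priority, weight, port, target).
SRV_RECORDS = [
    (0, 50, 8080, "task-a.worker.corp"),
    (0, 30, 8080, "task-b.worker.corp"),
    (0, 20, 8080, "task-c.worker.corp"),
    (10, 0, 8080, "task-standby.worker.corp"),  # tried only after every priority-0 target
]


def pick_weighted(group, rng):
    """Pick one (weight, port, target) from a single priority group, RFC 2782 style."""
    # Zero-weight entries go first so they are chosen only when the roll is 0.
    group = sorted(group, key=lambda g: g[0] == 0, reverse=True)
    total = sum(g[0] for g in group)
    roll = rng.randint(0, total)
    running = 0
    for entry in group:
        running += entry[0]
        if running >= roll:
            return entry
    return group[-1]


def srv_targets(records, rng=None):
    """Return [(target, port), ...] in the order a client should try them."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for priority, weight, port, target in records:
        by_priority[priority].append((weight, port, target))
    ordered = []
    for priority in sorted(by_priority):          # lowest priority value first
        remaining = list(by_priority[priority])
        while remaining:                          # weighted draw without replacement
            chosen = pick_weighted(remaining, rng)
            remaining.remove(chosen)
            ordered.append((chosen[2], chosen[1]))
    return ordered


def first_choice_histogram(records, n, seed=1):
    """How often each target is tried first over n resolutions (to sanity-check weights)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        target = srv_targets(records, rng)[0][0]
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    print(srv_targets(SRV_RECORDS))
    print(first_choice_histogram(SRV_RECORDS, 1000))
```

The histogram makes the weights visible: task-a should be the first choice about half the time and the standby never, which is the behaviour a caller gets from an SRV-aware client but not from a plain A-record lookup, where every registered task has equal odds.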

© 2022 - 2024 — McMap. All rights reserved.