I have a VPC with 4 subnets, two public and two private (one private and one public subnet in each AZ). I'm launching an ECS service with Fargate tasks in the private subnets and assigning the ECS tasks a security group that allows inbound traffic from the application load balancer's security group. The load balancer is of the internal type and is launched in the same private subnets. My CloudFormation file looks like this:
---
AWSTemplateFormatVersion: 2010-09-09
Description: ECS task some server
Parameters:
  VpcId:
    Type: String
  VpcCidr:
    Type: String
  SubnetIds:
    Type: CommaDelimitedList # private subnets
  Cluster:
    Type: String
  ServiceName:
    Type: String
  ContainerPort:
    Type: Number # used as listener, target-group and security-group port
  # ENVIRONMENT VARS
  Image:
    Type: String
  DBUrl:
    Type: String
  DBUser:
    Type: String
  DBPassword:
    Type: String
    NoEcho: true
Resources:
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /ecs/${ServiceName}
      RetentionInDays: 1827 # 5 years
  ExecutionRole:
    # Used by the ECS agent to pull the image and ship logs, not by the app itself
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${ServiceName}-ExecutionRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: ECSTaskExecutionRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  # download images from ECR
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  # upload logs to CloudWatch
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
  TaskRole:
    # Credentials the application code inside the container receives
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${ServiceName}-TaskRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: ECSTaskRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - appsync:GraphQL
                Resource:
                  - '*'
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    DependsOn:
      - LogGroup
    Properties:
      Family: !Ref ServiceName
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      Cpu: 1024 # 1 vCPU (256 = .25 vCPU; 256/512/1024/2048/4096)
      Memory: 8192 # 8 GB in MiB; with 1 vCPU Fargate allows 2 GB to 8 GB in 1 GB steps
      ExecutionRoleArn: !Ref ExecutionRole
      TaskRoleArn: !Ref TaskRole
      ContainerDefinitions:
        - Name: !Ref ServiceName
          Image: !Ref Image
          PortMappings:
            - ContainerPort: !Ref ContainerPort
          # Plain Environment values are visible in the task definition and console;
          # the DB password would normally go under Secrets (Secrets Manager / SSM) instead.
          Environment:
            - Name: LOG_LEVEL
              Value: debug
            - Name: DBURL
              Value: !Sub jdbc:mysql://${DBUrl}:3306/db
            - Name: DBUSER
              Value: !Ref DBUser
            - Name: DBPASSWORD
              Value: !Ref DBPassword
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: !Ref ServiceName
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub ${ServiceName}-loadbalancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          CidrIp: !Ref VpcCidr
  ContainerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub ${ServiceName}-container
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Only the ALB may reach the task, and only on the container port
        # (health checks use the traffic port, so nothing wider is needed)
        - IpProtocol: tcp
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip # required for Fargate (awsvpc) tasks
      Name: !Ref ServiceName
      Port: !Ref ContainerPort
      Protocol: HTTP
      VpcId: !Ref VpcId
      HealthCheckPath: /healthcheck
      HealthCheckProtocol: HTTP
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      IpAddressType: ipv4
      Scheme: internal
      Subnets: !Ref SubnetIds
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: !Ref ContainerPort
      Protocol: HTTP
  Service:
    Type: AWS::ECS::Service
    DependsOn: Listener # target group must be attached to a listener before the service is created
    Properties:
      ServiceName: !Ref ServiceName
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          Subnets: !Ref SubnetIds
          SecurityGroups:
            - !Ref ContainerSecurityGroup
      LoadBalancers:
        - ContainerName: !Ref ServiceName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref TargetGroup
Outputs:
  LoadBalancerArn:
    Value: !Ref LoadBalancer
  LoadBalancerDNS:
    Value: !GetAtt LoadBalancer.DNSName
  LoadbalancerName:
    Value: !GetAtt LoadBalancer.LoadBalancerName
The health check URL is definitely correct; it is on the same port as the container and returns a 200 status code. But for some reason the load balancer targets keep timing out, and I may be missing something here. Any help would be greatly appreciated!
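When an ALB target times out rather than returning an unhealthy status code, the first thing to rule out is the network path from the ALB nodes to the task, and in a layout like the one above that path is decided by the two security groups. The following is an added diagnostic example, not code from the question or from AWS: it models the security-group evaluation EC2 applies between an ALB node and a Fargate task on the health-check port, using constructed group IDs (`sg-0lb`, `sg-0ctr`), subnet ranges (10.0.1.0/24, 10.0.2.0/24), node and task addresses and port 8080 that mirror the template rather than any real account. The second container group shows a variant that passes from one AZ and fails from the other, which presents as intermittent timeouts.

```python
"""Offline model of the security-group evaluation between an internal ALB and its
Fargate targets on the health-check port.

Added diagnostic example, not code from the question or from AWS. All group IDs,
addresses and the port below are constructed to mirror the question's template
(ALB and tasks in two private subnets, container SG referencing the ALB SG).
"""
import ipaddress

# Rule shape (simplified from `aws ec2 describe-security-groups` IpPermissions):
#   IpProtocol: "tcp" | "udp" | "-1" (all)
#   FromPort/ToPort: port range (ignored when IpProtocol is "-1")
#   exactly one of PeerGroupId (a referenced security group) or CidrIp
LB_SG = {
    "GroupId": "sg-0lb",  # assumed ID for LoadBalancerSecurityGroup
    "Ingress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "10.0.0.0/16"}],
    # Security groups carry an allow-all egress rule unless someone removed it.
    "Egress": [{"IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}],
}

# What the question's ContainerSecurityGroup expresses: TCP from the ALB SG.
CONTAINER_SG_BY_GROUP = {
    "GroupId": "sg-0ctr",  # assumed ID for ContainerSecurityGroup
    "Ingress": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "PeerGroupId": "sg-0lb"}],
    "Egress": [{"IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}],
}

# A common broken variant: ingress by CIDR that covers only one of the two private
# subnets, so health checks from the ALB node in the other AZ time out.
CONTAINER_SG_HALF_CIDR = {
    "GroupId": "sg-0ctr",
    "Ingress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "10.0.1.0/24"}],
    "Egress": [{"IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}],
}

# Assumed ALB node addresses, one per private subnet (10.0.1.0/24 and 10.0.2.0/24).
ALB_NODE_IPS = ["10.0.1.10", "10.0.2.10"]
TASK_IP = "10.0.2.50"     # assumed task ENI address
HEALTH_CHECK_PORT = 8080  # target group health-checks on the traffic port, i.e. ContainerPort


def rule_allows(rule, protocol, port, peer_group_id, peer_ip):
    """True if one rule permits `protocol`/`port` to or from the given peer.

    A PeerGroupId rule matches on the peer's security group regardless of IP;
    a CidrIp rule matches on the peer's address.
    """
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if "PeerGroupId" in rule:
        return rule["PeerGroupId"] == peer_group_id
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["CidrIp"])


def health_check_path(lb_sg, target_sg, lb_node_ip, target_ip, port, protocol="tcp"):
    """Evaluate ALB node -> target on one port. Returns (ok, reason).

    Security groups are stateful, so only the forward direction needs rules:
    egress on the ALB SG and ingress on the target SG.
    """
    if not any(rule_allows(r, protocol, port, target_sg["GroupId"], target_ip)
               for r in lb_sg["Egress"]):
        return False, f"{lb_sg['GroupId']} has no egress to {target_ip}:{port}"
    if not any(rule_allows(r, protocol, port, lb_sg["GroupId"], lb_node_ip)
               for r in target_sg["Ingress"]):
        return False, f"{target_sg['GroupId']} has no ingress from ALB node {lb_node_ip} on {port}"
    return True, "reachable"


def check_all_nodes(lb_sg, target_sg, node_ips, target_ip, port):
    """Run the check from every ALB node; a target is healthy only if all of them pass."""
    return {ip: health_check_path(lb_sg, target_sg, ip, target_ip, port) for ip in node_ips}


if __name__ == "__main__":
    for name, sg in (("by-group", CONTAINER_SG_BY_GROUP), ("half-cidr", CONTAINER_SG_HALF_CIDR)):
        results = check_all_nodes(LB_SG, sg, ALB_NODE_IPS, TASK_IP, HEALTH_CHECK_PORT)
        for node, (ok, why) in results.items():
            print(f"{name:10} node {node}: {'OK  ' if ok else 'FAIL'} {why}")
```

Against a real account the same inputs come from `aws ec2 describe-security-groups` for the two groups and `aws elbv2 describe-target-health` for the ALB's view of the target. Two things this model deliberately leaves out are still worth checking when the groups look right: network ACLs on the private subnets are stateless, so they must allow the ephemeral-port return traffic as well as the inbound health-check port, and in awsvpc mode the ALB connects to the task ENI's address, so a process bound only to 127.0.0.1 will time out even though the same URL works from inside the container.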