Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(aws-ecs): ELB TG can't connect to ECS EC2 instances ( healthcheck failed )
See original GitHub issueELB TG can’t connect to ECS EC2 instances ( healthcheck failed ) when use cluster.AsgCapacity over cluster.addCapacity .
Reproduction Steps
const.taskDefinition = new ecs.TaskDefinition(this, 'Backend', {
family: 'someFamily',
compatibility: ecs.Compatibility.EC2,
executionRole,
networkMode: ecs.NetworkMode.BRIDGE,
taskRole,
});
taskDefinition.addContainer('backend', {
image: ecs.ContainerImage.fromRegistry('hashicorp/http-echo'),
memoryLimitMiB: 512,
command: [
`-listen=:${containerPort}`,
'-text="hello world"'
],
environment: {},
portMappings: [
{
containerPort: containerPort,
protocol: ecs.Protocol.TCP,
},
],
});
const sg = new ec2.SecurityGroup(this, `SG${identifier}`, {
vpc: this.cluster.vpc,
});
const autoScalingGroup = new autoscaling.AutoScalingGroup(this, `asg${identifier}`, {
vpc: this.cluster.vpc,
instanceType: new ec2.InstanceType(instanceType),
machineImage: ecs.EcsOptimizedImage.amazonLinux2(),
minCapacity: clusterMinCapacity,
maxCapacity: clusterMaxCapacity,
desiredCapacity: clusterDesiredCapacity,
associatePublicIpAddress: true,
cooldown: cdk.Duration.minutes(1),
keyName: clusterKeyName,
securityGroup: sg,
});
const asgProvider = new ecs.AsgCapacityProvider(this, `AsgProvider${identifier}`, {
autoScalingGroup,
canContainersAccessInstanceRole: true,
enableManagedScaling: false,
enableManagedTerminationProtection: false,
});
this.cluster.addAsgCapacityProvider(asgProvider);
What did you expect to happen?
I expect aws-ecs library automatically create security group with required inbound rules or have some method to allow connect ELB TG to EC2 instances
I expect method addAsgCapacityProvider add automatically access ELB TG to EC2 instances.
Normal SG created with cluster.addCapacity
What actually happened?
Actually EC2 instances create with only my security group inbound rules ( SSH ).
How I temporarily fixed this issue. I compared security group where create with cluster.addCapacity() and created SG with ASG provider.
This code fix trouble but I think this code must be default in aws-cdk.
Or I don’t understand from AWS CDK ECS last update and deprecation cluster.addCapacity
this.ecsPatternService.loadBalancer.connections.allowTo(sg, ec2.Port.tcpRange(32768, 65535), `allow ELB TG connect to EC2 ${instanceType}`);
Environment
- CDK CLI Version : 1.104.0 (build 44d3383)
- Framework Version : ^1.104.0
- Node.js Version : v14.16.0
- OS : Fedora release 33 (Thirty Three)
- Language (Version) : TypeScript (3.8.3)
Issue Analytics
- State:
- Created 2 years ago
- Reactions:7
- Comments:15 (7 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@MrArnoldPalmer Sure, I will try to create my first PR to open source 😃
@rix0rrr still an issue, specifically when upgrading from CDK v1 to v2 where
AddAutoScalingGroupis deprecated. Above workaround from @spg works.With
.AddAutoScalingGroup, the following rules are in place. With.AddAsgCapacityProvider, the following diff appears (i.e. the rules get dropped), making the service unavailable for requests.Tested with
cdk v2.33.0.