
[ecs-patterns]: Please make it possible to specify the vpc subnet selection when using ApplicationLoadBalancedFargateService


When creating a Fargate ECS service from scratch, you have an option to specify the VPC SubnetSelection the service can use in FargateServiceProps, in the vpcSubnets field.

But there is no such vpcSubnets option when creating the ApplicationLoadBalancedFargateService in the ApplicationLoadBalancedFargateServiceProps; there you can only specify the VPC, not the subnet selection.

Use Case

We are trying to follow best practices regarding network splitting for our services and have our VPC split into multiple private subnets in each availability zone. Each of these subnets is protected by Network ACL rules limiting the traffic into and between them. Being able to specify which subnets the Fargate service can be launched in is needed in such a scenario.

ApplicationLoadBalancedFargateService is a great abstraction and writing the CDK code for each of the constructs it helps create by hand is quite verbose and easy to get wrong.

We noticed this issue since we started out using the ApplicationLoadBalancedFargateService and configured a health check for our application, but saw very different deployment times. When we started monitoring the ECS event log to troubleshoot, we noticed that ECS was redeploying in a random private subnet in our VPC. When a private subnet that the database subnet ACL rules prevented from connecting to the DBs was chosen, the health check failed and ECS redeployed. This could happen many times, but eventually ECS picked one of the private subnets that was allowed to connect to the database subnet and the application got into a healthy state.

We then refactored to using FargateService, specified the vpcSubnets property and limited it to the subnets that were allowed to connect to our database subnet, and it is working fine for us now with predictable deployment times. But it meant we had to write a lot more CDK code compared to the few lines we had when using ApplicationLoadBalancedFargateService.

Proposed Solution

We suggest adding an optional vpcSubnets property to the ApplicationLoadBalancedFargateServiceProps and making it have the same default behavior as the vpcSubnets property in FargateServiceProps.

If you can do that I assume this should not be a breaking change for existing uses of the ApplicationLoadBalancedFargateService.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 23
  • Comments: 10 (2 by maintainers)

Top GitHub Comments

8 reactions
suankan commented, Nov 15, 2020

I’m voting with both hands for implementing this!

@frjtrifork There is a possible “hackery” solution that allows you to still choose the right set of private subnets for placing the ECS Fargate Service and still use the ApplicationLoadBalancedFargateService pattern.

You can instantiate a VPC using the static method ec2.Vpc.fromVpcAttributes(...) and specify only the needed private subnets in the attribute privateSubnetIds. In this case those privateSubnetIds will be the only subnets which ApplicationLoadBalancedFargateService discovers, and it will always place your ECS Fargate Service into them.

    // Inside the Stack constructor. The imported VPC lists only the private
    // subnets the service may use, so the pattern never sees the others.
    const albFargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(this, "FargateService", {
      vpc: ec2.Vpc.fromVpcAttributes(this, 'VPC_PRIVATE_SUBNETS', {
        availabilityZones: cdk.Fn.getAzs(cdk.Aws.REGION),
        vpcId: cdk.Fn.importValue('NAME_OF_CF_EXPORT_WITH_VPCID'),
        // Only the subnets whose NACLs allow reaching the database subnet.
        privateSubnetIds: [
          cdk.Fn.importValue('NAME_OF_CF_EXPORT_WITH_PRIVATE_SUBNET_1'),
          cdk.Fn.importValue('NAME_OF_CF_EXPORT_WITH_PRIVATE_SUBNET_2'),
          cdk.Fn.importValue('NAME_OF_CF_EXPORT_WITH_PRIVATE_SUBNET_3'),
        ],
      }),
      // Remaining service props (task image, ports, etc.) are omitted in this snippet.
    });

Hope that can help you.

And if you need your ALB to sit in a different set of private subnets from the ECS Fargate Service, then you can use @Tanuel's approach by instantiating the ALB first and injecting it into ApplicationLoadBalancedFargateService.
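Both the issue (tasks landing in a subnet the database NACLs reject) and the fromVpcAttributes workaround above come down to one property of the synthesized template: which subnets the ECS service's AwsvpcConfiguration lists. As an added example, not from the issue or from aws-cdk, here is a TypeScript guard you can run over `cdk synth` output to catch a service placed outside an allow-list before deploy; the template and subnet names are constructed.

```typescript
// Added example (not from the issue or aws-cdk): check a synthesized CloudFormation
// template so a Fargate service can only land in allow-listed subnets. Constructed data.

type CfnValue = string | { Ref: string } | { 'Fn::ImportValue': string };

interface CfnTemplate {
  Resources: { [logicalId: string]: { Type: string; Properties?: any } };
}

// Normalise the three ways a subnet shows up in cdk synth output.
function subnetKey(v: CfnValue): string {
  if (typeof v === 'string') return v;            // literal subnet-... id
  if ('Ref' in v) return 'ref:' + v.Ref;          // subnet defined in the same stack
  return 'import:' + v['Fn::ImportValue'];        // cross-stack export
}

// Map each AWS::ECS::Service to the task subnets that are outside the allow-list.
function findDisallowedTaskSubnets(
  tpl: CfnTemplate,
  allowed: string[],
): { [logicalId: string]: string[] } {
  const violations: { [logicalId: string]: string[] } = {};
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    if (res.Type !== 'AWS::ECS::Service') continue;
    const cfg = res.Properties?.NetworkConfiguration?.AwsvpcConfiguration;
    const subnets: CfnValue[] = cfg?.Subnets ?? [];
    const bad = subnets.map(subnetKey).filter((s) => allowed.indexOf(s) === -1);
    if (bad.length > 0) violations[id] = bad;
  }
  return violations;
}

// Constructed sample: the pattern spread the service over three private subnets,
// but the database NACLs only admit traffic from the first two.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    ServiceABC123: {
      Type: 'AWS::ECS::Service',
      Properties: {
        NetworkConfiguration: {
          AwsvpcConfiguration: {
            Subnets: [{ Ref: 'VpcAppSubnet1' }, { Ref: 'VpcAppSubnet2' }, { Ref: 'VpcIsolatedSubnet1' }],
          },
        },
      },
    },
  },
};
const ALLOWED = ['ref:VpcAppSubnet1', 'ref:VpcAppSubnet2'];
```

Run it as a CI step after `cdk synth` and fail the pipeline when the returned map is non-empty; once vpcSubnets is honoured, the same check confirms the default selection did what you expected.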

1 reaction
iamhopaul123 commented, Nov 13, 2020

Hello @hoegertn, the external contributor seems to have trouble finishing the PR so I opened up a new one, which is under review right now. I’ll ping reviewers next week to see if I can speed it up.
