I'm attempting to deploy a load balanced webservice using AWS copilot.
The app that runs in this service needs to connect to a postgres database outside of AWS using an ssl connection.
When I run the app locally, it successfully connects to and queries the database as expected.
But when I deploy the app as an ECS service using copilot, a web request to the service that triggers a DB query by the app causes an "Internal Server Error" response, with the logs from the service showing the database adapter emitting "SSL SYSCALL error: EOF detected".
I'm wondering whether the problem lies in the default configuration of the security group that copilot creates for the ECS service. That security group specifies an outbound rule that allows traffic to all destinations via all ports and protocols. On the other hand, there are only two ingress rules. One allows connections from all containers within the same security group, the other allows connections from the security group of the ALB that is set up as part of copilot's default "load balanced web service" setup. Do I need to modify the service's security group to make ssl connections between my tasks and my external DB possible?
It seems to me that another possibility is that I need to add instructions at the build step of my container image to open up port 443. Right now, the only "EXPOSE" line in my Dockerfile is EXPOSE 8080, since the app running on my container listens on 8080. Do I also need to EXPOSE 443?
Additional info: I increased the CPU and Memory of the tasks deployed by the service. This stopped the "SSL SYSCALL error: EOF detected" exception. But connection to the DB is still failing, now with the exception: "couldn't get a connection after 30.00 sec". (I have my adapter configured to timeout after 30 seconds when attempting to get a connection from the DB.) So something is definitely getting in the way of my container (when running on AWS, not locally) connecting to my DB.
Thanks!
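The security-group question in the post can be checked against the actual rule set rather than reasoned about from memory; the Python below is an added example (not code from the poster, Copilot or AWS) that evaluates rules in the JSON shape `aws ec2 describe-security-groups` returns, and also shows that an IPv4-only egress rule does not cover an IPv6 database address. The sample group is constructed to mirror the defaults the post describes, and the `sg-...-PLACEHOLDER` ids and the 203.0.113.x / 2001:db8:: addresses are placeholders, not real identifiers.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`,
# mirroring the copilot default the question describes: egress to everything,
# ingress only from the same group and from the ALB's group. Ids are placeholders.
TASK_SG = {
    "GroupId": "sg-TASK-PLACEHOLDER",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-TASK-PLACEHOLDER"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-ALB-PLACEHOLDER"}]},
    ],
}

def _rule_allows(rule, proto, port, peer):
    """True if one rule permits proto/port to or from `peer`, an IP or an "sg-..." id."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # IpProtocol "-1" (all traffic) carries no port range; others must cover `port`.
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    if peer.startswith("sg-"):
        return any(p["GroupId"] == peer for p in rule.get("UserIdGroupPairs", []))
    addr = ipaddress.ip_address(peer)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # Membership is False across address families, so 0.0.0.0/0 never matches an IPv6 peer.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def egress_allows(sg, dest, port, proto="tcp"):
    """Can a task in `sg` open proto/port to `dest` (IP address or group id)?"""
    return any(_rule_allows(r, proto, port, dest) for r in sg["IpPermissionsEgress"])

def ingress_allows(sg, source, port, proto="tcp"):
    """Can `source` (IP address or group id) reach proto/port on a task in `sg`?"""
    return any(_rule_allows(r, proto, port, source) for r in sg["IpPermissions"])

if __name__ == "__main__":
    # Outbound Postgres (TLS runs inside the same TCP session) to an IPv4 DB host: permitted.
    print(egress_allows(TASK_SG, "203.0.113.10", 5432))  # True
    # The same IPv4-only egress rule does not cover an IPv6 database address.
    print(egress_allows(TASK_SG, "2001:db8::10", 5432))  # False
```

Security groups are stateful, so a connection the task opens outbound needs no matching ingress rule for the replies, and a Dockerfile EXPOSE line only documents listening ports and has no effect on outbound connections.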