connecting via ssl to external DB from load balanced web service deployed using copilot

0

I'm attempting to deploy a load balanced web service using AWS copilot.

The app that runs in this service needs to connect to a postgres database outside of AWS using an ssl connection.

When I run the app locally, it successfully connects to and queries the database as expected.

But when I deploy the app as an ECS service using copilot, a web request to the service that triggers a DB query by the app causes an "Internal Server Error" response, with the logs from the service showing the database adapter emitting "SSL SYSCALL error: EOF detected".

I'm wondering whether the problem lies in the default configuration of the security group that copilot creates for the ECS service. That security group specifies an outbound rule that allows traffic to all destinations via all ports and protocols. On the other hand, there are only two ingress rules. One allows connections from all containers within the same security group, the other allows connections from the security group of the ALB that is set up as part of copilot's default "load balanced web service" setup. Do I need to modify the service's security group to make ssl connections between my tasks and my external DB possible?

It seems to me that another possibility is that I need to add instructions at the build step of my container image to open up port 443. Right now, the only "EXPOSE" line in my Dockerfile is EXPOSE 8080, since the app running on my container listens on 8080. Do I also need to EXPOSE 443?

Additional info: I increased the CPU and Memory of the tasks deployed by the service. This stopped the "SSL SYSCALL error: EOF detected" exception. But connection to the DB is still failing, now with the exception: "couldn't get a connection after 30.00 sec". (I have my adapter configured to timeout after 30 seconds when attempting to get a connection from the DB.) So something is definitely getting in the way of my container (when running on AWS, not locally) connecting to my DB.

Thanks!

1 Answer
0

Hi Stu,

I have two suggestions:

  1. Check if there is anything on the DB side which might prevent blocking access from AWS (firewall, ACLs etc.)
  2. See if this solution covers your scenario: https://repost.aws/questions/QUMVmuIeh0QmKgvfI195n7AQ/app-in-aws-ecs-fargate-can-t-connect-to-remote-database-in-liquid-web

Cheers, P

AWS
Pawel
answered 2 months ago
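The question's symptoms ("SSL SYSCALL error: EOF detected", then "couldn't get a connection after 30.00 sec") and the answer's first suggestion (check the DB-side firewall) both come down to finding out at which stage the connection dies. The following probe is an added example, not code from the original post or from copilot; it is a small stand-alone script you could run inside the task to tell a silent packet drop (a timeout, typical of a firewall or ACL that does not allow the task's egress address) from a refused port, an early hang-up, or a real TLS failure. It speaks the PostgreSQL SSLRequest handshake itself, because a Postgres server expects that 8-byte request before the TLS handshake and a bare TLS probe against port 5432 would fail for the wrong reason. The `fake_postgres` helper is a constructed local stand-in used only to exercise the probe offline; host, port and timeout are assumed arguments.

```python
import socket
import ssl
import struct
import threading

# PostgreSQL SSLRequest: message length 8, then the magic code (1234 << 16) | 5679.
SSL_REQUEST = struct.pack("!ii", 8, 80877103)


def probe_postgres_tls(host, port, timeout=5.0, context=None):
    """Walk the stages the DB adapter goes through and report where it fails.

    Returns one of: 'dns', 'tcp_timeout', 'tcp_refused', 'tcp_error',
    'eof_before_tls', 'server_refuses_ssl', 'tls_failed', 'ok'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns"                    # name does not resolve from the task
    except (socket.timeout, TimeoutError):
        return "tcp_timeout"            # packets dropped: firewall / ACL / route
    except ConnectionRefusedError:
        return "tcp_refused"            # host reachable, nothing listening
    except OSError:
        return "tcp_error"
    with sock:
        try:
            sock.sendall(SSL_REQUEST)
            answer = sock.recv(1)
        except OSError:
            answer = b""
        if answer == b"":
            return "eof_before_tls"     # server hung up: looks like "SSL SYSCALL error: EOF"
        if answer != b"S":
            return "server_refuses_ssl" # 'N': no TLS offered on this port
        ctx = context or ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except (ssl.SSLError, OSError):
            return "tls_failed"         # handshake or certificate problem


def fake_postgres(reply):
    """Constructed local stand-in for offline tests: reads the SSLRequest and
    answers with `reply` (b'N' declines TLS; b'' hangs up). Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(8)
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A `tcp_timeout` result from inside the task, with the same probe succeeding from your workstation, points at the DB-side firewall or an intermediate ACL rather than at the copilot security group, whose egress rule already allows all outbound traffic; `EXPOSE` in the Dockerfile only documents inbound listening ports and has no effect on outbound connections.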
