What does "ingress port override" on a service connect service really do?

I'm trying out service connect for a couple of services. I'm using aws-cdk, and there is a property ingress_port_override on ServiceConnectService.

The port on the Service Connect agent container to use for traffic ingress to this service

https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ecs/ServiceConnectService.html#aws_cdk.aws_ecs.ServiceConnectService

At first I thought that I would be able to expose a service connect service on a different port than what the exposed service was running on. So if SERVICE B runs on port 8182, I would be able to expose that service on port 80 to other services via service connect:

[SERVICE A] -> request via service connect to http://my.internal-service.com -> [SERVICE CONNECT PROXY : 80 ] -> [SERVICE B : 8182]

I did try that, but got an error that ports below 1024 were reserved. I didn't try a higher port number, as I then just as well could stick to port 8182.

asked 9 months ago, 410 views
1 Answer
Hi,

The property ingress_port_override matches the ingressPortOverride attribute of a ServiceConnectService data type, required by the services property of a ServiceConnectConfiguration type [1]. You can use this data type with your service definition (in CreateService [2], for example).

As you can read in the data type description [3], ingress_port_override is the port number for the Service Connect proxy to listen on. Use the value of this field to bypass the proxy for traffic on the port number specified in the named portMapping in the task definition of this application, and then use it in your VPC security groups to allow traffic into the proxy for this Amazon ECS service.

In awsvpc mode and Fargate, the default value is the container port number. The container port number is in the portMapping in the task definition. In bridge mode, the default value is the ephemeral port of the Service Connect proxy.

In case you want to expose your container on a different port than it is listening on (based on your container image definition), you need to use the portMapping property [4] of your task definition, with the containerPort and hostPort set accordingly [5].


References:

[1] https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectConfiguration.html - ServiceConnectConfiguration data type

[2] https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateService.html

[3] https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ServiceConnectService.html#ECS-Type-ServiceConnectService-ingressPortOverride

[4] PortMapping - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html

[5] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ecs/PortMapping.html

AWS
SUPPORT ENGINEER
Janko
answered 9 months ago
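An added helper (example code, not from AWS, the CDK or either poster; the task definition, port names and port numbers are constructed) that applies the rules stated in the answer: the proxy listens on ingressPortOverride when it is set, otherwise on the container port in awsvpc/Fargate and on an ephemeral port in bridge mode. The returned port is the one a VPC security group must allow into the task for this Service Connect service, and an override below 1024 is rejected, as the asker observed.

```python
"""Resolve the port the Service Connect proxy listens on for one service.

Constructed example: the task definition and Service Connect entry below
mirror the shapes of the ECS RegisterTaskDefinition / CreateService inputs
but are hand-written sample data, not taken from any real deployment.
"""
from typing import Optional

PRIVILEGED_PORT_LIMIT = 1024  # overrides below this were rejected as reserved


def find_port_mapping(task_def: dict, port_name: str) -> dict:
    """Return the named portMapping referenced by a Service Connect portName."""
    for container in task_def.get("containerDefinitions", []):
        for mapping in container.get("portMappings", []):
            if mapping.get("name") == port_name:
                return mapping
    raise ValueError(f"no portMapping named {port_name!r} in the task definition")


def proxy_ingress_port(task_def: dict, sc_service: dict) -> Optional[int]:
    """Port to open in the security group for traffic into the proxy.

    Returns None in bridge mode without an override, because the proxy then
    listens on an ephemeral port that is only known at run time.
    """
    mapping = find_port_mapping(task_def, sc_service["portName"])
    override = sc_service.get("ingressPortOverride")
    if override is not None:
        if override < PRIVILEGED_PORT_LIMIT:
            raise ValueError(f"ingressPortOverride {override} is below {PRIVILEGED_PORT_LIMIT}")
        return override
    mode = task_def.get("networkMode")
    if mode == "awsvpc":          # awsvpc (and therefore Fargate): container port
        return mapping["containerPort"]
    if mode == "bridge":          # bridge: ephemeral proxy port, not predictable
        return None
    raise ValueError(f"unsupported networkMode {mode!r}")


# Constructed sample: SERVICE B listens on 8182, the proxy is told to take 8080.
TASK_DEF = {
    "networkMode": "awsvpc",
    "containerDefinitions": [{
        "name": "service-b",
        "portMappings": [{"name": "service-b-http", "containerPort": 8182, "protocol": "tcp"}],
    }],
}
SC_SERVICE = {"portName": "service-b-http", "ingressPortOverride": 8080}

if __name__ == "__main__":
    print("open TCP", proxy_ingress_port(TASK_DEF, SC_SERVICE), "in the security group")
```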
