Why does all ingress traffic to a Service Connect enabled service go via the Service Connect proxy?

0

I have enabled Service Connect (SC) on an API. The configuration can be seen in the image below.

I have only enabled SC on that single service. My understanding is that in order for other consuming services to reach the API service via SC, that must be enabled specifically for each consuming service.

What puzzles me is that once I enable SC on this single API service, all requests from all services seem to pass via its SC proxy. Furthermore, I do not have to use any SC DNS/Discovery name for this to happen.

What I have done:

  • Enabled SC on an API service.
  • Run a request from any other service to the API service using the hostname api.localzone:8182 (localzone is the Cloud Map namespace).
  • The response contains the header server: envoy which means the request passes through the API's SC proxy.

I don't get this. My understanding is that traffic should not pass via SC as long as I am not on an SC-enabled consumer or as long as I do not use the SC DNS/Discovery name.

I must be doing something wrong. How can it be that all traffic from all services passes through the service proxy for the api service?


The network bindings for the api task itself show that port 8182 belongs to the api task.


asked 6 months ago, 194 views
1 Answer
0

As mentioned in the official ECS documentation [1], "Amazon ECS configures the task and containers so that applications only connect to the proxy if the application is connecting to the endpoint names in the same namespace. All other traffic doesn't use the proxy. The other traffic includes IP addresses in the same VPC, AWS service endpoints, and external traffic." The other traffic, which includes egress traffic, does not use the Service Connect proxy.

Also, as the service is configured as a client-server service, and based on the doc [2]: if any of the containers expose and listen on a port for network traffic, choose a client-server service. These applications don't need to connect to other client-server services in the same namespace, but the client configuration is configured. A backend, middleware, business tier, or most microservices would use this type of Service Connect configuration. If you want a frontend, reverse proxy, or load balancer application to receive traffic from other services configured with Service Connect in the same namespace, these services should use this type of Service Connect configuration.

To answer your question, we require details that are non-public information. Please open a support case with AWS using the following link [3].

References:
[1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect-concepts.html#service-connect-concepts-proxy
[2] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect-concepts.html#service-connect-concepts-terms
[3] https://console.aws.amazon.com/support/home#/case/create

Ashish
answered 6 months ago
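As an added illustration of the two configuration types the answer distinguishes (this is not code from the question, the answer, or the AWS documentation): the `serviceConnectConfiguration` value for a client-server service (the API, which publishes its port under the `api` discovery name in the `localzone` namespace from the question) next to the one for a client-only consumer, which joins the namespace so it can resolve `api` but publishes nothing. Both are placed in one document only for side-by-side comparison; each value is what a service definition carries. The port name `api-8182` is an assumed name and must match a named entry in the task definition's `portMappings`.

```json
{
  "api_service_client_server": {
    "serviceConnectConfiguration": {
      "enabled": true,
      "namespace": "localzone",
      "services": [
        {
          "portName": "api-8182",
          "discoveryName": "api",
          "clientAliases": [
            {
              "port": 8182,
              "dnsName": "api"
            }
          ]
        }
      ]
    }
  },
  "consumer_service_client_only": {
    "serviceConnectConfiguration": {
      "enabled": true,
      "namespace": "localzone"
    }
  }
}
```

Only the consumer with the client-only block resolves `api:8182` through its own Service Connect proxy; a service with no `serviceConnectConfiguration` at all reaches the API through ordinary Cloud Map DNS and the task's network binding, which is the path the question is probing.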
