ECS Fargate Gateways
Amazon Fargate is a popular option for deploying containerized infrastructure. This document is a step-by-step guide to getting strongDM gateways up and running in Fargate. If you just need to set up relays, you can use the table of contents and skip to the Standard Relays step.
Environment
The diagram above shows the essential components needed to deploy an SDM gateway as a Fargate task using AWS ECS. With the exception of the Fargate section, everything else is configured under the EC2 dashboard.
VPC with internet gateway
- Public subnet
  - Routed to the internet gateway: 0.0.0.0/0 => IGW
  - NAT gateway
  - NLB
- Private subnet
  - Routed to the NAT gateway: 0.0.0.0/0 => NAT
  - Fargate task
    - Public IP disabled
    - NLB => discovery service
NAT Gateway
- Assign to the public subnet
- Route traffic from the private subnet to this gateway
Network Load Balancer (NLB)
Deploy an NLB to match the diagram by using the following settings.
Configure Load Balancer
- Internet facing: yes
- Listener: TCP:5000
  - 5000 is the default TCP port for SDM gateways but can be changed for your environment.
- Availability Zone
  - Link to the zone where the public subnet resides
  - Assign to the public subnet
- IPv4 address
  - An elastic IP is not required.
  - If you select "assigned by AWS", use the NLB's DNS name when creating the gateway token.
Configure Security Settings
- Skip this step; no changes are required.
Configure Routing
- Target group
  - Target type: IP
  - Protocol: TCP
  - Port: 5000
    - This port must match the port you plan to expose on the Fargate container.
  - Health check protocol: TCP
Configure Register Targets
- Skip this step; targets are registered automatically when the ECS service is created.
Review
Review settings and create NLB
Generate SDM Gateway Token
Input the DNS name and listener port from the NLB as the hostname and port number into the add gateway form. This will generate a unique SDM gateway token.
Read Gateways for more information.
Fargate Task Definition
For the remaining sections switch to the ECS dashboard.
Configure Task
- Launch type: Fargate
- Task role: None
- Network mode: awsvpc
- Task execution role: ecsTaskExecutionRole
  - Any role with permission to pull Docker images.
- Task memory: 1GB
- Task CPU: 0.5 vCPU
Add Container
- Image: quay.io/sdmrepo/relay
- Memory limit (soft limit): 1024
- Port mappings
  - Protocol: TCP
  - Container port: 5000
    - Must match the BIND port specified for the SDM token.
- Environment variable
  - Key: SDM_RELAY_TOKEN
  - Value: xxxxSDMxxxGATEWAYxxxTOKENxxx (the gateway token generated in the previous section)
Review Task
Review settings and create
Create Cluster
Services are associated with an ECS cluster. Start by creating a cluster with type Network Only. After creating the cluster, create a service from the cluster menu.
Discovery Service
Configure Service
- Launch type: Fargate
- Task definition: Use the task definition created in the previous step
- Cluster: Should already be associated
- Service name: Choose a unique name
- Number of tasks: 1
  - Only one task is allowed, as the gateway token cannot be active on more than one gateway.
- Minimum healthy percentage: 0
- Maximum healthy percentage: 100
- Deployment type: Rolling update
Configure Network
- Cluster VPC: Fargate VPC
- Subnet: Private subnet created earlier, e.g. 10.0.7.0/24
  - Without this the NLB will not be able to reach the container.
- Security groups
  - Allow inbound: the port specified during token creation, from the VPC CIDR
  - e.g. inbound TCP:5000 from source 10.0.0.0/16
- Auto-assigned public IP: DISABLED
- Load balancer: Network Load Balancer
  - Load balancer name: NLB created earlier
  - Add the container name from the Fargate task created earlier
  - This automatically registers the IP assigned to the container during creation with the NLB target group.
Set Auto Scaling
- Do not autoscale
Review Service
- Verify details and create.
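As an added example (not strongDM's own code), the following Python check compares a constructed ECS task definition and service configuration against the settings from the Configure Task, Add Container, Configure Service and Configure Network steps above; the container name, account id in the role ARN and subnet id are placeholders.

```python
# Constructed sample task definition mirroring the "Configure Task" / "Add Container" values.
TASK_DEF = {
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "512",       # 0.5 vCPU
    "memory": "1024",   # 1 GB
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",  # placeholder account
    "containerDefinitions": [{
        "name": "sdm-gateway",  # placeholder container name
        "image": "quay.io/sdmrepo/relay",
        "memoryReservation": 1024,
        "portMappings": [{"containerPort": 5000, "protocol": "tcp"}],
        "environment": [{"name": "SDM_RELAY_TOKEN", "value": "xxxxSDMxxxGATEWAYxxxTOKENxxx"}],
    }],
}
# Constructed sample service config mirroring the "Configure Service" / "Configure Network" values.
SERVICE = {
    "launchType": "FARGATE",
    "desiredCount": 1,
    "deploymentConfiguration": {"minimumHealthyPercent": 0, "maximumPercent": 100},
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-0example"], "assignPublicIp": "DISABLED"}},  # placeholder private subnet
    "loadBalancers": [{"containerName": "sdm-gateway", "containerPort": 5000}],
}


def check_gateway_deployment(task_def, service, nlb_target_port=5000):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    container = task_def["containerDefinitions"][0]
    ports = {m["containerPort"] for m in container.get("portMappings", [])}
    if nlb_target_port not in ports:
        findings.append(f"container does not expose the NLB target port {nlb_target_port}")
    if "SDM_RELAY_TOKEN" not in {e["name"] for e in container.get("environment", [])}:
        findings.append("SDM_RELAY_TOKEN is not set on the container")
    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc for a Fargate task")
    if service.get("desiredCount") != 1:
        findings.append("desiredCount must be 1: a gateway token is active on one gateway only")
    if service.get("deploymentConfiguration", {}).get("maximumPercent", 200) > 100:
        findings.append("maximumPercent above 100 lets two tasks run the same token during a rollout")
    net = service.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
    if net.get("assignPublicIp") != "DISABLED":
        findings.append("the task must not get a public IP; traffic arrives through the NLB")
    registered = {(lb["containerName"], lb["containerPort"]) for lb in service.get("loadBalancers", [])}
    if (container["name"], nlb_target_port) not in registered:
        findings.append("service is not registered with the NLB on the container name and port")
    return findings
```

Run the check against the JSON you export from `aws ecs describe-task-definition` and `aws ecs describe-services` before creating the service; every finding maps to one of the steps above.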
Verify Gateway
It should take a couple of minutes for the IP address to show up in the target group associated with the NLB, after which the gateway should appear in the strongDM admin UI with an active heartbeat.
If any errors occur or if the gateway does not report "online" status, please contact support@strongdm.com for assistance.
Redundant Gateways
It is recommended to deploy gateways in pairs for redundancy. SDM gateways automatically load balance and fail over when necessary. Because of this, SDM gateways should not be placed behind the same load balancer.
Because each gateway requires a unique gateway token, a new Fargate task will need to be defined and associated with a new discovery service. However, both services can reside in the same ECS Cluster.
Standard Relays
Unlike a gateway, a relay does not bind to an interface and port, so relays do not need to be paired with a load balancer. Still, each relay must be defined by its own Fargate task, as its token is unique and cannot be active in more than one relay process. Read Standard Relays for more information.