aws-fargate | AWS Fargate is a technology that allows you to run | Continuous Deployment library

new to the CDK and relatively new to AWS

I'm following this tutorial which includes creating a fargate based private API, and accessing it on the public internet through an ec2 instance which is publicly exposed.

I'm picking through, minimally correcting various issues which gets everything running. It comes time to build with:

I currently have a set up in AWS with something like the following:

Image source from task networking in aws fargate.

I am using AWS ECR to store my docker image and in my task definition, as container image, I am using the provided URI of the repository. Everything is in the same region and they are working just fine.

However I want to strengthen the security on AWS by whitelisting specific ports only. From security groups point of view, I have updated them as needed and everything is still working as expected. However for Network ACL, I am having some issues with the Fargate task. In ACL section in the public subnet, for inbound rules, I want to allow access to only HTTPS and HTTP from the internet (0.0.0.0/0). Doing so is resulting into this issue with my fargate task: ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed. It is to be noted that the outbound rules for both subnets (private and public) allows traffic to anywhere (0.0.0.0/0).

I understand that the Fargate task needs to connect to the internet to pull the docker image in ECR and the NAT helps do that. docker pull or docker push uses HTTPS and the private subnet has allowed all traffic from all source and the same for outbound.

NACLs for public subnets

Please advice on how to amend the Network ACL to whitelist specific ports only.

P.S: The last resort would be to use AWS PrivateLink to access the ECR repository, but I don't want to do that yet.

I am trying to mount a persistent storage in a Fargate container.

• I have set up an EFS file system.
• I have set up an ECS Cluster.
• EFS and ECS share one subnet.
• When I try to create a task definition, I choose Fargate and then on Add container. I scroll down to Storage and Logging and cannot choose the EFS file system in Mount points. I cannot choose anything here, the only choice I have is:

This SO question suggests it is possible, but here it was answered using the AWS Cli Application. I wonder if I cannot just do it from the AWS Console (which is the web interface).

I have an EKS cluster that is Fargate only. I really don't want to have to manage instances myself. I'd like to deploy Prometheus to it - which requires a persistent volume. As of two months ago this should be possible with EFS (managed NFS share) I feel that I am almost there but I cannot figure out what the current issue is

What I have done:

• Set up an EKS fargate cluster and a suitable fargate profile
• Set up an EFS with an appropriate security group
• Installed the CSI driver and validated the EFS as per AWS walkthough

All good so far

I set up the persistent volume claims (which I understand must be done statically) with:

I want to using prometheus in EKS on AWS fargate
I follow this.
https://aws.amazon.com/jp/blogs/containers/monitoring-amazon-eks-on-aws-fargate-using-prometheus-and-grafana/
but I can't create persistent volume claims.
this is prometheus-storageclass.yaml.

This is a follow up to my previous question. I'm successfully able to access the public IP over fargate. However, after trying to attach Application load balancer, I cannot access application over public DNS. The registered target always show unhealthy status with 502 error.

Sharing my configuration settings-

VPC Route Table Public Subnet Route Table public subnet config Route Table private subnet Route Table private subnet config ACL subnet associations ACL inbound rules ACL outbound rules security inbound rules security outbound rules internet gateway nat gateway target group target group health status task details service ALB settings ALB listeners Target group with 8081 port

I have deployed the docker image of my spring boot application over aws ECR, following creation of AWS fargate cluster. PFA screenshots of the configurations stating task, security, service and cluster definition.I can ping my public ip successfully. But I can't access my application over neither load balancer nor public ip. The urls I tried to access application were

public_ip:8081/my_rest_end_point

and

load_balancer_public_dns:8081/my_reset_end_point

I have tested running my docker image on local host using port 8081 and the same 8081 port I have configured for port mapping in my Fargate container configuration (reference: service definition). How can I access my application? I have followed almost all the articles over Medium and AWS.

Tutorials followed: https://medium.com/underscoretec/deploy-your-own-custom-docker-image-on-amazon-ecs-b1584e62484

https://medium.com/faun/aws-fargate-services-deployment-with-continuous-delivery-pipeline-b67d33407c88

I am trying to setup AWS API Gateway to access a fargate container in a private VPC as described here. For this I am using AWS CDK as described below. But when I curl the endpoint after successful cdk deploy I get "Internal Server Error" as a response. I can't find any additional information. For some reason API GW can't reach the container.

So when I curl the endpoint like this:

I am following the note:

https://aws.amazon.com/blogs/devops/use-aws-codedeploy-to-implement-blue-green-deployments-for-aws-fargate-and-amazon-ecs/

I can see new Blue/Green Deployment in ESC-Fargate Service when updating TaskDefinition and Service.

In CodeDeploy, I can see application AppECS-webapi-docker-cluster-webapi-docker-service2 and deployment ground DgpECS-webapi-docker-cluster-webapi-docker-service2

From Deployment Group, I create a Deployemnt:

What I should add in appspec?