AWS Fargate is a technology for Amazon Elastic Container Service (Amazon ECS) that allows you to run containers without having to manage the underlying instances. With AWS Fargate, you do not have to worry about provisioning, patching, or scaling instances, which makes it easier to run containers. Traceable provides a solution to mirror ECS Fargate traffic.
Configuring mirroring for ECS Fargate consists of two steps:
Installing Traceable Platform agent.
Configuring mirroring.
Before you begin
Make a note of the following before proceeding with the configuration:
Keep the Traceable agent token handy. Navigate to Traceable's platform and navigate to Settings (
) → Account → Access Tokens → Agent Token. Copy and save the token. It is required during the Traceable agent installation process.
Installation
The installation is done in two parts:
Installing Traceable Platform agent
Editing your ECS task definition to include the Traceable packet-forwarder container as a sidecar.
Step 1 – Install Traceable Platform agent
You can install the Traceable Platform agent in one of the following ways.
Option 1 – Use the cloud-formation template
You can install the Traceable Platform agent in ECS using the cloud-formation template. Follow the doc AWS VPC traffic mirroring using cf-template for the installation. Notable CloudFormation parameters to be used for the installation:
Traffic mirroring source
MirrorSourceType:
FARGATEMirrorSource: Leave this field empty.
Amazon EC2 configuration (Traffic mirroring target)
SubnetIds - Subnet IDs of the mirrored ECS cluster.
Option 2 – Use Terraform template
You can install the Traceable Platform agent in ECS using the Terraform template. For more information on installation using Terraform template, see AWS VPC traffic mirroring using terraform template. Make a note of the following Terraform variables:
For mirror_source object, make sure to configure the following:
Type: Configure the
FARGATEoption in the mirror source type.Value: Leave this variable empty.
mirror_source = { type = "FARGATE" value = "" vpc_id = <VPC ID OF SOURCE ECS CLUSTER> }
Option 3 - Use the install script
You can use the installation script with mirror option to install Traceable Platform agent. For more information on the script, see the Mirroring topic. Make note of the following command-line arguments:
Use
--interfaceand provide the name of the primary interface on your VM. You can runifconfigcommand to find the primary interface.Use
-f "udp and port 4789"for theFILTER_OPTIONargument.
Make sure to configure the security group attached to your VM to receive udp traffic on port 4789 from CIDR ranges of the subnets of your source ECS cluster.
Note
If you are using the installation script, then provide the IP address of your VM as the value of the environment variable DESTINATION of the container definition in Step 2 below.
Step 2 – Configure mirroring
To configure mirroring for ECS, edit your ECS Task definition to add a network tap sidecar container in of the following ways. Make a note of the following:
Replace
<AWS_REGION>with the AWS region of your ECS cluster.Replace
<CLOUDWATCH_LOG_GROUP_NAME>with the name of the cloudwatch log group where you want to send the logs from the Traceable sidecar container.
Option 1 - Update the Terraform template
If you are managing your ECS tasks with Terraform templates, update the aws_ecs_task_definition resource with this additional container_definition:
{
name = "traceable-agent-packet-forwarder"
image = "traceableai/packet-forwarder:1.0.10"
essential = true
environment = [
{
name = "BPF_FILTER",
value = "tcp"
},
{
name = "DESTINATION",
value = "mirroring-fargate.private.traceable.ai"
},
{
name = "INTERFACE",
value = "any"
},
{
name = "MTU",
value = "9000"
},
{
name = "STAT_DURATION",
value = "30"
}
]
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = "<CLOUDWATCH_LOG_GROUP_NAME>"
awslogs-region = "<AWS_REGION>"
awslogs-stream-prefix = "ecs"
}
}
}Option 2 - Update task definition with JSON
You can also go to the Task Definitions section on the ECS page of your AWS account and create a new revision for the task definition using JSON. Add the following to the container definitions:
{
"name": "traceable-agent-packet-forwarder",
"image": "traceableai/packet-forwarder:1.0.10",
"essential": true,
"environment": [
{
"name": "BPF_FILTER",
"value": "tcp"
},
{
"name": "DESTINATION",
"value": "mirroring-fargate.private.traceable.ai"
},
{
"name": "INTERFACE",
"value": "any"
},
{
"name": "MTU",
"value": "9000"
},
{
"name": "STAT_DURATION",
"value": "30"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "<CLOUDWATCH_LOG_GROUP_NAME>",
"awslogs-region": "<AWS_REGION>",
"awslogs-stream-prefix": "ecs"
},
"secretOptions": []
}
}After you have updated the Task definition, redeploy your ECS Task with the new definition. Make a note of the following:
Troubleshooting
In case you are unable to view the traffic in Traceable Platform, check for the following:
Check if your ECS cluster's Security Group permits outgoing UDP connection to port 4789 for the CIDRs of Traceable ECS cluster's subnets, Instance group, and the private IP of the VM with Traceable agent (if installation script was used in step 1).
Verify that the Security Group of the ECS cluster/Instances where Traceable Platform agent is running allows outbound connection to
api.traceable.ai:443.