ECS Fargate mirroring
  • 09 Oct 2023
  • 4 Minutes to read
  • PDF

Article Summary

AWS Fargate is a technology for Amazon Elastic Container Service (Amazon ECS) that allows you to run containers without having to manage the underlying instances. With AWS Fargate, you do not have to worry about provisioning, patching, or scaling instances, which makes it easier to run containers. Traceable provides a solution to mirror ECS Fargate traffic. 

Configuring mirroring for ECS Fargate consists of two steps:

  1. Installing Traceable Platform agent.
  2. Configuring mirroring.

Before you begin

Make a note of the following before proceeding with configuration:

  • Keep the Traceable agent token handy. In the Traceable platform, navigate to Administration > Account > Access Tokens > Agent Token. Copy and save the token; it is required during the Traceable agent installation.

Installation

The installation is done in two parts:

  1. Installing Traceable Platform agent
  2. Editing your ECS task definition to include Traceable packet-forwarder container as a sidecar.

Step 1 – Install Traceable Platform agent

You can install Traceable Platform agent in one of the following ways. 

Option 1 – Use CloudFormation template

You can install Traceable Platform agent in ECS using the CloudFormation template. Follow the doc AWS VPC traffic mirroring using cf-template for the installation. Notable CloudFormation parameters to be used for the installation:

  • Traffic mirroring source 
    • MirrorSourceType: FARGATE 
    • MirrorSource: Leave this field empty.
  • Amazon EC2 configuration (Traffic mirroring target)
    • SubnetIds - Subnet IDs of the mirrored ECS cluster.

Option 2 – Use Terraform template

You can install Traceable Platform agent in ECS using the Terraform template. For more information on installation using the Terraform template, see AWS VPC traffic mirroring using terraform template. Make a note of the following Terraform variables:

  • For mirror_source object, make sure to configure the following:
    • Type: Configure FARGATE option in the mirror source type.
    • Value: Leave this variable empty.
      # Placeholder: replace with the VPC ID of the source ECS cluster.
      mirror_source = {
        type   = "FARGATE"
        value  = ""
        vpc_id = "<VPC ID OF SOURCE ECS CLUSTER>"
      }

Option 3 - Use install script

You can use the installation script with the mirror option to install Traceable Platform agent. For more information on the script, see the Traffic mirroring for VM topic. Make a note of the following command-line arguments:

  • Use --interface and provide the name of the primary interface on your VM. You can run ifconfig command to find the primary interface.
  • Use -f "udp and port 4789" for the FILTER_OPTION argument.

Make sure to configure the security group attached to your VM to receive UDP traffic on port 4789 from the CIDR ranges of the subnets of your source ECS cluster.

Note
If you are using the installation script, then provide the IP address of your VM as the value of the environment variable DESTINATION of the container definition in Step 2 below.



Step 2 – Configure mirroring

To configure mirroring for ECS, edit your ECS Task definition to add a network tap sidecar container in one of the following ways. Make a note of the following:

  • Replace <AWS_REGION> with the AWS region of your ECS cluster. 
  • Replace <CLOUDWATCH_LOG_GROUP_NAME> with the name of the CloudWatch log group where you want to send the logs from the Traceable sidecar container.

Option 1 - Update Terraform template

If you are managing your ECS tasks with Terraform templates, update the aws_ecs_task_definition resource with this additional container_definition:

    {
      name  = "traceable-agent-packet-forwarder"
      image = "traceableai/packet-forwarder:1.0.10"
      essential = true
      environment = [
        {
          name  = "BPF_FILTER",
          value = "tcp"
        },
        {
          name  = "DESTINATION",
          value = "mirroring-fargate.private.traceable.ai"
        },
        {
          name  = "INTERFACE",
          value = "any"
        },
        {
          name  = "MTU",
          value = "9000"
        },
        {
          name  = "STAT_DURATION",
          value = "30"
        }
      ]
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = "<CLOUDWATCH_LOG_GROUP_NAME>"
          awslogs-region        = "<AWS_REGION>"
          awslogs-stream-prefix = "ecs"
        }
      }
    }

Option 2 - Update task definition with JSON

You can also go to the Task definitions in the ECS page of your AWS account, and create a new revision for the task definition with JSON. Add the following to the container definitions:

        {
            "name": "traceable-agent-packet-forwarder",
            "image": "traceableai/packet-forwarder:1.0.10",
            "essential": true,
            "environment": [
                {
                    "name": "BPF_FILTER",
                    "value": "tcp"
                },
                {
                    "name": "DESTINATION",
                    "value": "mirroring-fargate.private.traceable.ai"
                },
                {
                    "name": "INTERFACE",
                    "value": "any"
                },
                {
                    "name": "MTU",
                    "value": "9000"
                },
                {
                    "name": "STAT_DURATION",
                    "value": "30"
                }
            ],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group":         "<CLOUDWATCH_LOG_GROUP_NAME>",
                    "awslogs-region":        "<AWS_REGION>",
                    "awslogs-stream-prefix": "ecs"
                },
                "secretOptions": []
            }
        }
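As an added pre-deployment check (example code written for this article, not Traceable's own tooling), the Python below reads the containerDefinitions array of a task definition and reports a missing packet-forwarder sidecar, a missing environment variable, an empty DESTINATION, or a <...> placeholder left in the awslogs options. The sample task definition is constructed for the example and still carries the placeholders.

```python
import json

# Environment variables the sidecar container definition on this page sets.
REQUIRED_ENV = ("BPF_FILTER", "DESTINATION", "INTERFACE", "MTU", "STAT_DURATION")
SIDECAR_IMAGE_PREFIX = "traceableai/packet-forwarder:"

def find_sidecar(container_definitions):
    """Return the packet-forwarder container definition, or None if it is absent."""
    for cdef in container_definitions:
        if cdef.get("image", "").startswith(SIDECAR_IMAGE_PREFIX):
            return cdef
    return None

def check_sidecar(container_definitions):
    """Return a list of problems; an empty list means the sidecar matches this page's definition."""
    sidecar = find_sidecar(container_definitions)
    if sidecar is None:
        return ["no traceableai/packet-forwarder container in the task definition"]
    problems = []
    if sidecar.get("essential") is not True:
        problems.append("sidecar is not marked essential")
    env = {e.get("name"): e.get("value", "") for e in sidecar.get("environment", [])}
    for name in REQUIRED_ENV:
        if name not in env:
            problems.append(f"missing environment variable {name}")
    if env.get("DESTINATION") == "":
        problems.append("DESTINATION is empty (Traceable hostname or agent VM IP expected)")
    log_opts = sidecar.get("logConfiguration", {}).get("options", {})
    for key, value in log_opts.items():
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"placeholder {value} left in {key}")
    return problems

# Constructed sample: an app container plus the sidecar, placeholders not yet replaced.
SAMPLE_TASK_DEFINITION = json.loads("""
{"containerDefinitions": [
  {"name": "app", "image": "example/app:latest", "essential": true},
  {"name": "traceable-agent-packet-forwarder", "essential": true,
   "image": "traceableai/packet-forwarder:1.0.10",
   "environment": [
     {"name": "BPF_FILTER", "value": "tcp"},
     {"name": "DESTINATION", "value": "mirroring-fargate.private.traceable.ai"},
     {"name": "INTERFACE", "value": "any"}, {"name": "MTU", "value": "9000"},
     {"name": "STAT_DURATION", "value": "30"}],
   "logConfiguration": {"logDriver": "awslogs",
     "options": {"awslogs-group": "<CLOUDWATCH_LOG_GROUP_NAME>",
                 "awslogs-region": "<AWS_REGION>",
                 "awslogs-stream-prefix": "ecs"}}}]}
""")
```

Run check_sidecar(SAMPLE_TASK_DEFINITION["containerDefinitions"]) against the exported JSON of your revised task definition before redeploying; it lists the two leftover placeholders for the sample above.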

After you have updated the Task definition, redeploy your ECS Task with the new definition. Make a note of the following:


Troubleshooting

In case you are unable to view the traffic in Traceable Platform, check for the following:

  • Check if your ECS cluster's Security Group permits outgoing UDP connection to port 4789 for the CIDRs of Traceable ECS cluster's subnets, Instance group, and the private IP of the VM with Traceable agent (if installation script was used in step 1).

  • Verify that the Security Group of the ECS cluster/Instances where Traceable Platform agent is running allows outbound connection to api.traceable.ai:443.
