ECS Fargate mirroring
  • 07 Jun 2023

AWS Fargate is a technology for Amazon Elastic Container Service (Amazon ECS) that allows you to run containers without having to manage the underlying instances. With AWS Fargate, you don't have to worry about provisioning, patching, or scaling instances, which makes it easier to run containers. Traceable provides a solution to mirror ECS Fargate traffic. 

Configuring mirroring for ECS Fargate consists of two steps:

  1. Installing the Traceable Platform agent.
  2. Configuring mirroring.

Before you begin

Keep the Traceable agent token handy. In the Traceable platform, navigate to Administration > Account > Access Tokens > Agent Token. Copy and save the token; it is required during the Traceable agent installation.


Step 1 – Install Traceable Platform agent

You can install the Traceable Platform agent in one of the following ways.

Option 1 – Use install script

You can use the installation script with the mirror option to install the Traceable Platform agent. For more information on the script, see the Traffic mirroring for VM topic.

Option 2 – Use Terraform template

You can install the Traceable Platform agent in ECS using the Terraform template. Make sure to use MANUAL mode for AWS VPC mirroring. For more information on installation using the Terraform template, see AWS VPC traffic mirroring using terraform template. Make a note of the following Terraform variables:

  • For the mirror_source object, configure the following:
    • Type: Set the mirror source type to the MANUAL option.
    • Value: Leave this variable empty.
  • deploy_traceable_agent_in_ecs: Set this option to true if you wish to set up the Traceable Platform agent in a new ECS cluster. Set it to false if you wish to set up the Traceable Platform agent in an EC2 cluster.
  • traceable_refresh_token: Enter the Traceable token that you saved in the Before you begin section.
  • traceable_environment: Configure the Traceable environment name, for example, Dev, QA, production, and so on.
  • traceable_service_name: Provide the service name for the mirrored traffic. This is the name that appears on the Traceable Dashboard for the mirrored traffic.

Step 2 – Configure mirroring

To configure mirroring for ECS, edit your ECS task definition to add a network tap sidecar container with the configuration below. The only value you must change is the DESTINATION environment variable: replace the placeholder <Traceable Platform agent's IP or NLB DNS NAME> with the IP address of the Platform agent or the DNS name of the NLB that fronts it. The rest of the container definition can be used as is.

{
  "dnsSearchDomains": null,
  "environmentFiles": null,
  "logConfiguration": null,
  "entryPoint": [],
  "portMappings": [],
  "command": [],
  "linuxParameters": null,
  "cpu": 0,
  "environment": [
    {
      "name": "BPF_FILTER",
      "value": "tcp"
    },
    {
      "name": "DESTINATION",
      "value": "<Traceable Platform agent's IP or NLB DNS NAME>"
    },
    {
      "name": "INTERFACE",
      "value": "any"
    },
    {
      "name": "MTU",
      "value": "9000"
    },
    {
      "name": "STAT_DURATION",
      "value": "30"
    }
  ],
  "resourceRequirements": null,
  "ulimits": null,
  "dnsServers": null,
  "mountPoints": [],
  "workingDirectory": null,
  "secrets": null,
  "dockerSecurityOptions": null,
  "memory": null,
  "memoryReservation": null,
  "volumesFrom": [],
  "stopTimeout": null,
  "image": "traceableai/packet-forwarder",
  "startTimeout": null,
  "firelensConfiguration": null,
  "dependsOn": null,
  "disableNetworking": null,
  "interactive": null,
  "healthCheck": null,
  "essential": true,
  "links": null,
  "hostname": null,
  "extraHosts": null,
  "pseudoTerminal": null,
  "user": null,
  "readonlyRootFilesystem": null,
  "dockerLabels": null,
  "systemControls": null,
  "privileged": null,
  "name": "packet-forwarder"
}

After you have updated the Task definition, redeploy your ECS Task with the new definition.
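The edit-and-redeploy step above can be scripted so that the sidecar is added consistently across many task definitions and an unedited DESTINATION placeholder is never registered. The following is an added example, not Traceable's own tooling: it assumes a task definition in the dict shape that `aws ecs describe-task-definition` returns (a "containerDefinitions" list), builds the sidecar from the settings shown in the snippet above, and uses a constructed sample task definition (the family name, image and NLB name are placeholders).

```python
"""Add the Traceable packet-forwarder sidecar to an ECS task definition.

Added example; this is not Traceable's tooling. It assumes a task definition in
the dict shape returned by `aws ecs describe-task-definition` (a
"containerDefinitions" list) and builds the sidecar from the settings shown in
the article. SAMPLE_TASK_DEF is constructed for illustration.
"""
import copy
import json

PLACEHOLDER = "<Traceable Platform agent's IP or NLB DNS NAME>"
SIDECAR_NAME = "packet-forwarder"
SIDECAR_IMAGE = "traceableai/packet-forwarder"

# Fields that describe-task-definition returns but register-task-definition rejects.
READ_ONLY_FIELDS = ("taskDefinitionArn", "revision", "status", "requiresAttributes",
                    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt")


def build_sidecar(destination, bpf_filter="tcp", interface="any", mtu=9000, stat_duration=30):
    """Return the sidecar container definition with DESTINATION filled in.

    Refuses the placeholder so an unedited snippet never gets registered.
    """
    if not destination or destination.strip() == PLACEHOLDER:
        raise ValueError("DESTINATION must be the Platform agent IP or the NLB DNS name")
    env = {
        "BPF_FILTER": bpf_filter,     # mirror TCP only
        "DESTINATION": destination,   # Platform agent IP or the NLB in front of it
        "INTERFACE": interface,       # capture on every interface in the task
        "MTU": str(mtu),
        "STAT_DURATION": str(stat_duration),
    }
    return {
        "name": SIDECAR_NAME,
        "image": SIDECAR_IMAGE,
        "essential": True,
        "cpu": 0,
        "environment": [{"name": k, "value": v} for k, v in env.items()],
        "portMappings": [],
        "mountPoints": [],
        "volumesFrom": [],
    }


def add_sidecar(task_def, destination):
    """Return a new task definition with the sidecar added.

    An existing container named packet-forwarder is replaced, so running this
    twice does not produce two sidecars; read-only fields are dropped so the
    result can be passed straight to register-task-definition.
    """
    updated = copy.deepcopy(task_def)
    for field in READ_ONLY_FIELDS:
        updated.pop(field, None)
    containers = [c for c in updated.get("containerDefinitions", [])
                  if c.get("name") != SIDECAR_NAME]
    containers.append(build_sidecar(destination))
    updated["containerDefinitions"] = containers
    return updated


def sidecar_destination(task_def):
    """Return the sidecar's DESTINATION value, or None if there is no sidecar."""
    for container in task_def.get("containerDefinitions", []):
        if container.get("name") != SIDECAR_NAME:
            continue
        for var in container.get("environment", []):
            if var.get("name") == "DESTINATION":
                return var.get("value")
    return None


# Constructed sample: a Fargate task with a single application container.
SAMPLE_TASK_DEF = {
    "family": "orders-api",
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:000000000000:task-definition/orders-api:3",
    "revision": 3,
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {"name": "orders-api", "image": "example.invalid/orders-api:1.0",
         "essential": True, "portMappings": [{"containerPort": 8080, "protocol": "tcp"}]}
    ],
}

if __name__ == "__main__":
    # The NLB name is a placeholder; use the DNS name of the NLB fronting your agent.
    new_def = add_sidecar(SAMPLE_TASK_DEF, "nlb-placeholder.example.internal")
    print(json.dumps(new_def, indent=2))
```

Write the printed JSON to a file and register it with `aws ecs register-task-definition --cli-input-json file://updated.json`, then update the service to the new revision. The sidecar is marked "essential": true as in the snippet above, which means ECS stops the whole task if the forwarder exits; keep that in mind when sizing the task and when reading task stop reasons after the redeploy.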

Make a note of the following points:

  • Make sure that the security group of the task allows outbound UDP to port 4789 on the subnet of the ECS cluster that runs the Traceable Platform agent.
  • Allow outbound connections from the ECS cluster that runs the Traceable Platform agent to api.traceable.ai:443.
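Both points are easy to get wrong in a locked-down VPC, and the symptom (no mirrored traffic in the dashboard) does not say which one. The check below is an added example, not Traceable's code: it evaluates the two egress requirements against security groups in the dict shape that `aws ec2 describe-security-groups` returns, and the group IDs, CIDRs and rules are constructed for illustration.

```python
"""Check security-group egress for the ECS Fargate mirroring prerequisites.

Added example; not Traceable's code. Security groups are expected in the dict
shape returned by `aws ec2 describe-security-groups` ("IpPermissionsEgress"
entries with IpProtocol, FromPort, ToPort and IpRanges). The groups and CIDRs
below are constructed for illustration.
"""
import ipaddress

VXLAN_PORT = 4789         # UDP port the packet-forwarder sends mirrored traffic to
TRACEABLE_API_PORT = 443  # outbound HTTPS to api.traceable.ai


def _rule_permits(rule, protocol, port, target):
    """True if one egress rule allows protocol/port to the whole target network."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", protocol):  # "-1" is the all-traffic rule
        return False
    if proto != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    for ip_range in rule.get("IpRanges", []):
        allowed = ipaddress.ip_network(ip_range["CidrIp"])
        if allowed.version == target.version and target.subnet_of(allowed):
            return True
    return False


def allows_egress(security_group, protocol, port, cidr):
    """True if any egress rule of the group covers protocol/port to all of cidr."""
    target = ipaddress.ip_network(cidr)
    return any(_rule_permits(rule, protocol, port, target)
               for rule in security_group.get("IpPermissionsEgress", []))


def mirroring_findings(task_sg, agent_subnet_cidr, agent_sg):
    """Return findings for the two prerequisites; an empty list means both pass.

    The article names api.traceable.ai by hostname rather than by CIDR, so the
    second check asks whether TCP/443 is allowed to any destination (0.0.0.0/0).
    """
    findings = []
    if not allows_egress(task_sg, "udp", VXLAN_PORT, agent_subnet_cidr):
        findings.append(f"{task_sg['GroupId']}: task cannot send UDP/{VXLAN_PORT} "
                        f"to {agent_subnet_cidr}")
    if not allows_egress(agent_sg, "tcp", TRACEABLE_API_PORT, "0.0.0.0/0"):
        findings.append(f"{agent_sg['GroupId']}: agent cluster cannot reach "
                        f"api.traceable.ai:{TRACEABLE_API_PORT}")
    return findings


# Constructed sample data.
AGENT_SUBNET = "10.20.1.0/24"  # subnet of the cluster running the Platform agent

TASK_SG_OK = {"GroupId": "sg-task-ok", "IpPermissionsEgress": [
    {"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
TASK_SG_MISSING = {"GroupId": "sg-task-missing", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
AGENT_SG_OK = {"GroupId": "sg-agent-ok", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
AGENT_SG_LOCKED = {"GroupId": "sg-agent-locked", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}

if __name__ == "__main__":
    for task_sg, agent_sg in ((TASK_SG_OK, AGENT_SG_OK), (TASK_SG_MISSING, AGENT_SG_LOCKED)):
        result = mirroring_findings(task_sg, AGENT_SUBNET, agent_sg)
        print(task_sg["GroupId"], agent_sg["GroupId"], result or "ok")
```

To run it against real groups, feed the `SecurityGroups` entries from `aws ec2 describe-security-groups --group-ids ...` in place of the constructed dicts. Security groups are only half the picture: a network ACL on either subnet can still drop UDP/4789, so check those separately if the findings list is empty but no traffic arrives.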
