Requirements for Consul on AWS Elastic Container Service (ECS)

The following requirements must be met in order to install Consul on ECS:

  • Launch Type: Fargate and EC2 launch types are supported.
  • Network Mode: Only awsvpc mode is supported.
  • Subnets: ECS Tasks can run in private or public subnets. Tasks must have network access to Amazon ECR or other public container registries to pull images.
  • Consul Servers: You can use your own Consul servers running on virtual machines or use HashiCorp Cloud Platform Consul to host the servers for you. For development purposes or testing, you may use the dev-server Terraform module that runs the Consul server as an ECS task. The dev-server does not support persistent storage.
  • ACL Controller: If you are running a secure Consul installation with ACLs enabled, configure the ACL controller.
    • Admin Partitions: EnterpriseRequirements - 图1EnterpriseConsul on ECS supports admin partitions when ACLs are enabled and the ACL controller is configured. The ACL controller manages one admin partition and each ECS cluster requires an ACL controller. Each mesh-task must also be configured to use a Consul Enterprise client.
    • Namespaces: EnterpriseRequirements - 图2EnterpriseNamespaces are supported when ACLs are enabled and the ACL controller is configured. Each mesh-task must also be configured to use a Consul Enterprise client.
  • Sidecar containers: Consul on ECS requires two sidecar containers to run in each ECS task: a Consul agent container and a sidecar proxy container. These additional sidecar containers must be included in the ECS task definition. The Consul ECS Terraform module will include these sidecar containers for you. If you do not use Terraform, you can construct the task definition yourself by following our documentation.
  • Routing: With your application running in tasks as part of the mesh, you must specify the upstream services that your application calls. You will also need to change the URLs your application uses to ensure the application is making requests through the service mesh.
  • Bind Address: Once all communication is flowing through the service mesh, you should change the address your application is listening on to 127.0.0.1 so that it only receives requests through the sidecar proxy.