I have an ECS cluster setup with a container that runs a microservice hosting a public and private HTTP server.
I have the public HTTP server being connected through an Elastic Load Balancer which is working correctly, however the internal HTTP server is being routed via AWS Cloud Map and Route 53 with a private hosted zone.
AWS Cloud Map finds the instance correctly, however when trying to access the private endpoint from another ECS task I get a no such host error.
Any suggestions on what could be the cause?
Thanks!
For me it was resolved by making sure that DNS Hostnames and DNS resolution are enabled in your VPC settings:
Go to your VPC dashboard, then press the "Actions" button, then
Press Edit DNS hostnames
Check the "Enable" checkbox
and the same goes for DNS resolution.
Related
I am running a Spring Boot Application (as a RESTful Webservice) dockerized in an EC2 Instance. If I start the container, everything is working fine, but only with HTTP. e.g. http://ec2-54-93-55.eu-central...com
I already tried setting up the Security Groups of my EC2 Instance, where I enabled HTTPS, but it still does not work.
Now I want to add an SSL Certificate to my Instance with the AWS Certificate Manager. The problem now is that I need a hosted domain for this and I cannot use the Domain of my EC2 Instance.
I tried setting it up as api.mydomain.com and it is verified now. How can I now connect my EC2 Instance with this domain?
I tried creating an Alias in Route 53 by routing api.mydomain.com to the EC2 public DNS. But this did not work either.
You will not be able to attach an ACM public certificate to your EC2 instance as they are required to be attached to either one of these resources:
CloudFront
Elastic Load Balancer.
Once these are configured you will need to update the DNS record on your hosting provider to target the CNAME of whichever of these resources you use.
If you were using Route 53 as your hosting provider you would add your record to the public hosted zone for that domain; however, this process is slightly different for each DNS provider.
I am trying to launch a task in Amazon ECS but getting the following error:
CannotPullContainerError: Error response from daemon, request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
I was able to pull the container in my local environment and it works fine, but I am getting this error while trying to deploy in the Amazon environment.
The suggested checks from Amazon are as follows:
Confirm that the subnet used to run a task has a route to an internet gateway or NAT gateway in a route table.
Note: Instead of an internet gateway or NAT gateway, you can use AWS PrivateLink. To avoid errors, be sure to correctly configure AWS PrivateLink or HTTP proxy.
If you're launching tasks in a public subnet, choose ENABLED for Auto-assign public IP when you launch a task in the Amazon EC2 console. This allows your task to have outbound network access to pull an image.
If you're using an Amazon provided DNS in your Amazon VPC, confirm that the security group attached to the instance has outbound access allowed for HTTPS (port 443).
If you're using a custom DNS, confirm that outbound access is allowed for DNS (UDP and TCP) on port 53 and HTTPS access on port 443.
Verify that your network ACL rules aren't blocking traffic to the registry.
This error ultimately points to a network connectivity issue between the subnet or MicroVM your container runs on and the ECS service.
By default it will traverse the public internet (unless you have set up the correct VPC endpoints). So if you do not have outbound internet support you will not be able to connect to the ECR endpoint.
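The network checks listed in the answer above, scripted as an added example (not code from the thread): it assumes the AWS CLI is installed with EC2 read access, and the subnet-EXAMPLE/sg-EXAMPLE ids and the assumption that the subnet has an explicit route-table association are placeholders.

```python
"""Added example: checks a task subnet for an internet/NAT default route (or the
ecr.api + ecr.dkr + s3 VPC endpoints) and its security group for outbound 443."""
import json
import subprocess

ECR_ENDPOINTS = (".ecr.api", ".ecr.dkr", ".s3")  # needed when there is no internet route

def aws(*args):
    # Run one AWS CLI command and return its parsed JSON output.
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def has_internet_route(route_table):
    # Active default route whose target is an internet gateway or NAT gateway.
    for r in route_table.get("Routes", []):
        target = r.get("GatewayId") or r.get("NatGatewayId") or ""
        if (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                and target.startswith(("igw-", "nat-"))
                and r.get("State", "active") == "active"):
            return True
    return False

def has_ecr_endpoints(endpoints):
    names = [e["ServiceName"] for e in endpoints if e.get("State") == "available"]
    return all(any(n.endswith(s) for n in names) for s in ECR_ENDPOINTS)

def allows_https_egress(group):
    for p in group.get("IpPermissionsEgress", []):
        if p.get("IpProtocol") == "-1":  # "all traffic" rule
            return True
        if p.get("IpProtocol") == "tcp" and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 0):
            return True
    return False

def find_problems(route_table, endpoints, group):
    # Pure decision logic over the CLI responses, so it can be tested offline.
    problems = []
    if not has_internet_route(route_table) and not has_ecr_endpoints(endpoints):
        problems.append("no default route via igw-/nat- and no ecr.api+ecr.dkr+s3 VPC endpoints")
    if not allows_https_egress(group):
        problems.append("security group has no outbound TCP 443 rule")
    return problems

def check(subnet_id, sg_id):
    # Assumes an explicit subnet association; otherwise query the VPC's main route table.
    rt = aws("ec2", "describe-route-tables", "--filters",
             f"Name=association.subnet-id,Values={subnet_id}")["RouteTables"][0]
    eps = aws("ec2", "describe-vpc-endpoints", "--filters",
              f"Name=vpc-id,Values={rt['VpcId']}")["VpcEndpoints"]
    sg = aws("ec2", "describe-security-groups", "--group-ids", sg_id)["SecurityGroups"][0]
    return find_problems(rt, eps, sg)
```

Network ACLs and HTTP proxy settings from the list are not covered here; `check("subnet-EXAMPLE", "sg-EXAMPLE")` returns an empty list when the covered items pass.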
Setup
I've got the below configured in a single AWS account. If it helps, the Client is Kibana and the Service is ElasticSearch.
What I'm trying to do
Route traffic from the "Client" EC2 instances to an Internal Application Load Balancer using a Route53 Alias Record in a Private Hosted Zone.
I've followed AWS's documentation, and as I understand it, I should just be able to create the alias record in the Private Hosted Zone... and the good news is, I can.
The Hosted Zone name is internal.my_company.com
The Alias name is service.internal.my_company.com
Problem
If I open a Session Manager terminal on one of the Clients and run the following:
curl <internal_load_balancer_dns>:9200
I get a response from the Service as expected
However, if I run
curl service.internal.my_company.com:9200
I get the following response
curl: (6) Could not resolve host: service.internal.my_company.com
I've googled around, but can't find anything recent relating to this. Have I missed something in letting Route53 know how to reach the Internal Load Balancer?
Let me know if you need more information about the setup.
Thanks
Is the VPC hosting your private subnets associated with the private hosted zone? (Probably so, since you have to pick a VPC when creating the zone.)
For the VPC, did you enable DnsHostnames and DnsSupport?
VPC --> Actions
I have hosted our applications on ECS Cluster (EC2 Mode) in a private subnet. I am facing problem with inter-service communication.
I have set task networking mode as bridge.
Depending on Route53 private hosted zone for service discovery.
The services are getting registered under Route53 with SRV record type.
Using . for pointing to our hosted service. For example, I have hosted a redis container with namespace "local" and service name "redisdb", then I refer to that service in the application as "redisdb.local".
But I am getting an error in our application saying: "Name or Service not known". I have also tried with AWSVPC mode with A record type. But still I am facing same issue.
Am I missing anything here? Any help would be appreciated.
Hmm, finally the issue was resolved by enabling the DNS hostnames setting.
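The three VPC checks the answers above keep coming back to (DNS hostnames, DNS resolution, and the private zone's association with the VPC), as an added example that is not code from the thread: it assumes the AWS CLI is installed with read access to EC2 and Route 53, and vpc-EXAMPLE / Z-EXAMPLE are placeholder ids.

```python
"""Added example: report which of the VPC/private-zone settings that break
name resolution are off, together with the CLI command that turns each on."""
import json
import subprocess

def aws(*args):
    # Run one AWS CLI command and return its parsed JSON output.
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def find_problems(vpc_id, dns_hostnames, dns_support, hosted_zone):
    """Pure decision logic over the CLI responses (testable offline).
    dns_hostnames / dns_support: `aws ec2 describe-vpc-attribute` output
    hosted_zone: `aws route53 get-hosted-zone` output"""
    problems = []  # (what is wrong, how to fix it)
    if not dns_support["EnableDnsSupport"]["Value"]:
        problems.append(("enableDnsSupport is off: the VPC resolver is disabled",
                         f"aws ec2 modify-vpc-attribute --vpc-id {vpc_id} "
                         "--enable-dns-support '{\"Value\":true}'"))
    if not dns_hostnames["EnableDnsHostnames"]["Value"]:
        problems.append(("enableDnsHostnames is off: private zone names will not resolve",
                         f"aws ec2 modify-vpc-attribute --vpc-id {vpc_id} "
                         "--enable-dns-hostnames '{\"Value\":true}'"))
    if not hosted_zone["HostedZone"]["Config"].get("PrivateZone", False):
        problems.append(("hosted zone is public, not private",
                         "create a private hosted zone and associate it with the VPC"))
    elif vpc_id not in {v["VPCId"] for v in hosted_zone.get("VPCs", [])}:
        problems.append((f"{vpc_id} is not associated with the hosted zone",
                         "aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "
                         f"{hosted_zone['HostedZone']['Id']} --vpc VPCRegion=<region>,VPCId={vpc_id}"))
    return problems

def check(vpc_id, zone_id):
    hostnames = aws("ec2", "describe-vpc-attribute", "--vpc-id", vpc_id,
                    "--attribute", "enableDnsHostnames")
    support = aws("ec2", "describe-vpc-attribute", "--vpc-id", vpc_id,
                  "--attribute", "enableDnsSupport")
    zone = aws("route53", "get-hosted-zone", "--id", zone_id)
    return find_problems(vpc_id, hostnames, support, zone)

if __name__ == "__main__":
    for why, fix in check("vpc-EXAMPLE", "Z-EXAMPLE") or [("no problems found", "")]:
        print(why, "->", fix)
```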
I've read through all the white papers for Route53, Private Hosted Zones, and Workspaces and I'm at the point of banging my head on the wall. :p
I'm having trouble getting an EC2 instance and an Amazon Workspace within a private cloud to communicate using a Fully Qualified Domain Name. I need them to communicate with a FQDN instead of an IP address so that I can have an encrypted connection with an SSL.
Here is my configuration:
Set up a VPC with two public subnets, a route table, and an internet gateway.
VPC is set up with DNSResolution and DNSHostnames enabled.
Set up a Simple AD for the workspace within the private VPC.
Set up an EC2 instance within the private VPC with a public subnet.
Set up the EC2 instance with a security group that allows ports 80, 443, and 5003 open to 0.0.0.0/0.
Set up a workspace within the private VPC with no security group.
Disabled the firewall within the EC2 instance and Workspace.
Set up a Hosted Zone on Route53 configured as Private and linked to the VPC.
Set up an A Record pointing to the private IP of the EC2 instance.
If I run a ping from the Workspace to the DNS record that was setup in Route53, I get a successful connection.
If I try to reach the EC2 server using a Web browser on Port 80 or Port 443 using the DNS record, it fails.
If I try to reach the EC2 server using an application that runs on Port 5003 using the DNS record, it fails.
If I try to reach the EC2 server with either web browser or application by referencing the IP, it is successful. So I know that my ports aren't being blocked.
Did I configure the Route53 record incorrectly, or am I missing a particular IAM Role permission set?
Thanks and let me know if I need to elaborate on any of the configuration.
SimpleAD DNS is being used instead of Route53. If the zone is the same then only one or the other can be used, I'm afraid.
For example, if you have the host.com DNS zone in SimpleAD then the workspace won't use R53 for any *.host.com resolution. Try a different private zone in R53, and therefore a different FQDN for the EC2 instance's private IP address.
https://forums.aws.amazon.com/thread.jspa?threadID=215126