This repository was archived by the owner on Nov 27, 2023. It is now read-only.

Docker compose cli support for ECS with VPCs without public subnets #2125

Open
fdoa opened this issue Jan 8, 2022 · 11 comments
Labels
stale Inactive issue

Comments

@fdoa

fdoa commented Jan 8, 2022

Description

The current implementation relies on VPCs with public subnets, and if there are no public subnets it throws an error straight away.

I'm working in a use case where the VPC where I want to deploy the stack has only private subnets. I'm using Transit Gateway, and Egress traffic to the internet is done via an egress VPC.

I would like to be able to use Docker compose for this scenario.
A simple solution could be to add the following parameter:

x-aws-subnets:
 - subnet1
 - subnet2

Then based on the discovery of the subnet if it's public or private, it could then determine automatically the LoadBalancer scheme (internal / internet-facing).

@DustinHolden

I have a working setup with all Fargate instances running within private subnets and then a load balancer placed on public subnets.

Have you tried defining the subnets for the load balancer? For more context see this issue. I would try just referencing only the private subnets in the x-aws-cloudformation definition.

x-aws-cloudformation:
  Resources:
    YourService:
      Properties:
        NetworkConfiguration:
          AwsvpcConfiguration:
            Subnets:
            - subnet-someprivatesubnet
            - subnet-someotherprivatesubnet
    LoadBalancer:
      Properties:
        Subnets:
            - subnet-someprivatesubnet
            - subnet-someotherprivatesubnet

@thehapyone

Although the referenced issue addresses this problem, it only solves it for the load balancer side of things. So for example, if your compose file contains volumes, the generated template will create EFS mount targets for all subnets in that VPC even though you have manually assigned the subnets you want the services to use.

@DustinHolden

@thehapyone, interestingly enough, I ran into this same issue just a few days ago. Have you found a way to only create EFS mount targets within the private subnets?

@thehapyone

@DustinHolden After many hours of frustration, I ended up having a separate CloudFormation template for creating and managing the EFS volumes and all the required mount targets in their respective subnets. Afterwards, the created volume is used in the docker-compose file as an external volume, so no new mount targets will be created.

@JohnPreston

JohnPreston commented May 5, 2022

Hi all.

@fdoa, you can do all of that very simply with ECS Compose-X.
If you have docker-compose defined networks, i.e. private, you can map them to a group of subnets defined in x-vpc and your services will automatically be deployed in these subnets.

For load-balancers, databases etc, there is a similar setting, cleverly called Subnets

I haven't had the use-case yet to change the subnets for EFS, but for EFS volumes @thehapyone , it'd work the same way using x-efs which allows to use that setting.

Note that with x-vpc, the AppSubnets / StorageSubnets / PublicSubnets are "whatever you decide for these to be". They could very well be the same ones, it is just logical names. And you can create your own logical names too.

Hope this helps :)

@fdoa
Author

fdoa commented May 5, 2022

Thanks @JohnPreston, I will look into ECS Compose-X, it looks interesting.
For the time being I have "patched" my docker cli to not look for an Internet gateway, and bind to my private subnets. But for a more permanent solution I will need better support, so Compose-X seems a good candidate.

@JohnPreston

Cool. I had the same kind of constraints and decided that users should just be allowed to define which subnets of their VPC to qualify in whichever way they want, and place services in there in any way they want.

Hit me up if you have any questions.

@xender69

Hi guys,

Am I using the x-aws-cloudformation correctly in my docker compose file below?

version: '3.8'

x-aws-vpc: "vpc-0f64c8ba9cb5bb10f"

services:
  osticket:
    container_name: osticket-web
    image: osticket/osticket
    environment:
      MYSQL_HOST: db
      MYSQL_PASSWORD: secret
    depends_on:
      - db
    ports:
      - 80:80
  db:
    container_name: osticket-db
    image: mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: secret
      MYSQL_DATABASE: osticket
      MYSQL_USER: osticket
      MYSQL_PASSWORD: secret
    expose:
      - "3306"
      
x-aws-cloudformation:
  Resources:
    OsticketService:
      Properties:
        NetworkConfiguration:
          AwsvpcConfiguration:
            Subnets:
              - subnet-093223fe760e52016 #public subnet-1
              - subnet-08120f88feb55e3f1 #public subnet-2
    DbService:
      Properties:
        NetworkConfiguration:
          AwsvpcConfiguration:
            Subnets:
              - subnet-0c68a298227d9c2e8 #private subnet-1
              - subnet-042cae15125ba9b1b #private subnet-2

Thank you

Because when I run docker compose up, it still complains:

A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: a719428b-5299-4dda-ab1e-567f4ad52b07; Proxy: null)
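The two things this thread keeps circling back to are the subnet discovery fdoa proposes (decide per subnet whether it is public or private and derive the load balancer scheme from that) and the error xender69 quotes (ELB rejects two subnets in the same Availability Zone, which is what happens when the generated template attaches the load balancer to every subnet in the VPC). Both can be checked before anything is deployed. The following is an added example written for this thread, not code from the compose-cli or ECS Compose-X projects; the VPC, subnet, route table and gateway identifiers are constructed placeholders, and the records mimic the shape of EC2 DescribeSubnets / DescribeRouteTables responses so a boto3 caller could feed it real data.

```python
"""Classify subnets as public or private from their route tables, derive the
load balancer scheme, and enforce the one-subnet-per-AZ rule ELB applies.

Added example for this issue thread; not compose-cli code. All identifiers
below are constructed placeholders, not real AWS resources.
"""

# Constructed sample data: one VPC, two AZs, one public and one private
# subnet per AZ (same dict keys as an EC2 DescribeSubnets response).
SUBNETS = [
    {"SubnetId": "subnet-public-a", "VpcId": "vpc-example", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-public-b", "VpcId": "vpc-example", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-private-a", "VpcId": "vpc-example", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-private-b", "VpcId": "vpc-example", "AvailabilityZone": "eu-west-1b"},
]

# Constructed route tables (same dict keys as DescribeRouteTables).
ROUTE_TABLES = [
    # Main table: only the local route. subnet-private-a has no explicit
    # association, so it falls back to this table and is therefore private.
    {"RouteTableId": "rtb-main", "VpcId": "vpc-example",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    # Public table: default route to an internet gateway.
    {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    # Private table: egress via a transit gateway (as in fdoa's setup), no IGW.
    {"RouteTableId": "rtb-private-b", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-example", "State": "active"}]},
]


def effective_route_table(subnet, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_is_public(subnet, route_tables):
    """Public means an active default route (0.0.0.0/0) targeting an internet gateway."""
    rt = effective_route_table(subnet, route_tables)
    if rt is None:
        return False
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("State", "active") == "active"
        and r.get("GatewayId", "").startswith("igw-")
        for r in rt.get("Routes", [])
    )


def lb_scheme_for(subnet_ids, subnets, route_tables):
    """All public -> internet-facing, all private -> internal; a mix is refused."""
    by_id = {s["SubnetId"]: s for s in subnets}
    try:
        flags = {sid: subnet_is_public(by_id[sid], route_tables) for sid in subnet_ids}
    except KeyError as err:
        raise ValueError(f"unknown subnet {err.args[0]}") from None
    if all(flags.values()):
        return "internet-facing"
    if not any(flags.values()):
        return "internal"
    raise ValueError("mixed public and private subnets: " + ", ".join(sorted(flags)))


def az_conflicts(subnet_ids, subnets):
    """Return {az: [subnet ids]} for every AZ that appears more than once."""
    by_id = {s["SubnetId"]: s for s in subnets}
    per_az = {}
    for sid in subnet_ids:
        per_az.setdefault(by_id[sid]["AvailabilityZone"], []).append(sid)
    return {az: ids for az, ids in per_az.items() if len(ids) > 1}


def plan_load_balancer(subnet_ids, subnets, route_tables):
    """Validate the subnet choice and return (scheme, subnet_ids), or raise ValueError."""
    conflicts = az_conflicts(subnet_ids, subnets)
    if conflicts:
        raise ValueError(f"more than one subnet per AZ: {conflicts}")
    return lb_scheme_for(subnet_ids, subnets, route_tables), list(subnet_ids)


if __name__ == "__main__":
    # Explicit private subnets, one per AZ: an internal load balancer.
    print(plan_load_balancer(["subnet-private-a", "subnet-private-b"], SUBNETS, ROUTE_TABLES))
    # Every subnet in the VPC (the default template's behaviour): rejected up front.
    try:
        plan_load_balancer([s["SubnetId"] for s in SUBNETS], SUBNETS, ROUTE_TABLES)
    except ValueError as err:
        print("rejected:", err)
```

Deriving the scheme from the subnets rather than defaulting to internet-facing is the safer direction: a stack meant to stay on private subnets behind a transit gateway never ends up with an internet-facing listener because a template default said so, and the per-AZ check turns the InvalidConfigurationRequest failure into a local validation error before CloudFormation is ever called.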

@jakcst

jakcst commented Dec 3, 2022

Any updates on this? I'm getting the same behavior with a simple docker compose up, both with and without setting x-aws-vpc.

@xender69

Hi jakcst,

Please look into https://docs.compose-x.io/index.html

and if you have questions, try to ping John Preston, he has been a great resource.

@stale

stale bot commented Jun 18, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Inactive issue label Jun 18, 2023