
I have a setup of 2 services: A and B. There is a requirement that:

  • Service B should be able to access service A
  • Users inside the corporate VPN can access service B

I have provisioned the setup using Terraform ECS service discovery, where I specified service A with a service_registries section. The aws_service_discovery_private_dns_namespace and aws_service_discovery_service are specified as follows.

resource "aws_service_discovery_private_dns_namespace" "example" {
  name        = "hoge.example.local"
  description = "example"
  vpc         = aws_vpc.example.id
}

resource "aws_service_discovery_service" "example" {
  name = "example"

  dns_config {
    namespace_id = aws_service_discovery_private_dns_namespace.example.id

    dns_records {
      ttl  = 10
      type = "SRV"
    }

    routing_policy = "MULTIVALUE"
  }

  health_check_custom_config {
    failure_threshold = 1
  }
}

I can see a CloudMap entry created, with the correct namespace, and service name pointing to the correct IP address. When I access this IP address directly http://10.1.0.16:9000 (under VPN), I can access service A, but when I use http://example.hoge.example.local:9000, then the browser waits indefinitely for a response. I read from a few documents that SRV record lookup is different from A record lookup, but I have no clue how to fix this.

The diagram of the setup is included.

Many thanks!

[Diagram: ECS Service Discovery Setup]

Khanetor
  • Is there a reason you are using `SRV` records instead of `A` or `CNAME`? You can't test SRV records using something like `curl` or a web browser. You would have to use a DNS tool like `nslookup` to test if you can resolve the `SRV` record. – Mark B Apr 08 '21 at 18:40
  • A record cannot map to services with many tasks. SRV record is required with dynamic port mapping. When I was configuring the service discovery, SRV is the only selectable option, so I went with that. – Khanetor Apr 08 '21 at 19:12
  • OK, so then you need to read up on how SRV records work, and how you would test them. Like trying to go to `http://example.hoge.example.local:9000` will never work with an SRV record (also notice how you are specifying the port number there instead of relying on SRV to tell you the port). An application using an SRV record would perform a DNS resolution and get the SRV record's value(s), and then use the value(s) to build a connection. To test it you will need to do the same thing. – Mark B Apr 08 '21 at 19:18
  • I see, I will look into SRV. Thank you :) – Khanetor Apr 08 '21 at 19:26
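The client-side behaviour Mark B describes in the comments (resolve the SRV name, read priority/weight/port/target from each answer, then build the connection from that rather than typing a host:port into a browser), as an added example that is not part of the question or of the AWS/Terraform configuration above. The sample answer lines are constructed to look like the output of `dig SRV example.hoge.example.local` for a multi-task service with dynamic host ports; the per-task hostnames in them are invented. The live lookup helper uses the dnspython package, which is an assumption about tooling and is not required for the offline part.

```python
"""Added example: SRV-aware client logic for an ECS/Cloud Map service name.

Not taken from the question or from AWS; hostnames below are constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: '<priority> <weight> <port> <target>' (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> SrvRecord:
    """Parse SRV RDATA text such as '1 1 32768 abc.example.hoge.example.local.'."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed SRV rdata: {line!r}")
    prio, weight, port, target = parts
    return SrvRecord(int(prio), int(weight), int(port), target.rstrip("."))


def order_srv_targets(records: Iterable[SrvRecord],
                      rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order answers per RFC 2782: lowest priority first; within one priority,
    weighted-random selection so heavier-weighted targets tend to be tried first."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        # RFC 2782 puts weight-0 entries first so they are rarely chosen.
        group = sorted(by_priority[prio], key=lambda r: r.weight == 0, reverse=True)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def connection_urls(records: Iterable[SrvRecord], scheme: str = "http",
                    rng: Optional[random.Random] = None) -> List[str]:
    """Build the URLs to try, in order. The port comes from the SRV answer,
    which is what makes dynamic host-port mapping work at all."""
    return [f"{scheme}://{r.target}:{r.port}" for r in order_srv_targets(records, rng)]


def resolve_srv(name: str) -> List[SrvRecord]:
    """Live lookup (assumes `pip install dnspython`). Must be run from a host whose
    DNS queries reach the VPC's Route 53 resolver: the namespace is private."""
    import dns.resolver
    answer = dns.resolver.resolve(name, "SRV")
    return [SrvRecord(r.priority, r.weight, r.port, r.target.to_text().rstrip("."))
            for r in answer]


# Constructed sample answer (not real output): two tasks on dynamic host ports at
# priority 1 and one lower-preference target at priority 2.
SAMPLE_SRV_ANSWER = [
    "1 1 32768 a1b2c3.example.hoge.example.local.",
    "1 1 32781 d4e5f6.example.hoge.example.local.",
    "2 1 9000 fallback.example.hoge.example.local.",
]


def demo(seed: int = 42) -> List[str]:
    """Parse the constructed answer and return the ordered URLs a client would try."""
    records = [parse_srv_line(line) for line in SAMPLE_SRV_ANSWER]
    return connection_urls(records, rng=random.Random(seed))


if __name__ == "__main__":
    for url in demo():
        print(url)
```

Two things to check when applying this to the setup in the question: the name to query is the service name under the namespace (`example.hoge.example.local`), and the query has to be answered by the VPC's private resolver. A browser never performs SRV lookups for HTTP, and a VPN client whose DNS goes elsewhere will not see the private namespace at all, so `dig SRV` (or `nslookup -type=SRV`) from inside the VPC is the first test to run before blaming the service.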

0 Answers