4

AWS Cloud Map allows you to set up some namespace for your VPC, and then assign names within that namespace to individual services. The names can either be A) privately discoverable only by API calls, B) discoverable via API calls or via DNS privately within the VPC, or C) discoverable via public DNS and by API calls. ECS can interact with Cloud Map to automatically register services. All this is referred to in AWS ECS as Service Discovery.

AWS ECS also has a relatively new thing called Service Connect. It leverages Cloud Map but also adds a sidecar "proxy" container to your ECS service, effectively creating an automatic service mesh.

I got Service Connect working with ECS using CloudFormation. In my CloudFormation AWS::ECS::Cluster I configured ServiceConnectDefaults to the Cloud Map namespace I want to use, such as example.internal. Then I set enabled: true for the AWS::ECS::Service definitions under ServiceConnectConfiguration, along with a few extra details such as providing a name for the service/port. Assuming I've named my service/port my-service, I believe now that some other service using Service Connect in the same VPC could connect to my-service.example.internal and the sidecar-proxy would figure out some instance of my-service to connect to, without even using DNS! (I haven't tested that yet; I first wanted to get some clarification with the current question.)

But I would like private DNS access as well, if nothing else than to be able to go to Cloud9 and issue e.g. a curl my-service.example.internal/api/test without needing to look up the IP address of one of the my-service instances. I found out that I can define a AWS::ServiceDiscovery::PrivateDnsNamespace and a AWS::ServiceDiscovery::Service (using the same name my-service) and even associate the latter with my ECS service using ServiceRegistries. But then when I try to deploy my CloudFormation stack, I get an error:

Invalid request provided: CreateService error: Service already exists.

I'm guessing that internally to get Service Connect to work, ECS created its own AWS::ServiceDiscovery::Service, at which point it saw that my CloudFormation stack had already created a AWS::ServiceDiscovery::Service with the same name. But if I don't create AWS::ServiceDiscovery::Service myself, the one that ECS creates won't provide a DNS entry for my-service.

Am I to infer that AWS ECS can work with Service Connect (in which case there will be no service DNS entries, but the sidecar proxies will use API calls to look up registered services), or Service Discovery (in which I manually create Cloud Map DNS entries and ECS will automatically register them based upon the AWS::ServiceDiscovery::Service I associate with the ECS service), but not both at the same time? Or did I configure something incorrectly?

I guess if I'm using Service Discovery and get DNS entries, I can simply indicate the (private in my case) DNS entries in the other services and they will find them via Cloud Map, providing me the same capabilities as Service Connect without the need for a sidecar proxy. But maybe Service Connect has some extra monitoring capabilities I'll be losing?

Can someone confirm is this a correct understanding, and elaborate on the practical differences and implications between using Service Connect or Service Discovery with ECS?

Garret Wilson
  • 18,219
  • 30
  • 144
  • 272
  • I struggled with this for days before I realised that Service Connect was not going to add a DNS-capable AWS::ServiceDiscovery::Service for me. I just created my own and used AWS::ECS::Service ServiceRegistry to register my container. My Service Discovery client is a legacy app, so it needs to do a DNS lookup and I don't benefit much from Service Connect in this case. – Maj Apr 23 '23 at 00:30

1 Answers1

5

The benefit that Service Connect brings over service discovery using plain Cloud Map is faster failover when service instances go down. Using DNS-based lookup with Cloud Map means that when a service goes down, it may take a while (based on TTL settings) for your client to realize that it should get a new IP address. Even worse, your client library may keep the same IP address cached even longer, and/or your client's retry logic may keep trying trying the same IP address upon failure.

Service Connect on the other hand introduces a sidecar "proxy" container that that intercepts outgoing connections and routes them to the correct destinations. The sidecar uses API calls to Cloud Map to look up an IP address of a healthy instance of the service in real time, rather than relying on DNS entries, which may be stale. This brings the standard benefits of a service mesh such as Envoy, except that in this case Service Connect manages the sidecar for you. See Migrate existing Amazon ECS services from service discovery to Amazon ECS Service Connect for more discussion on these benefits.

Because Service Connect doesn't rely on DNS, it doesn't bother registering even private DNS entries, and instead registers endpoints with Cloud Map that are privately discoverable only by API calls. There seems to be no way to tell Service Connect to register the service names in the DNS as well.

You cannot use both Service Connect and Service Discovery at once for the same service name, because as mentioned in the question, both Service Connect and Service Discovery will try to register the same service name with Cloud Map. But you can use them both together using two different service names! If you define your task definition port mappings and service ServiceConnectConfiguration using a service/port discovery name such as my-service-connect, having specified the ECS cluster ServiceConnectDefaults with a namespace of example.internal, your other ECS services can connect to my-service-connect.example.internal even though there are no DNS entries for that name, as described above.

But you can additionally define a AWS::ServiceDiscovery::PrivateDnsNamespace of example.internal (which Service Connect will use instead of creating a new one) along with a AWS::ServiceDiscovery::Service using a different service name such as my-service. Associate this service discovery with the ECS service using ServiceRegistries, and you will have the best of both worlds! ECS services can communicate using my-service-connect.example.internal, but you can still go to Cloud9 and connect to my-service.example.internal (note the different name) via the DNS, as ECS will ensure that both are registered. It's not guaranteed that both approaches will refer to the same service instance at any particular time, and if a service instance goes down the DNS approach my-service.example.internal may be stale until the new DNS value is propagated, but for ad-hoc tests in Cloud9 (the motivation for this in the first place) that hardly matters.

I've published a blog post, Using AWS ECS Service Connect and Service Discovery Together, which goes into more depth on how to get this working, complete with CloudFormation template snippets.

Garret Wilson
  • 18,219
  • 30
  • 144
  • 272
  • However on the other hand, if the Service Connect works like this (based on the R53 calls from the sidecars), it still has the limitation of the maximum 8 IP records from one API call (multivalue routing policy in R53), am I right? Does it mean that both Service Discovery and Service Connect are useless for applications requiring more scalability and the only "scalable" way to connect multiple ECS services (each more than 8 tasks running) together is either ALB or App Mesh or am I missing some important concept here? – Hubert Bratek Jul 10 '23 at 14:03
  • 1
    My understanding is that the sidecars do _not_ do Route53 calls. These are two separate, complementary techniques. Please read my answer and blog post carefully. For example I say, "The sidecar uses API calls to Cloud Map to look up an IP address of a healthy instance of the service in real time, rather than relying on DNS entries, which may be stale." I don't think the sidecars of Service Connect use Route53 at all. – Garret Wilson Jul 10 '23 at 15:02
  • I have read it and found this: "Because Service Connect doesn't rely on DNS, it doesn't bother registering even private DNS entries, and instead registers endpoints with Cloud Map that are privately discoverable only by API calls. (These API calls are used by the Service Connect sidecar proxy, for example.) There seems to be no way to tell Service Connect to register the service names in the DNS as well." It actually answers the whole question, but creates a new one - I havent found it in the documentation, can you share the link where did you find it? – Hubert Bratek Jul 10 '23 at 16:33
  • https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html when I read here, for me it looks like it uses Cloud Map, on the similar way as Service Discovery works with Cloud Map and Route 53 private hosted zones and SRV records underneath and multivalue routing. On the other hand, with Service Connect for me seems like the proxy is just refreshing the topology and route tables and is doing the appropriate routing. Where did you find information that proxy works directly on the constant API calls to cloud map and not DNS settings? – Hubert Bratek Jul 10 '23 at 16:33
  • 1
    It says on the page you mentioned: "… a unified way to refer to your services within namespaces that doesn't depend on the Amazon VPC DNS configuration …." That's one of the standard purposes of a service mesh vs DNS-based service discovery. See also [_Migrate existing Amazon ECS services from service discovery to Amazon ECS Service Connect_](https://aws.amazon.com/blogs/containers/migrate-existing-amazon-ecs-services-from-service-discovery-to-amazon-ecs-service-connect/): "… the way Amazon ECS Service Connect handles requests, which no longer relies on DNS hosted zones in Amazon Route 53 …." – Garret Wilson Jul 10 '23 at 19:51
  • 1
    In fact one of the core motivations of this question is that Service Connect by default creates a Cloud Map [`AWS::ServiceDiscovery::HttpNamespace`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-httpnamespace.html), which "can't be discovered using DNS" (quoting the documentation), so Service Connect _must_ be using Cloud Map API calls. In other words, transparently using Cloud Map API calls versus Route 53 DNS is pretty much the whole point of Service Connect. – Garret Wilson Jul 10 '23 at 19:55
  • 1
    Perhaps what you're missing is that you can use Cloud Map in two different ways: via the DNS, or solely via API calls. That's why you have [`AWS::ServiceDiscovery::PrivateDnsNamespace`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-privatednsnamespace.html) vs [`AWS::ServiceDiscovery::HttpNamespace`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-servicediscovery-httpnamespace.html). Service Connect uses the latter. – Garret Wilson Jul 10 '23 at 19:59
  • 1
    See [What Is AWS Cloud Map?](https://docs.aws.amazon.com/cloud-map/latest/dg/what-is-cloud-map.html]https://docs.aws.amazon.com/cloud-map/latest/dg/what-is-cloud-map.html): "[The namespace] … specifies how you want to locate resources: using AWS Cloud Map DiscoverInstances API calls, DNS queries in a VPC, or public DNS queries" – Garret Wilson Jul 10 '23 at 20:00
  • Got it! Thank you for clarification. Now I understand. So old way of Service Discovery works on the DNS config of AWS CloudMap, and the new one works on the http config of the AWS CloudMap and by making calls to it from the proxies which probably caches those values for some time and returns it. And by default the number of instances returned (so also instances working with the service is 100) https://docs.aws.amazon.com/cloud-map/latest/api/API_DiscoverInstances.html. I believe now I understand the concepts and differences, thank you for clarification! – Hubert Bratek Jul 10 '23 at 23:12