ecs agent / ALB health checks

[mbaciu-gpsw]

Hello,

On ecs variant: i'm looking for a way to expose ecs agent tcp/51678 port from outside in order to use it for ALB health checks.
On an already running bottlerocket instance I was able to do it with
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 51678 -j DNAT --to-destination 127.0.0.1:51678

Couple of questions:

• is there a better way of checking if ecs-agent is healthy?
• can the above iptables line (or similar to the same effect) be added to the ecs agent unit file? What I'd really like is have eg a list of subnets from which connections to ecs-agents are allowed, configurable in the ecs section of user data. But, for our use case, having it open to the whole world works too, since we're taking care of filtering traffic with sg rules.

Thanks!

[arnaldo2792]

Hi there, for your second question, have you tried to use a bootstrap container to set up the different iptables rules you need? That will guarantee the host is set up the way you want it before the ECS agent runs. As a side note, you can further narrow down the access to subnets by using security groups. That will guarantee that, even though the port is wide open to world, only the subnets you specify in the security group rules have access to the instance's port.

For the first question, I have reached out to an engineer that works in the ECS team, I'll reply back once I hear from them.

[mbaciu-gpsw]

Hi,

you're absolutely right re: 2nd point: I was able to accomplish this by using a bootstrap container, though at first look seemed a little overkill to have that just to ran an iptables command (as opposed to eg setting up additional volumes for the instance).
I ended up pulling the bootstrap container from an ECR private registry (with additional permissions added to the instance profile); I personally found the documentaion on this area lacking a bit, but that might be just me not reading it right.
Thanks for the help, seems we're on the right path now!

[arnaldo2792]

I personally found the documentation on this area lacking a bit, but that might be just me not reading it right.

We are working on improving this and we will like your feedback, could you please specify which part wasn't clear or is incomplete? 😅

[mbaciu-gpsw]

Eg, this bit from the docs: "For host-container and bootstrap-container images from Amazon ECR private repositories, registry mirrors are currently unsupported.". I read this as: "if you want to use custom host container images, you have to make them public" 🤷 .