Amazon ECS Service Connect with shared Amazon Cloud Map namespaces - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon ECS Service Connect with shared Amazon Cloud Map namespaces

Amazon ECS Service Connect supports using shared Amazon Cloud Map namespaces across multiple Amazon Web Services accounts within the same Amazon Web Services Region. This capability enables you to create distributed applications where services running in different Amazon Web Services accounts can discover and communicate with each other through Service Connect. Shared namespaces are managed using Amazon Resource Access Manager (Amazon RAM), which allows secure cross-account resource sharing. For more information about shared namespaces, see Cross-account Amazon Cloud Map namespace sharing in the Amazon Cloud Map Developer Guide.

Important

You must use the AWSRAMPermissionCloudMapECSFullPermission managed permission to share the namespace for Service Connect to work properly with the namespace.

When you use shared Amazon Cloud Map namespaces with Service Connect, services from multiple Amazon Web Services accounts can participate in the same service namespace. This is particularly useful for organizations with multiple Amazon Web Services accounts that need to maintain service-to-service communication across account boundaries while preserving security and isolation.

Note

To communicate with services that are in different VPCs, you will need to configure inter-VPC connectivity. This can be achieved using a VPC Peering connection. For more information, see Create or delete a VPC Peering connection in the Amazon Virtual Private Cloud VPC Peering guide.

Considerations

Consider the following when using shared Amazon Cloud Map namespaces with Service Connect:

  • Amazon RAM must be available in the Amazon Web Services Region where you want to use the shared namespace.

  • The shared namespace must be in the same Amazon Web Services Region as your Amazon ECS services and clusters.

  • You must use the namespace ARN, not the ID, when configuring Service Connect with a shared namespace.

  • All namespace types are supported: HTTP, Private DNS, and Public DNS namespaces.

  • If access to a shared namespace is revoked, Amazon ECS operations that require interaction with the namespace (such as CreateService, UpdateService, and ListServicesByNamespace) will fail. For more information about troubleshooting permissions issues with shared namespaces, see Troubleshooting Amazon ECS Service Connect with shared Amazon Cloud Map namespaces.

  • For service discovery using DNS queries in a shared private DNS namespace:

    • The namespace owner will need to call create-vpc-association-authorization with the ID of the private hosted zone associated with the namespace, and the consumer's VPC.

      aws route53 create-vpc-association-authorization --hosted-zone-id Z1234567890ABC --vpc VPCRegion=us-east-1,VPCId=vpc-12345678

    • The namespace consumer will need to call associate-vpc-with-hosted-zone with the ID of the private hosted zone.

      aws route53 associate-vpc-with-hosted-zone --hosted-zone-id Z1234567890ABC --vpc VPCRegion=us-east-1,VPCId=vpc-12345678

  • Only the namespace owner can manage the resource share.

  • Namespace consumers can create and manage services within the shared namespace but cannot modify the namespace itself.

  • Discovery names must be unique within the shared namespace, regardless of which account creates the service.

  • Services in the shared namespace can discover and connect to services from other Amazon Web Services accounts that have access to the namespace.

  • When enabling TLS for Service Connect and using a shared namespace, the Amazon Private Certificate Authority (Amazon Private CA) certificate authority is scoped to the namespace. When access to the shared namespace is revoked, access to the CA is also cut off.
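The considerations above can be checked before calling CreateService. The following pre-flight check is an added example, not code from this page or from Amazon ECS; it assumes the standard ARN layouts for Amazon Cloud Map namespaces and ECS clusters (including the aws-cn partition), and the account IDs, namespace ID and discovery names in it are constructed sample values.

```python
import re

# Assumed ARN layouts: arn:<partition>:servicediscovery:<region>:<account>:namespace/ns-...
# and arn:<partition>:ecs:<region>:<account>:cluster/<name>. The aws-cn partition is included.
NAMESPACE_ARN = re.compile(
    r"^arn:aws(?:-cn)?:servicediscovery:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":namespace/(?P<id>ns-[a-z0-9]+)$"
)
CLUSTER_ARN = re.compile(
    r"^arn:aws(?:-cn)?:ecs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):cluster/.+$"
)


def check_service_connect(service_connect: dict, cluster_arn: str, taken_names: set) -> list:
    """Return the problems found; an empty list means the configuration passes.

    service_connect is the serviceConnectConfiguration block of a service definition,
    taken_names the discovery names already registered in the shared namespace by
    any account (uniqueness applies across accounts, not per account).
    """
    problems = []
    ns = NAMESPACE_ARN.match(service_connect.get("namespace", ""))
    if not ns:
        # A bare namespace ID (ns-...) is rejected: a shared namespace needs the ARN.
        problems.append("namespace must be the namespace ARN, not the ID")
        return problems
    cluster = CLUSTER_ARN.match(cluster_arn)
    if not cluster:
        problems.append("cluster must be given as an ARN")
        return problems
    if ns["region"] != cluster["region"]:
        problems.append(f"namespace region {ns['region']} differs from cluster region {cluster['region']}")
    for svc in service_connect.get("services", []):
        # ECS falls back to the task definition port name when discoveryName is omitted.
        name = svc.get("discoveryName") or svc.get("portName")
        if name in taken_names:
            problems.append(f"discovery name {name!r} is already used in the shared namespace")
    return problems


# Constructed sample: namespace owned by account 111111111111, consumed by a cluster in 222222222222.
OWNER_NAMESPACE = "arn:aws-cn:servicediscovery:cn-north-1:111111111111:namespace/ns-0123456789abcdef"
CONSUMER_CLUSTER = "arn:aws-cn:ecs:cn-north-1:222222222222:cluster/orders"
ALREADY_TAKEN = {"inventory", "payments"}   # registered earlier by other accounts
CONSUMER_CONFIG = {
    "enabled": True,
    "namespace": OWNER_NAMESPACE,
    "services": [{"portName": "http", "discoveryName": "orders", "clientAliases": [{"port": 80}]}],
}
```

Run the check against CONSUMER_CONFIG before creating the service, and again after a namespace ID is mistakenly substituted for the ARN, to see the difference in findings.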