Amazon ECS
AWS Fargate User Guide (API Version 2014-11-13)
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Getting Started with AWS App Mesh and Amazon ECS

AWS App Mesh is a service mesh based on the Envoy proxy that makes it easy to monitor and control microservices. App Mesh standardizes how your microservices communicate, giving you end-to-end visibility and helping to ensure high availability for your applications.

App Mesh gives you consistent visibility and network traffic controls for every microservice in an application. For more information, see the AWS App Mesh User Guide.

This topic helps you use AWS App Mesh with an existing microservice application that runs on Amazon ECS.

Prerequisites

App Mesh supports microservice applications that use service discovery naming for their components. To use this getting started guide, you must have a microservice application running on Amazon ECS with service discovery configured.

For more information about service discovery on Amazon ECS, see Service Discovery.

Step 1: Create Your Service Mesh

A service mesh is a logical boundary for network traffic between the services that reside within it. For more information, see Service Meshes in the AWS App Mesh User Guide.

After you create your service mesh, you can create virtual services, virtual nodes, virtual routers, and routes to distribute traffic between the applications in your mesh.

To create a new service mesh with the AWS Management Console

  1. Open the App Mesh console at https://console.amazonaws.cn/appmesh/.

  2. Choose Create mesh.

  3. For Mesh name, specify a name for your service mesh.

  4. Choose Create mesh to finish.

Step 2: Create Your Virtual Nodes

A virtual node acts as a logical pointer to an Amazon ECS service. For more information, see Virtual Nodes in the AWS App Mesh User Guide.

When you create a virtual node, you must specify a service discovery method for your task group. Any inbound traffic that your virtual node expects should be specified as a listener. Any outbound traffic that your virtual node expects to reach should be specified as a backend.

You must create a virtual node for each microservice in your application.

To create a virtual node in the AWS Management Console

  1. Choose the mesh that you created in the previous steps.

  2. Choose Virtual nodes in the left navigation.

  3. Choose Create virtual node.

  4. For Virtual node name, enter a name for your virtual node.

  5. For Service discovery method, choose one of the following options:

    • DNS – Specify the DNS-registered hostname of the actual service that the virtual node represents. For additional information about using DNS as a service discovery method, see Virtual Nodes.

    • AWS Cloud Map – Specify the service name and namespace. Optionally, you can also specify attributes that App Mesh can query AWS Cloud Map for. Only instances that match all of the specified key/value pairs will be returned. To use AWS Cloud Map, your account must have the AWSServiceRoleForAppMesh service-linked role.

  6. To specify any backends (for egress traffic) for your virtual node, or to configure inbound and outbound access logging information, choose Additional configuration.

    1. To specify a backend, choose Add backend and enter a virtual service name or full Amazon Resource Name (ARN) for the virtual service that your virtual node communicates with. Repeat this step until all of your virtual node backends are accounted for.

    2. To configure logging, enter the HTTP access logs path that you want Envoy to use. We recommend the /dev/stdout path so that you can use Docker log drivers to export your Envoy logs to a service such as Amazon CloudWatch Logs.

      Note

      Logs must still be ingested by an agent in your application and sent to a destination. This file path only instructs Envoy where to send the logs.

  7. Specify a Port and Protocol for the Listener.

  8. If you want to configure a health check for your listener, ensure that Health check enabled is selected and then complete the following substeps. If not, clear this check box. A health check policy is optional, but if you specify any value for a health check policy, then you must specify values for Healthy threshold, Health check interval, Health check protocol, Timeout period, and Unhealthy threshold.

    1. For Health check protocol, choose a protocol. If you select grpc, then your service must conform to the GRPC Health Checking Protocol.

    2. For Health check port, specify the port that the health check should run on.

    3. For Healthy threshold, specify the number of consecutive successful health checks that must occur before declaring the listener healthy.

    4. For Health check interval, specify the time period in milliseconds between each health check execution.

    5. For Path, specify the destination path for the health check request. This value is only used if the Health check protocol is http or http2. The value is ignored for other protocols.

    6. For Timeout period, specify the amount of time to wait when receiving a response from the health check, in milliseconds.

    7. For Unhealthy threshold, specify the number of consecutive failed health checks that must occur before declaring the listener unhealthy.

  9. Choose Create virtual node to finish.

  10. Repeat this procedure as necessary to create virtual nodes for each remaining service in your application.

Step 3: Create Your Virtual Routers

Virtual routers handle traffic for one or more virtual services within your mesh. After you create a virtual router, you can create and associate routes for your virtual router that direct incoming requests to different virtual nodes. For more information, see Virtual Routers in the AWS App Mesh User Guide.

Create a virtual router for each microservice in your application.

To create a virtual router in the AWS Management Console

  1. Choose Virtual routers in the left navigation.

  2. Choose Create virtual router.

  3. For Virtual router name, specify a name for your virtual router. Up to 255 letters, numbers, hyphens, and underscores are allowed.

  4. For Listener, specify a Port and Protocol for your virtual router.

  5. Choose Create virtual router to finish.

  6. Repeat this procedure as necessary to create virtual routers for each remaining service in your application.

Step 4: Create Your Routes

A route is associated with a virtual router, and it is used to match requests for a virtual router and distribute traffic accordingly to its associated virtual nodes. For more information, see Routes in the AWS App Mesh User Guide.

Create a route for each microservice in your application.

To create a route in the AWS Management Console

  1. Choose Virtual routers in the left navigation.

  2. Choose the virtual router that you want to associate a new route with.

  3. In the Routes table, choose Create route.

  4. For Route name, specify the name to use for your route.

  5. For Route type, choose the protocol that you want to route.

  6. (Optional) For Route priority, specify a priority from 0-1000 to use for your route. Routes are matched based on the specified value, where 0 is the highest priority.

  7. For Virtual node name, choose the virtual node that this route will serve traffic to.

  8. For Weight, choose a relative weight for the route. Select Add target to add additional virtual nodes. The total weight for all targets combined must be less than or equal to 100.

  9. (Optional) To use HTTP path and header-based routing, choose Additional configuration.

  10. (Optional) To use HTTP path-based routing, specify the Prefix that the route should match. For additional information about path-based routing, see Path-based Routing.

  11. (Optional) Select a Method. For additional information about HTTP header-based routing, see HTTP Headers.

  12. (Optional) Select a Scheme.

  13. (Optional) Select Add header. Enter the Header name that you want to route based on, select a Match type, and enter a Match value. Selecting Invert will match the opposite.

  14. (Optional) Select Add header. You can add up to ten headers.

  15. Choose Create route to finish.

  16. Repeat this procedure as necessary to create routes for each remaining service in your application.

Step 5: Create Your Virtual Services

A virtual service is an abstraction of a real service that is provided by a virtual node directly or indirectly by means of a virtual router. Dependent services call your virtual service by its virtualServiceName, and those requests are routed to the virtual node or virtual router that is specified as the provider for the virtual service. For more information, see Virtual Services in the AWS App Mesh User Guide.

Create a virtual service for each microservice in your application.

To create a virtual service in the AWS Management Console

  1. Choose Virtual services in the left navigation.

  2. Choose Create virtual service.

  3. For Virtual service name, choose a name for your virtual service. We recommend that you use the service discovery name of the real service that you're targeting (such as service-a.default.svc.cluster.local). The name that you specify must resolve to a non-loopback IP address.

  4. For Provider, choose the provider type for your virtual service:

    • If you want the virtual service to spread traffic across multiple virtual nodes, select Virtual router and then choose the virtual router to use from the drop-down menu.

    • If you want the virtual service to reach a virtual node directly, without a virtual router, select Virtual node and then choose the virtual node to use from the drop-down menu.

    • If you don't want the virtual service to route traffic at this time (for example, if your virtual nodes or virtual router doesn't exist yet), choose None. You can update the provider for this virtual service later.

  5. Choose Create virtual service to finish.

  6. Repeat this procedure as necessary to create virtual services for each remaining service in your application.
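The five console procedures above, carried out as the equivalent App Mesh API calls in one script. This is an added example and not code from the original page or from AWS: the mesh, node, router, route and virtual service names, the Cloud Map namespace local, the /health path and the health check thresholds are assumptions, and RecordingClient is a stand-in that records the calls so the script runs without an AWS account. Pass boto3.client("appmesh") instead to create the resources for real; the operation names and the spec shapes are those of the App Mesh API.

```python
"""Create the App Mesh resources from Steps 1-5 through the API rather than the
console. Added example, not part of the original page; all names are assumptions."""
import json
import os
from typing import Any, Dict, List

try:
    import boto3  # only needed to create the resources for real
except ImportError:
    boto3 = None

MESH = "my-mesh"              # assumed mesh name
VNODE = "service-a-vn"        # assumed virtual node name
VROUTER = "service-a-vr"      # assumed virtual router name
ROUTE = "service-a-route"     # assumed route name
VSERVICE = "service-a.local"  # assumed: the Cloud Map name that callers already resolve
PORT = 9080                   # the application port used throughout this page


def virtual_node_spec(namespace: str, service: str, backends: List[str]) -> Dict[str, Any]:
    """Step 2: Cloud Map discovery, one HTTP listener with a health check, the
    virtual services this node may call, and Envoy access logs on /dev/stdout."""
    return {
        "listeners": [{
            "portMapping": {"port": PORT, "protocol": "http"},
            "healthCheck": {
                "protocol": "http", "path": "/health", "port": PORT,
                "healthyThreshold": 2, "unhealthyThreshold": 2,
                "timeoutMillis": 2000, "intervalMillis": 5000,
            },
        }],
        "serviceDiscovery": {"awsCloudMap": {"namespaceName": namespace, "serviceName": service}},
        "backends": [{"virtualService": {"virtualServiceName": b}} for b in backends],
        "logging": {"accessLog": {"file": {"path": "/dev/stdout"}}},
    }


def virtual_router_spec() -> Dict[str, Any]:
    """Step 3: the router listens on the same port and protocol as the nodes behind it."""
    return {"listeners": [{"portMapping": {"port": PORT, "protocol": "http"}}]}


def route_spec(targets: Dict[str, int], prefix: str = "/", priority: int = 10) -> Dict[str, Any]:
    """Step 4: prefix match with weighted targets; the console's <= 100 rule is enforced."""
    total = sum(targets.values())
    if total > 100:
        raise ValueError(f"target weights sum to {total}; must be <= 100")
    return {
        "priority": priority,
        "httpRoute": {
            "match": {"prefix": prefix},
            "action": {"weightedTargets": [{"virtualNode": n, "weight": w} for n, w in targets.items()]},
        },
    }


def virtual_service_spec(router: str) -> Dict[str, Any]:
    """Step 5: provider is a virtual router; use {"virtualNode": {"virtualNodeName": ...}} to skip it."""
    return {"provider": {"virtualRouter": {"virtualRouterName": router}}}


class RecordingClient:
    """Stand-in for boto3.client("appmesh"): records each call instead of sending it."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def __getattr__(self, op: str):
        def call(**kwargs: Any) -> Dict[str, Any]:
            self.calls.append({"op": op, **kwargs})
            return {}
        return call


def create_mesh_resources(client, namespace: str = "local", service: str = "service-a") -> List[str]:
    """Run Steps 1-5 in dependency order (mesh, node, router, route, service)."""
    ops = [
        ("create_mesh", dict(meshName=MESH)),
        ("create_virtual_node", dict(meshName=MESH, virtualNodeName=VNODE,
                                     spec=virtual_node_spec(namespace, service, backends=[]))),
        ("create_virtual_router", dict(meshName=MESH, virtualRouterName=VROUTER,
                                       spec=virtual_router_spec())),
        ("create_route", dict(meshName=MESH, virtualRouterName=VROUTER, routeName=ROUTE,
                              spec=route_spec({VNODE: 100}))),
        ("create_virtual_service", dict(meshName=MESH, virtualServiceName=VSERVICE,
                                        spec=virtual_service_spec(VROUTER))),
    ]
    for op, kwargs in ops:
        getattr(client, op)(**kwargs)
    return [op for op, _ in ops]


if __name__ == "__main__":
    # Dry run by default; set APPLY=1 (with boto3 and credentials) to create the resources.
    client = boto3.client("appmesh") if boto3 and os.environ.get("APPLY") else RecordingClient()
    create_mesh_resources(client)
    if isinstance(client, RecordingClient):
        print(json.dumps(client.calls, indent=2))
```

The order matters: the route needs both the router and the node, and the virtual service's provider must already exist, which is why the console also offers a None provider for creating the name before its router or node.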

Update Your Microservice Task Definitions

Proxy Configuration

To configure your Amazon ECS service to use App Mesh, your service's task definition must have the following proxy configuration section. Set the proxy configuration type to APPMESH and the containerName to envoy. Set the following property values accordingly.

IgnoredUID

Envoy doesn't proxy traffic from processes that use this user ID. You can choose any user ID that you want for this (our examples use 1337 for historical purposes), but this ID must be the same as the user ID for the Envoy container in your task definition. This matching lets Envoy's own outbound traffic leave the task without being redirected back into the proxy. Because the exemption applies to every process running as that ID, don't run your application containers as the IgnoredUID: their traffic would bypass Envoy entirely, along with the routing, access logging and health checking the mesh provides.

ProxyIngressPort

This is the ingress port for the Envoy proxy container. Set this value to 15000.

ProxyEgressPort

This is the egress port for the Envoy proxy container. Set this value to 15001.

AppPorts

Specify any ingress ports that your application containers listen on. In this example, the application container listens on port 9080.

EgressIgnoredIPs

Envoy doesn't proxy traffic to these IP addresses. Set this value to 169.254.170.2,169.254.169.254. The first address is the Amazon ECS task metadata endpoint, which supplies IAM roles for tasks credentials; the second is the Amazon EC2 instance metadata service. Excluding both keeps credential retrieval out of the mesh so that the proxy and the application can still obtain their credentials.

"proxyConfiguration": {
  "type": "APPMESH",
  "containerName": "envoy",
  "properties": [
    { "name": "IgnoredUID", "value": "1337" },
    { "name": "ProxyIngressPort", "value": "15000" },
    { "name": "ProxyEgressPort", "value": "15001" },
    { "name": "AppPorts", "value": "9080" },
    { "name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254" }
  ]
}

Application Container Envoy Dependency

The application containers in your task definitions must wait for the Envoy proxy to bootstrap and start before they can start. To ensure that this happens, you set a dependsOn section in each application container definition to wait for the Envoy container to report as HEALTHY. The following code block shows an application container definition example with this dependency.

{
  "name": "app",
  "image": "application_image",
  "portMappings": [
    { "containerPort": 9080, "hostPort": 9080, "protocol": "tcp" }
  ],
  "essential": true,
  "dependsOn": [
    { "containerName": "envoy", "condition": "HEALTHY" }
  ]
}

Envoy Container Definition

Your Amazon ECS services' task definitions must contain the App Mesh custom Envoy container image. You can replace the Region with any Region that App Mesh is supported in. For a list of supported regions, see AWS Service Endpoints.

840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod

The Envoy container definition must be marked as essential. Set the APPMESH_VIRTUAL_NODE_NAME environment variable to the name of the virtual node that represents the Amazon ECS service, in the form mesh/meshName/virtualNode/virtualNodeName, and set the user value to match the IgnoredUID value from the task definition proxy configuration (in this example, 1337). The health check shown here polls the Envoy admin interface on port 9901 and waits for the proxy to report the LIVE state before telling Amazon ECS that the container is healthy, so that the application containers that depend on it can start.

The following code block shows an Envoy container definition example.

{
  "name": "envoy",
  "image": "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod",
  "essential": true,
  "environment": [
    { "name": "APPMESH_VIRTUAL_NODE_NAME", "value": "mesh/meshName/virtualNode/virtualNodeName" }
  ],
  "healthCheck": {
    "command": [ "CMD-SHELL", "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE" ],
    "startPeriod": 10,
    "interval": 5,
    "timeout": 2,
    "retries": 3
  },
  "user": "1337"
}

Credentials

The Envoy container requires AWS Identity and Access Management credentials for signing requests that are sent to the App Mesh service. Amazon ECS tasks deployed with the Fargate launch type do not have access to the Amazon EC2 metadata server that supplies instance IAM profile credentials. To supply the credentials, you must attach an IAM task role to any tasks deployed with the Fargate launch type. The role doesn't need to have a policy attached to it, but for a task to work properly with App Mesh, the role must be attached to each task deployed with the Fargate launch type.

Update an Existing Task Definition

The Amazon ECS console assists in the process of updating your existing task definitions to add App Mesh integration.

Update a task definition to add App Mesh integration

  1. Open the Amazon ECS console at https://console.amazonaws.cn/ecs/.

  2. From the navigation bar, choose the region that contains your task definition.

  3. In the navigation pane, choose Task Definitions.

  4. On the Task Definitions page, select the box to the left of the task definition to revise and choose Create new revision.

  5. On the Create new revision of Task Definition page, make the following changes to enable App Mesh integration.

    1. For Service Integration, to configure the parameters for App Mesh integration choose Enable App Mesh integration and then do the following:

      1. For Application container name, choose the container name to use for the App Mesh application. This container must already be defined within the task definition.

      2. For Envoy image, use the auto-populated Envoy container image which is 840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod.

      3. For Mesh name, choose the App Mesh service mesh to use. This must already be created in order for it to show up. For more information, see Service Meshes in the AWS App Mesh User Guide.

      4. For Virtual node name, choose the App Mesh virtual node to use. This must already be created in order for it to show up. For more information, see Virtual Nodes in the AWS App Mesh User Guide.

      5. For Virtual node port, this will be pre-populated with the listener port set on the virtual node.

      6. Choose Apply, Confirm. This adds a new Envoy proxy container to the task definition, along with the settings to support it, and pre-populates the App Mesh proxy configuration settings for the next step.

    2. For Proxy Configuration, verify all of the pre-populated values. For more information on these fields, see Proxy Configuration.

  6. Verify the information and choose Create.

  7. If your task definition is used in a service, update your service with the updated task definition. For more information, see Updating a Service.

Example Task Definitions

The following example Amazon ECS task definitions show, in context, the snippets that you can merge with your existing task groups. Substitute your mesh name and virtual node name for the APPMESH_VIRTUAL_NODE_NAME value and a list of ports that your application listens on for the proxy configuration AppPorts value.

If you're running an Amazon ECS task as described in Credentials, you need an existing task IAM role. You should also add this line of code to the example task definitions that follow: "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskRole"

Example: JSON for an Amazon ECS task definition

{
  "family": "appmesh-gateway",
  "memory": "256",
  "proxyConfiguration": {
    "type": "APPMESH",
    "containerName": "envoy",
    "properties": [
      { "name": "IgnoredUID", "value": "1337" },
      { "name": "ProxyIngressPort", "value": "15000" },
      { "name": "ProxyEgressPort", "value": "15001" },
      { "name": "AppPorts", "value": "9080" },
      { "name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254" }
    ]
  },
  "containerDefinitions": [
    {
      "name": "app",
      "image": "application_image",
      "portMappings": [
        { "containerPort": 9080, "hostPort": 9080, "protocol": "tcp" }
      ],
      "essential": true,
      "dependsOn": [
        { "containerName": "envoy", "condition": "HEALTHY" }
      ]
    },
    {
      "name": "envoy",
      "image": "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod",
      "essential": true,
      "environment": [
        { "name": "APPMESH_VIRTUAL_NODE_NAME", "value": "mesh/meshName/virtualNode/virtualNodeName" }
      ],
      "healthCheck": {
        "command": [ "CMD-SHELL", "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE" ],
        "startPeriod": 10,
        "interval": 5,
        "timeout": 2,
        "retries": 3
      },
      "user": "1337"
    }
  ],
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc"
}
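A check of the rules this section states, run against the task definition above. This is an added example, not part of the original page or of Amazon ECS: TASK_DEF is a copy of the page's example (abridged, the Envoy health check is left out) with the placeholder taskRoleArn from Credentials added, and the rule that no container other than Envoy may run as IgnoredUID is the editor's reading of the IgnoredUID description, since any such container's traffic never reaches the proxy.

```python
"""Check that an Amazon ECS task definition satisfies the App Mesh wiring rules
described in this section. Added example, not part of the original page."""
import json
import sys
from typing import Any, Dict, List

# Constructed input: the page's example task definition (Envoy health check omitted
# for brevity) plus the placeholder taskRoleArn that the Credentials section requires.
TASK_DEF: Dict[str, Any] = {
    "family": "appmesh-gateway",
    "memory": "256",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskRole",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "proxyConfiguration": {
        "type": "APPMESH",
        "containerName": "envoy",
        "properties": [
            {"name": "IgnoredUID", "value": "1337"},
            {"name": "ProxyIngressPort", "value": "15000"},
            {"name": "ProxyEgressPort", "value": "15001"},
            {"name": "AppPorts", "value": "9080"},
            {"name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254"},
        ],
    },
    "containerDefinitions": [
        {"name": "app", "image": "application_image", "essential": True,
         "portMappings": [{"containerPort": 9080, "hostPort": 9080, "protocol": "tcp"}],
         "dependsOn": [{"containerName": "envoy", "condition": "HEALTHY"}]},
        {"name": "envoy", "essential": True, "user": "1337",
         "image": "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod",
         "environment": [{"name": "APPMESH_VIRTUAL_NODE_NAME",
                          "value": "mesh/meshName/virtualNode/virtualNodeName"}]},
    ],
}
METADATA_IPS = {"169.254.170.2", "169.254.169.254"}  # ECS task metadata, EC2 IMDS


def check_app_mesh_task(task: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means every rule in this section holds."""
    findings: List[str] = []
    pc = task.get("proxyConfiguration") or {}
    if pc.get("type") != "APPMESH":
        return ["proxyConfiguration.type must be APPMESH"]
    containers = {c["name"]: c for c in task.get("containerDefinitions", [])}
    envoy = containers.get(pc.get("containerName"))
    if envoy is None:
        return [f"proxyConfiguration.containerName {pc.get('containerName')!r} is not a container"]
    props = {p["name"]: p["value"] for p in pc.get("properties", [])}
    uid = props.get("IgnoredUID")

    # Envoy must run as IgnoredUID so its own traffic is not redirected back to it,
    # be essential so the task stops if the proxy dies, and know its virtual node.
    if str(envoy.get("user")) != uid:
        findings.append(f"envoy user {envoy.get('user')!r} != IgnoredUID {uid!r}")
    if not envoy.get("essential"):
        findings.append("envoy container must be essential")
    env = {e["name"]: e["value"] for e in envoy.get("environment", [])}
    if not env.get("APPMESH_VIRTUAL_NODE_NAME", "").startswith("mesh/"):
        findings.append("envoy needs APPMESH_VIRTUAL_NODE_NAME of the form mesh/<mesh>/virtualNode/<node>")
    if (props.get("ProxyIngressPort"), props.get("ProxyEgressPort")) != ("15000", "15001"):
        findings.append("ProxyIngressPort/ProxyEgressPort must be 15000/15001")

    # Both metadata endpoints must be excluded from egress redirection, or the
    # task cannot fetch its IAM credentials.
    missing = METADATA_IPS - {ip.strip() for ip in props.get("EgressIgnoredIPs", "").split(",")}
    if missing:
        findings.append(f"EgressIgnoredIPs missing {sorted(missing)}")

    app_ports = {p.strip() for p in props.get("AppPorts", "").split(",") if p.strip()}
    for name, c in containers.items():
        if c is envoy:
            continue
        # Any other process with IgnoredUID also skips the proxy: acceptable for a
        # sidecar such as xray-daemon, wrong for an application container.
        if str(c.get("user")) == uid:
            findings.append(f"container {name!r} runs as IgnoredUID and bypasses the mesh")
            continue
        for pm in c.get("portMappings", []):
            if pm.get("protocol", "tcp") == "tcp" and str(pm["containerPort"]) not in app_ports:
                findings.append(f"container {name!r} listens on {pm['containerPort']}, not in AppPorts")
        deps = {(d["containerName"], d["condition"]) for d in c.get("dependsOn", [])}
        if (envoy["name"], "HEALTHY") not in deps:
            findings.append(f"container {name!r} must dependsOn envoy with condition HEALTHY")

    if task.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc")
    if not task.get("taskRoleArn"):
        findings.append("taskRoleArn missing: Fargate tasks need a task role so Envoy can sign App Mesh requests")
    return findings


if __name__ == "__main__":
    # Pass a task definition JSON file as the argument; with none, TASK_DEF is checked.
    task = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else TASK_DEF
    for line in check_app_mesh_task(task) or ["OK: task definition is wired for App Mesh"]:
        print(line)
```

Saved to a file and run with the path of a registered task definition's JSON as its argument, it prints one line per violated rule. Run against the X-Ray example that follows, it reports the xray-daemon container as bypassing the mesh, which is exactly what running that sidecar as 1337 achieves: the finding lists the containers whose traffic the mesh never sees, so you can confirm that the list is intentional.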

Example: JSON for an Amazon ECS task definition with AWS X-Ray

X-Ray allows you to collect data about requests that an application serves and provides tools that you can use to visualize traffic flow. Using the X-Ray driver for Envoy enables Envoy to report tracing information to X-Ray. You can enable X-Ray tracing using the Envoy configuration. Based on the configuration, Envoy sends tracing data to the X-Ray daemon running as a sidecar container and the daemon forwards the traces to the X-Ray service. Once the traces are published to X-Ray, you can use the X-Ray console to visualize the service call graph and request trace details. The following JSON represents a task definition to enable X-Ray integration.

{
  "family": "appmesh-gateway",
  "memory": "256",
  "proxyConfiguration": {
    "type": "APPMESH",
    "containerName": "envoy",
    "properties": [
      { "name": "IgnoredUID", "value": "1337" },
      { "name": "ProxyIngressPort", "value": "15000" },
      { "name": "ProxyEgressPort", "value": "15001" },
      { "name": "AppPorts", "value": "9080" },
      { "name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254" }
    ]
  },
  "containerDefinitions": [
    {
      "name": "app",
      "image": "application_image",
      "portMappings": [
        { "containerPort": 9080, "hostPort": 9080, "protocol": "tcp" }
      ],
      "essential": true,
      "dependsOn": [
        { "containerName": "envoy", "condition": "HEALTHY" }
      ]
    },
    {
      "name": "envoy",
      "image": "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.12.1.0-prod",
      "essential": true,
      "environment": [
        { "name": "APPMESH_VIRTUAL_NODE_NAME", "value": "mesh/meshName/virtualNode/virtualNodeName" },
        { "name": "ENABLE_ENVOY_XRAY_TRACING", "value": "1" }
      ],
      "healthCheck": {
        "command": [ "CMD-SHELL", "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE" ],
        "startPeriod": 10,
        "interval": 5,
        "timeout": 2,
        "retries": 3
      },
      "user": "1337"
    },
    {
      "name": "xray-daemon",
      "image": "amazon/aws-xray-daemon",
      "user": "1337",
      "essential": true,
      "cpu": 32,
      "memoryReservation": 256,
      "portMappings": [
        { "containerPort": 2000, "protocol": "udp" }
      ]
    }
  ],
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc"
}