Service Connect
Amazon ECS Service Connect provides management of service-to-service communication as Amazon ECS configuration. It does this by building both service discovery and a service mesh in Amazon ECS. This provides the complete configuration inside each Amazon ECS service that you manage by service deployments, a unified way to refer to your services within namespaces that doesn't depend on the Amazon VPC DNS configuration, and standardized metrics and logs to monitor all of your applications on Amazon ECS. Amazon ECS Service Connect only interconnects Amazon ECS services.
The following diagram shows an example Service Connect network with 2 subnets in the VPC and 2 services: a client service that runs WordPress with 1 task in each subnet, and a server service that runs MySQL with 1 task in each subnet. Both services are highly available and resilient to task and Availability Zone issues because each service runs multiple tasks that are spread out over 2 subnets. The solid arrows show a connection from WordPress to MySQL. For example, consider a mysql --host=mysql CLI command that is run from inside the WordPress container in the task with the IP address 172.31.16.1. The command uses the short name mysql on the default port for MySQL. This name and port connect to the Service Connect proxy in the same task. The proxy in the WordPress task uses round-robin load balancing and any previous failure information in outlier detection to pick which MySQL task to connect to. As shown by the solid arrows in the diagram, the proxy connects to the second proxy in the MySQL task with the IP address 172.31.16.2. The second proxy connects to the local MySQL server in the same task. Both proxies report connection performance that is visible in graphs in the Amazon ECS and Amazon CloudWatch consoles so that you can get performance metrics from all kinds of applications in the same way.

Overview of steps to configure Service Connect
Follow these steps to configure Service Connect for a group of related services.
Important
Amazon ECS Service Connect creates Amazon Cloud Map services in your account. Modifying these Amazon Cloud Map resources by manually registering or deregistering instances, changing instance attributes, or deleting a service may lead to unexpected behaviour for your application traffic or subsequent deployments.
- Add port names to the port mappings in your task definitions. Additionally, you can identify the layer 7 protocol of the application to get additional metrics.
- Create an ECS cluster with an Amazon Cloud Map namespace or create the namespace separately. For simple organization, create an Amazon ECS cluster with the name that you want for the namespace and specify the identical name for the namespace. In this case, Amazon ECS creates a new HTTP namespace with the necessary configuration. Amazon ECS Service Connect doesn't use or create DNS hosted zones in Amazon Route 53.
- Configure services to create Service Connect endpoints within the namespace.
- Deploy services to create the endpoints. Amazon ECS adds a Service Connect proxy container to each task, and creates the Service Connect endpoints in Amazon Cloud Map. This container isn't configured in the task definition, and the task definition can be reused without modification to create multiple services in the same namespace or in multiple namespaces.
- Deploy client apps as services to connect to the endpoints. Amazon ECS connects them to the Service Connect endpoints through the Service Connect proxy in each task.
  Applications only use the proxy to connect to Service Connect endpoints. There is no additional configuration to use the proxy. The proxy performs round-robin load balancing, outlier detection, and retries. For more information about the proxy, see Service Connect proxy.
- Monitor traffic through the Service Connect proxy in Amazon CloudWatch.
Regions with Service Connect
Amazon ECS Service Connect is available in the following Amazon Regions:
Region Name | Region |
---|---|
US East (Ohio) | us-east-2 |
US East (N. Virginia) | us-east-1 |
US West (N. California) | us-west-1 |
US West (Oregon) | us-west-2 |
Africa (Cape Town) | af-south-1 |
Asia Pacific (Hong Kong) | ap-east-1 |
Asia Pacific (Jakarta) | ap-southeast-3 |
Asia Pacific (Mumbai) | ap-south-1 |
Asia Pacific (Osaka) | ap-northeast-3 |
Asia Pacific (Seoul) | ap-northeast-2 |
Asia Pacific (Singapore) | ap-southeast-1 |
Asia Pacific (Sydney) | ap-southeast-2 |
Asia Pacific (Tokyo) | ap-northeast-1 |
Canada (Central) | ca-central-1 |
China (Beijing) | cn-north-1 |
China (Ningxia) | cn-northwest-1 |
Europe (Frankfurt) | eu-central-1 |
Europe (Ireland) | eu-west-1 |
Europe (London) | eu-west-2 |
Europe (Paris) | eu-west-3 |
Europe (Milan) | eu-south-1 |
Europe (Stockholm) | eu-north-1 |
Europe (Zurich) | eu-central-2 |
Israel (Tel Aviv) | il-central-1 |
Middle East (Bahrain) | me-south-1 |
Middle East (UAE) | me-central-1 |
South America (São Paulo) | sa-east-1 |
Service Connect considerations
- Windows containers aren't supported with Service Connect.
- Tasks that run in Fargate must use the Fargate Linux platform version 1.4.0 or higher to use Service Connect.
- The ECS agent version on the container instance must be 1.67.2 or higher.
- Container instances must run the Amazon ECS-optimized Amazon Linux 2023 AMI version 20230428 or later, or Amazon ECS-optimized Amazon Linux 2 AMI version 2.0.20221115 to use Service Connect. These versions have the Service Connect agent in addition to the Amazon ECS container agent. For more information about the Service Connect agent, see Amazon ECS Service Connect Agent on GitHub.
- Container instances must have the ecs:Poll permission for the resource arn:aws:ecs:region:0123456789012:task-set/cluster/*. If you are using the ecsInstanceRole, you don't need to add additional permissions. The AmazonEC2ContainerServiceforEC2Role managed policy has the necessary permissions. For more information, see Amazon ECS container instance IAM role.
- External container instances for Amazon ECS Anywhere aren't supported with Service Connect.
- Only services that use rolling deployments are supported with Service Connect. Services that use the blue/green and external deployment types aren't supported.
- Task definitions must set the task memory limit to use Service Connect. For more information, see Service Connect proxy.
- Task definitions that set container memory limits for all containers instead of setting the task memory limit aren't supported.
  You can set container memory limits on your containers, but you must set the task memory limit to a number greater than the sum of the container memory limits. The additional CPU and memory in the task limits that aren't allocated in the container limits are used by the Service Connect proxy container and other containers that don't set container limits. For more information, see Service Connect proxy.
- You can configure Service Connect in a service to use any Amazon Cloud Map namespace in the same Amazon Web Services Region in the same Amazon Web Services account.
- Each Amazon ECS service can belong to only one namespace.
- Only the tasks that Amazon ECS services create are supported. Standalone tasks can't be configured for Service Connect.
- All endpoints must be unique within a namespace.
- All discovery names must be unique within a namespace.
- Existing services must be redeployed before the applications in them can resolve new endpoints. New endpoints that are added to the namespace after the most recent deployment won't be added to the task configuration. For more information, see Deployment order.
- You can create a namespace when creating a new cluster. Amazon ECS Service Connect doesn't delete namespaces when clusters are deleted. You must delete namespaces directly in Amazon Cloud Map if you are done using them.
- Service Connect doesn't support HTTP 1.0.
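The configuration steps in the overview and several of the considerations above can be checked before a deployment. The following is an added example, not code from AWS or from the original page: a preflight check over a task definition and a service definition. The sample definitions, the namespace name example-namespace, and the function name service_connect_findings are constructed for illustration, and the task memory limit is assumed to be written as an integer number of MiB.

```python
# Added example (not AWS code). Sample data below is constructed for illustration.
TASK_DEF = {
    "family": "mysql-example",
    "memory": "1024",  # task memory limit; assumed to be an integer MiB string
    "containerDefinitions": [{
        "name": "mysql",
        "memory": 768,  # container limit; the remainder is headroom for the proxy
        "portMappings": [{"name": "mysql", "containerPort": 3306}],
    }],
}
SERVICE = {
    "serviceName": "mysql",
    "deploymentController": {"type": "ECS"},  # ECS = rolling deployment
    "serviceConnectConfiguration": {
        "enabled": True,
        "namespace": "example-namespace",
        "services": [{"portName": "mysql", "discoveryName": "mysql",
                      "clientAliases": [{"port": 3306, "dnsName": "mysql"}]}],
    },
}

def service_connect_findings(task_def, service):
    """Return a list of problems; an empty list means no finding."""
    findings = []
    containers = task_def.get("containerDefinitions", [])
    # Port mappings must be named before a service can expose them as endpoints.
    port_names = {pm["name"] for c in containers
                  for pm in c.get("portMappings", []) if pm.get("name")}
    # The task memory limit must be set and must exceed the container limits.
    task_mem = task_def.get("memory")
    container_sum = sum(int(c.get("memory", 0)) for c in containers)
    if task_mem is None:
        findings.append("task memory limit is not set")
    elif int(task_mem) <= container_sum:
        findings.append(f"task memory {task_mem} is not greater than "
                        f"the container limits ({container_sum})")
    # Only rolling deployments are supported with Service Connect.
    controller = service.get("deploymentController", {}).get("type", "ECS")
    if controller != "ECS":
        findings.append(f"deployment controller {controller} is not rolling")
    # Every Service Connect endpoint must point at a named port mapping.
    sc = service.get("serviceConnectConfiguration", {})
    for svc in sc.get("services", []):
        if svc.get("portName") not in port_names:
            findings.append(f"portName {svc.get('portName')!r} has no port mapping")
    return findings

if __name__ == "__main__":
    print(service_connect_findings(TASK_DEF, SERVICE) or "no findings")
```

The check covers port names, the task memory limit, and the deployment type only; the platform version, agent version, and AMI requirements depend on the infrastructure and are not visible in these two definitions.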
Service Connect console experience
Service Connect management is available only in the new Amazon ECS console.
To create a new namespace, either create a new Amazon ECS cluster using the Amazon ECS console and specify a namespace name to create, or use the Amazon Cloud Map console. Amazon ECS Service Connect can use any instance discovery type of Amazon Cloud Map namespace. We recommend the API calls type to make the minimum amount of additional resources. To create a new Amazon ECS cluster and namespace in the Amazon ECS console, see Creating a cluster for the Fargate and External launch type using the console.
Every Amazon Cloud Map namespace in this Amazon Web Services account in the selected Amazon Web Services Region is displayed under Namespaces in the Amazon ECS console.
To delete a namespace, use the Amazon Cloud Map console. A namespace must be empty before it can be deleted.
To create a new Amazon ECS task definition, or register a new revision to an existing task definition and use Service Connect, see Creating a task definition using the console.
To create a new Amazon ECS service that uses Service Connect, see Creating a service using the console.
Service Connect pricing
Amazon ECS Service Connect pricing depends on whether you use Amazon Fargate or Amazon EC2 infrastructure to host your containerized workloads. When using Amazon ECS on Amazon Outposts, the pricing follows the same model that's used when you use Amazon EC2 directly. For more information, see Amazon ECS Pricing.