I have a VPC with RDS available in a private subnet. I can connect to this from an EC2 box from within the subnet. However, my Lambdas cannot connect!
Please could you look at the following configuration and spot my mistake?
Lambda config:
$ aws lambda get-function-configuration --function-name test
{
"FunctionName": "test",
"Role": "arn:aws:iam::xxxx:role/lambda_role",
...
"VpcConfig": {
"SubnetIds": [
"subnet-00f3f0cb6957dbefa",
"subnet-0d3d2cf4df53a862f"
],
"SecurityGroupIds": [
"sg-018da51b77f57eabf"
],
"VpcId": "vpc-0704ca4d3f652fe9e"
},
...
"RevisionId": "e55b6fa2-998a-4b18-a620-69a218882b4e"
}
Execution role:
$ aws list-attached-role-policies --role-name lambda_role
{
"AttachedPolicies": [
{
"PolicyName": "AWSLambdaVPCAccessExecutionRole",
"PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
]
}
VPC:
$ aws ec2 describe-vpcs --vpc-ids vpc-0704ca4d3f652fe9e
{
"Vpcs": [
{
"CidrBlock": "10.1.0.0/16",
"DhcpOptionsId": "dopt-7764271f",
"State": "available",
"VpcId": "vpc-0704ca4d3f652fe9e",
"InstanceTenancy": "default",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0c110a5fa85eb8883",
"CidrBlock": "10.1.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": []
}
]
}
Security Group:
$ aws ec2 describe-security-groups --group-ids sg-018da51b77f57eabf
{
"SecurityGroups": [
{
"Description": "Security group for Lambdas",
"GroupName": "lambda-sg",
"IpPermissions": [],
"OwnerId": "xxxxx",
"GroupId": "sg-018da51b77f57eabf",
"IpPermissionsEgress": [
{
"FromPort": 0,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 65535,
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0704ca4d3f652fe9e"
}
]
}
RDS security group (specifies both public and private subnets):
$ aws ec2 describe-security-groups --group-ids sg-0fbf7205b5d5fa98c
{
"SecurityGroups": [
{
"Description": "Security group for RDS instance",
"GroupName": "rds-sg",
"IpPermissions": [
{
"FromPort": 3306,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "10.1.2.0/24"
},
{
"CidrIp": "10.1.1.0/24"
},
{
"CidrIp": "10.1.4.0/24"
},
{
"CidrIp": "10.1.3.0/24"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 3306,
"UserIdGroupPairs": []
}
],
"OwnerId": "xxxxxx",
"GroupId": "sg-0fbf7205b5d5fa98c",
"IpPermissionsEgress": [],
"VpcId": "vpc-0704ca4d3f652fe9e"
}
]
}
Linked:
AWS Lambda Function not joining VPC
Try to enable ICMP on any security group and any network ACL. It could simply be a PMTUD blackhole situation.
Related
I'm using Laravel.
I want to deploy it to ECS (B/G) to see how it works.
In the development environment, Laravel is running.
I was able to launch my Laravel project on EC2 using docker.
I want to use Fargate for the first time and deploy to ECS!
Also, CodeBuild has completed successfully.
appspec.yml
version: 0.0 Resources:
- TargetService:
Type: AWS::ECS::Service
Properties:
TaskDefinition: "<TASK_DEFINITION>"
LoadBalancerInfo:
ContainerName: "nginx"
ContainerPort: "80"
taskdef.json
{
"taskRoleArn": "arn:aws:iam::**********:role/ecsTaskExecutionRole",
"executionRoleArn": "arn:aws:iam::**********:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/****-system",
"awslogs-region": "******",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": [
"sh",
"-c"
],
"command": [
"php artisan config:cache && php artisan migrate && chmod -R 777 storage/ && chmod -R 777 bootstrap/cache/"
],
"cpu": 0,
"environment": [
{
"name": "APP_ENV",
"value": "staging"
}
],
"workingDirectory": "/var/www/html",
"image": "<IMAGE1_NAME>",
"name": "php"
},
{
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/****-system",
"awslogs-region": "****",
"awslogs-stream-prefix": "ecs"
}
},
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"environment": [
{
"name": "APP_ENV",
"value": "staging"
}
],
"workingDirectory": "/var/www/html",
"image": "**********.dkr.ecr.**********.amazonaws.com/**********-nginx:latest",
"name": "nginx"
}
],
"placementConstraints": [],
"memory": "2048",
"family": "*****-system",
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "1024",
"volumes": []
}
CodeDeploy stopped at INSTALL, and there are no errors.
As you can see in the capture, we can confirm that "<TASK_DEFINITION>" has been replaced.
I'd like to know if there's any information I'm missing.
I'm not sure how to set environment variables such as ".env", so I'm thinking this might be the cause.
CodeDeploy Failed
Revision
Task Definitions
ECR
ECR nginx
ECR src(laravel)
If you want to change .env file to set env variable, you may use ssh connection to your webserver and run nano .env command at root folder, to write the file.
You can also modify the file using ftp connection.
I have a consul running locally on a dev machine. I also have one golang service running on two different ports on the same machine. Is there a way to register them as one service but two instances in consul using golang API (for example, is it possible to specify the node name when registering)?
Here's a very basic example which registers two instances of a service named my-service. Each instance is configured to listen on a different port, 8080 and 8081 respectively.
The key thing to note is that the service instances are also registered with a unique service ID in order to disambiguate between instance A and instance B of my-service which are running on the same agent.
package main
import (
"fmt"
"github.com/hashicorp/consul/api"
)
func main() {
// Get a new client
client, err := api.NewClient(api.DefaultConfig())
if err != nil {
panic(err)
}
service_name := "my-service"
service_ports := [2]int{8080, 8081}
for idx, port := range service_ports {
svc_reg := &api.AgentServiceRegistration{
ID: fmt.Sprintf("%s-%d", service_name, idx),
Name: service_name,
Port: port,
}
client.Agent().ServiceRegister(svc_reg)
}
}
After running go mod init consul-register (or any module name), and executing the code with go run main.go, you can see the service has been registered in the catalog.
$ consul catalog services
consul
my-service
Both service instances are correctly being returned for service discovery queries over DNS or HTTP.
$ dig #127.0.0.1 -p 8600 -t SRV my-service.service.consul +short
1 1 8080 b1000.local.node.dc1.consul.
1 1 8081 b1000.local.node.dc1.consul.
$ curl localhost:8500/v1/health/service/my-service
[
{
"Node": {
"ID": "11113853-a8e0-5787-7482-538078db855a",
"Node": "b1000.local",
"Address": "127.0.0.1",
"Datacenter": "dc1",
"TaggedAddresses": {
"lan": "127.0.0.1",
"lan_ipv4": "127.0.0.1",
"wan": "127.0.0.1",
"wan_ipv4": "127.0.0.1"
},
"Meta": {
"consul-network-segment": ""
},
"CreateIndex": 11,
"ModifyIndex": 13
},
"Service": {
"ID": "my-service-0",
"Service": "my-service",
"Tags": [],
"Address": "",
"Meta": null,
"Port": 8080,
"Weights": {
"Passing": 1,
"Warning": 1
},
"EnableTagOverride": false,
"Proxy": {
"Mode": "",
"MeshGateway": {},
"Expose": {},
"TransparentProxy": {}
},
"Connect": {},
"CreateIndex": 14,
"ModifyIndex": 14
},
"Checks": [
{
"Node": "b1000.local",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"ServiceTags": [],
"Type": "",
"Definition": {},
"CreateIndex": 11,
"ModifyIndex": 11
}
]
},
{
"Node": {
"ID": "11113853-a8e0-5787-7482-538078db855a",
"Node": "b1000.local",
"Address": "127.0.0.1",
"Datacenter": "dc1",
"TaggedAddresses": {
"lan": "127.0.0.1",
"lan_ipv4": "127.0.0.1",
"wan": "127.0.0.1",
"wan_ipv4": "127.0.0.1"
},
"Meta": {
"consul-network-segment": ""
},
"CreateIndex": 11,
"ModifyIndex": 13
},
"Service": {
"ID": "my-service-1",
"Service": "my-service",
"Tags": [],
"Address": "",
"Meta": null,
"Port": 8081,
"Weights": {
"Passing": 1,
"Warning": 1
},
"EnableTagOverride": false,
"Proxy": {
"Mode": "",
"MeshGateway": {},
"Expose": {},
"TransparentProxy": {}
},
"Connect": {},
"CreateIndex": 15,
"ModifyIndex": 15
},
"Checks": [
{
"Node": "b1000.local",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"ServiceTags": [],
"Type": "",
"Definition": {},
"CreateIndex": 11,
"ModifyIndex": 11
}
]
}
]
Is it possible to configure a consul agent sidecar with a websocket upstream? I have tried the following configuration but it doesn't work:
{
"bind_addr": "172.17.0.2",
"data_dir": "/consul/data",
"datacenter": "dc1",
"node_id" : "98dc3bf4-a364-46d9-8b72-624963064ab2",
"node_name": "socket-client-agent",
"leave_on_terminate": true,
"ports": [
{
"grpc": 8502
}
],
"server": false,
"service": [
{
"address": "172.17.0.3",
"connect": [
{
"sidecar_service": [
{
"checks": [
{
"interval": "10s",
"name": "socket-client-sidecar-proxy",
"tcp": "172.17.0.3:21000"
}
],
"port": 21000,
"proxy": [
{
"config": [
{
"bind_address": "0.0.0.0",
"bind_port": 21000,
"protocol": "tcp"
}
],
"upstreams": [
{
"destination_name": "sockets-server",
"local_bind_port": 5001,
"config": {
"protocol": "tcp"
}
}
]
}
]
}
]
}
],
"id": "socket-client-0",
"name": "socket-client",
"port": 5000
}
],
"ui_config": [
{
"enabled": false
}
]
}
From the configuration I'm trying to connect to sockets-server service which uses websockets protocol. I'm using envoy as sidecar proxy.
Currently Consul does not configure Envoy correctly to support WebSocket upgrades. This GitHub issue has more detail on the issue, and potential fix – https://github.com/hashicorp/consul/issues/9473.
I am very new to spring boot in pivotal cloud foundry. I am able to deploy the apps and bind them to config-server. When i access the app, it is asking for login details. I tried with pivotal credentials it didn't worked. I am struggling from days to find the credentials for this. Can someone help where can i find the username and password.
I have checked VCAP_SERVICES env variable but no luck. Below is my VCAP_SERVICES
{
"VCAP_SERVICES": {
"p-config-server": [
{
"binding_name": null,
"credentials": {
"access_token_uri": "https://p-spring-cloud-services.uaa.run.pivotal.io/oau
th/token",
"client_id": "p-config-server-066a4553-a934-4d52-b016-30e2ab7e6d90",
"client_secret": "rHnPwJj613pP",
"uri": "https://config-da1be911-4c82-41a3-a3bd-0b06ea295480.cfapps.io"
},
"instance_name": "config-server",
"label": "p-config-server",
"name": "config-server",
"plan": "trial",
"provider": null,
"syslog_drain_url": null,
"tags": [
"configuration",
"spring-cloud"
],
"volume_mounts": []
}
],
"p-service-registry": [
{
"binding_name": null,
"credentials": {
"access_token_uri": "https://p-spring-cloud-services.uaa.run.pivotal.io/oau
th/token",
"client_id": "p-service-registry-ae9f69cf-258d-45ea-821e-1fa4db37f1a3",
"client_secret": "XJOLKHZqwssd",
"uri": "https://eureka-89a144f4-7dc7-4b6d-8152-c4414b748ec0.cfapps.io"
},
"instance_name": "service-registry",
"label": "p-service-registry",
"name": "service-registry",
"plan": "trial",
"provider": null,
"syslog_drain_url": null,
"tags": [
"eureka",
"discovery",
"registry",
"spring-cloud"
],
"volume_mounts": []
}
]
}
}
{
"VCAP_APPLICATION": {
"application_id": "1b398fd8-61f2-47e3-875d-d3fe7574513a",
"application_name": "customer-service",
"application_uris": [
"customer-service-demo.cfapps.io"
],
"application_version": "d0243f11-b7af-4bb3-b3a3-b7a4c95e6298",
"cf_api": "https://api.run.pivotal.io",
"limits": {
"disk": 1024,
"fds": 16384,
"mem": 1024
},
"name": "customer-service",
"organization_id": "8e425cae-75a0-433a-a8a7-79c4f81d7c85",
"organization_name": "MSA_springboot",
"process_id": "1b398fd8-61f2-47e3-875d-d3fe7574513a",
"process_type": "web",
"space_id": "8902b90c-9964-4f9d-b426-ca1635589ebe",
"space_name": "development",
"uris": [
"customer-service-demo.cfapps.io"
],
"users": null,
"version": "d0243f11-b7af-4bb3-b3a3-b7a4c95e6298"
}
}
User-Provided:
SPRING_PROFILES_ACTIVE: dev
No running env variables have been set
No staging env variables have been set```[enter image description here][1]
[1]: https://i.stack.imgur.com/9kNWC.png
I installed DC/OS with 3 masters and 3 agents and face a problem with virtual networking. Here is my Marathon app spec:
{
"id": "/nginx",
"cmd": null,
"cpus": 1,
"mem": 128,
"disk": 0,
"instances": 1,
"container": {
"type": "DOCKER",
"volumes": [],
"docker": {
"image": "nginx",
"network": "BRIDGE",
"portMappings": [
{
"containerPort": 80,
"hostPort": 0,
"servicePort": 10002,
"protocol": "tcp",
"name": "main1",
"labels": {
"VIP_0": "9.0.0.0:34562"
}
}
],
"privileged": false,
"parameters": [],
"forcePullImage": false
}
},
"portDefinitions": [
{
"port": 10002,
"protocol": "tcp",
"labels": {}
}
]
}
I see the following in the DC/OS virtual network section:
VIRTUAL NETWORK NAME | SUBNET | AGENT PREFIX LENGTH
dcos 9.0.0.0/8 24
The containers stays in waiting for a long time. If I remove the port mapping section it runs successfully.
Basically I need to know how to work with this new virtual network, and fix the service discovery and load balancing without using any extra stuff.
Took me some time to figure it out as well...
You need to:
Remove all ports assignment in the task definition
Describe the name of the network to attach to (default network created is named "dcos")
{
"id": "yourtask",
"container": {
"type": "DOCKER",
"docker": {
"image": "your/image",
"network": "USER"
}
},
"acceptedResourceRoles" : [
"slave_public"
],
"ipAddress": {
"networkName": "dcos"
},
"instances": 2,
"cpus": 0.2,
"mem": 128
}