Recently, I found myself struggling more than expected with updating the security group in ECS on Fargate. In this post, I would like to share the update process that I discovered during my research.
Configuring Security Groups in ECS
In ECS, the security group is not part of the task definition. It is attached to the Elastic Network Interface (ENI) the task's traffic goes through, so it is configured wherever that ENI is. In ECS on EC2 with bridge or host networking, tasks share the container instance's ENI, so the security group is the one set on the EC2 instance or its Auto Scaling Group launch template. On Fargate, which always uses awsvpc networking, every task gets its own ENI, and the security groups for it are passed in the networkConfiguration parameter of the ECS service (or of run-task for standalone tasks).
Updating the Network Configuration of the ECS Service
To update the network configuration of an existing ECS service, use the AWS CLI. The following command sets the service's subnets and security group IDs:
$ aws ecs update-service --cluster your-cluster-name --service your-service-name --network-configuration "awsvpcConfiguration={subnets=[subnet-1,subnet-2],securityGroups=[sg-1,sg-2],assignPublicIp=ENABLED}"
In this command, replace the ECS cluster name, service name, subnet IDs, and security group IDs with your own. Note that the subnets and securityGroups lists replace the service's current lists rather than being merged with them, so every group that should stay attached has to be listed again, and all subnets and groups must belong to the same VPC. The assignPublicIp value controls whether each task ENI gets a public IP address: set it to ENABLED only for tasks in public subnets that must reach or be reached from the internet directly; for tasks in private subnets behind a NAT gateway or VPC endpoints, set it to DISABLED.
Updating the Tasks of the ECS Service
Next, roll the service's tasks so that replacement tasks are launched with the new security groups. This is necessary because the network configuration is fixed when a task's ENI is created: tasks that are already running keep their old security groups until they stop.
Updating the service starts a new deployment in which ECS launches replacement tasks and then stops the existing ones. To trigger such a deployment explicitly, use the following command (the --force-new-deployment flag can also be combined with --network-configuration in a single update-service call):
$ aws ecs update-service --cluster your-cluster-name --service your-service-name --force-new-deployment
By executing this command, the service launches new tasks and stops the existing ones. The new tasks are launched with the updated network configuration; the old tasks keep the previous one until they are stopped.
To replace the tasks without downtime, keep minimumHealthyPercent in the service's deployment configuration at 100 (and maximumPercent above 100; the default is 200, so that the replacements can be started alongside the old tasks). ECS then does not stop an existing task until its replacement has launched and is reported healthy. Keep in mind that "healthy" here means passing the load balancer target group health check or the container health check from the task definition; if the service has neither, a task counts as healthy as soon as it reaches RUNNING, so the old task may be stopped before the new one is actually ready to serve traffic.
How to Check Existing Security Groups
Finally, let me explain how to check the existing security groups. By using the AWS CLI to get the details of the ECS service, you can see the network configuration under networkConfiguration.awsvpcConfiguration.securityGroups in the output. Use the following command:
$ aws ecs describe-services --cluster your-cluster-name --services your-service-name
Again, replace the ECS cluster name and the service name with your own. Note that this output is the configuration that new tasks will receive; it does not tell you which security groups the tasks currently running actually have. For that, look up each running task's ENI (the networkInterfaceId in the ElasticNetworkInterface attachment reported by describe-tasks) and check its groups with describe-network-interfaces in EC2.
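The whole procedure above, as an added example that is not part of the original post: a boto3 script (boto3 is the SDK the AWS CLI is built on) that reads the service's current awsvpcConfiguration, replaces the security group list while carrying over the subnets and assignPublicIp, forces a rolling deployment with minimumHealthyPercent 100 and maximumPercent 200, waits until the service is stable, and then inspects the ENI of every running task to confirm the groups really changed, which describe-services alone cannot tell you. The cluster, service, subnet, task and security group identifiers are placeholders, and the API responses embedded at the bottom are constructed sample data so that the pure helpers can be run offline via demo().

```python
"""Rotate the security groups of an ECS-on-Fargate service and verify the result.

Added example, not the original post's code. Identifiers are placeholders and
the SAMPLE_* responses below are constructed data.
"""


def new_awsvpc_config(service, add=(), remove=()):
    """Build the awsvpcConfiguration to pass to update-service.

    The list handed to update-service replaces the service's current one rather
    than merging with it, so every group that should stay attached is carried
    over explicitly; subnets and assignPublicIp are preserved unchanged.
    """
    cfg = service["networkConfiguration"]["awsvpcConfiguration"]
    drop = set(remove)
    groups = [sg for sg in cfg["securityGroups"] if sg not in drop]
    for sg in add:
        if sg not in groups:
            groups.append(sg)
    if not groups:
        raise ValueError("a task ENI needs at least one security group")
    return {
        "subnets": list(cfg["subnets"]),
        "securityGroups": groups,
        "assignPublicIp": cfg.get("assignPublicIp", "DISABLED"),
    }


def task_eni_ids(tasks):
    """Map task ARN -> ENI id from the ElasticNetworkInterface attachment that
    describe-tasks reports for every awsvpc task."""
    enis = {}
    for task in tasks:
        for att in task.get("attachments", []):
            if att.get("type") != "ElasticNetworkInterface":
                continue
            for detail in att.get("details", []):
                if detail.get("name") == "networkInterfaceId":
                    enis[task["taskArn"]] = detail["value"]
    return enis


def stale_tasks(tasks, network_interfaces, expected_groups):
    """ARNs of tasks whose ENI does not carry exactly expected_groups.

    describe-services only shows what new tasks will get; this checks that the
    tasks actually running have moved over."""
    want = set(expected_groups)
    groups_by_eni = {
        eni["NetworkInterfaceId"]: {g["GroupId"] for g in eni["Groups"]}
        for eni in network_interfaces
    }
    return sorted(arn for arn, eni in task_eni_ids(tasks).items()
                  if groups_by_eni.get(eni) != want)


def rotate_security_groups(cluster, service, add=(), remove=()):
    """Live version: update the service, force a rolling deployment, wait, verify."""
    import boto3  # imported here so the pure helpers above run without AWS access

    ecs, ec2 = boto3.client("ecs"), boto3.client("ec2")
    svc = ecs.describe_services(cluster=cluster, services=[service])["services"][0]
    cfg = new_awsvpc_config(svc, add, remove)
    ecs.update_service(
        cluster=cluster, service=service,
        networkConfiguration={"awsvpcConfiguration": cfg},
        # 100/200: start replacements first, stop old tasks only once the new ones are healthy
        deploymentConfiguration={"minimumHealthyPercent": 100, "maximumPercent": 200},
        forceNewDeployment=True,
    )
    ecs.get_waiter("services_stable").wait(cluster=cluster, services=[service])
    pages = ecs.get_paginator("list_tasks").paginate(
        cluster=cluster, serviceName=service, desiredStatus="RUNNING")
    arns = [arn for page in pages for arn in page["taskArns"]]
    tasks = []
    for i in range(0, len(arns), 100):  # describe-tasks takes at most 100 ARNs per call
        tasks += ecs.describe_tasks(cluster=cluster, tasks=arns[i:i + 100])["tasks"]
    eni_ids = list(task_eni_ids(tasks).values())
    enis = (ec2.describe_network_interfaces(NetworkInterfaceIds=eni_ids)["NetworkInterfaces"]
            if eni_ids else [])
    return cfg["securityGroups"], stale_tasks(tasks, enis, cfg["securityGroups"])


# Constructed sample API responses (trimmed to the fields used) for an offline run.
SAMPLE_SERVICE = {
    "serviceName": "your-service-name",
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-1", "subnet-2"],
        "securityGroups": ["sg-old"],
        "assignPublicIp": "DISABLED",
    }},
}
TASK_A = "arn:aws:ecs:us-east-1:123456789012:task/your-cluster-name/aaa"
TASK_B = "arn:aws:ecs:us-east-1:123456789012:task/your-cluster-name/bbb"
SAMPLE_TASKS = [
    {"taskArn": TASK_A, "attachments": [{"type": "ElasticNetworkInterface", "details": [
        {"name": "subnetId", "value": "subnet-1"},
        {"name": "networkInterfaceId", "value": "eni-aaa"}]}]},
    {"taskArn": TASK_B, "attachments": [{"type": "ElasticNetworkInterface", "details": [
        {"name": "networkInterfaceId", "value": "eni-bbb"}]}]},
]
SAMPLE_ENIS = [  # task A still runs on the old group; task B was launched after the update
    {"NetworkInterfaceId": "eni-aaa", "Groups": [{"GroupId": "sg-old", "GroupName": "old"}]},
    {"NetworkInterfaceId": "eni-bbb", "Groups": [{"GroupId": "sg-new", "GroupName": "new"}]},
]


def demo():
    """Offline run over the sample data: swap sg-old for sg-new and find stragglers."""
    cfg = new_awsvpc_config(SAMPLE_SERVICE, add=["sg-new"], remove=["sg-old"])
    return cfg, stale_tasks(SAMPLE_TASKS, SAMPLE_ENIS, cfg["securityGroups"])


if __name__ == "__main__":
    cfg, stale = demo()
    print("config for new tasks:", cfg)
    print("tasks still on the old groups:", stale)
```

Run as-is to exercise the sample data; with credentials in the environment, call rotate_security_groups("your-cluster-name", "your-service-name", add=["sg-new"], remove=["sg-old"]) to do it for real. The caller needs ecs:DescribeServices, ecs:UpdateService, ecs:ListTasks, ecs:DescribeTasks and ec2:DescribeNetworkInterfaces. An empty stale list after the waiter returns is the evidence that no task with the old rules is still serving traffic; a non-empty one means the deployment is not finished or some tasks were launched outside the service.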