#aws (2024-09)
Discussion related to Amazon Web Services (AWS)
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
2024-09-02
Hello, I’m currently facing an issue with aws load balancer. I have an ecs fargate cluster with about five tasks. However, I noticed that these instances dont scale pass 10 users during a load test. Upon further debugging, I had to ssh into each of these instances and did a htop to see the cpu and memory utilization of these five tasks. I noticed that one of these tasks had 100% cpu utilization and the rest had no cpu utilization. This makes the cpu utilization get very high and makes the ecs tasks unhealthy and unable to receive more traffic. This image shows the ecs cpu utilization for one instance. How can i ensure this traffic is evenly distributing the traffic to all tasks in the ecs service. Upon checking my load balancer access logs, I also noticed that a lot of requests came from one ip address. I tried modifying the load balancer traffic distribution style to round robin but it still doesnt distribute traffic evenly across all my tasks. What can I do to ensure scalability of my application? Has anyone faced this ?
@Jeremy White (Cloud Posse)
you likely have session stickiness on on the load balancer, which means each unique session goes to the same instance, to allow for things like safe deploys (once you hit app version 2.0, you no longer hit 1.0). Your load tester is 1 session, so it always hits 1 server. You could temporarily turn off session stickiness during the load test, or else you might have to lookup how it determines that stickiness, and randomize that on the load tester side. AWS Load balancer sets a cookie for that stickiness, so you’d need to clear cookies. Cookie name is AWSALB at least on mine
Thanks @Michael Galey Currently stickiness if turned off. The problem is that one ecs task takes 87% cpu while the remaining four tasks have 0% utilization. So this has an impact on the scalability of the system. Do you know how I can resolve this ?
usually I think about python applications as needing something to share requests. There are a few ways to do this, but a common couple to try first are gunicorn and uwsgi . Do you have any application that’s sharing the listener port with your server threads/PIDs?
Here’s a site on uWSGI: https://uwsgi-docs.readthedocs.io/en/latest/WSGIquickstart.html
if you are using one of those tool already, could you share your config? Doesn’t have to be all the gory details, but at least some notion of how it decides to spawn your application on a request
the above would be per server, he’s already at full utilization on one server. His load balancer is not balancing the load, at least not from a single source.
if you do 2-3 load tests of smaller size from a few diff ips, does it go to that number of ecs tasks? I’d suggest trying least-request if that’s an option for the load balancer, otherwise maybe just start simple, follow some tutorial for a basic load balancer + hello world, and compare the load balancer config / target group config against yours. I don’t see how it’s the app’s fault here, I think it’s the load balancer config + single origin ip
I better understand now. I’m not sure what’s up, but are you using target groups? Do all the tasks show as healthy?
2024-09-03
2024-09-04
2024-09-05
Hi, Team. I am looking for help with Azure DevOps repository + AWS Amplify deployment.
You’re more likely to get help if you ask questions.
https://github.com/aws/containers-roadmap/issues/474 hey there, how are you all working around aws’ silly limitation on EKS access entries not supporting wildcards? it’s a nightmare for permission set arns, since they have that random string at the end of the permission set role
Codify each arn in aws auth config
Now days the aws auth config file is deprecated
Deprecated method https://docs.aws.amazon.com/eks/latest/userguide/auth-configmap.html
Access entries is the new way https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
You can’t use wildcards/globs in aws auth config or in eks access entries
One way to do it, if youre using terraform, whether with aws auth config or access entries, you can use the data source aws iam roles, specify a wildcard to retrieve all the arns, and then populate the arns in your config map or access entries
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles
data "aws_iam_roles" "default" {
name_regex = ".*project.*"
}
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_access_entry
resource "aws_eks_access_entry" "default" {
for_each = data.aws_iam_roles.default
cluster_name = aws_eks_cluster.default.name
principal_arn = each.value.arn
kubernetes_groups = ["group-1", "group-2"]
type = "STANDARD"
}
yeah, i saw that workaround in the thread
but its so hacky
i also can see it breaking since we use terragrunt, and it’s hard to pass in data calls into module inputs
so we’d have to just rely on “in-module” access entries, and ignore the terragrunt layer, i think (maybe not - haven’t thought abt it enough)
Yes, we’ve run into this as well. It’s one of the reasons we also implement the aws-teams and aws-team-roles architecture in our reference architecture and allow permission sets to assume them. This allows us to have consistent roles for both programmatic/machine access (e.g. GitHub OIDC) as well as for developers.
We talk more about our approach here https://docs.cloudposse.com/layers/identity/
thanks! i’ve been considering going with this approach, but i’m hesitant because of the extra assume role hop (for human users)
especially non-technical users
Yes, the extra assume role hop is really for technical users
But sounds like you’re using EKS. You have technical users.
yeah, but we have a fair amount of non technical users (clickops in the console), and i’m not sure what we’d do for them. i think the extra assume role in the console would make dem go nuts but i guess a hybrid approach could work too…
@Jeremy G (Cloud Posse) might have some updated ideas on this we haven’t yet tried. He’s OoO though.
2024-09-06
2024-09-07
Hey everyone,
Recently we did a change on our ECS infrastructure. We’ve transitioned to using AWS service discovery and have configured our containers to use HTTPS on their hostnames. After resolving various issues with appsettings and Dockerfiles, the HTTPS port is now open.
Previously, we used an ALB for each service in the ECS cluster. With the move to HTTPS and service discovery, we need to set HTTPS as the port for service health checks. The challenge we’re facing is that target groups don’t allow us to define a hostname for service discovery.
You might wonder why we switched to HTTPS. The decision was driven by difficulties we encountered with service discovery, which we found were best addressed by using HTTPS.
I’ve attached the task definition file for one of the services and the appsettings file. These should help illustrate the issue with the target group’s inability to accept a hostname.
Just a note: I’m fairly new to DevOps—only been in this field for two months—and I’m really enjoying the learning process!
this could be useful https://www.youtube.com/watch?v=z1WQ-YSAsVY
here is the text version with links https://fivexl.io/blog/ecs-service-connect-encryption/
Why don’t you let the ECS service manage registration with the target group for you? It’s allowed to use both service discovery AND allow the ECS service to register task IPs with the target group
@andrey.a.devyatkin Thank you so much for the video! @Fizz Yup, this is what i chose to go with, during the creation process when defining the ECS service, i choose the load balancer and then i was prompted to create the Target Group & add it to the listener. All the ports of which i used use HTTPS now and it’s working perfectly, am just adding a route 53 entry and then we will go public!
This is super neat to see, and do share your experience during and after the process! I’m keen to implement ECS Service Connect within Fargate target groups using Terraform provisioning, as soon as I’m able wrap my mind around it.
@Rishav checkout blog post and video above - they go into details of ECS Service Connect implementation for ECS/Fargate
I am a team looking for help with the yml pipeline for Azure DevOps to Azure static Apps service in the nextjs application.
2024-09-08
2024-09-09
Hello, how to deploy docker compose on aws fargate? I searched some but its outdated/retired.
I think you’re looking for https://github.com/aws/amazon-ecs-cli
will check on this.
Yea, unfortunately they deprecated docker compose deployments to ECS in the docker-compose CLI
We were really bummed about that
wow, @Darren Cunningham i didn’t know about this new ECS cli
And this amazon-ecs-cli is different from the other ECS cli by AWS https://aws.github.io/copilot-cli/
2024-09-10
2024-09-11
https://github.com/aws/containers-roadmap/issues/2411
Can we get some traction on this
Support for custom eks access entry policies