带有AWS NLB HealthCheck的GRPC Fargate服务

时间:2018-12-11 05:54:49

标签: amazon-web-services amazon-cloudformation aws-fargate nlb

我正在尝试为grpc设置Fargate服务,这要求我使用NLB,但是,我无法确定是否能够、以及如何设置运行状况检查的各项值,使其只对我的测试服务生效。

我目前在ecs服务上打开了2个端口:9000端口有一个有效的运行状况端点/v1/health,50051端口是没有运行状况端点的grpc服务。

我想知道如何配置运行状况以达到9000端口+路径,或者作为替代方案我还能做些什么?

我已经附上了我正在使用的cloudformation脚本,如蒙协助将不胜感激;目标组(TargetGroup)是主要的困惑点。

    AWSTemplateFormatVersion: 2010-09-09
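Description: Cloudformation stack for the new GRPC endpoints within existing vpc/subnets and using fargate
Parameters:
  stackName:
    Type: String
    Default: cf-myapp-ci-grpc
    Description: The name of the parent Fargate networking stack that you created. Necessary
  env:
    Type: String
    Default: ci
    Description: Environment name (ci, ...) used as the ${env} component of every resource name
  vpcId:
    Type: String
    Default: vpc-asdfadfdfa
    Description: ID of the existing VPC the internal NLB and the Fargate tasks run in
  vpcCidr:
    Type: String
    # Constructed placeholder - replace with the real CIDR block of vpcId. It is the only
    # source allowed by the security group below; for an internal NLB both the NLB nodes
    # (which send the health checks) and the gRPC clients sit inside this range.
    Default: "10.0.0.0/16"
    Description: CIDR block of vpcId; the only source allowed to reach the gRPC and health-check ports
  vpcSubnets:
    Type: CommaDelimitedList
    Default: "subnet-dddd,subnet-dddd,subnet-dddd"
  containerImage:
    Type: String
    Default: container-path-url/myapp/api:custom-grcp_af4cb84
    # Default: nginx:latest
    Description: Container image
  containerPort:
    Type: Number
    Default: 50051
    # 50051
    Description: Internal container port mapping
  hostPort:
    Type: String
    Default: 50051
    # 50051 - in awsvpc network mode this must equal containerPort
    Description: External container port mapping
Resources:

  # ------------------------------------------
  # security >>
  InstanceSecurityGroupGrpcSg:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: {"Fn::Sub": "sgg-group-${env}-myapp-grpc"}
      GroupDescription: Allow http to client host
      VpcId: {"Ref": vpcId}
      SecurityGroupIngress:
        # gRPC listener port. The previous rule used CidrIp 1.1.1.1/0: a /0 prefix
        # length matches every address, so it was an any-source rule equivalent to
        # 0.0.0.0/0. The load balancer is internal, so the VPC CIDR is sufficient.
        - IpProtocol: tcp
          FromPort: {"Ref": hostPort}
          ToPort: {"Ref": hostPort}
          CidrIp: {"Ref": vpcCidr}
          Description: gRPC traffic forwarded by the internal NLB
        # The target group health-checks port 9000, not hostPort, and the checks come
        # from the NLB nodes' private addresses in vpcSubnets. Without this rule the
        # tasks never become healthy whatever HealthCheckProtocol/Path is configured.
        - IpProtocol: tcp
          FromPort: 9000
          ToPort: 9000
          CidrIp: {"Ref": vpcCidr}
          Description: NLB health checks against the /v1/health endpoint

      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: '0'
          ToPort: '65535'
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: "Name"
          Value: {"Fn::Sub": "sgg-myapp-${env}-grpc"}

  # Used as the task ExecutionRoleArn: it only needs to pull the image, resolve
  # secrets injected into the container and write to CloudWatch Logs.
  EcsTaskRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: iam-policy-ecs-task-myapp-ci-grpc
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # ecr:GetAuthorizationToken does not support resource-level permissions,
              # so it gets its own statement on Resource '*'.
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                Resource: '*'
              # The former 'ecr:**' (double asterisk) still wildcarded every ECR
              # action, including push and delete; an execution role only pulls.
              - Effect: Allow
                Action:
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:GetDownloadUrlForLayer'
                  - 'ecr:BatchGetImage'
                  - 'kms:Decrypt'
                  - 'secretsmanager:GetSecretValue'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                # Redacted placeholder kept from the original. IAM only accepts an ARN
                # (or '*') here: list the repository, secret, KMS key and log-group ARNs.
                Resource: '/some/stuff/*'

  # ------------------------------------------
  # networking >>

  LoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    DependsOn:
      - InstanceSecurityGroupGrpcSg
    Properties:
      Name: {"Fn::Sub": "lb-myapp-${env}-internal-grpc"}
      Scheme: internal
      Type: network
      Subnets: {"Ref": vpcSubnets}
      # A network load balancer has no security group of its own (at the time of
      # writing); reachability is enforced on the target's security group instead.
      # LoadBalancerAttributes:
        # - Key: idle_timeout.timeout_seconds
        #   Value: '50'
      # SecurityGroups:
      #   - {"Ref": InstanceSecurityGroupGrpcSg}
  LoadBalancerListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    DependsOn:
      - TargetGroup
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: {"Ref": TargetGroup}
      LoadBalancerArn: {"Ref": LoadBalancer}
      Port: {"Ref": hostPort}
      # gRPC is HTTP/2 over TCP; the NLB passes it through without termination.
      Protocol: TCP

  TargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    DependsOn:
      - LoadBalancer
    Properties:
      Name: {"Fn::Sub": "tg-myapp-${env}-grpc-ping-6"}
      Port: {"Ref": hostPort}
      # Fargate tasks in awsvpc mode are registered by IP, not instance id.
      TargetType: ip
      Protocol: TCP
      # HealthCheckPath only takes effect with HealthCheckProtocol HTTP or HTTPS;
      # with TCP the check is a plain connect to HealthCheckPort.
      # HealthCheckPath: "/"
      HealthCheckProtocol: TCP
      # Checked on the side port exposed for /v1/health, not on the gRPC port.
      # The security group above must allow this port from the NLB nodes.
      HealthCheckPort: 9000
      # # HealthCheckIntervalSeconds: 5
      # # HealthCheckTimeoutSeconds: 3
      # # Matcher:
      # #   HttpCode: '200'
      # HealthyThresholdCount: 2
      # UnhealthyThresholdCount: 2
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '10'
      VpcId: {"Ref": vpcId}

  # ------------------------------------------
  # logging  >>

  CloudwatchLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: {"Fn::Sub": "/${env}/myapp/grpc"}
      RetentionInDays: 3

  # ------------------------------------------
  # cluster  >>

  EcsCluster:
    Type: 'AWS::ECS::Cluster'
    DependsOn:
      - LoadBalancerListener
    Properties:
      ClusterName: {"Fn::Sub": "ecs-myapp-${env}-grpc"}

  EcsService:
    Type: 'AWS::ECS::Service'
    DependsOn:
      - TaskDefinition
    Properties:
      Cluster: {"Ref": EcsCluster}
      LaunchType: FARGATE
      DesiredCount: '1'
      DeploymentConfiguration:
        MaximumPercent: 150
        MinimumHealthyPercent: 0
      LoadBalancers:
        # ContainerName must match the container in TaskDefinition exactly.
        - ContainerName: {"Fn::Sub": "fg-myapp-${env}-grpc"}
          ContainerPort: {"Ref": containerPort}
          TargetGroupArn: {"Ref": TargetGroup}
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Tasks are only reachable through the internal NLB; no public address.
          AssignPublicIp: DISABLED
          SecurityGroups:
            - {"Ref": InstanceSecurityGroupGrpcSg}
          Subnets: {"Ref": vpcSubnets}
      TaskDefinition: {"Ref": TaskDefinition}


  # ------------------------------------------
  # gRPC task definition >>

  TaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    DependsOn:
      - EcsCluster
      - EcsTaskRole
    Properties:
      NetworkMode: awsvpc
      Family: {"Fn::Sub": "td-myapp-${env}-grpc"}
      RequiresCompatibilities:
        - FARGATE
      # Execution role (image pull, secrets, logs). No TaskRoleArn is set, so the
      # application itself gets no AWS credentials.
      ExecutionRoleArn: {"Ref": EcsTaskRole}
      Cpu: '1024'
      Memory: '2048'
      ContainerDefinitions:
        - Name: {"Fn::Sub": "fg-myapp-${env}-grpc"}
          Image: {"Ref": containerImage}
          Environment:
            - Name: BUILD_TAG
              Value: 'release_tr-grpc_aab823a'
          PortMappings:
            # gRPC port, fronted by the NLB listener.
            - ContainerPort: {"Ref": containerPort}
              HostPort: {"Ref": hostPort}
            # HTTP health endpoint (/v1/health) used by the target group only.
            - ContainerPort: 9000
              HostPort: 9000
          Essential: 'true'
          EntryPoint:
            - "node"
            - "/usr/app/app.js"
            - "--server"
            - "--rpc"
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: {"Ref": CloudwatchLogGroup}
              awslogs-region: {"Ref": "AWS::Region"}
              awslogs-stream-prefix: ci-grpc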

1 个答案:

答案 0 :(得分:-1)

您需要设置HealthCheckPath,但要注意:根据文档,HealthCheckProtocol应该是HTTP或HTTPS,而不是TCP。

TargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    DependsOn:
      - LoadBalancer
    Properties:
      Name: {"Fn::Sub": "tg-myapp-${env}-grpc-ping-6"}
      Port: {"Ref": hostPort}
      TargetType: ip
      # Traffic protocol stays TCP: the NLB passes gRPC (HTTP/2) through unchanged.
      Protocol: TCP
      # HealthCheckPath is only honoured together with an HTTP or HTTPS
      # HealthCheckProtocol; under TCP the check is a bare connect.
      HealthCheckPath: "/v1/health"
      HealthCheckProtocol: HTTP
      # The check goes to the side port, not to hostPort. The task's security group
      # must allow TCP 9000 from the NLB nodes (the group in the question only opens
      # hostPort), otherwise every target stays unhealthy.
      HealthCheckPort: 9000
      # # HealthCheckIntervalSeconds: 5
      # # HealthCheckTimeoutSeconds: 3
      # # Matcher:
      # #   HttpCode: '200'
      # HealthyThresholdCount: 2
      # UnhealthyThresholdCount: 2
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '10'
      VpcId: {"Ref": vpcId}