Service Connect - Amazon Elastic Container Service

Service Connect

Amazon ECS Service Connect provides management of service-to-service communication as Amazon ECS configuration. It does this by building both service discovery and a service mesh in Amazon ECS. This provides the complete configuration inside each Amazon ECS service that you manage by service deployments, a unified way to refer to your services within namespaces that doesn't depend on the Amazon VPC DNS configuration, and standardized metrics and logs to monitor all of your applications on Amazon ECS. Amazon ECS Service Connect only interconnects Amazon ECS services.

The following diagram shows an example Service Connect network with 2 subnets in the VPC and 2 services: a client service that runs WordPress with 1 task in each subnet, and a server service that runs MySQL with 1 task in each subnet. Both services are highly available and resilient to task and Availability Zone issues because each service runs multiple tasks that are spread out over 2 subnets. The solid arrows show a connection from WordPress to MySQL, for example a mysql --host=mysql CLI command that is run from inside the WordPress container in the task with the IP address 172.31.16.1. The command uses the short name mysql on the default port for MySQL. This name and port connect to the Service Connect proxy in the same task. The proxy in the WordPress task uses round-robin load balancing and any previous failure information in outlier detection to pick which MySQL task to connect to. As shown by the solid arrows in the diagram, the proxy connects to the second proxy in the MySQL task with the IP address 172.31.16.2. The second proxy connects to the local MySQL server in the same task. Both proxies report connection performance that is visible in graphs in the Amazon ECS and Amazon CloudWatch consoles, so that you can get performance metrics from all kinds of applications in the same way.

Figure: Example Service Connect network showing minimal HA services

Overview of steps to configure Service Connect

Follow these steps to configure Service Connect for a group of related services.

Important
  • Amazon ECS Service Connect creates AWS Cloud Map services in your account. Modifying these AWS Cloud Map resources by manually registering/deregistering instances, changing instance attributes, or deleting a service may lead to unexpected behaviour for your application traffic or subsequent deployments.

  • Amazon ECS Service Connect doesn't support links in the task definition.

  1. Add port names to the port mappings in your task definitions. Optionally, identify the layer 7 protocol of the application to get additional metrics.

  2. Create an ECS cluster with an AWS Cloud Map namespace, or create the namespace separately. For simple organization, create an Amazon ECS cluster with the name that you want for the namespace and specify the identical name for the namespace. In this case, Amazon ECS creates a new HTTP namespace with the necessary configuration. Amazon ECS Service Connect doesn't use or create DNS hosted zones in Amazon Route 53.

  3. Configure services to create Service Connect endpoints within the namespace.

  4. Deploy services to create the endpoints. Amazon ECS adds a Service Connect proxy container to each task, and creates the Service Connect endpoints in AWS Cloud Map. This container isn't configured in the task definition, and the task definition can be reused without modification to create multiple services in the same namespace or in multiple namespaces.

  5. Deploy client apps as services to connect to the endpoints. Amazon ECS connects them to the Service Connect endpoints through the Service Connect proxy in each task.

    Applications only use the proxy to connect to Service Connect endpoints. There is no additional configuration to use the proxy. The proxy performs round-robin load balancing, outlier detection, and retries. For more information about the proxy, see Service Connect proxy.

  6. Monitor traffic through the Service Connect proxy in Amazon CloudWatch.

Regions with Service Connect

Amazon ECS Service Connect is available in the following AWS Regions:

Region Name | Region
US East (Ohio) | us-east-2
US East (N. Virginia) | us-east-1
US West (N. California) | us-west-1
US West (Oregon) | us-west-2
Africa (Cape Town) | af-south-1
Asia Pacific (Hong Kong) | ap-east-1
Asia Pacific (Jakarta) | ap-southeast-3
Asia Pacific (Mumbai) | ap-south-1
Asia Pacific (Hyderabad) | ap-south-2
Asia Pacific (Osaka) | ap-northeast-3
Asia Pacific (Seoul) | ap-northeast-2
Asia Pacific (Singapore) | ap-southeast-1
Asia Pacific (Sydney) | ap-southeast-2
Asia Pacific (Melbourne) | ap-southeast-4
Asia Pacific (Tokyo) | ap-northeast-1
Canada (Central) | ca-central-1
Canada West (Calgary) | ca-west-1
China (Beijing) | cn-north-1 (Note: TLS for Service Connect is not available in this region.)
China (Ningxia) | cn-northwest-1 (Note: TLS for Service Connect is not available in this region.)
Europe (Frankfurt) | eu-central-1
Europe (Ireland) | eu-west-1
Europe (London) | eu-west-2
Europe (Paris) | eu-west-3
Europe (Milan) | eu-south-1
Europe (Spain) | eu-south-2
Europe (Stockholm) | eu-north-1
Europe (Zurich) | eu-central-2
Israel (Tel Aviv) | il-central-1
Middle East (Bahrain) | me-south-1
Middle East (UAE) | me-central-1
South America (São Paulo) | sa-east-1

Service Connect considerations

  • Tasks that run in Fargate must use the Fargate Linux platform version 1.4.0 or higher to use Service Connect.

  • The ECS agent version on the container instance must be 1.67.2 or higher.

  • Container instances must run the Amazon ECS-optimized Amazon Linux 2023 AMI version 20230428 or later, or Amazon ECS-optimized Amazon Linux 2 AMI version 2.0.20221115 to use Service Connect. These versions have the Service Connect agent in addition to the Amazon ECS container agent. For more information about the Service Connect agent, see Amazon ECS Service Connect Agent on GitHub.

  • Container instances must have the ecs:Poll permission for the resource arn:aws:ecs:region:0123456789012:task-set/cluster/*. If you are using the ecsInstanceRole, you don't need to add additional permissions. The AmazonEC2ContainerServiceforEC2Role managed policy has the necessary permissions. For more information, see Amazon ECS container instance IAM role.

  • Only services that use rolling deployments are supported with Service Connect.

  • Task definitions must set the task memory limit to use Service Connect. For more information, see Service Connect proxy.

  • Task definitions that set container memory limits for all containers instead of setting the task memory limit aren't supported.

    You can set container memory limits on your containers, but you must set the task memory limit to a number greater than the sum of the container memory limits. The additional CPU and memory in the task limits that aren't allocated in the container limits are used by the Service Connect proxy container and other containers that don't set container limits. For more information, see Service Connect proxy.

  • You can configure Service Connect in a service to use any AWS Cloud Map namespace in the same AWS Region in the same AWS account.

  • Each Amazon ECS service can belong to only one namespace.

  • Only the tasks that Amazon ECS services create are supported.

  • All endpoints must be unique within a namespace.

  • All discovery names must be unique within a namespace.

  • Existing services must be redeployed before the applications in them can resolve new endpoints. New endpoints that are added to the namespace after the most recent deployment won't be added to the task configuration. For more information, see Deployment order.

  • You can create a namespace when creating a new cluster. Amazon ECS Service Connect doesn't delete namespaces when clusters are deleted. You must delete namespaces directly in AWS Cloud Map if you are done using them.

  • Application Load Balancer traffic defaults to routing through the Service Connect agent in awsvpc network mode. If you want non-service traffic to bypass the Service Connect agent, use the ingressPortOverride parameter in your Service Connect service configuration.

Service Connect doesn't support the following:

  • Windows containers

  • HTTP 1.0

  • Standalone tasks

  • Services that use the blue/green and external deployment types.

  • External container instances for Amazon ECS Anywhere aren't supported with Service Connect.

  • PPv2
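The configuration steps above and the considerations just listed, worked through as an added example that is not part of the AWS documentation: the Python below composes the task definitions and service definitions for the WordPress and MySQL walk-through (port names and an optional appProtocol from step 1, a serviceConnectConfiguration from steps 3 to 5, and an ingressPortOverride on the WordPress service) and then checks them against the considerations: the task memory limit must be set and exceed the sum of the container limits, every portName must reference a named port mapping, and discovery names and endpoints must be unique within the namespace. Field names follow the ECS RegisterTaskDefinition and CreateService request shapes; the family names, memory sizes, port 8080 and the namespace name example-ns are constructed sample values, and the check functions are this example's own, not an ECS API.

```python
"""Added example (not AWS code): compose the Service Connect pieces for the
WordPress/MySQL walk-through and check them against the page's considerations.
Field names follow the ECS RegisterTaskDefinition and CreateService request shapes;
family names, memory sizes and the namespace "example-ns" are constructed values."""

# Step 1: named port mappings in the task definitions (constructed sample values).
MYSQL_TASK_DEF = {
    "family": "mysql",
    "memory": "2048",  # task memory limit: required for Service Connect
    "containerDefinitions": [{
        "name": "mysql", "memory": 1024,  # room up to the task limit feeds the proxy
        "portMappings": [{"name": "mysql", "containerPort": 3306, "protocol": "tcp"}]}],
}
WORDPRESS_TASK_DEF = {
    "family": "wordpress",
    "memory": "1024",
    "containerDefinitions": [{
        "name": "wordpress", "memory": 512,
        # appProtocol is optional; it enables protocol-specific metrics such as HTTP 5xx
        "portMappings": [{"name": "http", "containerPort": 80, "appProtocol": "http"}]}],
}

# Steps 3 to 5: services join the namespace. The server publishes an endpoint; a
# client-only service would carry just "enabled" and "namespace".
MYSQL_SERVICE = {
    "serviceName": "mysql", "taskDefinition": "mysql",
    "serviceConnectConfiguration": {"enabled": True, "namespace": "example-ns", "services": [{
        "portName": "mysql",       # must match a portMappings name
        "discoveryName": "mysql",  # AWS Cloud Map service name
        "clientAliases": [{"port": 3306, "dnsName": "mysql"}],  # what clients dial
    }]},
}
WORDPRESS_SERVICE = {
    "serviceName": "wordpress", "taskDefinition": "wordpress",
    "serviceConnectConfiguration": {"enabled": True, "namespace": "example-ns", "services": [{
        "portName": "http", "clientAliases": [{"port": 80, "dnsName": "wordpress"}],
        # the proxy accepts Service Connect traffic on 8080; traffic that reaches
        # containerPort 80 directly (for example from a load balancer) bypasses it
        "ingressPortOverride": 8080,
    }]},
}

def check_memory(task_def):
    """Task memory limit must be set and exceed the sum of container memory limits."""
    family = task_def["family"]
    if "memory" not in task_def:
        return [f"{family}: task memory limit is not set"]
    container_sum = sum(c.get("memory", 0) for c in task_def["containerDefinitions"])
    if int(task_def["memory"]) <= container_sum:
        return [f"{family}: task memory {task_def['memory']} must exceed "
                f"the container limits total {container_sum}"]
    return []

def check_port_names(service, task_def):
    """Every portName in serviceConnectConfiguration.services must name a port mapping."""
    names = {pm["name"] for c in task_def["containerDefinitions"]
             for pm in c.get("portMappings", []) if "name" in pm}
    return [f"{service['serviceName']}: portName {e['portName']!r} is not a named port mapping"
            for e in service["serviceConnectConfiguration"].get("services", [])
            if e["portName"] not in names]

def _published(services):
    """Yield (namespace, serviceName, discoveryName, [endpoints]) per Service Connect
    entry. discoveryName defaults to portName; alias dnsName defaults to discoveryName."""
    for svc in services:
        scc = svc["serviceConnectConfiguration"]
        for e in scc.get("services", []):
            discovery = e.get("discoveryName", e["portName"])
            yield (scc["namespace"], svc["serviceName"], discovery,
                   [f"{a.get('dnsName', discovery)}:{a['port']}" for a in e.get("clientAliases", [])])

def namespace_endpoints(services):
    """Map namespace -> set of 'dnsName:port' names that client tasks in it can resolve."""
    out = {}
    for ns, _, _, endpoints in _published(services):
        out.setdefault(ns, set()).update(endpoints)
    return out

def check_namespace_uniqueness(services):
    """Discovery names and endpoints must each be unique within a namespace."""
    problems, seen = [], set()
    for ns, name, discovery, endpoints in _published(services):
        for kind, value in [("discovery name", discovery)] + [("endpoint", ep) for ep in endpoints]:
            if (ns, kind, value) in seen:
                problems.append(f"{name}: duplicate {kind} {value!r} in namespace {ns!r}")
            seen.add((ns, kind, value))
    return problems

def validate(task_defs, services):
    """Run every check; an empty list means the configuration passes."""
    by_family = {td["family"]: td for td in task_defs}
    problems = [p for td in task_defs for p in check_memory(td)]
    for svc in services:
        problems += check_port_names(svc, by_family[svc["taskDefinition"]])
    return problems + check_namespace_uniqueness(services)
```

validate() returns an empty list for the sample pair, and namespace_endpoints() shows that a client task in example-ns resolves mysql:3306, the name that the mysql --host=mysql command in the diagram dials. Running these checks in a delivery pipeline surfaces the configuration errors the considerations describe before a deployment is attempted, which is cheaper than discovering them through a failed rollout.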

Service Connect console experience

To create a new namespace, either create a new Amazon ECS cluster using the Amazon ECS console and specify a namespace name to create, or use the AWS Cloud Map console. Amazon ECS Service Connect can use any instance discovery type of AWS Cloud Map namespace. We recommend the API calls instance discovery type because it creates the fewest additional resources. To create a new Amazon ECS cluster and namespace in the Amazon ECS console, see Creating a cluster for the Fargate and External launch type using the console.

Every AWS Cloud Map namespace in this AWS account in the selected AWS Region is displayed on the Namespaces page in the Amazon ECS console.

To delete a namespace, use the AWS Cloud Map console. A namespace must be empty before it can be deleted.

To create a new Amazon ECS task definition, or register a new revision to an existing task definition and use Service Connect, see Creating a task definition using the console.

To create a new Amazon ECS service that uses Service Connect, see Creating a service using the console.

Service Connect pricing

Amazon ECS Service Connect pricing depends on whether you use AWS Fargate or Amazon EC2 infrastructure to host your containerized workloads. When using Amazon ECS on AWS Outposts, the pricing follows the same model that's used when you use Amazon EC2 directly. For more information, see Amazon ECS Pricing.

AWS Cloud Map usage is completely free when it's consumed through Amazon ECS Service Connect.

Service Connect parameters

The following parameters have extra fields when using Service Connect.

Parameter location | App type | Description | Required?
Task definition | Client | There are no changes available for Service Connect in client task definitions. | N/A
Task definition | Client-server | Servers must add name fields to ports in the portMappings of containers. For more information, see portMappings. | Yes
Task definition | Client-server | Servers can optionally provide an application protocol (for example, HTTP) to receive protocol-specific metrics for their server applications (for example, HTTP 5xx). | No
Service definition | Client | Client services must add a serviceConnectConfiguration to configure the namespace to join. This namespace must contain all of the server services that this service needs to discover. For more information, see serviceConnectConfiguration. | Yes
Service definition | Client-server | Server services must add a serviceConnectConfiguration to configure the DNS names, port numbers, and namespace that the service is available from. For more information, see serviceConnectConfiguration. | Yes
Cluster | Client | Clusters can add a default Service Connect namespace. New services in the cluster inherit the namespace when Service Connect is configured in a service. For more information, see Amazon ECS clusters. | No
Cluster | Client-server | There are no changes available for Service Connect in clusters that apply to server services. Server task definitions and services must set the respective configuration. | N/A