Using shared AWS Cloud Map namespaces with Amazon ECS Service Connect
Setting up shared AWS Cloud Map namespaces for Service Connect involves four steps: the namespace owner creates the namespace, the owner shares it through AWS Resource Access Manager (AWS RAM), the consumer accepts the resource share, and the consumer configures Service Connect to use the shared namespace.
Step 1: Create the AWS Cloud Map namespace
The namespace owner creates an AWS Cloud Map namespace that will be shared with other accounts.
To create a namespace for sharing using the AWS Management Console
- Open the AWS Cloud Map console at https://console.aws.amazon.com/cloudmap/.
- Choose Create namespace.
- Enter a Namespace name. This name is used by services across all participating accounts.
- For Namespace type, choose the appropriate type for your use case:
  - API calls ‐ HTTP namespaces for service discovery without DNS functionality.
  - API calls and DNS queries in VPCs ‐ Private DNS namespaces for service discovery with private DNS queries in a VPC.
  - API calls and public DNS queries ‐ Public DNS namespaces for service discovery with public DNS queries.
- Choose Create namespace.
Step 2: Share the namespace using AWS RAM
The namespace owner uses AWS RAM to share the namespace with other AWS accounts.
To share a namespace using the AWS RAM console
- Open the AWS RAM console at https://console.aws.amazon.com/ram/.
- Choose Create resource share.
- For Name, enter a descriptive name for the resource share.
- In the Resources section:
  - For Resource type, choose Cloud Map Namespaces.
  - Select the namespace you created in the previous step.
- In the Managed permissions section, specify AWSRAMPermissionCloudMapECSFullPermission.
  Important
  You must use the AWSRAMPermissionCloudMapECSFullPermission managed permission when sharing the namespace; otherwise Service Connect does not work properly with the namespace.
- In the Principals section, specify the AWS accounts you want to share the namespace with. You can enter account IDs or organizational unit IDs. Every principal you list can register and deregister Service Connect services in this namespace, so share it only with the accounts that need to.
- Choose Create resource share.
Step 3: Accept the resource share
Namespace consumer accounts must accept the resource share invitation to use the shared namespace. If the consumer account is in the same AWS Organization as the owner and sharing with AWS Organizations is enabled in AWS RAM, the share is accepted automatically and no invitation appears.
To accept a resource share invitation using the AWS RAM console
- In the consumer account, open the AWS RAM console at https://console.aws.amazon.com/ram/.
- In the navigation pane, choose Shared with me, then choose Resource shares.
- Select the resource share invitation and choose Accept resource share.
- After accepting, note the shared namespace ARN from the resource details. You'll use this ARN when configuring Service Connect services.
Step 4: Configure an Amazon ECS service with the shared namespace
After accepting the shared namespace, the namespace consumer can configure Amazon ECS services to use the shared namespace. The configuration is similar to using a regular namespace, but you must specify the namespace ARN instead of the name. For a detailed service creation procedure, see Creating an Amazon ECS rolling update deployment.
To create a service with a shared namespace using the AWS Management Console
- Open the console at https://console.aws.amazon.com/ecs/v2.
- On the Clusters page, choose the cluster that you want to create the service in.
- Under Services, choose Create.
- After filling in other details depending on your workload, in the Service Connect section, choose Use Service Connect.
- For Namespace, enter the full ARN of the shared namespace. The ARN format is:
  arn:aws:servicediscovery:region:account-id:namespace/namespace-id
- Configure the remaining Service Connect settings as needed for your service type (client or client-server).
- Complete the service creation process.
You can also configure services using the AWS CLI or AWS SDKs by specifying the shared namespace ARN in the namespace parameter of the serviceConnectConfiguration.

aws ecs create-service \
    --cluster my-cluster \
    --service-name my-service \
    --task-definition my-task-def \
    --service-connect-configuration '{
        "enabled": true,
        "namespace": "arn:aws:servicediscovery:us-west-2:123456789012:namespace/ns-abcdef1234567890",
        "services": [{
            "portName": "web",
            "discoveryName": "my-service",
            "clientAliases": [{ "port": 80, "dnsName": "my-service" }]
        }]
    }'
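The four steps above, run end to end with the AWS CLI instead of the console, as an added example that is not part of the original page. The account IDs, VPC ID, cluster, task definition and namespace name are placeholder assumptions, as are the two CLI profiles "owner" and "consumer"; the managed permission is referenced by the standard AWS-managed RAM permission ARN form. AWS is only called when RUN_AWS=1 is set, so the helper functions can be exercised without credentials.

```shell
#!/bin/sh
# Added example (not from the AWS documentation page): runs the four steps with
# the AWS CLI v2 instead of the console. All IDs below are placeholder
# assumptions; the CLI profiles "owner" and "consumer" are assumed to exist.
# AWS is only called when RUN_AWS=1.
set -eu

REGION="${REGION:-us-west-2}"
OWNER_ACCOUNT="${OWNER_ACCOUNT:-111111111111}"        # assumed owner account
CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-222222222222}"  # assumed consumer account
NAMESPACE_NAME="${NAMESPACE_NAME:-shared.local}"      # assumed namespace name
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"             # assumed VPC in the owner account
CLUSTER="${CLUSTER:-my-cluster}"                      # consumer-side ECS cluster
TASK_DEF="${TASK_DEF:-my-task-def}"                   # consumer-side task definition
# The managed permission the page requires, in the AWS-managed RAM permission ARN form.
RAM_PERMISSION_ARN="arn:aws:ram::aws:permission/AWSRAMPermissionCloudMapECSFullPermission"

# Builds arn:aws:servicediscovery:region:account-id:namespace/namespace-id, the
# form the consumer has to pass to Service Connect.
build_namespace_arn() {
  printf 'arn:aws:servicediscovery:%s:%s:namespace/%s\n' "$1" "$2" "$3"
}

# Sanity check: Service Connect in the consumer needs the full ARN, not a bare
# namespace name, so reject anything that is not a namespace ARN with a
# 12-digit account ID and an ns- namespace ID.
is_namespace_arn() {
  case "$1" in
    arn:aws:servicediscovery:*:[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:namespace/ns-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1 (owner): create a private DNS namespace and print its ARN once the
# asynchronous Cloud Map operation has finished.
create_namespace() {
  op=$(aws servicediscovery create-private-dns-namespace --profile owner --region "$REGION" \
         --name "$NAMESPACE_NAME" --vpc "$VPC_ID" --query OperationId --output text)
  until [ "$(aws servicediscovery get-operation --profile owner --region "$REGION" \
              --operation-id "$op" --query Operation.Status --output text)" = SUCCESS ]; do
    sleep 5
  done
  ns_id=$(aws servicediscovery get-operation --profile owner --region "$REGION" \
            --operation-id "$op" --query Operation.Targets.NAMESPACE --output text)
  build_namespace_arn "$REGION" "$OWNER_ACCOUNT" "$ns_id"
}

# Step 2 (owner): share the namespace with exactly one consumer account using the
# required managed permission. --no-allow-external-principals keeps the share
# inside your AWS Organization; drop it only if the consumer is outside it.
share_namespace() {
  aws ram create-resource-share --profile owner --region "$REGION" \
      --name service-connect-namespace --resource-arns "$1" \
      --principals "$CONSUMER_ACCOUNT" --permission-arns "$RAM_PERMISSION_ARN" \
      --no-allow-external-principals
}

# Step 3 (consumer): accept the pending invitation from the owner. Shares within
# an Organization that has RAM sharing enabled are accepted automatically, in
# which case there is no invitation and this is a no-op.
accept_share() {
  inv=$(aws ram get-resource-share-invitations --profile consumer --region "$REGION" \
          --query "resourceShareInvitations[?status=='PENDING' && senderAccountId=='$OWNER_ACCOUNT'].resourceShareInvitationArn | [0]" \
          --output text)
  if [ "$inv" != "None" ] && [ -n "$inv" ]; then
    aws ram accept-resource-share-invitation --profile consumer --region "$REGION" \
        --resource-share-invitation-arn "$inv"
  fi
}

# Step 4 (consumer): create the Service Connect service, passing the shared
# namespace by ARN exactly as the page's CLI example does.
create_service() {
  is_namespace_arn "$1" || { echo "refusing non-ARN namespace: $1" >&2; return 1; }
  aws ecs create-service --profile consumer --region "$REGION" \
      --cluster "$CLUSTER" --service-name my-service --task-definition "$TASK_DEF" \
      --service-connect-configuration "{
        \"enabled\": true,
        \"namespace\": \"$1\",
        \"services\": [{\"portName\": \"web\", \"discoveryName\": \"my-service\",
                      \"clientAliases\": [{\"port\": 80, \"dnsName\": \"my-service\"}]}]
      }"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  ns_arn=$(create_namespace)
  share_namespace "$ns_arn"
  accept_share
  create_service "$ns_arn"
fi
```

Run it as `RUN_AWS=1 OWNER_ACCOUNT=... CONSUMER_ACCOUNT=... VPC_ID=... sh share-namespace.sh`. The principal list is deliberately a single account rather than an organizational unit: the managed permission lets every principal create and remove Service Connect services in the namespace, so the share should be no wider than the accounts that actually deploy into it.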