Consul on AWS Elastic Container Service (ECS) architecture
This topic provides reference information about the Consul's deployment architecture on AWS ECS. The following diagram shows the main components of the Consul architecture when deployed to an ECS cluster.
Consul starts several components and containers inside the ECS cluster. Refer to Startup sequence for details about the order of the startup procedure:
The control-plane container performs the following actions:
- Logs into Consul servers
- Communicates directly with Consul server
- Registers proxies and services
- Creates a bootstrap configuration file for Consul dataplane container and stores it in a shared volume
- Synchronizes ECS health checks
- Watches the Consul server for changes
The dataplane process runs in the same container as the Envoy proxy and performs the following actions:
- Consumes and configures itself according to the bootstrap configuration written by the control-plane container.
- Contains and starts up the Envoy sidecar.
One ECS task in the cluster contains the controller container, which performs the following actions:
- Creates AWS IAM auth methods
- Creates ACL policies and roles
- Maintains ACL state
- Removes tokens when services exit
- Deregisters services if the ECS task exits without deregistering them
- Registers a synthetic node that enables Consul to register services to the catalog
Deploying Consul to ECS starts the following process to build the architecture:
- The control-plane container starts and logs into Consul.
- The control-plane container registers services and proxies with the Consul servers.
- The control-plane container writes the bootstrap configuration for the Consul dataplane process and stores it in a shared volume.
- The dataplane container starts and configures itself using the bootstrap configuration generated by the control-plane container.
- The dataplane container starts the Envoy sidecar proxy.
- The control-plane container starts listening for ECS health checks.
- When the ECS task indicates that the application instance is healthy, the control-plane container marks the service as healthy and starts allowing traffic to flow.
Consul leverages AWS components to facilitate its own security features.
Consul on ECS uses the AWS IAM auth method so that ECS tasks can automatically obtain Consul ACL tokens during startup.
When ACLs are enabled, the Terraform modules for Consul on ECS support AWS IAM auth methods by default. The ECS controller sets up the auth method on the Consul servers. The
mesh-task module configures the ECS task definition to be compatible with the auth method.
A unique task IAM role is required for each ECS task family. A task family represents only one Consul service and the task IAM role must encode the Consul service name. As a result, task IAM roles must not be shared by different task families.
By default, the mesh-task module creates and configures the task IAM role for you.
To pass an existing IAM role to the mesh-task module using the
task_role input variable, configure the IAM role as described in ECS Task Role Configuration to be compatible with the AWS IAM auth method.
The ECS task role is an IAM role associated with an ECS task.
When an ECS task starts up, it runs a
consul login command. The command obtains credentials for the task role from AWS and then uses those credentials to sign the login request to the AWS IAM auth method. The credentials prove the ECS task's identity to the Consul servers.
You must configure the task role with the following details for it to be compatible with the AWS IAM auth method:
iam:GetRolepermission to fetch itself. Refer to IAM Policies for additional information.
consul.hashicorp.com.service-nametag on the task role which contains the Consul service name for the application in this task.
- When using Consul Enterprise, add a
consul.hashicorp.com.namespacetag on the task role indicating the Consul Enterprise namespace where this service is registered.