Okay, I've followed the docs on How to create a Task Definition using the AWS console. I also created a cluster before creating the Task Definition. The task (i.e. the container) is running using the provided image URI, which is on ECR. I can see logs nicely in CloudWatch as well as in ECS itself.
When I go to:

Amazon Elastic Container Service -> Clusters -> AwsTutorialECSCluster -> Tasks -> myTaskId -> Configuration

I can see the public IP. The application in question is a simple Spring Boot app with default settings.
```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@RequestMapping("aws")
public class AwsTutorialApplication {

    public static void main(String[] args) {
        SpringApplication.run(AwsTutorialApplication.class, args);
    }

    // Served on the embedded Tomcat default port 8080 at /aws/hello
    @GetMapping("/hello")
    public String helloAws() {
        return "Hello from AWS!";
    }
}
```
I cannot get a response when I try any of the following:
http://publicIp:8080/aws/hello
http://publicIp:80/aws/hello
http://publicIp/aws/hello
While creating the Task definition I also added the Role with the managed policy: AwsTutorialECS_FullAccess_Role

I will paste the JSON Task definition:
```json
{
  "taskDefinitionArn": "arn:aws:ecs:eu-central-1:myAccount:task-definition/NewTaskDefinition:1",
  "containerDefinitions": [
    {
      "name": "spring-boot-container",
      "image": "myAcc.dkr.ecr.eu-central-1.amazonaws.com/aws-tutorial:latest",
      "cpu": 0,
      "memory": 3072,
      "portMappings": [
        {
          "name": "spring-boot-container-8080-tcp",
          "containerPort": 8080,
          "hostPort": 8080,
          "protocol": "tcp",
          "appProtocol": "http"
        }
      ],
      "essential": true,
      "environment": [],
      "environmentFiles": [],
      "mountPoints": [],
      "volumesFrom": [],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-create-group": "true",
          "awslogs-group": "/ecs/NewTaskDefinition",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      }
    }
  ],
  "family": "NewTaskDefinition",
  "taskRoleArn": "arn:aws:iam::myAccount:role/AwsTutorialECS_FullAccess_Role",
  "executionRoleArn": "arn:aws:iam::myAccount:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc",
  "revision": 1,
  "volumes": [],
  "status": "ACTIVE",
  "requiresAttributes": [
    {
      "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
    },
    {
      "name": "ecs.capability.execution-role-awslogs"
    },
    {
      "name": "com.amazonaws.ecs.capability.ecr-auth"
    },
    {
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
    },
    {
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "name": "ecs.capability.execution-role-ecr-pull"
    },
    {
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "name": "ecs.capability.task-eni"
    },
    {
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
    }
  ],
  "placementConstraints": [],
  "compatibilities": [
    "EC2",
    "FARGATE"
  ],
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "cpu": "1024",
  "memory": "3072",
  "runtimePlatform": {
    "cpuArchitecture": "X86_64",
    "operatingSystemFamily": "LINUX"
  },
  "registeredAt": "2023-03-21T18:20:52.034Z",
  "registeredBy": "arn:aws:iam::accountiD:user/myUserName",
  "tags": []
}
```
The user has the AdministratorAccess IAM role.
Why is this so complicated?!?
Update 1:

Based on the comments about security groups, I deleted the Task Definition, unregistered it and stopped the Task, then recreated everything again. When I go to Deploy -> Run Task:

I still cannot hit an endpoint. Also, I disabled CORS with @CrossOrigin and:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class Config implements WebMvcConfigurer {

    // Allow every method from any origin on every path
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedMethods("*");
    }
}
```

You have HTTP port 80 open in the security group. You are selecting HTTP because you are using the HTTP protocol, but you aren't using the standard HTTP port (80), you are using port 8080 instead. So selecting HTTP, which is just a shortcut for port 80, is not going to work for you. You have to add a TCP rule to your security group with port 8080 to allow the traffic to your service.

Note that there is no reason to recreate everything just to get to that screen again. You can go into the EC2 section of the AWS console, find the security group there, and just add a new inbound rule for port 8080.
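A way to confirm the mismatch the answer describes before touching the console, as an added example that is not part of the question or the answer: the code below takes the `containerPort` entries from a task definition and checks them against a security group's inbound rules in the shape returned by `aws ec2 describe-security-groups`, then shows the group after the missing TCP 8080 rule is added. The task definition and security group are constructed samples modelled on the question (awsvpc mode, so the group is attached to the task's ENI and `hostPort` equals `containerPort`).

```python
import copy

# Constructed sample: the question's port mapping (awsvpc mode, so hostPort == containerPort).
TASK_DEFINITION = {
    "containerDefinitions": [
        {"name": "spring-boot-container",
         "portMappings": [{"containerPort": 8080, "hostPort": 8080, "protocol": "tcp"}]}
    ]
}

# Constructed sample shaped like describe-security-groups output: only the console's
# "HTTP" shortcut rule (TCP 80) is present, as in the question.
SG_HTTP_ONLY = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}

def required_ports(task_definition):
    """(protocol, port) pairs the task exposes, taken from every portMappings entry."""
    pairs = set()
    for container in task_definition["containerDefinitions"]:
        for mapping in container.get("portMappings", []):
            pairs.add((mapping.get("protocol", "tcp"), mapping["containerPort"]))
    return pairs

def rule_allows(rule, protocol, port):
    """True if one IpPermissions entry covers protocol/port ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def missing_ingress(task_definition, sg):
    """Sorted (protocol, port) pairs that no inbound rule of `sg` allows."""
    return sorted(pair for pair in required_ports(task_definition)
                  if not any(rule_allows(rule, *pair) for rule in sg["IpPermissions"]))

def with_ingress_rule(sg, protocol, port, cidr):
    """Copy of `sg` with one extra single-port inbound rule (what 'Add inbound rule' does)."""
    fixed = copy.deepcopy(sg)
    fixed["IpPermissions"].append({"IpProtocol": protocol, "FromPort": port, "ToPort": port,
                                   "IpRanges": [{"CidrIp": cidr}]})
    return fixed

if __name__ == "__main__":
    print(missing_ingress(TASK_DEFINITION, SG_HTTP_ONLY))  # [('tcp', 8080)]
    print(missing_ingress(TASK_DEFINITION, with_ingress_rule(SG_HTTP_ONLY, "tcp", 8080, "0.0.0.0/0")))  # []
```

The same check works on real output by loading the `SecurityGroups[0]` object from `aws ec2 describe-security-groups --group-ids <id>` and the `taskDefinition` object from `aws ecs describe-task-definition`; narrow the CIDR on the added rule to the clients that actually need access where you can.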