I am doing a CDK deployment of a DNS server using a pair of FargateServices behind a NetworkLoadBalancer. Since Fargate cannot expose TCP and UDP ports at the same time, this requires two separate services, one for tcp/53 and one for udp/53.
Defining and deploying the TCP service works fine:
// Imports added for completeness (CDK v2 module paths assumed); assets, cluster,
// repository, NetworkEnvironment and SubnetType are defined elsewhere in the stack.
import { Compatibility, ContainerImage, FargateService, LogDrivers, Protocol as ecsProtocol, TaskDefinition } from 'aws-cdk-lib/aws-ecs';
import { ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Peer, Port, SecurityGroup } from 'aws-cdk-lib/aws-ec2';

const taskDefTCP = new TaskDefinition(this, 'TaskDefTCP', {
    compatibility: Compatibility.FARGATE,
    cpu: '256',
    memoryMiB: '512',
});
// Permissions needed by ECS Exec (enableExecuteCommand below).
taskDefTCP.addToTaskRolePolicy(new PolicyStatement({
    actions: [
        'ssmmessages:CreateControlChannel',
        'ssmmessages:CreateDataChannel',
        'ssmmessages:OpenControlChannel',
        'ssmmessages:OpenDataChannel'
    ],
    resources: ['*'],
}));
taskDefTCP.taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));
const containerTCP = taskDefTCP.addContainer('ContainerTCP', {
    image: ContainerImage.fromEcrRepository(repository),
    // The only port mapping on this container is tcp/53.
    portMappings: [{
        containerPort: 53,
        hostPort: 53,
        protocol: ecsProtocol.TCP,
    }],
    environment: {
        "AWS_ENVIRONMENT": 'DEV',
    },
    logging: LogDrivers.awsLogs({
        logGroup: assets.dnsLogGroup,
        streamPrefix: 'dns',
    })
});
// One security group shared by both services; it admits both tcp/53 and udp/53.
this.serviceSecurityGroup = new SecurityGroup(this, 'ServiceSecurityGroup', {
    vpc: assets.vpc,
    allowAllOutbound: true, // TODO: Lock this down.
});
this.serviceSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(53), "TCP Queries");
this.serviceSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.udp(53), "UDP Queries");
this.dnsServiceTCP = new FargateService(this, 'ServiceTCP', {
    cluster: cluster,
    enableExecuteCommand: true,
    assignPublicIp: false,
    taskDefinition: taskDefTCP,
    securityGroups: [this.serviceSecurityGroup],
    vpcSubnets: {
        subnets: assets.mycorpNetworkResources.getSubnets(NetworkEnvironment.DEV, SubnetType.DNS),
    }
});
const autoScaleTCP = this.dnsServiceTCP.autoScaleTaskCount({maxCapacity: 2, minCapacity: 1});
If I add a copy/paste of the same code from above, only changing TCP to UDP, I get an error:

Container 'AuthDNSApplicationStack/TaskDefUDP/ContainerUDP' has no mapping for port undefined and protocol tcp. Did you call "container.addPortMappings()"?

Of course it has no mapping for TCP. It's a UDP container! The code below produces the above error once it is added:
const taskDefUDP = new TaskDefinition(this, 'TaskDefUDP', {
    compatibility: Compatibility.FARGATE,
    cpu: '256',
    memoryMiB: '512',
});
taskDefUDP.addToTaskRolePolicy(new PolicyStatement({
    actions: [
        'ssmmessages:CreateControlChannel',
        'ssmmessages:CreateDataChannel',
        'ssmmessages:OpenControlChannel',
        'ssmmessages:OpenDataChannel'
    ],
    resources: ['*'],
}));
taskDefUDP.taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));
const containerUDP = taskDefUDP.addContainer('ContainerUDP', {
    image: ContainerImage.fromEcrRepository(repository),
    portMappings: [{
        containerPort: 53,
        hostPort: 53,
        protocol: ecsProtocol.UDP,
    }],
    environment: {
        "AWS_ENVIRONMENT": 'DEV',
    },
    logging: LogDrivers.awsLogs({
        logGroup: assets.dnsLogGroup,
        streamPrefix: 'dns',
    })
});
this.dnsServiceUDP = new FargateService(this, 'ServiceUDP', {
    cluster: cluster,
    enableExecuteCommand: true,
    assignPublicIp: true,
    taskDefinition: taskDefUDP,
    securityGroups: [this.serviceSecurityGroup],
    vpcSubnets: {
        subnets: assets.mycorpNetworkResources.getSubnets(NetworkEnvironment.DEV, SubnetType.DNS),
    }
});
const autoScaleUDP = this.dnsServiceUDP.autoScaleTaskCount({maxCapacity: 2, minCapacity: 1});
Does anyone know where I am going wrong?
When adding the dnsServiceUDP service to the NLB with addTarget, explicitly pass protocol: elbv2.Protocol.UDP in AddNetworkTargetsProps.
If it is not explicitly provided, the target protocol defaults to TCP.
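To make the cause of the error concrete, here is an added, self-contained TypeScript model of how the load-balancer target gets matched against the container's port mappings, reconstructed from the error message in the question. It is not CDK's source code: the names findPortMapping, resolveTarget, Container and TargetOptions are assumptions, and the only CDK fact it relies on is the one stated in the answer, that an omitted protocol defaults to TCP. Running it reproduces the "port undefined and protocol tcp" error for the UDP-only container and shows that passing the protocol explicitly resolves the mapping.

```typescript
// Added example, not CDK's implementation: a simplified model of target-to-port-mapping
// resolution. Names below are assumptions; the real fix is the `protocol` property of
// AddNetworkTargetsProps on the NLB listener's addTargets call.
type Protocol = 'tcp' | 'udp';

interface PortMapping {
  containerPort: number;
  protocol: Protocol;
}

interface Container {
  name: string;
  portMappings: PortMapping[];
}

// The two properties a target definition may leave unset.
interface TargetOptions {
  containerPort?: number;
  protocol?: Protocol;
}

// A mapping only matches when BOTH the port and the protocol agree.
function findPortMapping(container: Container, port: number, protocol: Protocol): PortMapping | undefined {
  return container.portMappings.find(pm => pm.containerPort === port && pm.protocol === protocol);
}

// Mirrors the defaulting that produces the question's error: an omitted protocol
// becomes TCP, and an omitted port falls back to the container's first mapping.
function resolveTarget(container: Container, options: TargetOptions = {}): PortMapping {
  if (container.portMappings.length === 0) {
    throw new Error(`Container '${container.name}' has no port mappings. Did you call "container.addPortMappings()"?`);
  }
  const protocol: Protocol = options.protocol ?? 'tcp';
  const port = options.containerPort ?? container.portMappings[0].containerPort;
  const mapping = findPortMapping(container, port, protocol);
  if (mapping === undefined) {
    // The message reports options.containerPort (undefined when not given), which is
    // why the question's error reads "port undefined".
    throw new Error(`Container '${container.name}' has no mapping for port ${options.containerPort} and protocol ${protocol}. Did you call "container.addPortMappings()"?`);
  }
  return mapping;
}

// Constructed sample input: the UDP-only container from the question.
const containerUDP: Container = {
  name: 'AuthDNSApplicationStack/TaskDefUDP/ContainerUDP',
  portMappings: [{ containerPort: 53, protocol: 'udp' }],
};

// Returns the error message produced when the protocol is left to its TCP default,
// or undefined if resolution succeeds.
function errorWithoutProtocol(container: Container): string | undefined {
  try {
    resolveTarget(container);
    return undefined;
  } catch (e) {
    return (e as Error).message;
  }
}

// Stand-alone demonstration: first the failure, then the fix.
console.log(errorWithoutProtocol(containerUDP));
console.log(resolveTarget(containerUDP, { protocol: 'udp' }));
```

In the stack itself the equivalent of the second call is to give both the listener and the targets the UDP protocol, for example `nlb.addListener('UDP', { port: 53, protocol: elbv2.Protocol.UDP })` followed by `listener.addTargets('UDPTargets', { port: 53, protocol: elbv2.Protocol.UDP, targets: [this.dnsServiceUDP] })`; the TCP service keeps its own listener and can rely on the TCP default.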