From 8172c237287963a2df5a589f0c1db947692966a5 Mon Sep 17 00:00:00 2001 From: Nicolas De Loof Date: Wed, 16 Sep 2020 11:15:26 +0200 Subject: [PATCH 1/2] Configure existing security-groups by `external.name` Signed-off-by: Nicolas De Loof --- engine/context/ecs-integration.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/engine/context/ecs-integration.md b/engine/context/ecs-integration.md index e6ae56c16272..ed201cf21066 100644 --- a/engine/context/ecs-integration.md +++ b/engine/context/ecs-integration.md @@ -252,6 +252,9 @@ services: The Docker ECS integration relies on [Amazon CloudFormation](https://docs.aws.amazon.com/cloudformation/){: target="_blank" class="_"} to manage the application deployment. To get more control on the created resources, you can use `docker compose convert` to generate a CloudFormation stack file from your Compose file. This allows you to inspect resources it defines, or customize the template for your needs, and then apply the template to AWS using the AWS CLI, or the AWS web console. + +## Using existing AWS network resources + By default, the Docker ECS integration creates an ECS cluster for your Compose application, a Security Group per network in your Compose file on your AWS account’s default VPC, and a LoadBalancer to route traffic to your services. If your AWS account does not have [permissions](https://github.com/docker/ecs-plugin/blob/master/docs/requirements.md#permissions){: target="_blank" class="_"} to create such resources, or you want to manage these yourself, you can use the following custom Compose extensions: - Use `x-aws-cluster` as a top-level element in your Compose file to set the ARN 
@@ -264,9 +267,15 @@ of a VPC when deploying a Compose application. - Use `x-aws-loadbalancer` as a top-level element in your Compose file to set the ARN of an existing LoadBalancer. -- Use `x-aws-securitygroup` inside a network definition in your Compose file to -set the ARN of an existing SecurityGroup used to implement network connectivity -between services. +- Use `external: true` inside a network definition in your Compose file for Docker ECS integration _not_ to create a Security Group, and + set `name` with ID of existing SecurityGroup you want ot use for network connectivity between services: + +```yaml +networks: + back_tier: + external: true + name: "sg-1234acbd" +``` ## Local simulation From a77b8558d8675e15a2a5327469edd9f7d158c7fd Mon Sep 17 00:00:00 2001 From: Usha Mandya <47779042+usha-mandya@users.noreply.github.com> Date: Wed, 16 Sep 2020 14:53:16 +0100 Subject: [PATCH 2/2] Minor style updates --- engine/context/ecs-integration.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/engine/context/ecs-integration.md b/engine/context/ecs-integration.md index ed201cf21066..fedbe7016014 100644 --- a/engine/context/ecs-integration.md +++ b/engine/context/ecs-integration.md 
@@ -252,10 +252,9 @@ services: The Docker ECS integration relies on [Amazon CloudFormation](https://docs.aws.amazon.com/cloudformation/){: target="_blank" class="_"} to manage the application deployment. To get more control on the created resources, you can use `docker compose convert` to generate a CloudFormation stack file from your Compose file. This allows you to inspect resources it defines, or customize the template for your needs, and then apply the template to AWS using the AWS CLI, or the AWS web console. - ## Using existing AWS network resources -By default, the Docker ECS integration creates an ECS cluster for your Compose application, a Security Group per network in your Compose file on your AWS account’s default VPC, and a LoadBalancer to route traffic to your services. If your AWS account does not have [permissions](https://github.com/docker/ecs-plugin/blob/master/docs/requirements.md#permissions){: target="_blank" class="_"} to create such resources, or you want to manage these yourself, you can use the following custom Compose extensions: +By default, the Docker ECS integration creates an ECS cluster for your Compose application, a Security Group per network in your Compose file on your AWS account’s default VPC, and a LoadBalancer to route traffic to your services. If your AWS account does not have [permissions](https://github.com/docker/ecs-plugin/blob/master/docs/requirements.md#permissions){: target="_blank" class="_"} to create such resources, or if you want to manage these yourself, you can use the following custom Compose extensions: - Use `x-aws-cluster` as a top-level element in your Compose file to set the ARN of an ECS cluster when deploying a Compose application. Otherwise, a 
@@ -267,8 +266,10 @@ of a VPC when deploying a Compose application. - Use `x-aws-loadbalancer` as a top-level element in your Compose file to set the ARN of an existing LoadBalancer. -- Use `external: true` inside a network definition in your Compose file for Docker ECS integration _not_ to create a Security Group, and - set `name` with ID of existing SecurityGroup you want ot use for network connectivity between services: +- Use `external: true` inside a network definition in your Compose file for +Docker ECS integration to _not_ create a Security Group, and set `name` with the +ID of an existing SecurityGroup you want to use for network connectivity between +services: ```yaml networks: @@ -277,7 +278,6 @@ networks: name: "sg-1234acbd" ``` - ## Local simulation When you deploy your application on ECS, you may also rely on the additional AWS services.
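Review bot: the heading added in the first hunk of patch 1/2, `## Using existing AWS network resources`, is narrower than the list it introduces, because the first item under it is `x-aws-cluster`, which sets the ARN of an ECS cluster and not a network resource. Suggest a heading that covers every item in the list, for example "Using existing AWS resources", or moving the cluster item above the new heading.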
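Review bot: the replacement bullet in the second hunk of patch 1/2 removes `x-aws-securitygroup` without a migration note and changes the expected value from "the ARN of an existing SecurityGroup" to an ID, without calling out either change. Suggest adding a sentence that says what happens to Compose files that still carry `x-aws-securitygroup`, and stating explicitly that `name` takes a Security Group ID in the form shown (`name: "sg-1234acbd"`) and not an ARN. Because the bullet also says the integration will not create a Security Group for an `external: true` network, the text should say which rules the existing group must already contain to provide the "network connectivity between services" it mentions, and whether the integration modifies that group at all; without this, readers cannot tell if they are attaching a group that is too open or one that blocks service-to-service traffic. The "ot use" typo on the second `+` line is corrected by patch 2/2.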
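Review bot: the intro sentence reworded in the first hunk of patch 2/2 still ends with "you can use the following custom Compose extensions:", which no longer matches the list after patch 1/2. The Security Group item now uses `external: true` and `name`, which do not carry the `x-aws-` prefix that the other items (`x-aws-cluster`, `x-aws-loadbalancer`) use. Since this line is already being touched, suggest wording such as "you can use the following Compose settings" so the sentence covers both kinds of key.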
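Review bot: the rewrapped bullet in the second hunk of patch 2/2 uses both "Security Group" and "SecurityGroup" in the same sentence, which is a style inconsistency this "style updates" commit could settle. Suggest using one spelling throughout the section (the intro paragraph uses "Security Group"), and "set `name` to the ID of an existing Security Group" in place of "set `name` with the ID". It would also help to mark `sg-1234acbd` in the YAML sample as a placeholder value so it is not copied as-is.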