AWS Elastic Container Service (ECS) setup

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.

You can deploy the Next-Gen WAF as a sidecar into AWS Elastic Container Service (ECS). This deployment option is compatible with both Fargate and EC2 launch types.

Prerequisites

Copy the agent keys for your site (also known as workspace). You will use these keys when setting up the Next-Gen WAF as a sidecar for AWS ECS.

Setting up AWS ECS

To set up the Next-Gen WAF as a sidecar for AWS ECS, consult Amazon's ECS tutorial and sidecar documentation. Be sure to:

  • set the storage volume type for the task definition to Bind Mount.
  • add a dedicated container for the Next-Gen WAF agent, being sure to set:
    • the Name field to sigsci-agent.
    • the Image URI* field to signalsciences/sigsci-agent:<agent-version>. You will need to replace <agent-version> with a specific agent version (the example JSON below still uses the latest tag; change it). If you set the tag to latest, AWS may pull a new Next-Gen WAF agent at inconvenient times, and you lose a reproducible record of which agent version each task ran. Pinning a version (or an image digest) avoids both problems.
  • set resource limits (ulimits) for the Next-Gen WAF agent container. The nofile soft and hard limits should be 65335. Setting these limits too low (the default is 1024) causes more problems, such as the agent running out of file descriptors under load, than setting them too high.
  • create an environment variable for the Agent Secret Key, being sure to set:
    • the Key field to SIGSCI_SECRETACCESSKEY.
    • the Value field to the secretaccesskey value that you copied while completing the installation prerequisites. Treat this value as a credential: a plaintext environment value is visible to anyone who can read the task definition (for example with ecs:DescribeTaskDefinition) and in task-definition revisions, so for production tasks prefer supplying it through the container's secrets field (a valueFrom reference to AWS Secrets Manager or SSM Parameter Store) instead of a plaintext environment entry.
  • create an environment variable for the Agent Access Key, being sure to set:
    • the Key field to SIGSCI_ACCESSKEYID.
    • the Value field to the accesskeyid value that you copied while completing the installation prerequisites.
  • set the mount point path for the Next-Gen WAF agent container to /var/run. This is the default path for the Next-Gen WAF agent, but you can configure an alternative path. The web server container must mount the same volume at the path it uses to reach the agent's Unix socket (in the example JSON, the apache container's sigsci_rpc variable points at /var/run/sigsci.sock on the shared run volume); if you choose another path, change it in both containers.

Example JSON configuration

NOTE

You will need to replace all instances of REPLACEME in this example JSON (the AWS account ID in the role ARNs and the two agent key values). Adjust the example for your launch type before using it: it declares requiresCompatibilities FARGATE together with networkMode host, but Fargate tasks support only the awsvpc network mode, so use awsvpc for Fargate (keeping hostPort equal to containerPort) or host/bridge for the EC2 launch type. Also replace the latest image tag with a pinned agent version, and consider moving the agent key values from environment to the container's secrets field so they are not stored in plaintext in the task definition.

{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::REPLACEME:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/sigsci-example",
"awslogs-region": "us-west-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 8080,
"protocol": "tcp",
"containerPort": 8080
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "apache_port",
"value": "8080"
},
{
"name": "sigsci_rpc",
"value": "/var/run/sigsci.sock"
}
],
"dnsServers": null,
"mountPoints": [
{
"readOnly": null,
"containerPath": "/var/run",
"sourceVolume": "run"
}
],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "signalsciences/sigsci-agent:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "apache"
},
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/sigsci-example",
"awslogs-region": "us-west-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "SIGSCI_ACCESSKEYID",
"value": "REPLACEME"
},
{
"name": "SIGSCI_SECRETACCESSKEY",
"value": "REPLACEME"
}
],
"ulimits": [
{
"name": "nofile",
"softLimit": 65335,
"hardLimit": 65335
}
],
"dnsServers": null,
"mountPoints": [
{
"readOnly": null,
"containerPath": "/var/run",
"sourceVolume": "run"
}
],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "signalsciences/sigsci-agent:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "agent"
}
],
"memory": "4096",
"taskRoleArn": "arn:aws:iam::REPLACEME:role/EcsServiceRole2",
"family": "sigsci-example",
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "host",
"cpu": "2048",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": [
{
"efsVolumeConfiguration": null,
"name": "run",
"host": {
"sourcePath": null
},
"dockerVolumeConfiguration": null
}
],
"tags": []
}