AWS Elastic Container Service (ECS) setup

You can deploy the Next-Gen WAF as a sidecar into AWS Elastic Container Service (ECS). This deployment option is compatible with both Fargate and EC2 launch types.

Prerequisites

Copy the agent keys for your site. You will use these keys when setting up the Next-Gen WAF as a sidecar for AWS ECS.

Setting up AWS ECS

To set up the Next-Gen WAF as a sidecar for AWS ECS, consult Amazon's ECS tutorial and sidecar documentation. Be sure to:

  • set the storage volume type for the task definition to Bind Mount.
  • add a dedicated container for the monitoring agent, being sure to set:
    • the Name field to sigsci-agent.
    • the Image URI field to signalsciences/sigsci-agent:<agent-version>. You will need to replace <agent-version> with a specific agent version. If you set the tag to latest, AWS may upgrade the monitoring agent at inconvenient times.
  • set resource limits (ulimits) for the monitoring agent container. The nofile soft and hard limits should be 65335. Setting these limits too low (the default is 1024) will cause more harm than if you set them too high.
  • create an environment variable for the Agent Secret Key, being sure to set:
    • the Key field to SIGSCI_SECRETACCESSKEY.
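    • the Value field to the secretaccesskey value that you copied while completing the installation prerequisites. A value set this way is stored in plaintext in the task definition and is visible to anyone who can read it; the container definition's secrets field, with valueFrom referencing AWS Secrets Manager or Systems Manager Parameter Store, injects the same variable without embedding the key.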
  • create an environment variable for the Agent Access Key, being sure to set:
    • the Key field to SIGSCI_ACCESSKEYID.
    • the Value field to the accesskeyid value that you copied while completing the installation prerequisites.
  • set the mount point path for the monitoring agent container to /var/run. This is the default path for the monitoring agent, but you can configure an alternative path.

Example JSON configuration

NOTE

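You will need to replace all instances of REPLACEME in this example JSON. The number at the start of each line is the listing's line number, not part of the JSON. The image fields in the example use the latest tag; replace it with a specific agent version, as recommended above. The example also combines the FARGATE compatibility with networkMode host; Fargate tasks require the awsvpc network mode, so adjust one of the two for your launch type.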

1{
2 "ipcMode": null,
3 "executionRoleArn": "arn:aws:iam::REPLACEME:role/ecsTaskExecutionRole",
4 "containerDefinitions": [
5 {
6 "dnsSearchDomains": null,
7 "logConfiguration": {
8 "logDriver": "awslogs",
9 "secretOptions": null,
10 "options": {
11 "awslogs-group": "/ecs/sigsci-example",
12 "awslogs-region": "us-west-1",
13 "awslogs-stream-prefix": "ecs"
14 }
15 },
16 "entryPoint": null,
17 "portMappings": [
18 {
19 "hostPort": 8080,
20 "protocol": "tcp",
21 "containerPort": 8080
22 }
23 ],
24 "command": null,
25 "linuxParameters": null,
26 "cpu": 0,
27 "environment": [
28 {
29 "name": "apache_port",
30 "value": "8080"
31 },
32 {
33 "name": "sigsci_rpc",
34 "value": "/var/run/sigsci.sock"
35 }
36 ],
37 "dnsServers": null,
38 "mountPoints": [
39 {
40 "readOnly": null,
41 "containerPath": "/var/run",
42 "sourceVolume": "run"
43 }
44 ],
45 "workingDirectory": null,
46 "secrets": null,
47 "dockerSecurityOptions": null,
48 "memory": null,
49 "memoryReservation": null,
50 "volumesFrom": [],
51 "stopTimeout": null,
52 "image": "signalsciences/sigsci-agent:latest",
53 "startTimeout": null,
54 "firelensConfiguration": null,
55 "dependsOn": null,
56 "disableNetworking": null,
57 "interactive": null,
58 "healthCheck": null,
59 "essential": true,
60 "links": null,
61 "hostname": null,
62 "extraHosts": null,
63 "pseudoTerminal": null,
64 "user": null,
65 "readonlyRootFilesystem": null,
66 "dockerLabels": null,
67 "systemControls": null,
68 "privileged": null,
69 "name": "apache"
70 },
71 {
72 "dnsSearchDomains": null,
73 "logConfiguration": {
74 "logDriver": "awslogs",
75 "secretOptions": null,
76 "options": {
77 "awslogs-group": "/ecs/sigsci-example",
78 "awslogs-region": "us-west-1",
79 "awslogs-stream-prefix": "ecs"
80 }
81 },
82 "entryPoint": null,
83 "portMappings": [],
84 "command": null,
85 "linuxParameters": null,
86 "cpu": 0,
87 "environment": [
88 {
89 "name": "SIGSCI_ACCESSKEYID",
90 "value": "REPLACEME"
91 },
92 {
93 "name": "SIGSCI_SECRETACCESSKEY",
94 "value": "REPLACEME"
95 }
96 ],
97 "ulimits": [
98 {
99 "name": "nofile",
100 "softLimit": 65335,
101 "hardLimit": 65335
102 }
103 ],
104 "dnsServers": null,
105 "mountPoints": [
106 {
107 "readOnly": null,
108 "containerPath": "/var/run",
109 "sourceVolume": "run"
110 }
111 ],
112 "workingDirectory": null,
113 "secrets": null,
114 "dockerSecurityOptions": null,
115 "memory": null,
116 "memoryReservation": null,
117 "volumesFrom": [],
118 "stopTimeout": null,
119 "image": "signalsciences/sigsci-agent:latest",
120 "startTimeout": null,
121 "firelensConfiguration": null,
122 "dependsOn": null,
123 "disableNetworking": null,
124 "interactive": null,
125 "healthCheck": null,
126 "essential": true,
127 "links": null,
128 "hostname": null,
129 "extraHosts": null,
130 "pseudoTerminal": null,
131 "user": null,
132 "readonlyRootFilesystem": null,
133 "dockerLabels": null,
134 "systemControls": null,
135 "privileged": null,
136 "name": "agent"
137 }
138 ],
139 "memory": "4096",
140 "taskRoleArn": "arn:aws:iam::REPLACEME:role/EcsServiceRole2",
141 "family": "sigsci-example",
142 "pidMode": null,
143 "requiresCompatibilities": [
144 "FARGATE"
145 ],
146 "networkMode": "host",
147 "cpu": "2048",
148 "inferenceAccelerators": null,
149 "proxyConfiguration": null,
150 "volumes": [
151 {
152 "efsVolumeConfiguration": null,
153 "name": "run",
154 "host": {
155 "sourcePath": null
156 },
157 "dockerVolumeConfiguration": null
158 }
159 ],
160 "tags": []
161}