ECS Service Connect: A Practical Guide to Connecting Microservices
As microservices architectures grow, managing service-to-service communication becomes more challenging. Teams often rely on internal load balancers, manual DNS configuration, or external service discovery tools, which increases operational complexity.
Amazon ECS Service Connect simplifies this process by providing built-in service discovery and secure connectivity between ECS services. It removes the need for custom DNS setups and third-party service mesh solutions.
This blog documents my hands-on experience setting up ECS Service Connect using Amazon ECS Fargate. The goal is to demonstrate how multiple microservices can communicate securely and reliably with minimal configuration.
Video Walkthrough: ECS Service Connect in Action
If you prefer a visual guide, here's a practical walkthrough of Service Connect.
This clip starts at 19:35. Watch the full video on YouTube, or jump to 19:35.
Overview of Amazon ECS and Service Connect
Amazon Elastic Container Service (ECS) is a fully managed container orchestration platform that allows you to run and scale containerized applications without managing servers.
Before Service Connect, inter-service communication in ECS typically required:
- Application Load Balancers or Network Load Balancers
- AWS Cloud Map for service discovery
- Manual DNS and networking configuration
While these approaches work, they introduce additional components that are often unnecessary for internal service communication.
ECS Service Connect integrates service discovery directly into ECS. It provides consistent DNS names, managed connectivity, and built-in observability, all configured at the service level.
Prerequisites
Before starting, ensure you have the following:
- An AWS account with permissions to manage ECS, ECR, IAM, and VPC resources
- AWS CLI and Docker installed on your local machine
- An Amazon ECR repository
- A VPC with public and private subnets
- Basic familiarity with ECS and container concepts
Step 1: Create and Push an Nginx Image to Amazon ECR
To demonstrate service communication, we will use a simple Nginx container.
# Authenticate Docker with ECR
aws ecr get-login-password --region us-east-1 \
| docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com
# Create an ECR repository
aws ecr create-repository --repository-name nginx-service
# Pull the Nginx image
docker pull nginx
# Tag the image for ECR
docker tag nginx:latest <AWS_ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/nginx-service:latest
# Push the image to ECR
docker push <AWS_ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/nginx-service:latest
Step 2: Create an ECS Cluster
- Open the Amazon ECS Console.
- Click Create Cluster.
- Select Networking only (Fargate).
- Provide a cluster name, for example:
nginx-cluster. - Review the configuration and create the cluster.
Step 3: Create Required IAM Roles
ECS Task Execution Role
This role allows ECS to pull images from ECR and send logs to CloudWatch.
Steps:
- Trusted entity: Elastic Container Service
- Attach the policy
AmazonECSTaskExecutionRolePolicy - Name the role
ecsTaskExecutionRole
ECS Task Role
This role allows containers to interact with AWS services at runtime. To enable ECS Exec, create a policy with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSExec",
"Effect": "Allow",
"Action": [
"ssmmessages:OpenDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:CreateControlChannel"
],
"Resource": "*"
}
]
}
Attach this policy to a role named ecsTaskRole.
Step 4: Create an ECS Task Definition
- Go to Task Definitions in the ECS Console
- Click Create new task definition
- Choose Fargate as the launch type
- Use
awsvpcas the network mode - Assign the task role
ecsTaskRole - Assign the execution role
ecsTaskExecutionRole
Add a container with the following configuration:
- Container name:
nginx - Image: ECR image URI
- Port mapping: container port 80
Enable CloudWatch logging if permissions are configured.
Step 5: Create ECS Services and Enable Service Connect
Create the First Service: nginx-a
- Cluster:
nginx-cluster - Launch type: Fargate
- Task definition: nginx
- Service name:
nginx-a
Select your VPC and subnets.
Enable Service Connect and set the discovery name to nginx-a.
Create the service.
Create the Second Service: nginx-b
Repeat the same steps and configure:
- Service name:
nginx-b - Discovery name:
nginx-b
Each service must have a unique discovery name within the same namespace.
Step 6: Enable ECS Exec
ECS Exec must be enabled using the AWS CLI.
aws ecs update-service \
--cluster nginx-cluster \
--service nginx-a \
--task-definition nginx-task \
--force-new-deployment \
--enable-execute-command
Run the same command for the nginx-b service.
Confirm ECS Exec is enabled from the ECS Console.
Step 7: Test Service-to-Service Communication
Exec into a Running Container
aws ecs execute-command \
--cluster nginx-cluster \
--task <task-id> \
--container nginx \
--interactive \
--command "/bin/bash"
Test Communication Using Service Connect DNS
From inside the nginx-a container, run:
curl nginx-b.nginx-ns:80
If the configuration is correct, you will receive the default Nginx HTML response from the nginx-b service.
Repeat the test from nginx-b to nginx-a to confirm two-way communication.
Use Cases for ECS Service Connect
- Simplified internal service communication
- Secure traffic flow between authorized services
- Reduced dependency on internal load balancers
- Built-in observability with ECS metrics and logs
Conclusion
ECS Service Connect makes service-to-service communication in ECS simpler and more manageable. By integrating service discovery and secure connectivity directly into ECS, it removes much of the complexity traditionally associated with microservices networking.
For teams running containerized workloads on AWS, ECS Service Connect provides a practical and efficient way to build scalable microservices architectures.