
Configuration

Proxy Configuration

All cluster components (operator, cluster manager, sensor and scanner) respect the HTTP_PROXY family of environment variables.
Depending on the installation method (Terraform or CloudFormation), you set the proxy URL as follows.

Set the proxy_configuration variable so that the proxy settings are applied to every component:

  1. Enable the proxy with enabled = true.
  2. Set httpProxy to the URL of the proxy.

If httpsProxy is omitted, it is set to the same value as httpProxy.

proxy_configuration = {
  enabled   = true
  httpProxy = "http://proxy.service:1234"
}

Multi-Cluster Mode

When you run multiple ECS clusters in the same VPC, you can reduce the per-cluster footprint by deploying a single Cluster Manager in the VPC and pointing the sensors and scanners in the other clusters at it. The Cluster Manager is the only Upwind component that needs to be unique per VPC; the sensor and scanner are deployed in every cluster that you want to monitor.

Info: Multi-cluster mode is only supported via the Terraform module. All clusters that share a Cluster Manager must belong to the same VPC. Each cluster you want to monitor still needs its own sensor daemon service and scanner service.

Deploy the shared Cluster Manager

Choose one cluster in the VPC to host the Cluster Manager and install the Upwind components into it as described in the Installation guide. This cluster is sometimes referred to as the "utility" cluster.

Once installed, capture the fully qualified domain name of the Cluster Manager. The Terraform module exposes it as the cluster_manager_discovery_endpoint output:

output "cluster_manager_discovery_endpoint" {
  value = module.upwind_aws_ecs_sensor.cluster_manager_discovery_endpoint
}

The value follows the pattern upwind-cluster-manager.upwind-<cluster-name>.private.

Connect additional clusters to the shared Cluster Manager

For every other cluster in the VPC that you want to monitor:

  1. Deploy the upwind-sensor daemon service and the upwind-scanner service into the cluster. In ECS, task definitions are independent of services, so you can reuse the task definitions created by the Terraform module in the utility cluster and reference them from services in the other clusters.

  2. Point the sensor and scanner at the shared Cluster Manager by setting UPWIND_CLUSTER_AGENT_DOMAIN on each. The module exposes two map(string) variables for injecting arbitrary extra environment variables into the sensor and scanner containers:

    variable "sensor_extra_env" {
      description = "Extra environment variables to add to the Upwind Sensor, as a key-value map."
      type        = map(string)
      default     = {}
    }

    variable "scanner_extra_env" {
      description = "Extra environment variables to add to the Upwind Scanner, as a key-value map."
      type        = map(string)
      default     = {}
    }

    Set them on the module call, including port 8084 (the port the tracers use to reach the Cluster Manager):

    sensor_extra_env = {
      UPWIND_CLUSTER_AGENT_DOMAIN = "upwind-cluster-manager.upwind-<utility-cluster>.private:8084"
    }

    scanner_extra_env = {
      UPWIND_CLUSTER_AGENT_DOMAIN = "upwind-cluster-manager.upwind-<utility-cluster>.private:8084"
    }

    This overrides the default service-discovery lookup, which would otherwise resolve to a Cluster Manager that does not exist in the local cluster.

  3. Ensure that the security group attached to the EC2 instances in the additional clusters is allowed to reach the Cluster Manager's security group on ports 8082 and 8444.
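The three steps above, composed into a single Terraform configuration as an added example (not Upwind's own code): a module call for the utility cluster, a second call for an additional cluster that derives UPWIND_CLUSTER_AGENT_DOMAIN from the first call's cluster_manager_discovery_endpoint output, and the security-group rules for ports 8082 and 8444. The module source, the two security-group variables and the local proxy block are assumptions; cluster-specific module inputs are omitted.

```hcl
# Added example, not part of the Upwind module. Module source and the two
# security-group variables are placeholders; other required inputs are omitted.

locals {
  proxy = {
    enabled    = true
    httpProxy  = "http://proxy.service:1234"
    httpsProxy = "http://proxy.service:1234" # optional; defaults to httpProxy when omitted
  }
}

# Utility cluster: hosts the single Cluster Manager for the VPC.
module "upwind_utility" {
  source              = "<upwind-aws-ecs-sensor module source>" # placeholder
  proxy_configuration = local.proxy
  # ... cluster-specific inputs omitted
}

# Additional cluster in the same VPC: sensor and scanner point at the shared
# Cluster Manager. The ":8084" suffix is the port the tracers use to reach it.
module "upwind_cluster_b" {
  source              = "<upwind-aws-ecs-sensor module source>" # placeholder
  proxy_configuration = local.proxy
  sensor_extra_env = {
    UPWIND_CLUSTER_AGENT_DOMAIN = "${module.upwind_utility.cluster_manager_discovery_endpoint}:8084"
  }
  scanner_extra_env = {
    UPWIND_CLUSTER_AGENT_DOMAIN = "${module.upwind_utility.cluster_manager_discovery_endpoint}:8084"
  }
  # ... cluster-specific inputs omitted
}

# Placeholder variables: the Cluster Manager's security group and the security
# group attached to the EC2 instances of the additional cluster.
variable "cluster_manager_sg_id" { type = string }
variable "cluster_b_instance_sg_id" { type = string }

# Allow cluster B's instances to reach the Cluster Manager on 8082 and 8444 only,
# scoped to the source security group rather than a CIDR range.
resource "aws_security_group_rule" "cluster_b_to_cluster_manager" {
  for_each                 = toset(["8082", "8444"])
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = tonumber(each.value)
  to_port                  = tonumber(each.value)
  security_group_id        = var.cluster_manager_sg_id
  source_security_group_id = var.cluster_b_instance_sg_id
  description              = "Upwind sensor/scanner in cluster B to shared Cluster Manager"
}
```

Run `terraform plan` after filling in the placeholders and confirm that the planned environment for both containers resolves to the utility cluster's endpoint rather than a local service-discovery name.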

Info: ECS multi-cluster topologies vary between environments. If you are unsure how to best fit this pattern to your deployment, contact your Upwind solutions architect for guidance.

gVisor Support

The Upwind Sensor includes support for monitoring applications running in gVisor sandboxes, providing enhanced security isolation for sensitive workloads. gVisor implements a userspace kernel that acts as a security boundary between containerized applications and the host system.

Learn more about gVisor support, including configuration, architecture, and deployment options.