Install Upwind on Amazon ECS and Amazon EC2
Overview
This topic provides instructions for installing the Upwind components in an ECS cluster using the Amazon EC2 launch type.
Prerequisites
- An existing Amazon ECS cluster. To deploy one, see Getting started with Amazon ECS.
- Upwind Cluster Manager requires at least one private subnet with a NAT Gateway.
- The security group for the cluster manager must allow inbound traffic on ports 8082 and 8444 from the EC2 instances in the cluster. By default, the cluster manager will use the default security group for the VPC.
- If the cluster EC2 instances are running on Linux kernel version 4 (for example Amazon Linux 2), you must set the sensor image to the bcc flavour. See installation methods for details.
- The hop limit for the IMDS service should be set to 2. See AWS documentation on configuring instance metadata options for more information.
- The minimum Docker version for reliable metrics is v20.10.13, which is included in Amazon ECS-optimized AMI 20220607 and newer.
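The two network-related prerequisites above can be checked before installing. The following is an added example, not Upwind's own tooling: it inspects saved output of `aws ec2 describe-instances` and one security group entry from `aws ec2 describe-security-groups`. It assumes the ingress rules reference the instances' security groups rather than CIDR ranges, and all IDs in the sample data are constructed.

```python
REQUIRED_PORTS = (8082, 8444)  # cluster manager ports named in the prerequisites
REQUIRED_HOP_LIMIT = 2         # IMDS hop limit named in the prerequisites

def port_allowed(sg, port, source_groups):
    """True if an ingress rule on sg admits TCP `port` from one of source_groups."""
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "tcp":
            if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        pairs = rule.get("UserIdGroupPairs", [])
        if any(p.get("GroupId") in source_groups for p in pairs):
            return True
    return False

def check_prerequisites(instances_doc, manager_sg):
    """Return a list of findings; an empty list means both checks passed."""
    findings, instance_sgs = [], set()
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            instance_sgs.update(g["GroupId"] for g in inst.get("SecurityGroups", []))
            hop = inst.get("MetadataOptions", {}).get("HttpPutResponseHopLimit")
            if hop != REQUIRED_HOP_LIMIT:
                findings.append(f"{inst['InstanceId']}: IMDS hop limit {hop}, expected {REQUIRED_HOP_LIMIT}")
    for port in REQUIRED_PORTS:
        if not port_allowed(manager_sg, port, instance_sgs):
            findings.append(f"{manager_sg['GroupId']}: no tcp/{port} ingress from instance security groups")
    return findings

# Constructed sample data in the shape of `aws ec2 describe-instances` and one
# entry of `aws ec2 describe-security-groups`; all IDs are made up.
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "SecurityGroups": [{"GroupId": "sg-nodes"}],
     "MetadataOptions": {"HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-nodes"}],
     "MetadataOptions": {"HttpPutResponseHopLimit": 1}},
]}]}
SAMPLE_MANAGER_SG = {"GroupId": "sg-manager", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8082, "ToPort": 8082,
     "UserIdGroupPairs": [{"GroupId": "sg-nodes"}]},
]}

if __name__ == "__main__":
    for finding in check_prerequisites(SAMPLE_INSTANCES, SAMPLE_MANAGER_SG):
        print(finding)
```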
Install
Step 1: Generate Credentials
This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.
Select the + (plus) symbol at the top of the screen and select Connect ECS Cluster. Select Generate a new one to create a new client ID and client secret. Provide a name and select Generate. Alternatively, you can generate it in the Credentials page in the console. For more information, review the documentation on Credentials.
After you have generated the secret, it will automatically be copied into step 3 and inserted into the UPWIND_CLIENT_ID and UPWIND_CLIENT_SECRET fields.
Step 2: Choose Installation Method
Select the appropriate installation method for your environment from the available options to continue with the setup.
- Terraform (Recommended)
- AWS CloudFormation
Step 2.1: Connect Terraform
Copy the following Terraform module and save it to a file named main.tf:
provider "aws" {
  # For detailed instructions on configuring the AWS provider, please refer to:
  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration
  region = "{ECS_CLUSTER_REGION}"
}
module "upwind_integration_aws_ecs_cluster" {
  source = "https://get.upwind.io/terraform/modules/integrations/aws-ecs-sensor-0.11.0.tar.gz"
  upwind_client_id = "{UPWIND_CLIENTID}"
  upwind_client_secret = "{UPWIND_CLIENT_SECRET}"
  ecs_cluster_name = "{ECS_CLUSTER_NAME}"
  vpc_id = "{ECS_CLUSTER_VPC_ID}"
  subnets = ["{ECS_CLUSTER_SUBNET_IDS}"]
}
Networking Configuration
Set ECS_CLUSTER_SUBNET_IDS to the IDs of one or more private subnets with routes to the NAT gateway that can be used to launch ENIs for Cluster Manager service tasks.
If the default security group for the VPC does not allow inbound traffic on ports 8082 and 8444 from one of the security groups applied to the instances in the cluster, create a security group that allows this traffic. Set the ID of the security group (e.g. sg-123456789) as the security_groups_cluster_manager parameter of the Terraform module.
Linux Kernel Compatibility
If the cluster EC2 instances are running on Linux kernel version 4 (for example Amazon Linux 2), you must set the image_sensor module parameter to:
image_sensor = {
  registry = "registry.upwind.io"
  repository = "images/agent"
  tag = "0.93.0-bcc"
}
Step 2.2: Deploy Terraform
To finish the connection, run the following command:
terraform init && terraform apply
Step 2.1 (AWS CloudFormation): Log in to AWS Console
Open your web browser and navigate to the AWS Management Console. Enter your login credentials to access the desired account.
Step 2.2: Run AWS CloudFormation Template
The CloudFormation template will deploy the Upwind ECS service and set task definitions to support EC2 workloads and tasks on your ECS cluster.
Networking Configuration
To connect a cluster, manually enter the VPC ID and Subnet IDs (one or more private subnets with routes to the NAT gateway).
If the default security group for the VPC does not allow inbound traffic on ports 8082 and 8444 from one of the security groups applied to the instances in the cluster, create a security group that allows this traffic. Set the ID of the security group (e.g. sg-123456789) as the ClusterManagerSecurityGroup parameter of the CloudFormation template.
Linux Kernel Compatibility
If the EC2 instances in the cluster are running Linux kernel version 4 (e.g. Amazon Linux 2), set the SensorContainerImage parameter to:
registry.upwind.io/images/agent:0.93.0-bcc
Test Connectivity
To verify the connectivity of your ECS cluster, run the following command:
aws ecs describe-services \
  --cluster [your-cluster-name] \
  --services upwind-sensor upwind-cluster-manager \
  --query "services[*].{ \
    ServiceName:serviceName, \
    ServiceStatus:status, \
    DesiredCount:desiredCount, \
    RunningCount:runningCount, \
    DeploymentStatuses:deployments[*].status, \
    DeploymentsCount:length(deployments) \
  }" \
  --output json
Expected output:
[
  {
    "ServiceName": "upwind-sensor",
    "ServiceStatus": "ACTIVE",
    "DesiredCount": 1,
    "RunningCount": 1,
    "DeploymentStatuses": ["PRIMARY"],
    "DeploymentsCount": 1
  },
  {
    "ServiceName": "upwind-cluster-manager",
    "ServiceStatus": "ACTIVE",
    "DesiredCount": 1,
    "RunningCount": 1,
    "DeploymentStatuses": ["PRIMARY"],
    "DeploymentsCount": 1
  }
]
- Ensure ServiceStatus is ACTIVE for both services.
- Ensure DesiredCount and RunningCount are equal to the instance count for the upwind-sensor service, due to its daemon strategy.
- Ensure DesiredCount and RunningCount are equal, typically set to 1, for the upwind-cluster-manager service.
- Ensure DeploymentStatuses are PRIMARY for all deployments, and DeploymentsCount matches.
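The checks listed above can be applied automatically to the JSON returned by the describe-services command. The following is an added example, not part of the Upwind documentation: check_services and its instance_count parameter are names chosen here, the sample output is constructed, and the final bullet is read as DeploymentsCount equalling the number of deployment statuses listed.

```python
import json

EXPECTED_SERVICES = ("upwind-sensor", "upwind-cluster-manager")

def check_services(services, instance_count):
    """Apply the page's checks to the describe-services query output."""
    by_name = {s["ServiceName"]: s for s in services}
    problems = []
    for name in EXPECTED_SERVICES:
        svc = by_name.get(name)
        if svc is None:
            problems.append(f"{name}: not present in output")
            continue
        desired, running = svc["DesiredCount"], svc["RunningCount"]
        if svc["ServiceStatus"] != "ACTIVE":
            problems.append(f"{name}: status {svc['ServiceStatus']}")
        if desired != running:
            problems.append(f"{name}: {running}/{desired} tasks running")
        # The sensor uses the daemon strategy: one task per container instance.
        if name == "upwind-sensor" and desired != instance_count:
            problems.append(f"{name}: desired {desired}, instances {instance_count}")
        statuses = svc["DeploymentStatuses"]
        if any(s != "PRIMARY" for s in statuses):
            problems.append(f"{name}: deployments {statuses}")
        if svc["DeploymentsCount"] != len(statuses):
            problems.append(f"{name}: DeploymentsCount mismatch")
    return problems

# Constructed sample output: sensor short by one task, manager mid-rollout.
SAMPLE_OUTPUT = json.loads("""
[
  {"ServiceName": "upwind-sensor", "ServiceStatus": "ACTIVE",
   "DesiredCount": 3, "RunningCount": 2,
   "DeploymentStatuses": ["PRIMARY"], "DeploymentsCount": 1},
  {"ServiceName": "upwind-cluster-manager", "ServiceStatus": "ACTIVE",
   "DesiredCount": 1, "RunningCount": 1,
   "DeploymentStatuses": ["PRIMARY", "ACTIVE"], "DeploymentsCount": 2}
]
""")

if __name__ == "__main__":
    for problem in check_services(SAMPLE_OUTPUT, instance_count=3):
        print(problem)
```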
Troubleshooting
If you encounter any issues during the installation process, please click the chat button for live connection with an expert from Upwind.