
Configuration

Proxy Configuration

The cluster manager respects the HTTP_PROXY family of environment variables.
Depending on the installation method (Terraform or CloudFormation), you can set the URL of the proxy.

Set the proxy_configuration variable so that the proxy settings are applied.

  1. First, enable the proxy.
  2. Then set the httpProxy variable to the URL of the proxy.

If httpsProxy is omitted, it is set to the same value.

proxy_configuration = {
  enabled   = true
  httpProxy = "http://proxy.service:1234"
}

Multi Cluster Mode

In some Fargate environments it's quite common to run a single cluster for a workload, given that there is no overhead to creating clusters since they don't have to provision any resources.

To support this mode, the onboarding modules have a configuration option that enables it.

info

Workloads communicating with the cluster manager will have to belong to the same VPC.

Set the multi_cluster variable to true

multi_cluster = true

To configure the upwind-tracer to communicate with the cluster manager, the UPWIND_TRACER_API_HOST variable must be set explicitly for each workload to the fully qualified domain name of the cluster manager, including the port 8082.

Example: Given a cluster named fargate-utility, the UPWIND_TRACER_API_HOST variable will need to be set as follows:

"environment": [
  {
    "name": "UPWIND_TRACER_API_HOST",
    "value": "upwind-cluster-manager.upwind-fargate-utility.private:8082"
  }
]

API Security

API security is enabled for the tracer after version 0.6.2 by setting the UPWIND_TRACER_EXTENDED_SYSCALLS and UPWIND_TRACER_REPORT_API_CATALOG variables to true.

Required Dependency

This feature depends on the cluster manager at version v0.57.0 or later. This is required for the tracer to get the configured sensitive data patterns to match and filter on.

Example: Enabling API security.

"environment": [
  {
    "name": "UPWIND_TRACER_EXTENDED_SYSCALLS",
    "value": "true"
  },
  {
    "name": "UPWIND_TRACER_REPORT_API_CATALOG",
    "value": "true"
  }
]

important

This feature requires traffic to be decrypted.

warning

Enabling this feature adds processing that increases the latency of application workloads.
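
A check for the multi-cluster and API security settings above, as an added example (not Upwind tooling and not code from this page): it lints the container environment of an ECS task definition before deployment. The sample task definition, the container names, and the rule that a container counts as traced when it sets any UPWIND_TRACER_* variable are assumptions.

```python
API_FLAGS = ("UPWIND_TRACER_EXTENDED_SYSCALLS", "UPWIND_TRACER_REPORT_API_CATALOG")
MANAGER_PORT = "8082"  # cluster manager port given on this page

def lint_task_definition(task_def, multi_cluster=False):
    """Return (container, problem) tuples for tracer environment settings."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        env = {e["name"]: e.get("value", "") for e in container.get("environment", [])}
        # Assumption: a container is traced if it sets any UPWIND_TRACER_* variable.
        if not any(key.startswith("UPWIND_TRACER_") for key in env):
            continue
        if multi_cluster:
            value = env.get("UPWIND_TRACER_API_HOST", "")
            host, _, port = value.rpartition(":")
            if not value:
                findings.append((name, "UPWIND_TRACER_API_HOST is not set"))
            elif port != MANAGER_PORT or "." not in host:
                findings.append((name, "UPWIND_TRACER_API_HOST must be <fqdn>:8082"))
        # The page sets both flags to the string "true"; one without the other
        # leaves API security half-configured.
        enabled = [flag for flag in API_FLAGS if env.get(flag) == "true"]
        if 0 < len(enabled) < len(API_FLAGS):
            missing = [flag for flag in API_FLAGS if flag not in enabled]
            findings.append((name, "API security half-enabled, missing " + ", ".join(missing)))
    return findings

def _env(**pairs):
    return [{"name": k, "value": v} for k, v in pairs.items()]

# Constructed sample task definition (not from the page).
SAMPLE = {"containerDefinitions": [
    {"name": "web", "environment": _env(
        UPWIND_TRACER_API_HOST="upwind-cluster-manager.upwind-fargate-utility.private:8082",
        UPWIND_TRACER_EXTENDED_SYSCALLS="true",
        UPWIND_TRACER_REPORT_API_CATALOG="true")},
    {"name": "worker", "environment": _env(
        UPWIND_TRACER_API_HOST="upwind-cluster-manager.upwind-fargate-utility.private",
        UPWIND_TRACER_EXTENDED_SYSCALLS="true")},
    {"name": "log-router", "environment": _env(LOG_LEVEL="info")},
]}

if __name__ == "__main__":
    for container, problem in lint_task_definition(SAMPLE, multi_cluster=True):
        print(f"{container}: {problem}")
```
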

Automated Task Definition Patching

For Infrastructure as Code workflows, you can use the upwindctl ECS command to automatically patch your task definitions and inject the Upwind Tracer. This tool is particularly useful when managing task definitions with Terraform or CloudFormation.