ECS App Mesh ports and related settings

(omitted)
  "networkMode": "awsvpc",
  "runtimePlatform": null,
  "cpu": "2048",
  "revision": null,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": {
    "type": "APPMESH",
    "containerName": "envoy",
    "properties": [
      {
        "name": "AppPorts",
        "value": "80"
      },
      {
        "name": "EgressIgnoredIPs",
        "value": "169.254.170.2,169.254.169.254"
      },
      {
        "name": "EgressIgnoredPorts",
        "value": "SED_TARGET_EGRESS_IGNORED_PORT_RDS_MYSQL,SED_TARGET_EGRESS_IGNORED_PORT_ELASTICACHE_REDIS"
      },
      {
        "name": "IgnoredUID",
        "value": "1337"
      },
      {
        "name": "IgnoredGID",
        "value": "999"
      },
      {
        "name": "ProxyEgressPort",
        "value": "15001"
      },
      {
        "name": "ProxyIngressPort",
        "value": "15000"
      }
    ]
  },
(omitted)

Description

https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ProxyConfiguration.html

  • IgnoredUID – (Required) The user ID (UID) of the proxy container as defined by the user parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If IgnoredGID is specified, this field can be empty.
  • IgnoredGID – (Required) The group ID (GID) of the proxy container as defined by the user parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If IgnoredUID is specified, this field can be empty.
  • AppPorts – (Required) The list of ports that the application uses. Network traffic to these ports is forwarded to the ProxyIngressPort and ProxyEgressPort.
  • ProxyIngressPort – (Required) Specifies the port that incoming traffic to the AppPorts is directed to.
  • ProxyEgressPort – (Required) Specifies the port that outgoing traffic from the AppPorts is directed to.
  • EgressIgnoredPorts – (Required) The egress traffic going to the specified ports is ignored and not redirected to the ProxyEgressPort. It can be an empty list.
  • EgressIgnoredIPs – (Required) The egress traffic going to the specified IP addresses is ignored and not redirected to the ProxyEgressPort. It can be an empty list.

@see
https://repost.aws/questions/QUCpIR36U_TxesI5OFr7zkvw/appmesh-ecs-fargate-when-starting-task-in-ecs-fargate-integrated-with-aws-appmesh-cloudmap-service-discovery-instance-is-not-getting-registered-when-checked-target-group-throws-503-error

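    // CDK v2 import path; CDK v1 uses '@aws-cdk/aws-ecs' instead.
    import { AppMeshProxyConfiguration, FargateTaskDefinition } from 'aws-cdk-lib/aws-ecs';

    // Runs inside a construct or stack where executionRole, taskRole and
    // containerPort are already defined.
    const taskDefinition = new FargateTaskDefinition(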
      this,
      `fargate-task`,
      {
        executionRole,
        taskRole,
        cpu: 512,
        memoryLimitMiB: 2048,
        proxyConfiguration: new AppMeshProxyConfiguration({
          containerName: 'envoy',
          properties: {
            appPorts: [containerPort],
            proxyEgressPort: 15001,
            proxyIngressPort: 15000,

            // The App Mesh proxy runs with this user ID, and this keeps its
            // own outbound connections from recursively attempting to infinitely proxy.
            ignoredUID: 1337,

            // This GID is ignored and any outbound traffic originating from containers that
            // use this group ID will be ignored by the proxy. This is primarily utilized by
            // the FireLens extension, so that outbound application logs don't have to go through Envoy
            // and therefore add extra burden to the proxy sidecar. Instead the logs can go directly
            // to CloudWatch
            ignoredGID: 1338,

            egressIgnoredIPs: [
              '169.254.170.2', // Allow services to talk directly to ECS metadata endpoints
              '169.254.169.254', // and EC2 instance endpoint
            ],

            // If there is outbound traffic to specific ports that should
            // bypass the proxy, those ports can be added here.
            egressIgnoredPorts: [],
          },
        }),
      },
    );
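
A pre-deployment check for the proxy properties described above, as an added example (not code from this page, the AWS documentation or the re:Post answer). `lintProxyProperties` and its finding strings are hypothetical names, and the "review" and metadata-endpoint rules are heuristics chosen for this example on top of the documented required fields.

```typescript
// Added example: lint the "properties" array of an APPMESH proxyConfiguration.
type Prop = { name: string; value: string };

const PORT_KEYS = ["AppPorts", "ProxyIngressPort", "ProxyEgressPort", "EgressIgnoredPorts"];
const REQUIRED = PORT_KEYS.concat(["EgressIgnoredIPs"]);
// Link-local endpoints that both examples on this page exclude from redirection.
const METADATA_IPS = ["169.254.170.2", "169.254.169.254"];

const items = (v: string | undefined): string[] =>
  (v ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
const isPort = (s: string): boolean =>
  /^\d+$/.test(s) && Number(s) >= 1 && Number(s) <= 65535;

function lintProxyProperties(props: Prop[]): string[] {
  const p: { [name: string]: string | undefined } = {};
  for (const prop of props) p[prop.name] = prop.value;
  const out: string[] = [];
  for (const key of REQUIRED) {
    if (p[key] === undefined) out.push(`missing: ${key}`);
  }
  // The proxy needs one of these to leave its own traffic alone.
  if (!p["IgnoredUID"] && !p["IgnoredGID"]) out.push("missing: IgnoredUID or IgnoredGID");
  // Catches unsubstituted template tokens such as the SED_TARGET_... values.
  for (const key of PORT_KEYS) {
    for (const v of items(p[key])) {
      if (!isPort(v)) out.push(`invalid port in ${key}: ${v}`);
    }
  }
  const ips = items(p["EgressIgnoredIPs"]);
  for (const ip of METADATA_IPS) {
    if (ips.indexOf(ip) < 0) out.push(`metadata endpoint not excluded: ${ip}`);
  }
  // Any other exclusion is egress that skips Envoy: surface it for review.
  for (const ip of ips.filter((x) => METADATA_IPS.indexOf(x) < 0)) out.push(`review bypass IP: ${ip}`);
  for (const port of items(p["EgressIgnoredPorts"]).filter(isPort)) out.push(`review bypass port: ${port}`);
  return out;
}

// Constructed sample: the property values from the task definition on this page.
const SAMPLE: Prop[] = [
  { name: "AppPorts", value: "80" },
  { name: "EgressIgnoredIPs", value: "169.254.170.2,169.254.169.254" },
  { name: "EgressIgnoredPorts",
    value: "SED_TARGET_EGRESS_IGNORED_PORT_RDS_MYSQL,SED_TARGET_EGRESS_IGNORED_PORT_ELASTICACHE_REDIS" },
  { name: "IgnoredUID", value: "1337" },
  { name: "IgnoredGID", value: "999" },
  { name: "ProxyEgressPort", value: "15001" },
  { name: "ProxyIngressPort", value: "15000" },
];
console.log(lintProxyProperties(SAMPLE));
```

Run against the rendered task definition, after the `SED_TARGET_...` placeholders have been substituted, the only findings left should be the "review" lines listing traffic that deliberately bypasses the mesh.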
