-
Notifications
You must be signed in to change notification settings - Fork 254
A load balancer cannot be attached to multiple subnets in the same AvailabilityZone #921
Comments
I don't think we can automatically manage such a deployment, as we can't guess which subnets to attach to. At most, we could detect such a scenario and fail with an informative error message, vs wait for CloudFormation to report error. |
Would it be possible to add a parameter to select subnets in the docker-compose file like you can with the VPC and the load balancer and such? We'd be okay with manually selecting the subnets, the issue is just we can't use this tool at all with our VPC setup. |
Can you please clarify your use-case: why do you have to define multiple subnets per AZ in your VPC, and how do they differ? Maybe we could detect the "right one" load balancer should be attached to. |
We need a private and a public subnet in each AZ so that's why we have two different subnets. Take a look at this documentation here which describes a similar structure to our cloud network: The private subnet is used for our internal database services to interact and the public subnet is for internet facing things like our web application. I asked for some input from our devops who can comment better on this and here's what he said:
|
I assume the LB would then be connected to the public subnets, right ? |
Yeah in our case it would be the public subnets that we'd want the LB to connect to. However, I could see cases though where you might want to use the load balancer on a private subnet if you were doing load balancing on an internal service that doesn't face the internet. AWS refers to load balancers on private subnets as "internal load balancers" in their documentation. I think selecting the public subnets would be a good default but I think it would be nice if this was something that could be configured (like selecting your VPC or existing load balancer is) |
Ability to use private subnets will bring more issues as we would then not be able to pull the required sidecar images from DockerHub. By design, ECS integration for Docker compose do abstract away many implementation "details" to offer an opinionated mapping, and one can't expect to get full flexibility on AWS infrastructure |
Hi there - I'm having the same issue as this ticket although I don't understand why it has been closed; It's very common to have multiple public subnets in a VPC. At a minimum it should just pick the first subnet from the list just to bypass this issue - it's a real roadblock!!! |
i am also running into this issue. 😞😔😔 |
Hi, I am also facing the same issue. Hopefully this cool integration will also covers internal subnet in the future. |
Same issue. What about x-aws-subnets:
- subnet1
- subnet2
- ... |
@spinlud I'm highly reluctant to introduce yet more x-aws-* extensions that don't make any sense in the compose model. I wish there's a reasonable way to guess which subnet a service should be attached to. |
Since you are specifying |
It's a common way to create multiple subnets within a VPC and span them accross the AZs. Without the possibility to specify the subnets, you will always run into issues because of having multiple subnets within one AZ. I like the idea from @spinlud intrducing |
bruh, that ship has sailed when you guys added CF overlays...which AFAIK nobody asked for...which is, like, if i would go to such lengths...I would have stuck with CloudFormation. to me, the purpose of docker-compose is to have a great level of abstraction from AWS deployment (i'm particularly not fond of CloudFormation in general...but that's topic for another day)...and i came to an understanding that there are limitations...but this limitation, just like the inability for Load Balancer to assign it at a service level...well, just unnecessarily cripples the tool's usability. |
x-aws-overlays was introduced to avoid user being blocked by lack of support for x,y,z AWS feature. This let us "buy some time" until we get a correct understanding of adequate mapping to be proposed in the compose spec. Longer term I would expect nobody actually need them but for some highly-specific scenario.
EXACT. And also to offer reasonable portability between local development and AWS deployment. This is why I don't like we introduce even more aws-specific extension to support various AWS networking corner cases. As a compose user, I should not have to know that AWS can define security groups accross subnets in various AZ, I just want my service to run. |
@ndeloof i think we agree on what docker-compose is for, but disagree on how the tool should be extensible. i think this particular feature ask is relatively benign and reasonable...and honestly i'm confused with this pushback given the floodgates were basically opened with overlays. |
My team also uses the common public/private subnet architecture across AZs. The lack of ability to specify subnets is also unfortunately looking like a deal breaker for us with this otherwise awesome tool. Feels like a no-brainer feature given the ability to specify VPC. Would love to see an implementation of one of the suggestions above. |
Hey @ndeloof, would you consider supporting tags on Subnets in a similar way to Kubernetes cloud providers? Kubernetes will only attach ELBs to subnets tagged with Could a similar model be implemented here? That way we are not adding a new |
@ollypom that could be an option, but we need to be more fine-grained: user-facing services will be attached to public subnets, the others will be attached to private onces, you can have multiple private subnets, not to mention "Internal Load Balancer" feature requests... I've proposed a distinct approach here: #1411 |
Yeah, this is an issue and probably should have been thought of a tad better. This is an awesome feature docker-compose can do for sure. It is common to have a 3 tier network stack as well or more so there should be some way to support subnets. |
I ran into this today and it was really difficult to figure out. However, for those reading, a solution is to put this in
I did have to create a dummy target group to be allowed to create the NLB manually, but it worked once I had manually created an NLB and specified it. |
We definitely need this to be able to place ECS tasks on private subnets, otherwise it's a blocked that doesn't allow to use this amazing tool... |
in most cases private subnets have access to internet via NAT or Transit gateway in another vpc, so docker images can be pulled, the only issue still remains handling of the subnets, so we need to somehow specify on which subnet load balancer loads, and in which subnets are the services.. if load balancer is in the public subnet, it also have access to any other private subnets and the services in them |
EDIT: I solved it using the documented overlay method. Now I understand @ndeloof comment. So for any other fellow googlers:
x-aws-cloudformation:
Resources:
YourService:
Properties:
NetworkConfiguration:
AwsvpcConfiguration:
Subnets:
- subnet-xxxxxxxxx
- subnet-yyyyyyyyy
Your2ndService:
Properties:
NetworkConfiguration:
AwsvpcConfiguration:
Subnets:
- subnet-xxxxxxxxx
- subnet-yyyyyyyyy
LoadBalancer:
Properties:
Subnets:
- subnet-xxxxxxxxx
- subnet-yyyyyyyyy
... It's a great solution, but it wasn't obvious to me when reading the issue ticket. I hope I made it clearer for everybody. Cheers! |
hi Guys, I know this is an old post but am I using the x-aws-cloudformation correctly?
Thank you |
Just wanted to mention that it seems impossible to use Compose with ECS unless you manually create your own load balancers. Here's my experience: Deploying with a single-AZ VPC: Deploying with a two-AZ VPC: |
Currently experiencing this. Commenting out the private subnets for the load balancer seems to work... |
Description
Our VPC has multiple subnets in the same AZs. When running docker compose up using this VPC specified it gives this error:
A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest
Steps to reproduce the issue:
Describe the results you received:
Error message (above)
Describe the results you expected:
Should have successfully created the load balancer.
Additional information you deem important (e.g. issue happens only occasionally):
Output of
docker version
:Output of
docker context show
:You can also run
docker context inspect context-name
to give us more details but don't forget to remove sensitive content.Output of
docker info
:Additional environment details (AWS ECS, Azure ACI, local, etc.):
AWS ECS
The text was updated successfully, but these errors were encountered: