
AWS ECS Fargate cannot connect MongoDB from EC2


I've created a Fargate cluster on ECS, but when I run my instance I encounter the following error message:

Error: The hook orm is taking too long to load. Make sure it is triggering its initialize() callback, or else set `sails.config.orm._hookTimeout to a higher value (currently 20000) at Timeout.tooLong as _onTimeout

But on the MongoDB EC2 instance, I've already configured bindIp like this:

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

But when I try this Docker instance from my local machine, I don't see that error message, and when I deploy that source code on EC2 there is no error either. Please let me know how to solve this issue. Thanks.

Here is my sample diagram. [image]


Solution

  • You're not specifying whether the MongoDB that you run and connect to from your local Docker instance is also local, or whether it's the same MongoDB instance in AWS (which presumably you would connect to using either VPN or SSH tunneling).

    So why the docker instance works locally and not in AWS is going to be a bit hard to explain. I'd suggest that it's network connectivity related.

    We run ECS Fargate to an EC2 instance that runs MongoDB. The key to this is to make sure you establish the security group relationship as well.

    This could, for instance, look like the CloudFormation example below. You have the Fargate rAppFargateSecurityGroup security group (exposing the app via 8080) attached to your Fargate Service. And you have the MongoDB rMongoDbEc2SecurityGroup security group attached to the MongoDB EC2 instance (exposing MongoDB via port 27017).

    You will notice that the glue here is "SourceSecurityGroupId: !Ref rAppFargateSecurityGroup", which allows Fargate to connect to MongoDB.

      rAppFargateSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: !Sub '${pAppName}-${pEnvironment} ECS Security Group'
          VpcId: !Ref pVpcId
          SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 8080
              ToPort: 8080
              SourceSecurityGroupId: !Ref rAppAlbSecurityGroup
    
      rMongoDbEc2SecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: !Sub '${pAppName}-${pEnvironment} MongoDb Security Group'
          VpcId: !Ref pVpcId
          SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 27017
              ToPort: 27017
              SourceSecurityGroupId: !Ref rAppFargateSecurityGroup
    

    You would have the Fargate Service configured along the lines of:

      rFargateService:
        Type: AWS::ECS::Service
        Properties:
          ...
          NetworkConfiguration:
            AwsvpcConfiguration:
              SecurityGroups:
                - !Ref pAppFargateSecurityGroup
              Subnets:
                - !Ref pPrivateSubnetA
                - !Ref pPrivateSubnetB
                - !Ref pPrivateSubnetC
    

    The Fargate Service subnets would (need to) be configured in the same VPC as your MongoDB host if you're not using e.g. VPC peering or PrivateLink.

    I should also add that other things that could trip you up are NACLs. And of course local host firewalls (like iptables).
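
A way to check the security group relationship described in this answer, as an added example that is not part of the original answer: it evaluates ingress rules in the `IpPermissions` shape returned by EC2 DescribeSecurityGroups against a task's security group and private IP. The group ID, the addresses and the `rule` helper are constructed for illustration.

```python
import ipaddress

def port_matches(rule, port):
    """True if the rule's protocol and port range cover TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    return proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def check_mongo_ingress(ip_permissions, task_sg_ids, task_ip, port=27017):
    """Return (admitted_by, warnings) for one task ENI (IPv4 rules only)."""
    addr = ipaddress.ip_address(task_ip)
    admitted_by, warnings = [], []
    for rule in ip_permissions:
        if not port_matches(rule, port):
            continue
        # Security-group reference: the pattern the answer recommends.
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") in task_sg_ids:
                admitted_by.append("sg:" + pair["GroupId"])
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:  # any source is allowed at the SG layer
                warnings.append(f"port {port} open to {net}")
            if addr in net:
                admitted_by.append("cidr:" + str(net))
    return admitted_by, warnings

# Constructed sample data (not real group IDs or addresses).
FARGATE_SG = "sg-0aaaaaaaaaaaaaaaa"
TASK_IP = "10.0.1.25"

def rule(cidrs=(), groups=(), lo=27017, hi=27017):
    """Hypothetical helper that builds one IpPermissions entry."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

BROKEN = [rule(cidrs=["203.0.113.0/24"])]  # task traffic dropped, connects time out
FIXED = [rule(groups=[FARGATE_SG])]        # same effect as SourceSecurityGroupId
WIDE_OPEN = [rule(cidrs=["0.0.0.0/0"], lo=0, hi=65535)]

if __name__ == "__main__":
    for name, perms in [("broken", BROKEN), ("fixed", FIXED), ("wide-open", WIDE_OPEN)]:
        print(name, check_mongo_ingress(perms, {FARGATE_SG}, TASK_IP))
```

To run it against a real account, pass the `IpPermissions` list of the MongoDB instance's security group as returned by `aws ec2 describe-security-groups`.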