I’m exploring the possibility of using Ziti Edge Tunnel as a sidecar container in AWS ECS Fargate and had a few questions around feasibility and best practices:
Has anyone on the NetFoundry / OpenZiti community or support implemented the Ziti Edge Tunnel as a sidecar within AWS ECS Fargate tasks?
If so, are there any reference examples, patterns, or architectural guidance (Docker/ECS task definition configs, IAM networking considerations, etc.) available?
Are there known limitations or recommended approaches for running the Edge Tunnel in a sidecar container on a serverless container platform like Fargate?
Any insights, experiences, or links to documentation/examples would be greatly appreciated.
@qrkourier do you have any suggestions?
I think your goal is to publish a Ziti service for consumption by a Fargate task, not the inverse: publish a Fargate task as a Ziti service. Can you confirm?
I don't think Fargate allows privileged containers, so you wouldn't be able to create a Fargate sidecar based on the Kubernetes sidecar example to create a transparent proxy for your Fargate task (Kubernetes Sidecar Proxy | NetFoundry Documentation).
ziti-edge-tunnel run (a privileged, system-wide transparent proxy that cannot be restricted to a container) is not applicable to Fargate (or most any container/cloud environment) for the same reason: Fargate does not allow you to create a privileged task because they reserve administrative privilege on the container runtime's host.
If I understood correctly that you wish your Fargate task to call a Ziti service, and if you are running a newer, prerelease version of Ziti (1.7+), then you could run a separate Fargate task or a Fargate sidecar based on the Kubernetes sidecar example (same container image, volume, env vars) with command/arg args: ["proxy"] (instead of "tproxy"). This is a "dynamic proxy" run mode that makes the Ziti tunnel act as a TCP/UDP reverse proxy for any dialable services you attach a Ziti config of type proxy.v1 to. The end result is that this Fargate task will listen on the TCP/UDP port specified in your proxy.v1 config (spec), forwarding packet data to the Ziti service's terminator.
You can do something similar if you're running latest stable Ziti (1.6), which does not have the new proxy.v1 config type, and so you must supply the list of <service name>:<TCP proxy port> pairs on which to listen on the Fargate task's IP. See ziti tunnel proxy --help for usage hints.
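The reply above makes two points a practitioner would want to check before deploying: Fargate refuses the privileged/transparent-proxy modes, so the sidecar must run in "proxy" mode, and in proxy mode the tunnel listens on explicit <service name>:<TCP proxy port> pairs that the application reaches over localhost (awsvpc tasks share one network namespace). The following is an added example, not code from this thread or from the OpenZiti project: a small pre-deployment check that validates the proxy pairs and scans an ECS task definition for the things that would break on Fargate. The exact argument syntax of proxy mode, the ECS `command` mapping to the Kubernetes `args`, and all image and service names are assumptions or placeholders; confirm the syntax with `ziti tunnel proxy --help`.

```python
"""Pre-deployment checks for an OpenZiti tunnel sidecar in an ECS Fargate task.

Added example (not code from the thread or from the OpenZiti project).
Assumptions: the sidecar runs in "proxy" mode taking <service name>:<TCP proxy
port> pairs as arguments (exact syntax: see `ziti tunnel proxy --help`); the
task definition is in the usual ECS JSON shape; the ECS 'command' field plays
the role of the Kubernetes 'args'; image and service names are placeholders.
"""
from typing import Dict, List


def parse_proxy_pairs(pairs: List[str]) -> Dict[str, int]:
    """Validate <service name>:<TCP proxy port> pairs; return {service: port}."""
    result: Dict[str, int] = {}
    for pair in pairs:
        name, sep, port_s = pair.rpartition(":")
        if not sep or not name:
            raise ValueError(f"expected <service name>:<port>, got {pair!r}")
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"invalid TCP port in {pair!r}")
        port = int(port_s)
        if name in result:
            raise ValueError(f"service {name!r} listed twice")
        if port in result.values():
            raise ValueError(f"port {port} listed twice")
        result[name] = port
    return result


def build_sidecar_command(pairs: List[str]) -> List[str]:
    """ECS 'command' (Docker CMD, i.e. the Kubernetes 'args') for a proxy-mode sidecar."""
    return ["proxy"] + [f"{n}:{p}" for n, p in parse_proxy_pairs(pairs).items()]


def fargate_findings(taskdef: dict) -> List[str]:
    """Return reasons the task would be rejected by Fargate or would not work."""
    findings: List[str] = []
    if "FARGATE" not in taskdef.get("requiresCompatibilities", []):
        findings.append("task is not marked FARGATE-compatible")
    if taskdef.get("networkMode") != "awsvpc":
        findings.append("Fargate requires networkMode awsvpc")
    proxy_ports: Dict[str, int] = {}
    app_ports: Dict[int, str] = {}
    for c in taskdef.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true is not allowed on Fargate")
        caps = ((c.get("linuxParameters") or {}).get("capabilities") or {}).get("add") or []
        if caps:
            findings.append(f"{name}: adds capabilities {caps}; tproxy's NET_ADMIN is unavailable on Fargate")
        cmd = c.get("command") or []
        mode = cmd[0] if cmd else ""
        if mode in ("tproxy", "run"):
            findings.append(f"{name}: '{mode}' mode is a privileged transparent proxy; use 'proxy'")
        elif mode == "proxy":
            try:
                proxy_ports.update(parse_proxy_pairs(cmd[1:]))
            except ValueError as e:
                findings.append(f"{name}: {e}")
        for pm in c.get("portMappings") or []:
            app_ports[int(pm["containerPort"])] = name
    # awsvpc tasks share one network namespace, so a proxy listener and the
    # application container must not claim the same port.
    for svc, port in proxy_ports.items():
        if port in app_ports:
            findings.append(f"proxy port {port} for {svc!r} collides with container {app_ports[port]!r}")
    return findings


# Constructed sample task definition (placeholders, not a real deployment).
# The app reaches the Ziti services via 127.0.0.1:<proxy port> on the task ENI.
SAMPLE_TASK = {
    "family": "app-with-ziti-sidecar",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "app", "image": "example.invalid/app:latest",
         "portMappings": [{"containerPort": 8080}],
         "environment": [{"name": "DB_URL", "value": "tcp://127.0.0.1:5432"}]},
        {"name": "ziti-tunnel", "image": "example.invalid/ziti-tunnel:placeholder",
         "command": build_sidecar_command(["db-svc:5432", "cache-svc:6379"])},
    ],
}

if __name__ == "__main__":
    for line in fargate_findings(SAMPLE_TASK) or ["no findings"]:
        print(line)
```

Run the check against the rendered task definition JSON before `register-task-definition`; an empty findings list means the sidecar is in proxy mode, nothing asks for privilege or extra capabilities, and no proxy listener shadows a port the application itself exposes.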