I have a ECS cluster inside the VPC. ECS have to read from a SQS. So, do I need to create SQS in the same VPC for that to communicate? Also, if say, I wanted to communicate outside VPC, how can I do that?
Asked
Active
Viewed 6,810 times
2 Answers
8
SQS queues do not belong to a specific VPC. There is no networking involved when creating/configuring a queue.
Access to SQS queues is entirely managed with IAM permissions.
With ECS, you will have to configure your task execution role properly. As an example, a policy like the following allows to send, receive and delete messages from a specific queue:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:<region>:<account>:<queue name>"
}
]
}
jogold
- 6,667
- 23
- 41
8
While SQS is AWS Managed Service can be accessed via public internet endpoint directly without any VPC restrictions, from the perspective of ECS application interacting with SQS, I would advise to create VPC PrivateLink Endpoint to SQS which is going to save you from doing additional hop trip via Internet Gateway.
If you don't create VPC Endpoint, the traffic is routed in below fashion.
AWS ECS App ----> NAT Gateway(If ECS is in private subnet of VPC otherwise this is not needed) ----> Internet Gateway ----> AWS SQS.
If you do create VPC Endpoint to SQS, then the traffic will be something like below which removes hop of going through internet.
AWS ECS App ----> AWS SQS(Over PrivateLink)
Here is some documentation on how VPC endpoints work and some guide for creating VPC endpoint for SQS.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-vpc-endpoints.html
Imran
- 5,542
- 3
- 23
- 46