Deploying on Amazon ECS
Moose can be deployed to Amazon’s Elastic Container Service (ECS). ECS offers a managed container orchestrator at a fraction of the complexity of managing a Kubernetes cluster.
If you’re relatively new to ECS we recommend the following resources:
- Amazon Elastic Container Service (ECS) with a Load Balancer | AWS Tutorial with New ECS Experience
- Tutorial: Deploy NGINX Containers On ECS Fargate with Load Balancer
- How to configure target groups ports with listeners and tasks
The first step is deciding whether you’ll host your Moose container on Docker Hub or Amazon’s Elastic Container Registry (ECR). Amazon ECR is straightforward and is designed to work out of the box with ECS. Using Docker Hub works if your moose container is publicly available; however, if your container is private, you’ll need to do a bit more work to provide ECS with your Docker credentials.
See: Authenticating with Docker Hub for AWS Container Services
Here is an overview of the steps required:
- You’ll first need to create or use an existing ECS cluster.
- Then, you’ll need to create an ECS
Task definition.This is where you’ll specify whether you want to use AWS Fargate or AWS EC2 instances. You’ll also have options for selecting your OS and Architecture. SpecifyLinux/X86-64orLinux/ARM-64. This is important as you’ll also need to specify a matching moose container image, such asmoose-df-deployment-x86_64-unknown-linux-gnu:0.3.175ormoose-df-deployment-aarch64-unknown-linux-gnu:0.3.175 - As with all AWS services, if you’re using secrets to store credentials, you will need to specify an IAM role with an
AmazonECSTaskExecutionRolePolicyandSecretsManagerReadWritepolicy. - Under the Container section, specify the name of your moose deployment and provide the container image name you’re using.
- Next, specify the Container Port as 4000.
Configuring container environment variables
While still in the Amazon ECS Task definition section, you’ll need to provide the environment variables on which your Moose application depends. Scroll down to the Environment variables section and fill in each of the following variables.
Required vs Optional Components
Clickhouse and Redis are required components for Moose. Redpanda and Temporal are optional - configure them only if you’re using these components in your application.
Note: if you prefer, you can provide the environment variables below via an env file hosted on S3 or using AWS Secrets Manager for sensitive values.
Core Configuration
| Key | Description | Example Value |
|---|---|---|
| MOOSE_LOGGER__LEVEL | Log level | Info |
| MOOSE_LOGGER__STDOUT | Enable stdout logging | true |
| MOOSE_LOGGER__FORMAT | Log format | Json |
| RUST_BACKTRACE | Enable backtraces for debugging | 1 |
HTTP Server Configuration
| Key | Description | Example Value |
|---|---|---|
| MOOSE_HTTP_SERVER_CONFIG__HOST | Your moose network binding address | 0.0.0.0 |
| MOOSE_HTTP_SERVER_CONFIG__PORT | The network port your moose server is using | 4000 |
Clickhouse Configuration (Required)
| Key | Description | Example Value |
|---|---|---|
| MOOSE_CLICKHOUSE_CONFIG__DB_NAME | The name of your Clickhouse database | moose_production |
| MOOSE_CLICKHOUSE_CONFIG__USER | The database user name | clickhouse_user |
| MOOSE_CLICKHOUSE_CONFIG__PASSWORD | The password to your Clickhouse database | (use AWS Secrets Manager) |
| MOOSE_CLICKHOUSE_CONFIG__HOST | The hostname for your Clickhouse database | your-clickhouse.cloud.example.com |
| MOOSE_CLICKHOUSE_CONFIG__HOST_PORT | The HTTPS port for your Clickhouse database | 8443 |
| MOOSE_CLICKHOUSE_CONFIG__USE_SSL | Whether your database connection requires SSL | 1 |
| MOOSE_CLICKHOUSE_CONFIG__NATIVE_PORT | The native port for your Clickhouse database | 9440 |
Redis Configuration (Required)
| Key | Description | Example Value |
|---|---|---|
| MOOSE_REDIS_CONFIG__URL | Redis connection URL | redis://user:password@redis.example.com:6379 |
| MOOSE_REDIS_CONFIG__KEY_PREFIX | Prefix for Redis keys to isolate namespaces | moose_production |
Redpanda Configuration (Optional)
| Key | Description | Example Value |
|---|---|---|
| MOOSE_REDPANDA_CONFIG__BROKER | The hostname for your Redpanda instance | seed-5fbcae97.example.redpanda.com:9092 |
| MOOSE_REDPANDA_CONFIG__NAMESPACE | Namespace for isolation | moose_production |
| MOOSE_REDPANDA_CONFIG__MESSAGE_TIMEOUT_MS | The message timeout delay in milliseconds | 10043 |
| MOOSE_REDPANDA_CONFIG__SASL_USERNAME | Your Redpanda user name | redpanda_user |
| MOOSE_REDPANDA_CONFIG__SASL_PASSWORD | Your Redpanda password | (use AWS Secrets Manager) |
| MOOSE_REDPANDA_CONFIG__SASL_MECHANISM | SASL mechanism | SCRAM-SHA-256 |
| MOOSE_REDPANDA_CONFIG__SECURITY_PROTOCOL | The Redpanda security protocol | SASL_SSL |
| MOOSE_REDPANDA_CONFIG__REPLICATION_FACTOR | Topic replication factor | 3 |
Temporal Configuration (Optional)
| Key | Description | Example Value |
|---|---|---|
| MOOSE_TEMPORAL_CONFIG__CA_CERT | Path to CA certificate | /etc/ssl/certs/ca-certificates.crt |
| MOOSE_TEMPORAL_CONFIG__API_KEY | Temporal Cloud API key | (use AWS Secrets Manager) |
| MOOSE_TEMPORAL_CONFIG__TEMPORAL_HOST | Temporal Cloud namespace host | your-namespace.tmprl.cloud |
Consider using a value of greater than 1000ms (1 second) for the Redpanda message timeout delay if you’re using a hosted Redpanda cloud service.
Review other options on the Task Creation page and press the Create button when ready.
Using AWS Secrets Manager
For sensitive information like passwords and API keys, we recommend using AWS Secrets Manager. To configure a secret:
- Go to AWS Secrets Manager and create a new secret
- Choose “Other type of secret” and add key-value pairs for your secrets
- Name your secret appropriately (e.g.,
moose/production/credentials) - In your ECS task definition, reference the secret:
- For environment variables, select “ValueFrom” and enter the ARN of your secret with the key name
- Example:
arn:aws:secretsmanager:region:account:secret:moose/production/credentials:MOOSE_CLICKHOUSE_CONFIG__PASSWORD::
Building an ECS Service
Once you’ve completed creating an ECS Task, you’re ready to create an ECS Service. An ECS Service is a definition that allows you to specify how your cluster will be managed.
Navigate to your cluster’s Service page and press the Create button to create your new Moose service.
The section we’re interested in is the Deployment configuration section. There, you’ll specify the Task Definition you created earlier. You can also specify the name
of your service—perhaps something creative like moose-service—and the number of tasks to launch.
Launch a Single Instance
Note at this time, we recommend that you only launch a single instance of Moose in your cluster. We’re currently developing for multi-instance concurrent usage.
The remaining sections on the create service page allow you to specify networking considerations and whether you’ll use a load balancer.
You can press the Create button to launch an instance of your new ECS Moose service.
Setting up health checks
Your generated Moose containers include a health check endpoint at /health that should be configured in your ECS service. We recommend configuring the following health check settings:
Container-level Health Check
In your task definition’s container configuration:
healthCheck:
command: ["CMD-SHELL", "curl -f http://localhost:4000/health || exit 1"]
interval: 30
timeout: 5
retries: 3
startPeriod: 60Load Balancer Health Check
If you’re using an Application Load Balancer:
- Create a target group for your service
- Set the health check path to
/health - Configure appropriate health check settings:
- Health check protocol: HTTP
- Health check port: 4000
- Health check path: /health
- Healthy threshold: 2
- Unhealthy threshold: 2
- Timeout: 5 seconds
- Interval: 15 seconds
- Success codes: 200
These health check configurations ensure that your Moose service is properly monitored and that traffic is only routed to healthy containers.