---
title: AWS Elastic Container Service (ECS) setup
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/kubernetes/aws-ecs
---

You can deploy the Next-Gen WAF as a sidecar into AWS Elastic Container Service (ECS). This deployment option is compatible with both Fargate and EC2 launch types.

## Prerequisites

[Copy the agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys) for your site (also known as workspace). You will use these keys when setting up the Next-Gen WAF as a sidecar for AWS ECS.

## Setting up AWS ECS

To set up the Next-Gen WAF as a sidecar for AWS ECS, consult Amazon's [ECS tutorial](https://docs.aws.amazon.com/codedeploy/latest/userguide/tutorial-ecs-deployment.html) and [sidecar documentation](https://aws.github.io/copilot-cli/docs/developing/sidecars/). Be sure to:

- set the storage volume type for the task definition to **Bind Mount**.
- add a dedicated container for the Next-Gen WAF agent, being sure to set:
  - the **Name** field to `sigsci-agent`.
  - the **Image URI\*** field to `signalsciences/sigsci-agent:<agent-version>`. You will need to replace `<agent-version>` with a [specific agent version](https://www.fastly.com/documentation/reference/changes/ngwaf-agent/). If you set the tag to `latest`, AWS may upgrade the Next-Gen WAF agent at inconvenient times, because each newly started task pulls whatever image `latest` points to at that moment.
- set resource limits (`ulimits`) for the Next-Gen WAF agent container. The `nofile` soft and hard limits should be `65335`. Setting these limits too low (the default is `1024`) will cause more harm than if you set them too high.
- create an environment variable for the Agent Secret Key, being sure to set:
  - the **Key** field to `SIGSCI_SECRETACCESSKEY`.
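  - the **Value** field to the `secretaccesskey` value that you copied while completing the installation [prerequisites](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/kubernetes/aws-ecs#prerequisites). A value entered here is stored in plaintext in the task definition and is readable by anyone who can view that definition; to keep it out of the definition, you can instead supply it through the container's `secrets` field, which references a value held in AWS Secrets Manager or Systems Manager Parameter Store.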
- create an environment variable for the Agent Access Key, being sure to set:
  - the **Key** field to `SIGSCI_ACCESSKEYID`.
  - the **Value** field to the `accesskeyid` value that you copied while completing the installation [prerequisites](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/kubernetes/aws-ecs#prerequisites).
- set the mount point path for the Next-Gen WAF agent container to `/var/run`. This is the default path for the Next-Gen WAF agent, but you can configure an alternative path.

## Example JSON configuration

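> **HINT:** You will need to replace all instances of `REPLACEME` in this example JSON. The `image` values in the example use the `latest` tag; replace it with a specific agent version before deploying.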

```json
{
    "ipcMode": null,
    "executionRoleArn": "arn:aws:iam::REPLACEME:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "dnsSearchDomains": null,
            "logConfiguration": {
                "logDriver": "awslogs",
                "secretOptions": null,
                "options": {
                    "awslogs-group": "/ecs/sigsci-example",
                    "awslogs-region": "us-west-1",
                    "awslogs-stream-prefix": "ecs"
                }
            },
            "entryPoint": null,
            "portMappings": [
                {
                    "hostPort": 8080,
                    "protocol": "tcp",
                    "containerPort": 8080
                }
            ],
            "command": null,
            "linuxParameters": null,
            "cpu": 0,
            "environment": [
                {
                    "name": "apache_port",
                    "value": "8080"
                },
                {
                    "name": "sigsci_rpc",
                    "value": "/var/run/sigsci.sock"
                }
            ],
            "dnsServers": null,
            "mountPoints": [
                {
                    "readOnly": null,
                    "containerPath": "/var/run",
                    "sourceVolume": "run"
                }
            ],
            "workingDirectory": null,
            "secrets": null,
            "dockerSecurityOptions": null,
            "memory": null,
            "memoryReservation": null,
            "volumesFrom": [],
            "stopTimeout": null,
            "image": "signalsciences/sigsci-agent:latest",
            "startTimeout": null,
            "firelensConfiguration": null,
            "dependsOn": null,
            "disableNetworking": null,
            "interactive": null,
            "healthCheck": null,
            "essential": true,
            "links": null,
            "hostname": null,
            "extraHosts": null,
            "pseudoTerminal": null,
            "user": null,
            "readonlyRootFilesystem": null,
            "dockerLabels": null,
            "systemControls": null,
            "privileged": null,
            "name": "apache"
        },
        {
            "dnsSearchDomains": null,
            "logConfiguration": {
                "logDriver": "awslogs",
                "secretOptions": null,
                "options": {
                    "awslogs-group": "/ecs/sigsci-example",
                    "awslogs-region": "us-west-1",
                    "awslogs-stream-prefix": "ecs"
                }
            },
            "entryPoint": null,
            "portMappings": [],
            "command": null,
            "linuxParameters": null,
            "cpu": 0,
            "environment": [
                {
                    "name": "SIGSCI_ACCESSKEYID",
                    "value": "REPLACEME"
                },
                {
                    "name": "SIGSCI_SECRETACCESSKEY",
                    "value": "REPLACEME"
                }
            ],
            "ulimits": [
                {
                    "name": "nofile",
                    "softLimit": 65335,
                    "hardLimit": 65335
                }
            ],
            "dnsServers": null,
            "mountPoints": [
                {
                    "readOnly": null,
                    "containerPath": "/var/run",
                    "sourceVolume": "run"
                }
            ],
            "workingDirectory": null,
            "secrets": null,
            "dockerSecurityOptions": null,
            "memory": null,
            "memoryReservation": null,
            "volumesFrom": [],
            "stopTimeout": null,
            "image": "signalsciences/sigsci-agent:latest",
            "startTimeout": null,
            "firelensConfiguration": null,
            "dependsOn": null,
            "disableNetworking": null,
            "interactive": null,
            "healthCheck": null,
            "essential": true,
            "links": null,
            "hostname": null,
            "extraHosts": null,
            "pseudoTerminal": null,
            "user": null,
            "readonlyRootFilesystem": null,
            "dockerLabels": null,
            "systemControls": null,
            "privileged": null,
            "name": "agent"
        }
    ],
    "memory": "4096",
    "taskRoleArn": "arn:aws:iam::REPLACEME:role/EcsServiceRole2",
    "family": "sigsci-example",
    "pidMode": null,
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "networkMode": "host",
    "cpu": "2048",
    "inferenceAccelerators": null,
    "proxyConfiguration": null,
    "volumes": [
        {
            "efsVolumeConfiguration": null,
            "name": "run",
            "host": {
                "sourcePath": null
            },
            "dockerVolumeConfiguration": null
        }
    ],
    "tags": []
}
```

## Related content

- [Kubernetes installation overview](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/kubernetes/kubernetes-intro)
- [Accessing agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys)
