Day 21: Challenge — gRPC Service on ECS

Phase 5 · Sep 1, 2026

Challenge Overview

Deploy a gRPC task management service to ECS Fargate with:

• Cloud Map service discovery
• ALB with gRPC protocol support
• Task role with least-privilege DynamoDB access
• Health check on gRPC reflection endpoint

Architecture

Internet → ALB (HTTPS :443, GRPC protocol)
              └── Target Group (protocol-version: GRPC, health: /grpc.health.v1.Health/Check)
                    └── ECS Service (2 tasks, awsvpc, private subnet)
                          ├── Task A: 10.0.1.5:50051 → Cloud Map: tasks.task-svc.local
                          └── Task B: 10.0.1.6:50051 → Cloud Map: tasks.task-svc.local

Task role → DynamoDB:GetItem, PutItem, UpdateItem, Query (tasks table only)
Execution role → ECR pull, CloudWatch logs

Task Definition Highlights

{
  "family": "task-svc",
  "cpu": "512", "memory": "1024",
  "networkMode": "awsvpc",
  "containerDefinitions": [{
    "name": "task-svc",
    "image": "ECR_URI/task-svc:latest",
    "portMappings": [{ "containerPort": 50051, "protocol": "tcp" }],
    "healthCheck": {
      "command": ["CMD", "grpc_health_probe", "-addr=:50051"],
      "interval": 15, "timeout": 5, "retries": 3, "startPeriod": 30
    }
  }],
  "taskRoleArn": "arn:aws:iam::ACCOUNT:role/task-svc-task-role",
  "executionRoleArn": "arn:aws:iam::ACCOUNT:role/ecsTaskExecutionRole"
}

Deployment Checklist

• [ ] ECR repository created; image pushed with task-svc:latest tag
• [ ] ECS cluster with Fargate capacity provider
• [ ] Task definition registered with above JSON
• [ ] Cloud Map private namespace task-svc.local; service tasks with DNS TTL 30s
• [ ] ECS service created with --service-registries pointing to Cloud Map
• [ ] ALB listener rule: /tasks.TaskService/* → GRPC target group
• [ ] grpc_health_probe binary baked into Docker image
• [ ] Verify: grpcurl -proto tasks.proto ALB_DNS:443 tasks.TaskService/ListTasks

Phase 5 Recap

Next phase: Observability — distributed tracing, metrics, and log aggregation.