Satellite on AWS ECS
Prerequisites
Before installing the Levo Satellite on AWS ECS, ensure you have:
- Access to AWS ECS
- Levo Authorization Token (refer to Generating CLI Authorization Keys)
- Organization ID (refer to Accessing Organization IDs)
- An AWS Role with the necessary policies to assign to the task
1. Create a Task Definition
AWS Console
- Open the AWS ECS console and navigate to Task Definitions
- Click Create New Task Definition in the top right, then select Create New Task Definition with JSON
NOTE: Ensure you are in the correct AWS region where you want to deploy your service
- Use the following task definition:
{
"family": "levoai-satellite",
"containerDefinitions": [
{
"name": "levoai-satellite",
"image": "levoai/satellite",
"cpu": 0,
"portMappings": [
{
"name": "levoai-satellite-9999-tcp",
"containerPort": 9999,
"hostPort": 9999,
"protocol": "tcp",
"appProtocol": "http"
}
],
"essential": true,
"command": [
"-w",
"1",
"-b",
"0.0.0.0:9999",
"--worker-class",
"gevent",
"--worker-connections",
"30",
"levoai_e7s.satellite.satellite:create_server()"
],
"environment": [
{
"name": "LEVOAI_DEBUG_SERVER_HOST",
"value": "host.docker.internal"
},
{
"name": "LEVOAI_ORG_ID",
"value": "INSERT YOUR ORGANIZATION ID HERE"
},
{
"name": "LEVOAI_MODE",
"value": "docker-compose"
},
{
"name": "LEVOAI_CONF_OVERRIDES",
"value": "{\"onprem-api\": {\"url\": \"${LEVOAI_BASE_URL}\", \"refresh-token\": \"${LEVOAI_AUTH_KEY}\", \"org-id\": \"${LEVOAI_ORG_ID:-}\", \"org-prefix\": \"${LEVOAI_ORG_PREFIX:-}\"},\"traces_queue\": {\"type\": \"sqs\"},\"spans_queue\": {\"type\": \"sqs\"},\"findings_queue\": {\"type\": \"sqs\"} }"
},
{
"name": "LEVOAI_DEBUG_ENABLED",
"value": "false"
},
{
"name": "LEVOAI_AUTH_KEY",
"value": "INSERT YOUR LEVO.AI AUTH KEY HERE"
},
{
"name": "LEVOAI_BASE_URL",
"value": "<ApiUrl />"
},
{
"name": "LEVOAI_LOG_LEVEL",
"value": "INFO"
},
{
"name": "LEVOAI_DEBUG_PORT",
"value": "12345"
}
],
"mountPoints": [],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/satellite",
"awslogs-region": "< INSERT YOUR AWS REGION HERE >",
"awslogs-stream-prefix": "ecs"
}
}
},
{
"name": "levoai-tagger",
"image": "levoai/satellite",
"cpu": 0,
"portMappings": [],
"essential": true,
"entryPoint": [
"python",
"-OO"
],
"command": [
"/opt/levoai/e7s/src/python/levoai_e7s/tag_server.py"
],
"environment": [
{
"name": "LEVOAI_DEBUG_SERVER_HOST",
"value": "host.docker.internal"
},
{
"name": "LEVOAI_ORG_ID",
"value": "INSERT YOUR ORGANIZATION ID HERE"
},
{
"name": "LEVOAI_MODE",
"value": "docker-compose"
},
{
"name": "LEVOAI_CONF_OVERRIDES",
"value": "{\"onprem-api\":{\"url\": \"${LEVOAI_BASE_URL}\",\"refresh-token\":\"${LEVOAI_AUTH_KEY}\",\"org-id\": \"${LEVOAI_ORG_ID}\",\"org-prefix\": \"${LEVOAI_ORG_PREFIX}\"},\"dynamic_url_threshold_factor\": 0.5,\"cookie_auth_keys\": \"${LEVOAI_COOKIE_AUTH_KEYS:-}\",\"api_rule_evaluation\":{\"enabled\": true},\"ion\":{\"url\": \"http://levoai-ion:8000\"},\"enable_ssl_cert_checks\": true,\"traces_queue\":{\"type\": \"sqs\"},\"spans_queue\":{\"type\": \"sqs\"},\"findings_queue\":{\"type\": \"sqs\"} }"
},
{
"name": "PI_DETECTOR_DATA_DIR",
"value": "/opt/levoai/datasets/"
},
{
"name": "LEVOAI_DEBUG_ENABLED",
"value": "false"
},
{
"name": "LEVOAI_AUTH_KEY",
"value": "INSERT YOUR LEVO.AI AUTH KEY HERE"
},
{
"name": "LEVOAI_BASE_URL",
"value": "<ApiUrl />"
},
{
"name": "LEVOAI_LOG_LEVEL",
"value": "INFO"
},
{
"name": "LEVOAI_DEBUG_PORT",
"value": "1234"
}
],
"mountPoints": [],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/satellite",
"awslogs-region": "INSERT YOUR AWS REGION HERE",
"awslogs-stream-prefix": "ecs"
}
}
},
{
"name": "levoai-collector",
"image": "levoai/collector",
"cpu": 0,
"portMappings": [
{
"name": "levoai-collector-4317-tcp",
"containerPort": 4317,
"hostPort": 4317,
"protocol": "tcp",
"appProtocol": "http"
}
],
"essential": true,
"environment": [],
"mountPoints": [],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/satellite",
"awslogs-region": "INSERT YOUR AWS REGION HERE",
"awslogs-stream-prefix": "ecs"
}
}
},
{
"name": "levoai-ion",
"image": "levoai/ion",
"cpu": 0,
"portMappings": [
{
"name": "levoai-ion-8000-tcp",
"containerPort": 8000,
"hostPort": 8000,
"protocol": "tcp",
"appProtocol": "http"
}
],
"essential": false,
"environment": [],
"mountPoints": [],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/satellite",
"awslogs-region": "INSERT YOUR AWS REGION HERE",
"awslogs-stream-prefix": "ecs"
}
}
},
{
"name": "levoai-haproxy",
"image": "levoai/haproxy",
"essential": true,
"portMappings": [
{
"name": "levoai-haproxy-80-tcp",
"containerPort": 8080,
"hostPort": 80,
"protocol": "tcp",
"appProtocol": "http"
}
],
"environment": [
{
"name": "LEVOAI_SATELLITE_AUTHN_ENABLED",
"value": "false"
},
{
"name": "LEVOAI_CONF_OVERRIDES",
"value": "{\"org-id\": \"${LEVOAI_ORG_ID}\"}"
}
]
}
],
"taskRoleArn": "INSERT THE ARN OF THE ROLE YOU WANT TO ASSIGN TO THIS TASK HERE",
"executionRoleArn": "INSERT THE ARN OF THE ROLE YOU WANT TO ASSIGN TO THIS TASK HERE",
"networkMode": "awsvpc",
"requiresCompatibilities": [
"FARGATE"
],
"cpu": "4096",
"memory": "8192",
"runtimePlatform": {
"cpuArchitecture": "X86_64",
"operatingSystemFamily": "LINUX"
}
}
Depending on the region you are installing in, you may need to set a different Levo base URL for the satellite.
For example, if the satellite will be used with app.india-1.levo.ai, set the LEVOAI_BASE_URL environment variable as follows:
{
"name": "LEVOAI_BASE_URL",
"value": "https://api.india-1.levo.ai"
},
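A pre-deployment check for the task definition above, added here as an example (it is not part of the original page or of Levo's tooling). It flags placeholders that were never filled in, an "essential" value given as a string, credentials placed in "environment", and the Satellite authentication flag set to false. The helper names and the sample document are constructed for illustration, and the meaning of LEVOAI_SATELLITE_AUTHN_ENABLED is assumed from its name.

```python
import json
import re

PLACEHOLDER = re.compile(r"INSERT .*HERE", re.I)
SENSITIVE_NAME = re.compile(r"AUTH_KEY|TOKEN|SECRET|PASSWORD", re.I)

# Constructed sample (not from the page): a trimmed task definition using the page's field names.
SAMPLE = json.loads("""
{"containerDefinitions": [
  {"name": "levoai-satellite", "essential": true,
   "environment": [
     {"name": "LEVOAI_AUTH_KEY", "value": "constructed-not-a-real-key"},
     {"name": "LEVOAI_ORG_ID", "value": "INSERT YOUR ORGANIZATION ID HERE"}]},
  {"name": "levoai-haproxy", "essential": "true",
   "portMappings": [{"containerPort": 8080, "hostPort": 80}],
   "environment": [{"name": "LEVOAI_SATELLITE_AUTHN_ENABLED", "value": "false"}]}]}
""")

def strings(node, path="$"):
    """Yield (json_path, value) for every string value in the document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from strings(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def check_task_definition(taskdef):
    """Return sorted (finding, location) pairs; an empty list means nothing was flagged."""
    findings = {("placeholder", p) for p, v in strings(taskdef) if PLACEHOLDER.search(v)}
    for c in taskdef.get("containerDefinitions", []):
        name = c.get("name", "?")
        # ECS expects a JSON boolean for "essential", not the string "true".
        if not isinstance(c.get("essential", True), bool):
            findings.add(("essential-not-boolean", name))
        for env in c.get("environment", []):
            key, value = env.get("name", ""), env.get("value", "")
            # "environment" values are stored in plaintext in the task definition.
            if SENSITIVE_NAME.search(key):
                findings.add(("secret-in-environment", f"{name}:{key}"))
            # Assumption: this flag disables authentication in front of the Satellite.
            if key == "LEVOAI_SATELLITE_AUTHN_ENABLED" and value.lower() == "false":
                findings.add(("authn-disabled", name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_task_definition(SAMPLE):
        print(*finding)
```

ECS container definitions also accept a "secrets" array whose entries carry a "name" and a "valueFrom" reference to AWS Secrets Manager or SSM Parameter Store. Moving LEVOAI_AUTH_KEY there keeps the key out of the task definition and clears the secret-in-environment finding.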
Terraform
Download the
Initialize the Terraform configuration files by running:
terraform init
Then run the following command in the same directory:
terraform apply
NOTE: Enter the Authorization Token, Organization ID, and AWS Region when prompted. Choose the Levo SaaS region your account is based in (US/India) to create the task definition in your AWS account.
2. Run the Satellite
Now that the task definition is created, deploy the Satellite as a service in an ECS cluster:
- Open the levo-satellite task definition and select the latest revision
- Navigate to Deploy and select Create Service
- Choose the cluster where you want to deploy the Satellite
- Under Compute Options, select Launch Type
- Add a Service name in the Deployment configuration
- Leave other configurations at their default settings and start the service
3. Retrieve the Satellite IP and Port
The Satellite is accessible over the internet. To find its IP address:
- Go to the cluster you used earlier to run the Satellite.
- Click on Tasks and select the Satellite task.
- Under the Container details for levoai-haproxy, go to Network bindings. It should look something like this:

Network bindings

| Host port | Container port | Protocol | External link |
|-----------|----------------|----------|---------------|
| 80 | 8080 | tcp | 52.32.232.165:80 |

The Satellite can now be reached by Sensors over the internet using <external-link>:80.
NOTE: If you're unable to reach the Satellite, add the necessary inbound rules to the security group used by this task.
Record this information—you'll need it to configure the Sensor.
Please proceed to install traffic capture sensors.