Hi! I’m also self hosting Orion in a K8s cluster, and running most of our flows as K8sJobs with success. However, we have some flows that need to be run on Fargate as ECSTasks due to some circumstances. The agents spins up the ECSTask just fine, but on startup of prefect inside the ecstask prefect tries to contact prefect-orion, which inevitably fails because it attempts a kube-dns hostname. (the orion instance also isn’t exposed to the outside) I was under the assumption that it only needed a channel to the agent, but thinking about it does make sense that it needs Orion as well. Is this correctly assessed? Any workarounds to this? We would at the very least need to make it target a proper host instead of the kube-dns name. Then perhaps the two can safely be allowed to connect. Self-hosted Orion doesnt have auth, so exposing it to 0.0.0.0/0 might not be an option.

Hi Kristian! Your flows shouldn't need to be able to channel back to the agent; instead, after the agent starts running a task, it will pull what it needs from the flow runner (for example, console output, if you have enabled output streaming). The flow runs do need to be able to contact Orion so they can send logging output along with task and flow run states. If you can open an endpoint that only your ECSTask containers are allowed to contact, you can provide the URL to your containers by setting the

PREFECT_API_URL

environment variable on your ECSTask block. I believe other users have done this successfully using API Gateway and IAM roles. So, for example, if you make your Orion instance available at

<https://my-internal-orion-hostname>

, you would set

PREFECT_API_URL

to

<https://my-internal-orion-hostname/api>

in your ECSTask block.

Understood. Thanks for answering 🙂

You're welcome! Feel free to post again in this thread if you need any more information.