Install BDOT Collector in AWS ECS Fargate
Deploy BDOT Collector on AWS ECS Fargate for scalable, serverless collector deployment with automatic scaling and monitoring.
This guide walks you through deploying BDOT Collector on AWS ECS using Fargate launch type. Fargate provides serverless compute for containers, eliminating the need to manage EC2 instances for your collectors.
Prerequisites
Before starting, ensure you have:
AWS CLI v2.x installed and configured with appropriate permissions
Valid AWS account with permissions to create ECS, VPC, and IAM resources
Bindplane Server running and accessible (self-hosted or cloud)
Collector secret key from your Bindplane Server
Basic understanding of AWS ECS, VPC, and container concepts
Quick Deployment with CloudFormation
For a quick deployment, you can use the provided CloudFormation template that creates all the necessary infrastructure automatically. This is the recommended approach for most users.
CloudFormation Template
The following CloudFormation template creates all the required AWS resources for BDOT Collector on ECS Fargate:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'BDOT Collector on AWS ECS Fargate with VPC and Auto Scaling'
Parameters:
CollectorSecretKey:
Type: String
Description: BDOT Collector secret key from Bindplane Server
NoEcho: true
OpampEndpoint:
Type: String
Description: OpAMP endpoint URL
Default: 'wss://app.bindplane.com/v1/opamp'
AllowedPattern: '^(ws|wss)://.*'
CollectorImage:
Type: String
Description: BDOT Collector Docker image
Default: 'ghcr.io/observiq/bindplane-agent:1.84.0'
Environment:
Type: String
Description: Environment name (used for resource naming)
Default: prod
AllowedValues: [dev, staging, prod]
DesiredCount:
Type: Number
Description: Desired number of Bindplane collector instances
Default: 1
MinValue: 1
MaxValue: 10
Resources:
# VPC and Networking
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-vpc'
# Internet Gateway
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-igw'
InternetGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId: !Ref InternetGateway
VpcId: !Ref VPC
# Public Subnets
PublicSubnet1:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: 10.0.1.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-public-1a'
PublicSubnet2:
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: 10.0.2.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-public-1b'
# Route Tables
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-public-rt'
DefaultPublicRoute:
Type: AWS::EC2::Route
DependsOn: InternetGatewayAttachment
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PublicSubnet1RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet1
PublicSubnet2RouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref PublicSubnet2
# Security Groups
CollectorSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for BDOT Collector
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 4317
ToPort: 4317
CidrIp: 0.0.0.0/0
Description: OTLP gRPC
- IpProtocol: tcp
FromPort: 4318
ToPort: 4318
CidrIp: 0.0.0.0/0
Description: OTLP HTTP
- IpProtocol: tcp
FromPort: 13133
ToPort: 13133
CidrIp: 0.0.0.0/0
Description: Health check
- IpProtocol: tcp
FromPort: 55679
ToPort: 55679
CidrIp: 0.0.0.0/0
Description: ZPages debugging
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-sg'
# IAM Roles
TaskExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-execution-role'
TaskRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
Tags:
- Key: Name
Value: !Sub '${Environment}-bindplane-collector-task-role'
# CloudWatch Log Group
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub '/ecs/${Environment}-bindplane-collector'
RetentionInDays: 30
# ECS Cluster
ECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: !Sub '${Environment}-bindplane-collector-cluster'
CapacityProviders:
- FARGATE
DefaultCapacityProviderStrategy:
- CapacityProvider: FARGATE
Weight: 1
# ECS Task Definition
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Sub '${Environment}-bindplane-collector'
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
Cpu: 512
Memory: 1024
ExecutionRoleArn: !Ref TaskExecutionRole
TaskRoleArn: !Ref TaskRole
ContainerDefinitions:
- Name: bdot-collector
Image: !Ref CollectorImage
PortMappings:
- ContainerPort: 4317
Protocol: tcp
- ContainerPort: 4318
Protocol: tcp
- ContainerPort: 13133
Protocol: tcp
- ContainerPort: 55679
Protocol: tcp
Environment:
- Name: OPAMP_ENDPOINT
Value: !Ref OpampEndpoint
- Name: OPAMP_SECRET_KEY
Value: !Ref CollectorSecretKey
- Name: OPAMP_LABELS
Value: !Sub 'environment=${Environment},platform=aws-ecs-fargate'
- Name: MANAGER_YAML_PATH
Value: /etc/otel/storage/manager.yaml
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref LogGroup
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: ecs
# ECS Service
ECSService:
Type: AWS::ECS::Service
Properties:
ServiceName: !Sub '${Environment}-bindplane-collector-service'
Cluster: !Ref ECSCluster
TaskDefinition: !Ref TaskDefinition
DesiredCount: !Ref DesiredCount
LaunchType: FARGATE
NetworkConfiguration:
AwsvpcConfiguration:
Subnets:
- !Ref PublicSubnet1
- !Ref PublicSubnet2
SecurityGroups:
- !Ref CollectorSecurityGroup
AssignPublicIp: ENABLED
Outputs:
VPCId:
Description: VPC ID
Value: !Ref VPC
Export:
Name: !Sub '${Environment}-bindplane-collector-vpc-id'
ECSClusterName:
Description: ECS Cluster Name
Value: !Ref ECSCluster
Export:
Name: !Sub '${Environment}-bindplane-collector-cluster-name'
ServiceName:
Description: ECS Service Name
Value: !Ref ECSService
Export:
Name: !Sub '${Environment}-bindplane-collector-service-name'
TaskDefinitionArn:
Description: ECS Task Definition ARN
Value: !Ref TaskDefinition
Export:
Name: !Sub '${Environment}-bindplane-collector-task-definition-arn'Deploy with CloudFormation
Save the template above as bindplane-collector-ecs-fargate.yaml and deploy it:
aws cloudformation create-stack \
--stack-name bindplane-collector-ecs-fargate \
--template-body file://bindplane-collector-ecs-fargate.yaml \
--parameters \
ParameterKey=CollectorSecretKey,ParameterValue=YOUR_SECRET_KEY \
ParameterKey=OpampEndpoint,ParameterValue=wss://app.bindplane.com/v1/opamp \
ParameterKey=CollectorImage,ParameterValue=ghcr.io/observiq/bindplane-agent:1.84.0 \
ParameterKey=Environment,ParameterValue=prod \
ParameterKey=DesiredCount,ParameterValue=1 \
--capabilities CAPABILITY_IAMArchitecture Overview
The deployment includes:
ECS Fargate Cluster: Serverless compute for BDOT Collector
VPC with Public Subnets: Network isolation with internet access
Security Groups: Controlled access to collector ports
CloudWatch: Monitoring and logging
Auto Scaling: Configurable number of collector instances
Container Architecture
The ECS task runs a single container:
BDOT Collector (ghcr.io/observiq/bindplane-agent:1.84.0)
OpenTelemetry collector on ports 4317 (gRPC), 4318 (HTTP), 13133 (health), 55679 (ZPages)
Connects to Bindplane Server via OpAMP protocol
Automatically receives configurations from Bindplane Server
Persistent storage for manager.yaml configuration
Manual Deployment Steps
If you prefer to understand each component or need custom configurations, you can follow the manual deployment steps below.
Step 1: Set Up AWS Infrastructure
Important: Follow these steps in order, as later steps depend on resources created in earlier steps.
1.1 Create VPC and Networking
# Create VPC
VPC_ID=$(aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=bindplane-collector-vpc}]' \
--query 'Vpc.VpcId' --output text)
# Enable DNS hostnames
aws ec2 modify-vpc-attribute --vpc-id $VPC_ID --enable-dns-hostnames
# Create Internet Gateway
IGW_ID=$(aws ec2 create-internet-gateway \
--tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=bindplane-collector-igw}]' \
--query 'InternetGateway.InternetGatewayId' --output text)
# Attach Internet Gateway to VPC
aws ec2 attach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID
# Get Availability Zones
AZ1=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].ZoneName' --output text)
AZ2=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[1].ZoneName' --output text)
# Create Public Subnets
PUBLIC_SUBNET_1=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--availability-zone $AZ1 \
--cidr-block 10.0.1.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=bindplane-collector-public-1a}]' \
--query 'Subnet.SubnetId' --output text)
PUBLIC_SUBNET_2=$(aws ec2 create-subnet \
--vpc-id $VPC_ID \
--availability-zone $AZ2 \
--cidr-block 10.0.2.0/24 \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=bindplane-collector-public-1b}]' \
--query 'Subnet.SubnetId' --output text)
# Enable auto-assign public IP
aws ec2 modify-subnet-attribute --subnet-id $PUBLIC_SUBNET_1 --map-public-ip-on-launch
aws ec2 modify-subnet-attribute --subnet-id $PUBLIC_SUBNET_2 --map-public-ip-on-launch
# Create Route Table
ROUTE_TABLE_ID=$(aws ec2 create-route-table \
--vpc-id $VPC_ID \
--tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=bindplane-collector-public-rt}]' \
--query 'RouteTable.RouteTableId' --output text)
# Create default route
aws ec2 create-route \
--route-table-id $ROUTE_TABLE_ID \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id $IGW_ID
# Associate subnets with route table
aws ec2 associate-route-table --subnet-id $PUBLIC_SUBNET_1 --route-table-id $ROUTE_TABLE_ID
aws ec2 associate-route-table --subnet-id $PUBLIC_SUBNET_2 --route-table-id $ROUTE_TABLE_ID1.2 Create Security Group
# Create Security Group
SECURITY_GROUP_ID=$(aws ec2 create-security-group \
--group-name bindplane-collector-sg \
--description "Security group for BDOT Collector" \
--vpc-id $VPC_ID \
--query 'GroupId' --output text)
# Allow OTLP gRPC (4317)
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 4317 \
--cidr 0.0.0.0/0
# Allow OTLP HTTP (4318)
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 4318 \
--cidr 0.0.0.0/0
# Allow Health Check (13133)
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 13133 \
--cidr 0.0.0.0/0
# Allow ZPages (55679)
aws ec2 authorize-security-group-ingress \
--group-id $SECURITY_GROUP_ID \
--protocol tcp \
--port 55679 \
--cidr 0.0.0.0/0Step 2: Create ECS Resources
2.1 Create IAM Roles
# Create Task Execution Role
cat > task-execution-role-trust-policy.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
TASK_EXECUTION_ROLE_ARN=$(aws iam create-role \
--role-name bindplane-collector-execution-role \
--assume-role-policy-document file://task-execution-role-trust-policy.json \
--query 'Role.Arn' --output text)
# Attach managed policy
aws iam attach-role-policy \
--role-name bindplane-collector-execution-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
# Create Task Role
cat > task-role-trust-policy.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
TASK_ROLE_ARN=$(aws iam create-role \
--role-name bindplane-collector-task-role \
--assume-role-policy-document file://task-role-trust-policy.json \
--query 'Role.Arn' --output text)2.2 Create CloudWatch Log Group
# Create Log Group
aws logs create-log-group --log-group-name /ecs/bindplane-collector2.3 Create ECS Cluster
# Create ECS Cluster
CLUSTER_NAME="bindplane-collector-cluster"
aws ecs create-cluster \
--cluster-name $CLUSTER_NAME \
--capacity-providers FARGATE \
--default-capacity-provider-strategy capacityProvider=FARGATE,weight=1Step 3: Create Task Definition
# Create Task Definition
cat > task-definition.json << EOF
{
"family": "bindplane-collector",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "512",
"memory": "1024",
"executionRoleArn": "$TASK_EXECUTION_ROLE_ARN",
"taskRoleArn": "$TASK_ROLE_ARN",
"containerDefinitions": [
{
"name": "bdot-collector",
"image": "ghcr.io/observiq/bindplane-agent:1.84.0",
"portMappings": [
{
"containerPort": 4317,
"protocol": "tcp"
},
{
"containerPort": 4318,
"protocol": "tcp"
},
{
"containerPort": 13133,
"protocol": "tcp"
},
{
"containerPort": 55679,
"protocol": "tcp"
}
],
"environment": [
{
"name": "OPAMP_ENDPOINT",
"value": "wss://app.bindplane.com/v1/opamp"
},
{
"name": "OPAMP_SECRET_KEY",
"value": "YOUR_SECRET_KEY"
},
{
"name": "OPAMP_LABELS",
"value": "environment=prod,platform=aws-ecs-fargate"
},
{
"name": "MANAGER_YAML_PATH",
"value": "/etc/otel/storage/manager.yaml"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/bindplane-collector",
"awslogs-region": "$(aws configure get region)",
"awslogs-stream-prefix": "ecs"
}
},
"healthCheck": {
"command": [
"CMD-SHELL",
"curl -f http://localhost:13133/ || exit 1"
],
"interval": 30,
"timeout": 5,
"retries": 3,
"startPeriod": 60
}
}
]
}
EOF
TASK_DEFINITION_ARN=$(aws ecs register-task-definition \
--cli-input-json file://task-definition.json \
--query 'taskDefinition.taskDefinitionArn' --output text)Step 4: Create ECS Service
# Create ECS Service
aws ecs create-service \
--cluster $CLUSTER_NAME \
--service-name bindplane-collector-service \
--task-definition $TASK_DEFINITION_ARN \
--desired-count 1 \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[$PUBLIC_SUBNET_1,$PUBLIC_SUBNET_2],securityGroups=[$SECURITY_GROUP_ID],assignPublicIp=ENABLED}"Configuration and Management
Connecting to Bindplane Server
Get your collector secret key from your Bindplane Server:
Navigate to Agents → Install Agent
Choose Linux platform
Copy the
secret-key
Update the OpAMP endpoint in your task definition:
For Bindplane Cloud:
wss://app.bindplane.com/v1/opampFor self-hosted:
ws://your-server:3001/v1/opamp(orwss://with TLS)
Update the task definition with your secret key:
# Update the environment variable in task-definition.json # Replace "YOUR_SECRET_KEY" with your actual secret key
Scaling Collectors
Manual Scaling
# Update desired count
aws ecs update-service \
--cluster $CLUSTER_NAME \
--service bindplane-collector-service \
--desired-count 3Auto Scaling with Application Auto Scaling
# Register scalable target
aws application-autoscaling register-scalable-target \
--service-namespace ecs \
--resource-id service/$CLUSTER_NAME/bindplane-collector-service \
--scalable-dimension ecs:service:DesiredCount \
--min-capacity 1 \
--max-capacity 10
# Create scaling policy
aws application-autoscaling put-scaling-policy \
--service-namespace ecs \
--resource-id service/$CLUSTER_NAME/bindplane-collector-service \
--scalable-dimension ecs:service:DesiredCount \
--policy-name collector-cpu-scaling \
--policy-type TargetTrackingScaling \
--target-tracking-scaling-policy-configuration '{
"TargetValue": 70.0,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "ECSServiceAverageCPUUtilization"
}
}'Monitoring and Logging
CloudWatch Logs
# View logs
aws logs tail /ecs/bindplane-collector --follow
# Filter logs by container
aws logs filter-log-events \
--log-group-name /ecs/bindplane-collector \
--log-stream-name-prefix ecs/bdot-collectorCloudWatch Metrics
The ECS service automatically sends metrics to CloudWatch:
CPU and Memory utilization
Task count and health
Network I/O
Health Checks
The collector includes health checks on port 13133:
Health endpoint:
http://localhost:13133/ZPages debugging:
http://localhost:55679/
TLS Configuration
For Self-Hosted Bindplane with TLS
If your Bindplane Server uses TLS with a custom CA:
# Create a secret for the CA certificate
aws secretsmanager create-secret \
--name collector-ca-cert \
--secret-string file://ca.crt
# Update task role to access the secret
cat > task-role-policy.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:collector-ca-cert*"
}
]
}
EOF
aws iam put-role-policy \
--role-name collector-task-role \
--policy-name SecretsManagerAccess \
--policy-document file://task-role-policy.jsonThen update your task definition to include:
{
"name": "OPAMP_TLS_CA",
"value": "/etc/otel/certs/ca.crt"
}Troubleshooting
Common Issues
Collector Not Appearing in Bindplane
Check OpAMP endpoint: Ensure the endpoint URL is correct
Verify secret key: Make sure the secret key matches your Bindplane Server
Check network connectivity: Ensure the collector can reach the Bindplane Server
Review logs: Check CloudWatch logs for connection errors
# Check service status
aws ecs describe-services \
--cluster $CLUSTER_NAME \
--services bindplane-collector-service
# Check task logs
aws logs tail /ecs/bindplane-collector --followHigh CPU/Memory Usage
Scale up resources: Increase CPU/memory in task definition
Scale out: Add more collector instances
Optimize configuration: Review collector configuration for efficiency
Network Issues
Check security groups: Ensure all required ports are open
Verify VPC configuration: Ensure subnets have internet access
Test connectivity: Use VPC endpoints if needed
Best Practices
Resource Sizing: Start with 512 CPU / 1024 Memory, adjust based on load
Scaling: Use Application Auto Scaling for automatic scaling
Monitoring: Set up CloudWatch alarms for key metrics
Security: Use IAM roles with minimal required permissions
Logging: Enable detailed logging for troubleshooting
Updates: Regularly update collector image versions
Cleanup
To remove all resources created by this guide:
# Delete ECS Service
aws ecs update-service \
--cluster $CLUSTER_NAME \
--service bindplane-collector-service \
--desired-count 0
aws ecs delete-service \
--cluster $CLUSTER_NAME \
--service bindplane-collector-service
# Delete Task Definition
aws ecs deregister-task-definition \
--task-definition $TASK_DEFINITION_ARN
# Delete ECS Cluster
aws ecs delete-cluster --cluster $CLUSTER_NAME
# Delete CloudWatch Log Group
aws logs delete-log-group --log-group-name /ecs/bindplane-collector
# Delete IAM Roles
aws iam detach-role-policy \
--role-name bindplane-collector-execution-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
aws iam delete-role --role-name bindplane-collector-execution-role
aws iam delete-role --role-name bindplane-collector-task-role
# Delete Security Group
aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID
# Delete Subnets
aws ec2 delete-subnet --subnet-id $PUBLIC_SUBNET_1
aws ec2 delete-subnet --subnet-id $PUBLIC_SUBNET_2
# Delete Route Table
aws ec2 delete-route-table --route-table-id $ROUTE_TABLE_ID
# Detach and Delete Internet Gateway
aws ec2 detach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID
aws ec2 delete-internet-gateway --internet-gateway-id $IGW_ID
# Delete VPC
aws ec2 delete-vpc --vpc-id $VPC_IDNext Steps
After successfully deploying your BDOT Collector:
Verify connection in your Bindplane Server UI
Create configurations for your collectors
Set up monitoring and alerting
Configure auto-scaling based on your needs
Review security settings and access controls
Last updated
Was this helpful?