To make Weave Net and Weave Scope easier to use with Amazon ECS, a set of Amazon Machine Images (AMIs) are provided. These AMIs are fully compatible with the ECS-Optimized Amazon Linux AMI.

These are the latest supported Weave AMIs for each region:

Region AMI
us-east-1 ami-7b692804
us-east-2 ami-6a0b350f
us-west-1 ami-a4db3fc7
us-west-2 ami-12c98a6a
eu-west-1 ami-b3bab7ca
eu-west-2 ami-47846a20
eu-central-1 ami-7f211294
ap-northeast-1 ami-2a8c4355
ap-southeast-1 ami-b00304cc
ap-southeast-2 ami-c7c41ba5
ca-central-1 ami-41028125

For more information about Weave AMIs and running them see:

What’s in the Weave ECS AMIs?

The latest Weave ECS AMIs are based on Amazon’s ECS-Optimized Amazon Linux AMI, version 2017.03.f and also includes:

Deployment Requirements

Required Open Ports

For Weave Net to function properly, ensure that the Amazon ECS container instances can communicate over these ports: TCP 6783, as well as, UDP 6783 and UDP 6784.

In addition to those open ports, launching Weave Scope in standalone mode, requires that all instances are able to communicate over TCP port 4040. More information about this can be found in How to Run Weave Scope.

See the relevant section of the script from Service Discovery and Load Balancing with Weave on Amazon ECS for an example.

Additional IAM Action Permissions

Besides the customary Amazon ECS API actions required by all container instances (see the AmazonEC2ContainerServiceforEC2Role managed policy), any instances using the Weaveworks ECS AMI must also be allowed to perform the following actions:

  1. ec2:DescribeInstances
  2. ec2:DescribeTags
  3. autoscaling:DescribeAutoScalingInstances
  4. ecs:ListServices
  5. ecs:DescribeTasks
  6. ecs:DescribeServices

These extra actions are needed for discovering instance peers (1,2,3) and creating the ECS views in Weave Scope (4,5,6). weave-ecs-policy.json (from the Weaveworks ECS guide), describes the minimal policy definition.

For more information on IAM policies see IAM Policies for Amazon EC2.

Requirements for Peer Discovery

To form a Weave network, the Amazon ECS container instances must either/or:

Peer Discovery with Weave Net

At boot time, an instance running the ECS Weave AMI will try to join other instances to form a Weave network.

  • If the instance has a tag with key weave:peerGroupName, it will join other instances with the same tag key and value. For instance, if the tag key is weave:peerGroupName and the value is foo it will try to join other instances with tag key weave:peerGroupName and tag value foo. Note that for this to work, the instances need to be tagged at creation-time so that the tag is available by the time Weave is launched.
  • Otherwise it will join all the other instances in the same Auto Scaling Group.

When running Weave Scope in Standalone mode, probes discover apps with the same mechanism.

How to Run Weave Scope

There are two methods for running Weave Scope within the Weave ECS AMIs:

You can prevent Weave Scope from automatically starting at boot time by removing  /etc/init/scope.conf.

This can be done at instance initialization time adding the following line to the User Data of the instance.

rm /etc/init/scope.conf

Running Weave Scope in Standalone Mode

Running Weave Scope in standalone mode is the default mode.

The following occurs on all Amazon ECS container instances:

  1. A Weave Scope probe is launched that collects instance information.
  2. A Weave Scope app runs that enables cluster visualization.

Since all instances run an app and show the same information, you don’t have to worry about placing the app, thereby eliminating a Leader election problem.

However, running the app on all instances impacts performance, resulting in N * N = N^2 connections in the Auto Scaling Group with N instances (i.e. all (N) probes talk to all (N) apps in every instances).

To avoid this problem, it is recommended that you run Weave Scope in Weave Cloud.

The Weave Scope app runs a web-based application, which listens on TCP port 4040 where you can connect with your browser.

Weave Scope probes also forward information to the apps on TCP port 4040. Ensure that your Amazon ECS container instances can talk to each other on that port before running Weave Scope in standalone mode (see Required Open Ports for more details).

Running Weave Scope in Weave Cloud

In Weave Cloud, you can visualize Amazon ECS containers as well as monitor Tasks and Services all from within in Weave Cloud at In this case, Amazon ECS container instances run a Weave Scope probe and reports data from the container instances to Weave Cloud.

To configure your ECS container instances to communicate with Weave Cloud, store the Weave Scope cloud token in the/etc/weave/scope.config file.

Note: The Weave Scope cloud token can be found in your Weave Cloud account at

For example, this command configures the instance to communicate with Weave Cloud using token 3hud3h6ys3jhg9bq66n8xxa4b147dt5z.

echo SERVICE_TOKEN=3hud3h6ys3jhg9bq66n8xxa4b147dt5z >> /etc/weave/scope.config

You can do this at instance-initialization time using User Data, which is similar to how ECS Cluster Mapping is configured.

Upgrading Weave Scope and Weave Net

The AMIs are updated regularly (~monthly) to include the latest versions of Weave Net and Weave Scope. However, it is possible to upgrade Weave Net and Weave Scope in your running EC2 instances without needing to wait for a new AMI release or by rebuilding your cluster.

In order to upgrade Scope to the latest released version, run the following commands in each of your instances:

sudo curl -L -o /usr/local/bin/scope
sudo chmod a+x /usr/local/bin/scope
sudo stop scope
sudo start scope

Upgrade Weave Net to the latest version by running the following commands in each of your instances:

sudo curl -L -o /usr/local/bin/weave
sudo chmod a+x /usr/local/bin/weave
sudo stop weave
sudo start weave

Creating Your Own Customized Weave ECS AMI

Clone the integrations repository and then change to the packer directory.

git clone
cd aws/ecs/packer

Download and install Packer version >=0.9 to build the AMI.

Finally, invoke ./ to build the Weave ECS images for all regions. This step installs (in the image) AWS-CLI, jq, Weave Net, Weave Scope, init scripts for Weave and it also updates the ECS agent to use the Weave Docker API Proxy.

Customize the image by modifying template.json to match your requirements.


(If your account has MFA enabled you should follow this process and also set AWS_SESSION_TOKEN)

If building an AMI for a particular region, set the ONLY_REGION variable to that region when invoking the script:


To make an AMI public:

aws ec2 modify-image-attribute --region=us-east-2 --image-id ami-6a0b350f --launch-permission "{\"Add\": [{\"Group\":\"all\"}]}"

Further Reading

Read the Service Discovery and Load Balancing with Weave on Amazon ECS guide for more information about the AMIs.

See Also