Choose AmazonECS_FullAccess as policy and click on Next: Tags (if this role is the one you will attach to the ECS container instances, the narrower AWS managed policy AmazonEC2ContainerServiceforEC2Role is sufficient and is the least-privilege choice)
Click on Next: Review
Set a Role Name and click on Create role
Create a VPC
We will create a VPC with public and private subnets.
Official doc
Create secondary public subnet
In order to use an application load balancer in your VPC, you need at least 2 public subnets.
Official doc
Put the second public subnet in a different availability zone from the first: the load balancer requires subnets in at least two zones.
Create security groups
SG for database private instance
In this private instance, we will host all our database tasks. This instance is reachable only from our apps private instance (and over SSH from the bastion).
Inbound rules:

| Type | Protocol | Port range | Source type | Source |
| --- | --- | --- | --- | --- |
| All traffic | All | All | Custom | default security group |
| All traffic | All | All | Custom | apps private instance security group |
| SSH | TCP | 22 | Custom | bastion security group |

"All traffic" from the apps security group is broader than the database needs: once you know which host ports your database tasks expose, narrow this rule to those TCP ports.

Outbound rules:

| Type | Protocol | Port range | Destination type | Destination |
| --- | --- | --- | --- | --- |
| All traffic | All | All | Custom | 0.0.0.0/0 |
SG for apps private instance
In this private instance, we will host all our apps tasks. This instance is private and reachable only through our load balancer (and over SSH from the bastion).
Inbound rules:

| Type | Protocol | Port range | Source type | Source |
| --- | --- | --- | --- | --- |
| All traffic | All | All | Custom | default security group |
| All traffic | All | All | Custom | load balancer security group |
| SSH | TCP | 22 | Custom | bastion security group |

As with the database group, "All traffic" from the load balancer can be narrowed to the host ports your app tasks listen on once they are known.

Outbound rules:

| Type | Protocol | Port range | Destination type | Destination |
| --- | --- | --- | --- | --- |
| All traffic | All | All | Custom | 0.0.0.0/0 |
| All traffic | All | All | Custom | load balancer security group |
SG for bastion instance
A bastion instance is a public instance which acts as a jump host so you can SSH to the private instances.
Inbound rules:

| Type | Protocol | Port range | Source type | Source |
| --- | --- | --- | --- | --- |
| SSH | TCP | 22 | Custom | 0.0.0.0/0 |

SSH from 0.0.0.0/0 exposes the bastion to the whole internet; restrict the source to your own IP range (or a VPN range) unless you really need to reach it from anywhere.

Outbound rules:

| Type | Protocol | Port range | Destination type | Destination |
| --- | --- | --- | --- | --- |
| SSH | TCP | 22 | Custom | database private instance security group |
| SSH | TCP | 22 | Custom | apps private instance security group |
SG for Application Load Balancer
We will use an application load balancer in our VPC, so let's create a security group for it:
Inbound rules:

| Type | Protocol | Port range | Source type | Source |
| --- | --- | --- | --- | --- |
| HTTP | TCP | 80 | Custom | 0.0.0.0/0 |
| HTTPS | TCP | 443 | Custom | 0.0.0.0/0 |

Outbound rules:

| Type | Protocol | Port range | Destination type | Destination |
| --- | --- | --- | --- | --- |
| All traffic | All | All | Custom | 0.0.0.0/0 |
SG for NAT instance
The NAT instance forwards outbound web traffic from the private subnet (10.0.1.0/24 here) to the internet, so it only needs to accept that traffic from the private subnet's CIDR.
Inbound rules:

| Type | Protocol | Port range | Source type | Source |
| --- | --- | --- | --- | --- |
| HTTP | TCP | 80 | Custom | 10.0.1.0/24 |
| HTTPS | TCP | 443 | Custom | 10.0.1.0/24 |
| SSH | TCP | 22 | Custom | 0.0.0.0/0 |

The SSH rule is only needed if the NAT instance doubles as the bastion; as for the bastion group, restrict its source to your own IP range rather than 0.0.0.0/0.

Outbound rules:

| Type | Protocol | Port range | Destination type | Destination |
| --- | --- | --- | --- | --- |
| HTTP | TCP | 80 | Custom | 0.0.0.0/0 |
| HTTPS | TCP | 443 | Custom | 0.0.0.0/0 |
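The security groups above contain two kinds of rules worth a second look: anything open to 0.0.0.0/0 other than the load balancer's listener ports, and group-to-group "All traffic" rules. The following script is an added example, not code from the original page: it runs a check over a constructed, trimmed-down copy of what `aws ec2 describe-security-groups` returns for the bastion, database and load-balancer groups, and shows what the narrowed replacement for an "All traffic" rule looks like. The group IDs (sg-bastion, sg-db, sg-apps, sg-default, sg-alb) and the database port 5432 are assumptions.

```python
"""Audit security-group rules for overly broad access.

Added example, not part of the original page. Runs over a constructed sample
in the shape of `aws ec2 describe-security-groups` output; all IDs are made up.
"""

# Constructed sample: bastion, database and load-balancer groups as defined above.
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-private", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-default"}, {"GroupId": "sg-apps"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    ]},
    {"GroupId": "sg-alb", "GroupName": "load-balancer", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

# Per group name, the only ports that may legitimately be open to the whole internet.
PUBLIC_OK_PORTS = {"load-balancer": {80, 443}}

INTERNET = {"0.0.0.0/0", "::/0"}


def port_span(perm):
    """Return (from, to) for a permission; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit(groups, public_ok=PUBLIC_OK_PORTS):
    """Return (group name, finding, ports, source) tuples for rules that need review."""
    findings = []
    for sg in groups:
        name = sg["GroupName"]
        for perm in sg["IpPermissions"]:
            lo, hi = port_span(perm)
            ports = f"{perm['IpProtocol']} {lo}-{hi}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A single allowed listener port from the internet is expected; anything else is not.
                if cidr in INTERNET and not (lo == hi and lo in public_ok.get(name, set())):
                    findings.append((name, "open-to-internet", ports, cidr))
            if perm["IpProtocol"] == "-1":
                # Group-to-group "All traffic": the trust relationship is right, the port scope is not.
                for pair in perm.get("UserIdGroupPairs", []):
                    findings.append((name, "all-traffic-from-group", ports, pair["GroupId"]))
    return findings


def narrowed_rule(source_group_id, tcp_ports):
    """Replacement for an "All traffic" group rule: one TCP permission per required port."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": source_group_id}]}
        for p in sorted(tcp_ports)
    ]


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS):
        print(*finding)
    # Assumed database port 5432: the narrowed replacement for "All traffic from sg-apps".
    print(narrowed_rule("sg-apps", {5432}))
```

Against the sample, the audit flags the bastion's SSH rule open to the internet and both "All traffic" rules on the database group, and reports nothing for the load balancer. To run it against a real account, replace `SECURITY_GROUPS` with the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`.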
Use NAT instance instead of NAT Gateways
The "VPC with public and private subnets" wizard creates a NAT Gateway so that instances in the private subnet can initiate outbound connections to the internet while remaining unreachable from it.
NAT Gateways are billed per hour and per GB processed, which adds up quickly, so we will use a NAT instance instead (a t2.micro is covered by the free tier).
A NAT instance does the same job as a NAT Gateway: it is a public instance that forwards the private subnet's traffic to the internet, and it can double as the bastion host. Two things the console does not do for you:
- disable Source/destination check on the NAT instance (Actions > Networking > Change source/destination check); while it is enabled, the instance drops packets that are not addressed to itself, which is exactly the forwarded traffic;
- edit the private subnet's route table so the 0.0.0.0/0 route targets the NAT instance instead of the NAT Gateway, then delete the unused NAT Gateway so you are not billed for it.
Launch the instance from the Amazon Linux NAT AMI (amzn-ami-vpc-nat) or enable IP forwarding and an iptables MASQUERADE rule yourself; a plain AMI will not forward anything.
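Both mistakes above (source/destination check left on, private route still pointing at the NAT Gateway) are silent: the instances in the private subnet simply lose internet access. The following pre-flight check is an added example, not code from the original page; it runs over constructed data in the shape of `aws ec2 describe-instances` and `aws ec2 describe-route-tables` output, and all IDs (i-nat, rtb-private, nat-1, subnet-private-a and so on) are assumptions.

```python
"""Pre-flight check for a NAT instance that replaces the wizard's NAT Gateway.

Added example, not part of the original page. Checks the two things the console
does not do for you; the instance and route-table records below are constructed.
"""

NAT_INSTANCE = {                      # constructed: as launched, before any changes
    "InstanceId": "i-nat",
    "SourceDestCheck": True,          # still enabled: forwarded packets will be dropped
    "PublicIpAddress": "203.0.113.10",
    "SubnetId": "subnet-public-a",
}

ROUTE_TABLES = [                      # constructed: the wizard's tables, untouched
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]


def route_target(route):
    """Whichever target field the route carries (instance, NAT gateway or gateway)."""
    for key in ("InstanceId", "NatGatewayId", "GatewayId"):
        if route.get(key):
            return route[key]
    return None


def table_for_subnet(route_tables, subnet_id):
    """The route table explicitly associated with a subnet, or None."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return table
    return None


def nat_preflight(instance, route_tables, private_subnet_id):
    """Return a list of problems; an empty list means the NAT instance is wired correctly."""
    problems = []
    if instance.get("SourceDestCheck", True):
        problems.append("source/destination check is still enabled on the NAT instance")
    if not instance.get("PublicIpAddress"):
        problems.append("NAT instance has no public IP, so it cannot reach the internet itself")
    table = table_for_subnet(route_tables, private_subnet_id)
    if table is None:
        problems.append(f"no route table is associated with {private_subnet_id}")
        return problems
    default = next((r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        problems.append(f"{table['RouteTableId']} has no 0.0.0.0/0 route")
    elif route_target(default) != instance["InstanceId"]:
        problems.append(f"{table['RouteTableId']} sends 0.0.0.0/0 to {route_target(default)}, "
                        f"not {instance['InstanceId']}")
    return problems


def fixed_setup(instance, route_tables, private_subnet_id):
    """What the records look like after the two console changes (check off, route retargeted)."""
    inst = dict(instance, SourceDestCheck=False)
    tables = []
    for table in route_tables:
        routes = list(table["Routes"])
        if any(a.get("SubnetId") == private_subnet_id for a in table["Associations"]):
            routes = [r for r in routes if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
            routes.append({"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": inst["InstanceId"]})
        tables.append(dict(table, Routes=routes))
    return inst, tables


if __name__ == "__main__":
    print(nat_preflight(NAT_INSTANCE, ROUTE_TABLES, "subnet-private-a"))
    inst, tables = fixed_setup(NAT_INSTANCE, ROUTE_TABLES, "subnet-private-a")
    print(nat_preflight(inst, tables, "subnet-private-a"))
```

On the constructed input the check reports both problems; after `fixed_setup` applies the two changes it reports none. With real data, feed it the `Instances[0]` record from `describe-instances` and the `RouteTables` list from `describe-route-tables`.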
Select EC2 Linux + Networking and click on Next Step
Configuration
Set a Cluster Name
Select t2.micro for EC2 instance type
Select the VPC you created during ECS Set up
Select your private Subnet(s)
Select Use subnet setting for Auto assign public IP (the private subnets should have auto-assign disabled, so the container instances get no public IP)
Select the Security Group according to your cluster (db security group or app security group)
Select the ECS role you created before for Container instance IAM role
You can change other values (for example the number of instances), but the defaults are fine
Click on Create
If you activate CloudWatch Container Insights, be aware that metrics collected are charged as custom metrics, and are not included in free tier usage (see doc and metrics pricing).
For now we will not add HTTPS listener, because we haven't configured the certificate yet.
Set a Name
Select the VPC and your 2 public Subnets
Click on Next: Configure Security Settings
Configure Security Settings
Click on Next: Configure Security Groups (we will add HTTPS afterwards)
Configure Security Groups
Select load balancer security group you created before
Click on Next: Configure Routing
Configure Routing
Select New target group as Target Group
Set a target Name
Click on Next: Register targets
Register targets
Select the apps instance and click on Add to registered
Click on Next: Review
When creating the load balancer, the target group you created (or selected) becomes the listener's default target group, so all requests are forwarded to it unless a rule matches. We can change this afterwards, so it is fine if no service is running at this step.
In Group details tab, under Attributes part, click on Edit
Change Deregistration delay to suit your needs (ex: 30sec)
Click on Save changes
Update Application Load Balancer listeners
For now we use path patterns (ex: domain.com/api) in the listener rules to route requests to the appropriate services. To use host patterns (ex: api.domain.com) instead, we have to change the listener rules.