Container Architecture Patterns on AWS

Docker containers have become a popular open source standard for developing, packaging, and operating applications at scale. Some of the key benefits of using Docker are:

  • Packaging
  • Portability
  • Efficiency

This post will help you get started with Docker containers on Amazon ECS and AWS Fargate quickly and easily.

Public Service, Public Network

A public facing service is one of the most common architecture patterns for deploying containers on AWS. It is well suited for:

  • A static HTML website, perhaps hosted by NGINX or Apache
  • A dynamically generated web app, perhaps served by a Node.js process
  • An API service intended for the public to access

Resources are deployed into a public subnet that is exposed to the internet:

  • A public facing load balancer (either Elastic or Application) which accepts inbound connections on specific ports
  • One or more EC2 instances hosting the application container, configured to accept inbound connections from the load balancer on specific ports

An internet gateway is attached to allow resources launched in the VPC to accept connections from the internet, and to initiate connections to the internet.

Public Service, Private Network

This is useful when creating a public facing service where you want stricter control over the networking of the service. It is especially useful in the following cases:

  • A service which is public facing but needs an extra layer of security hardening by not even having a public IP address that an attacker could send a request directly to.
  • A service which needs to be massively horizontally scalable while not being constrained by number of IP addresses available.
  • A service which initiates outbound connections, where you want those connections, as seen by the public, to originate from a specific and limited set of IP addresses that can be whitelisted.

Resources are deployed in an Amazon Virtual Private Cloud (VPC) which has two subnets. The public subnet has an attached internet gateway, allowing resources launched in that subnet (e.g. an Application Load Balancer) to accept connections from the internet and to initiate connections to the internet; these resources are assigned public IP addresses. The private subnet holds internal resources. Instances in this subnet have no direct internet access and only have private IP addresses that are internal to the VPC, so they are not directly accessible by the public.

In addition to a load balancer, a NAT gateway is hosted in the public subnet to allow resources inside the private subnet to initiate outbound communications to the internet, while not allowing inbound connections.
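As an added example (not code from the original post), here is a small Python check of the two properties this pattern depends on: the task subnet's default route points at a NAT gateway rather than an internet gateway, and the task security group admits inbound traffic only from the load balancer's security group. The route table and security group data are constructed inline in the shape of the EC2 DescribeRouteTables and DescribeSecurityGroups fields the check reads; all IDs are made up.

```python
# Constructed sample data in the shape of the EC2 DescribeRouteTables and
# DescribeSecurityGroups fields this check reads; all IDs are made up.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
# sg-alb is the load balancer's group; one task group is correct, the other is open.
SECURITY_GROUPS = {
    "sg-task-good": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    "sg-task-bad": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
}

def default_route_target(subnet_id, route_tables):
    """Return 'igw', 'nat' or None for the subnet's 0.0.0.0/0 route."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            for route in rt["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    if route.get("GatewayId", "").startswith("igw-"):
                        return "igw"
                    if route.get("NatGatewayId"):
                        return "nat"
    return None

def ingress_only_from(sg_id, allowed_sg, security_groups):
    """True if every ingress rule of sg_id admits only allowed_sg and no CIDR ranges."""
    for perm in security_groups[sg_id]["IpPermissions"]:
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            return False  # a CIDR rule lets traffic bypass the load balancer
        pairs = perm.get("UserIdGroupPairs", [])
        if not pairs or any(p.get("GroupId") != allowed_sg for p in pairs):
            return False
    return True

def check_private_service(subnet_id, task_sg, alb_sg,
                          route_tables=ROUTE_TABLES, security_groups=SECURITY_GROUPS):
    """Return a list of findings; an empty list means the pattern is followed."""
    findings = []
    target = default_route_target(subnet_id, route_tables)
    if target == "igw":
        findings.append(f"{subnet_id}: default route via an internet gateway (public subnet)")
    elif target is None:
        findings.append(f"{subnet_id}: no default route, tasks cannot initiate outbound connections")
    if not ingress_only_from(task_sg, alb_sg, security_groups):
        findings.append(f"{task_sg}: ingress not limited to load balancer group {alb_sg}")
    return findings
```

Against a real account the same functions can be fed the `RouteTables` and `SecurityGroups` lists returned by boto3's `describe_route_tables` and `describe_security_groups`.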

Private Service, Private Network

For internal business applications and services, a private service is used to prevent public access.

Just as in the previous architecture, this design uses an Amazon Virtual Private Cloud (VPC) with a public and a private subnet. The public subnet has an attached internet gateway to allow resources launched in that subnet to accept connections from the internet, and to initiate connections to the internet. Resources in this subnet have public IP addresses. In this design there is a public facing service, perhaps an API gateway. End users are able to initiate a connection (blue in the original diagram) through the internet gateway and public facing load balancer to the API gateway container.

For internal resources, instances in the private subnet have no direct internet access, and only have private IP addresses that are internal to the VPC, not directly accessible by the public. This is where the private service is running. The private tier of the application stack has its own private load balancer which is not accessible to the public. The API gateway service is able to initiate a connection (green in the original diagram) to the private load balancer in order to reach the private service, but the public cannot.

At AltoStack, our mission is to help organisations accelerate their time to value from the cloud by designing, building, and optimising their infrastructures in the public cloud.

We are a team of DevOps fanatics and a core part of our work is helping organisations leverage the cloud to increase the speed and success of cultural transformation.