AWS: Expose ECS Service via API Gateway- Part 1
Today, let's see how to expose ECS Service via API Gateway. If you are looking for a simpler solution to expose your service via HTTPS Authorized endpoint, please read Integrate Spring Boot Resource Server with Cognito Identity Provider.
This will be two-part series, where I will talk about
- Setting up the AWS ECS Services with NLB
- Using Open API spec to publish API-Gateway and more.
Without further ado, let's dive in.
Pre-Requisite:
This is written under an assumption, that you have some experience in AWS services like ECS, CFT, VPC, API-Gateway, Cognito etc.
Spring Boot Service:
Health Check
- Ensure that you have added health check dependency to your spring-boot service.
2. Your spring boot health check endpoint would look like
http://localhost:8080/{server.servlet.context-path}/actuator/health
Swagger (Open API 2)
Ideally, it is recommended to go with the API first approach. But for simplicity, we will be using Swagger dependency to create Open API for us.
You can get the OAS2 document from the below endpoint
NOTE: As of today 23–06–2020, springfox-swagger maven dependency supports only Open API 2.
Swagger (Open API 3)
To generate Open API 3 Spec from the spring boot service, you can use the below dependency:
Get the OAS3 from the below endpoint.
NOTE: V3 signifies Open API version
Reference: Documenting a Spring REST API Using OpenAPI 3.0
VPC:
- Create a VPC with Public & Private subnet for the ECS cluster.
You can run the CFT from this article: Creating a VPC for your Amazon EKS cluster
2. You just need to provide the CIDR ranges, and it should create a proper VPC, with the public and private subnets.
3. You can use this Subnet Calculator for determining the IP range etc.
ECS:
- While creating the ECS Cluster, ensure that you have EC2 created in private subnets.
2. Ensure that you have the EC2 instances registered under the cluster. If it is not registered, it could be because of some networking configuration issue.
3. Troubleshooting: Sometimes changing the EC2 AMI also helps
Task Defenition
- Ensure that you have added port mapping to the Container Defenition inside the Task Defenition.
Target Group:
- Create an Instance Target Group for the ECS service.
NOTE:
- Provide the port number, which is exposed as Host Port mapping in Task Defenition.
- Provide the correct health check path.
NLB:
- Create an Internal NLB in Private Subnet.
2. Select the already created Target Group in the Configure Routing screen.
You can also create a new Target Group in here, and later modify the health check path.
3. Finally, create the NLB.
4. If everything went well after deploying the ECS service, you will find tasks registered under the Target Group.
NOTE: If we add internal NLB for the internal API Service Communication (ie, A → NLB → B), it will work only with Network Mode: aws-vpc
, or Fargate (essentially awsvpc
network mode) or with ALB for inter-service communication. With normal network mode, there is a chance that it will route to the same internal IP and the request will timeout. Read the following section: Connections time out for requests from a target to its load balancer.
ECS Service:
- Create ECS Service for your Task Defenition.
- When creating the service, provide the NLB configuration.
3. When you click on Add to Load Balancer, you can select the target group.
4. Once you are done creating the service, you will able to see tasks under the service. Also, you will be seeing task registered under the target group.
Hurray!!! You have now exposed your service internally via NLB. In the next part, you will see, how to expose the service to the public via API-Gateway.
Found it Interesting?
Please show your support by 👏.