Access container applications privately on Amazon ECS by using AWS PrivateLink and a Network Load Balancer
Created by Kirankumar Chandrashekar (AWS)
Environment: Production | Technologies: Containers & microservices; Networking; Security, identity, compliance; Web & mobile apps | Workload: All other workloads |
AWS services: Amazon EC2; Amazon EC2 Auto Scaling; Amazon EC2 Container Registry; Amazon EFS; Amazon RDS; Amazon VPC; Amazon ECS; Elastic Load Balancing (ELB); AWS Lambda |
Summary
This pattern describes how to privately host a Docker container application on Amazon Elastic Container Service (Amazon ECS) behind a Network Load Balancer, and access the application by using AWS PrivateLink. You can then use a private network to securely access services on the Amazon Web Services (AWS) Cloud. Amazon Relational Database Service (Amazon RDS) hosts the relational database for the application running on Amazon ECS with high availability (HA). Amazon Elastic File System (Amazon EFS) is used if the application requires persistent storage.
The Amazon ECS service running the Docker applications, with a Network Load Balancer at the front end, can be associated with a virtual private cloud (VPC) endpoint for access through AWS PrivateLink. This VPC endpoint service can then be shared with other VPCs by using their VPC endpoints.
You can also use AWS Fargate instead of an Amazon EC2 Auto Scaling group. For more information, see Access container applications privately on Amazon ECS by using AWS Fargate, AWS PrivateLink, and a Network Load Balancer.
Prerequisites and limitations
Prerequisites
An active AWS account
AWS Command Line Interface (AWS CLI) version 2, installed and configured on Linux, macOS, or Windows
Docker
, installed and configured on Linux, macOS, or Windows An application running on Docker
Architecture
Technology stack
Amazon CloudWatch
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 Auto Scaling
Amazon Elastic Container Registry (Amazon ECR)
Amazon ECS
Amazon RDS
Amazon Simple Storage Service (Amazon S3)
AWS Lambda
AWS PrivateLink
AWS Secrets Manager
Application Load Balancer
Network Load Balancer
VPC
Automation and scale
You can use AWS CloudFormation to create this pattern by using Infrastructure as Code.
Tools
Amazon EC2 – Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud.
Amazon EC2 Auto Scaling – Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application.
Amazon ECS – Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage containers on a cluster.
Amazon ECR – Amazon Elastic Container Registry (Amazon ECR) is a managed AWS container image registry service that is secure, scalable, and reliable.
Amazon EFS – Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources.
AWS Lambda – Lambda is a compute service for running code without provisioning or managing servers.
Amazon RDS – Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.
Amazon S3 – Amazon Simple Storage Service (Amazon S3) is storage for the internet. It is designed to make web-scale computing easier for developers.
AWS Secrets Manager – Secrets Manager helps you replace hardcoded credentials in your code, including passwords, by providing an API call to Secrets Manager to retrieve the secret programmatically.
Amazon VPC – Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you've defined.
Elastic Load Balancing – Elastic Load Balancing distributes incoming application or network traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses, in multiple Availability Zones.
Docker
– Docker helps developers to pack, ship, and run any application as a lightweight, portable, and self-sufficient container.
Epics
Task | Description | Skills required |
---|---|---|
Create a VPC. |
| Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create a Network Load Balancer. |
| Cloud administrator |
Create an Application Load Balancer. |
| Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create an Amazon EFS file system. |
| Cloud administrator |
Mount targets for the subnets. |
| Cloud administrator |
Verify that the subnets are mounted as targets. |
| Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create an S3 bucket. | Open the Amazon S3 console and create an S3 bucket to store your application’s static assets, if required. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create an AWS KMS key to encrypt the Secrets Manager secret. | Open the AWS Key Management Service (AWS KMS) console and create a KMS key. | Cloud administrator |
Create a Secrets Manager secret to store the Amazon RDS password. |
| Cloud Administrator |
Task | Description | Skills required |
---|---|---|
Create a DB subnet group. |
| Cloud administrator |
Create an Amazon RDS instance. | Create and configure an Amazon RDS instance within the private subnets. Make sure that Multi-AZ is turned on for HA. | Cloud administrator |
Load data to the Amazon RDS instance. | Load the relational data required by your application into your Amazon RDS instance. This process will vary depending on your application's needs, as well as how your database schema is defined and designed. | Cloud administrator, DBA |
Task | Description | Skills required |
---|---|---|
Create an ECS cluster. |
| Cloud administrator |
Create the Docker images. | Create the Docker images by following the instructions in the Related resources section. | Cloud administrator |
Create Amazon ECR repositories. |
| Cloud administrator, DevOps engineer |
Authenticate your Docker client for the Amazon ECR repository. | To authenticate your Docker client for the Amazon ECR repository, run the “ | Cloud administrator |
Push the Docker images to the Amazon ECR repository. |
| Cloud administrator |
Create an Amazon ECS task definition. | A task definition is required to run Docker containers in Amazon ECS.
For help with setting up your task definition, see “Creating a task definition” in the Related resources section. Important: Make sure you provide the Docker images that you pushed to Amazon ECR. | Cloud administrator |
Create an Amazon ECS service. | Create an Amazon ECS service by using the ECS cluster you created earlier. Make sure you choose Amazon EC2 as the launch type, and choose the task definition created in the previous step, as well as the target group of the Application Load Balancer. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create a launch configuration. | Open the Amazon EC2 console, and create a launch configuration. Make sure that the user data has the code to allow the EC2 instances to join the desired ECS cluster. For an example of the code required, see the Related resources section. | Cloud administrator |
Create an Amazon EC2 Auto Scaling group. | Return to the Amazon EC2 console and under Auto Scaling, choose Auto Scaling groups. Set up an Amazon EC2 Auto Scaling group. Make sure you choose the private subnets and launch configuration that you created earlier. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Set up the AWS PrivateLink endpoint. |
For more information, see the Related resources section. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create a VPC endpoint. | Create a VPC endpoint for the AWS PrivateLink endpoint that you created earlier. The VPC endpoint Fully Qualified Domain Name (FQDN) will point to the AWS PrivateLink endpoint FQDN. This creates an elastic network interface to the VPC endpoint service that the DNS endpoints can access. | Cloud administrator |
Task | Description | Skills required |
---|---|---|
Create the Lambda function. | On the AWS Lambda console, create a Lambda function to update the Application Load Balancer IP addresses as targets for the Network Load Balancer. For more information on this, see the "Using static IP addresses for Application Load Balancers" blog post in the Related resources section. | App developer |
Related resources
Create the load balancers:
Create an Amazon EFS file system:
Create an S3 bucket:
Create a Secrets Manager secret:
Create an Amazon RDS instance:
Create the Amazon ECS components:
Create an Amazon EC2 Auto Scaling group:
Set up AWS PrivateLink:
Create a VPC endpoint:
Create the Lambda function:
Other resources: