How to route HTTP traffic from external internet to an AppMesh ECS Fargate service
Our traffic comes from the public internet to WAF, then to an external ALB, then to an ECS service in Fargate via a Target Group. The TG's IP address target is updated by ECS every time the service is redeployed.
But the new microservice is in AppMesh, and microservice traffic routing is done by Service Discovery rather than the ALB. We tried to route traffic from the external ALB to the ECS Fargate AppMesh service but found literally zero examples of how to do it properly with no downtime during redeployments.
When an AppMesh microservice is deployed it does not update the IP address in the above-mentioned TG, only in Service Discovery.
We can't point our Target Group to an AppMesh service! If we point to an IP address it will change with next deployment.
How to route HTTP traffic from external internet to an AppMesh ECS Fargate service in a maintainable way, so that we can reconfigure or redeploy or reroute our services at will with zero downtime?
Hello, I had done just that in the past, haven't used AppMesh much for a little while, and really wish I had documented it!
But in a nutshell, you can do it in at least 2 ways:
For the service(s) behind the ALB, have the Listener Rules send the traffic to the containers, regardless of whether they use AppMesh or not. Then the rest of the traffic between the services will work of its own accord, following the Mesh rules (services, routers etc.) that are defined.
The second option is to use an AppMesh gateway: have the LB send all the traffic to that service, and then again AppMesh will take over for the rest of the traffic.
I will try to dig out the examples I had. I did all that using x-appmesh in ECS Compose-X, but due to very few use cases / little need coming the AppMesh way, I haven't given it much love for a little while.
Just get the traffic from your ALB to your containers, it will work just fine (says he who hasn't touched it in a year).
Hey @Vasyl. So, here is what I meant by gateways: https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html

And for your first comment, I am not too sure I follow. Sure your TG will update the target to send traffic to the container: if you configured your ECS service to automatically use a target group, ECS will take care of updating the TG target IPs as they go.
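To make the point about ECS keeping the target group current concrete, here is an added pre-deploy check (example code written for this page, not from the thread, ECS Compose-X or AWS): it inspects an ECS service definition together with its task definition for the combination that lets one Fargate task be both an ALB target and a mesh member, namely loadBalancers (so ECS itself registers each new task IP in the TG) alongside serviceRegistries (Cloud Map, which the App Mesh virtual node discovers). The ARNs, account id, container name and ports are constructed placeholders.

```python
# Added example: offline lint of an ECS service + task definition pair for the
# ALB -> Fargate task -> App Mesh setup discussed above. All ARNs/ports are constructed.
# Constructed task definition fragment with the App Mesh Envoy proxyConfiguration.
# AppPorts lists the app's listener ports; inbound traffic on them is redirected to Envoy.
TASK_DEF = {
    "networkMode": "awsvpc",
    "proxyConfiguration": {
        "type": "APPMESH",
        "containerName": "envoy",
        "properties": [
            {"name": "AppPorts", "value": "8080"},
            {"name": "ProxyIngressPort", "value": "15000"},
            {"name": "ProxyEgressPort", "value": "15001"},
            {"name": "IgnoredUID", "value": "1337"},
            {"name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254"},
        ],
    },
}
# Constructed service definition. loadBalancers: ECS registers/deregisters each new
# task IP in the target group on every deployment. serviceRegistries: the same task is
# registered in Cloud Map, which is what the App Mesh virtual node discovers.
SERVICE = {
    "launchType": "FARGATE",
    "loadBalancers": [{
        "targetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/app01/PLACEHOLDER",
        "containerName": "app01",
        "containerPort": 8080,
    }],
    "serviceRegistries": [{
        "registryArn": "arn:aws:servicediscovery:eu-west-1:111111111111:service/srv-PLACEHOLDER",
    }],
}

def check_alb_mesh_service(service, task_def, target_group_type="ip"):
    """Return findings; an empty list means the ALB path and the mesh path are consistent."""
    findings = []
    if not service.get("loadBalancers"):
        findings.append("no loadBalancers: ECS will never update the target group IPs")
    if not service.get("serviceRegistries"):
        findings.append("no serviceRegistries: task is not registered in Cloud Map for the mesh")
    if task_def.get("networkMode") != "awsvpc":
        findings.append("Fargate requires networkMode awsvpc")
    if target_group_type != "ip":
        findings.append("awsvpc tasks need a target group of type ip, not instance")
    props = {p["name"]: p["value"] for p in task_def.get("proxyConfiguration", {}).get("properties", [])}
    app_ports = {int(p) for p in props.get("AppPorts", "").split(",") if p}
    for lb in service.get("loadBalancers", []):
        if lb["containerPort"] not in app_ports:
            findings.append(f"ALB port {lb['containerPort']} not in AppPorts: traffic bypasses Envoy")
    return findings
```

Run it against the rendered service and task definitions before `ecs update-service`; a service that only has serviceRegistries reproduces exactly the "TG is never updated" symptom from the question.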
Thank you John! We're digging further into both your recommendations.
I did some digging John. Basically, it was never implemented for AppMesh: https://github.com/aws/aws-cdk/issues/19842
Hello again @Vasyl,
I just reworked/re-enabled x-appmesh this weekend and updated my demo apps to test/showcase.
python3 -m venv venv
source venv/bin/activate
pip install pip -U; pip install "ecs-composex>=0.22.0"
git clone https://github.com/compose-x/composex-testing-apps
cd composex-testing-apps
# Optionally use image specific tag
#export IMAGE_TAG=2022-06-13
# Render the templates
ecs-compose-x render -d templates --format yaml -f docker-compose.yaml -f x-appmesh.yaml -n demo-appmesh
# Deploy to AWS
# will create VPC/DNS/CloudMap/IAM/Services - basically everything it needs
ecs-compose-x up -d templates --format yaml -f docker-compose.yaml -f x-appmesh.yaml -n demo-appmesh
The ingress from the "internet" is done via the ALB that will send the traffic to app01, which is our ingress service.
Hope this helps in your ECS + AppMesh journey.
Hello John. Thanks for the answer!
Way 1) You say "have the Listener Rules send the traffic to the containers". That is easy via a TG with an IP address target. But after the service redeploys in AppMesh the IP will change, the TG won't be updated with the new IP, so the traffic won't flow any more. Or I didn't understand what you meant.
Way 2) I looked up "AppMesh gateway" and found nothing on the internet. What do you mean exactly? NGINX or something?