By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to route HTTP traffic from external internet to an AppMesh ECS Fargate service

1

Our traffic is coming from the public internet to WAF then to external ALB then to ECS service in Fargate via a Target Group. This TG IP address target is updated by ECS every time a service is redeployed.

But the new microservice is in AppMesh, and microservice traffic routing is done by Service Discovery rather than ALB. We tried to route traffic from external ALB to ECS Fargate AppMesh service but found literally zero examples of how to do it properly with no downtimes during redeployments.

When AppMesh microservice is deployed it does not update IP address in the above mentioned TG, but only in the Service Discovery.

We can't point our Target Group to an AppMesh service! If we point to an IP address it will change with next deployment.

How to route HTTP traffic from external internet to an AppMesh ECS Fargate service in a maintainable way, so that we can reconfigure or redeploy or reroute our services at will with zero downtime?

Topics
ServerlessContainersNetworking & Content DeliveryMicroservices
Tags
AWS FargateAWS App MeshAmazon Elastic Container ServiceMicroservicesECS Service Discovery
Language
English
Vasyl
asked 2 years ago856 views
2 Answers
1

Hello, I had done just that in the past, haven't used much of AppMesh for a little while, and really wish I had documented it !

But in a nutshell, you can do it in at least 2 ways:

the service(s) that is behind the ALB, have the Listener Rules send the traffic to the containers, regardless of whether they use AppMesh or not. Then for the rest of the traffic between the services, it will work of its own accord, following the Mesh rules (services, routers etc.) that are defined.

Second option could be to use an AppMesh gateway, have the LB send all the traffic to that service, and then again, AppMesh will take over for the rest of the traffic to follow.

I will try to dig out the examples I had. I did all that using x-appmesh in ECS Compose-X but due to very little use-cases / need coming the AppMesh way, I haven't given it much love for a little while.

Just get the traffic from your ALB to your containers, it will work just fine (says he not touching it in a year).

profile picture
JohnPreston
answered 2 years ago
  • Vasyl
    2 years ago

    Hello John. Thanks for the answer!

    way 1) You say "have the Listener Rules send the traffic to the containers". That is easy via TG as IP address. But after service redeploys in AppMesh the IP will change, the TG won't be updated with the new IP, so the traffic won't go any more. Or I didn't understand what you mean.

    way 2) I looked up "AppMesh gateway" and found nothing in the internet. What do you mean exactly? NGINX or something?

  • JohnPreston
    2 years ago

    Hey @Vasyl So, here is what I meant by gateways: https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_gateways.html And for your first comment, I am not too sure to follow. Sure your TG will update the target to send traffic to the container, if you configured your ECS service to automatically use a target group, ECS will take care of updating the TG Targets IP as they go.

  • Vasyl
    2 years ago

    Thank you John! We're digging further both your recommendations.

  • Vasyl
    2 years ago

    I did some digging John. Basically, it was never implemented for AppMesh: https://github.com/aws/aws-cdk/issues/19842

0

Hello again @Vasyl,

I just reworked/re-enabled x-appmesh this weekend and updated my demo apps to test/showcase.

python3 -m venv venv
source venv/bin/activate
pip install pip -U; pip install "ecs-composex>=0.22.0"
git clone https://github.com/compose-x/composex-testing-apps
cd composex-testing-apps
# Optionally use image specific tag
#export IMAGE_TAG=2022-06-13

# Render the templates
 ecs-compose-x render -d templates --format yaml -f docker-compose.yaml -f x-appmesh.yaml  -n demo-appmesh

# Deploy to AWS # will create VPC/DNS/CloudMap/IAM/Services - basically everything it needs
 ecs-compose-x up -d templates --format yaml -f docker-compose.yaml -f x-appmesh.yaml  -n demo-appmesh

The ingress from the "internet" is done via the ALB that will send the traffic to app01 which is our ingress service.

Hope this helps in your ECS + AppMesh journey.

profile picture
JohnPreston
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content