ECS Services In Different Accounts Using Same ALB and Route53 URL alias

Question

I have two AWS accounts.

1. Account A has several ECS services, an ALB with target groups targetting IPs and Ports on those ECS services, and a hosted zone with a Route53 Alias record tying an API URL (ex. api.example.com) to the ALB DNS name.
2. Now there is a requirement to have another ECS service, but in a separate account (account B) for security reasons. We still need to use the existing "api.example.com".

What options do I have to deploy the new ECS service to the new account B, but have its traffic routed through the ALB of account A so we can still use the same API URL? Is my best option VPC peering, PrivateLink, etc? I'm struggling trying to find a good example of this.

Also, account B does not have any ALB set up right now. Just an ECS service not exposed by any ALB target group. Could I potentially create a separate ALB in account B, add a target group that targets the new ECS service, and then somehow DNS my way into using the API URL configured in account A's hosted zone?

Thank you!

Answer

What you are looking for is an API management layer.

It goes like this:

ALB -> API Gateway -> ALB ACCOUNT A -> ECS

ALB -> API Gateway -> ALB ACCOUNT B -> ECS

Now, your account A needs properly setup networking and routing tables in your subnets able to resolve to ALB ACCOUNT B IPs.

The API Gateway can be either AWS API Gateway, or Istio, or Kong, or others....

And yes, you need at least 3 ALBs, One in front of each ECS, and one in front of the API gateway.

Hope that helps!

ECS Services In Different Accounts Using Same ALB and Route53 URL alias

Relevant content