ECS Services In Different Accounts Using Same ALB and Route53 URL alias

I have two AWS accounts.

  1. Account A has several ECS services, an ALB with target groups targeting IPs and ports on those ECS services, and a hosted zone with a Route53 Alias record tying an API URL (ex. api.example.com) to the ALB DNS name.
  2. Now there is a requirement to have another ECS service, but in a separate account (account B) for security reasons. We still need to use the existing "api.example.com".

What options do I have to deploy the new ECS service to the new account B, but have its traffic routed through the ALB of account A so we can still use the same API URL? Is my best option VPC peering, PrivateLink, etc? I'm struggling trying to find a good example of this.

Also, account B does not have any ALB set up right now. Just an ECS service not exposed by any ALB target group. Could I potentially create a separate ALB in account B, add a target group that targets the new ECS service, and then somehow DNS my way into using the API URL configured in account A's hosted zone?

Thank you!

1 answer

What you are looking for is an API management layer.

It goes like this:

ALB -> API Gateway -> ALB ACCOUNT A -> ECS

ALB -> API Gateway -> ALB ACCOUNT B -> ECS

Now, your account A needs properly set up networking and routing tables in its subnets, so they can resolve to the ALB ACCOUNT B IPs.

The API Gateway can be either AWS API Gateway, or Istio, or Kong, or others.

And yes, you need at least 3 ALBs: one in front of each ECS, and one in front of the API gateway.

Hope that helps!

answered 1 year ago
  • What exactly is API Gateway doing in this scenario within both the accounts? Is that an API GW in each account or just one?

  • It's just one API gateway for both, or "n", accounts. To clarify, with an API Gateway or an Ingress Controller layer at that point you can route your traffic to any targets.
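The single routing layer the answer describes, as an added example that is not part of the original thread: a Kong declarative (DB-less) configuration in which one gateway fans out by path to the ALB in account A and the ALB in account B. The two upstream hostnames, the `/orders` and `/payments` paths and the service names are placeholders, and the configuration assumes each account has an internal ALB that the gateway's subnets can reach over VPC peering, with certificates that chain to a CA Kong trusts.

```yaml
# Added example (not from the original thread): Kong in declarative mode as the
# one API gateway in front of "n" accounts. Hostnames, paths and names are
# placeholders; both ALBs are assumed internal and reachable over VPC peering.
_format_version: "3.0"

services:
  # Existing service in account A, fronted by account A's internal ALB.
  - name: orders-account-a
    url: https://internal-orders-alb.account-a.example.internal:443
    # Verify the upstream ALB certificate rather than accept any certificate
    # (assumes the ALB cert chains to a CA in Kong's trust store).
    tls_verify: true
    routes:
      - name: orders
        hosts:
          - api.example.com        # the URL the asker wants to keep
        paths:
          - /orders
        strip_path: false          # forward /orders/... unchanged to the ALB
        protocols:
          - https

  # New service in account B, fronted by account B's internal ALB.
  - name: payments-account-b
    url: https://internal-payments-alb.account-b.example.internal:443
    tls_verify: true
    routes:
      - name: payments
        hosts:
          - api.example.com
        paths:
          - /payments
        strip_path: false
        protocols:
          - https
```

Validate the file with `kong config parse kong.yml` before loading it (`KONG_DATABASE=off KONG_DECLARATIVE_CONFIG=kong.yml`). With this layout the Route53 alias for api.example.com moves from the service ALB to the ALB that sits in front of the gateway (the answer's third ALB), and the per-account ALBs stay internal, so the only path to account B's ECS service from the outside is through the gateway.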
