Microservices are the common trend, and deploying them in the cloud is a primary consideration for most projects these days. Important factors are zero downtime at peak hours and how easily the system can scale. We will cover how to dockerize a Spring Boot application and deploy it in an ECS cluster in a private subnet, with an Application Load Balancer in a public subnet.
- Setting up VPC network
- ECS concepts
- Create ECS cluster with Fargate
- Application Load Balancer
- Auto Scaling in ECS with Apache Benchmark
Setting Up the VPC:
In this article we will discuss setting up the VPC with 2 private subnets and 2 public subnets across 2 distinct availability zones.
In the above design, the VPC has a private subnet in each of 2 availability zones, and the public subnets must be in those same availability zones. Let's go through the definitions as per the diagram and then look at how to set it up.
Amazon VPC: A VPC (Virtual Private Cloud) creates the networking layer for any services we spin up in AWS. It logically isolates systems by creating a virtual network.
Internet Gateway: As the name suggests, it is the gateway to the Internet for all resources within the VPC. If any resource within the VPC wants to call a service or fetch resources from the internet, the traffic goes via the Internet Gateway.
NACL: A network access control list (ACL) is an optional layer of security for your VPC that acts as a stateless firewall controlling traffic in and out of one or more subnets.
Subnets: A subnet is a range of IP addresses allocated within the VPC network. AWS provides the option of creating public subnets, which are reachable from the internet, and private subnets, which are not. Resources within a private subnet are not directly reachable from outside sources. Hence we will be spinning up all the ECS containers and tasks in private subnets, whereas the Application Load Balancer will be in the public subnets. We will cover this more in the upcoming sections.
Router: The router, also known as the Route Table, is a set of rules that determines where traffic leaving a subnet is routed. Each subnet must be associated with exactly one route table, which specifies where its traffic goes.
NAT Gateway: A Network Address Translation gateway lets resources launched inside a private subnet invoke services on the internet. Basically it is a gateway to the internet from private subnets. The reverse is not true: from the internet you cannot reach the private subnets.
Bastion Host: A bastion server or bastion host is created in a public subnet so that it can act as a proxy for logging in to instances in a private subnet. This is a secure way of connecting to instances inside private subnets.
Setting up the VPC
- Create a VPC with the CIDR range 10.0.0.0/16
- Create 4 subnets: 2 public (10.0.1.0/16 & 10.0.2.0/16) and 2 private (10.0.3.0/16 & 10.0.4.0/16)
  10.0.1.0/16 and 10.0.3.0/16 should be in the same availability zone
  10.0.2.0/16 and 10.0.4.0/16 should be in the same availability zone.
- Create an Internet Gateway and attach it to the VPC.
- Create a NAT Gateway with an Elastic IP associated to it.
- Create 2 route tables, one public and one private. Add a default route via the NAT Gateway to the private route table and a default route via the Internet Gateway to the public route table.
- Create 2 Network ACLs, 1 private and 1 public.
Public should have inbound rules like below:
Private should have inbound rules like below:
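Before clicking through the console it is worth checking the address plan offline. The validator below is an added example, not code from the article: it checks that every subnet CIDR is a proper sub-range of the VPC block, that no two subnets overlap, and that each availability zone gets exactly one public and one private subnet. Note that a subnet must have a longer prefix than its VPC, so four /16 subnets cannot be created inside a 10.0.0.0/16 VPC; the validator reports the article's literal /16 subnet CIDRs as invalid, and the corrected plan uses /24 subnets (an assumption about the intended layout, keeping the article's AZ pairing). The availability zone names and subnet names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SubnetPlan:
    name: str
    cidr: str
    az: str       # availability zone label (placeholder values below)
    public: bool  # True: default route via Internet Gateway; False: via NAT Gateway


def validate_vpc_plan(vpc_cidr: str, subnets: List[SubnetPlan]) -> List[str]:
    """Return a list of problems with the address plan; an empty list means it is sound."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    accepted: List[Tuple[str, ipaddress.IPv4Network]] = []  # subnets that passed per-subnet checks

    for s in subnets:
        try:
            # strict=True rejects CIDRs whose host bits are set, e.g. 10.0.1.0/16
            net = ipaddress.ip_network(s.cidr, strict=True)
        except ValueError:
            problems.append(f"{s.name} {s.cidr}: host bits set, not a valid subnet CIDR")
            continue
        # A subnet must lie inside the VPC block and carve out a strictly smaller range.
        if not net.subnet_of(vpc) or net.prefixlen <= vpc.prefixlen:
            problems.append(f"{s.name} {s.cidr}: not a proper sub-range of VPC {vpc_cidr}")
            continue
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{s.name} {s.cidr}: overlaps {other_name} {other}")
        accepted.append((s.name, net))

    # Each AZ needs one public subnet (ALB, NAT Gateway, bastion) and one private subnet (ECS tasks).
    azs = sorted({s.az for s in subnets})
    if len(azs) < 2:
        problems.append("plan spans fewer than two availability zones")
    for az in azs:
        n_public = sum(1 for s in subnets if s.az == az and s.public)
        n_private = sum(1 for s in subnets if s.az == az and not s.public)
        if (n_public, n_private) != (1, 1):
            problems.append(
                f"{az}: expected 1 public + 1 private subnet, got {n_public} public / {n_private} private"
            )
    return problems


VPC_CIDR = "10.0.0.0/16"

# Constructed plan using the article's literal /16 subnet CIDRs (AZ labels are placeholders).
PAGE_PLAN = [
    SubnetPlan("public-a", "10.0.1.0/16", "az-a", True),
    SubnetPlan("public-b", "10.0.2.0/16", "az-b", True),
    SubnetPlan("private-a", "10.0.3.0/16", "az-a", False),
    SubnetPlan("private-b", "10.0.4.0/16", "az-b", False),
]

# Corrected plan (assumption): /24 subnets so that four of them fit inside the /16 VPC.
CORRECTED_PLAN = [
    SubnetPlan("public-a", "10.0.1.0/24", "az-a", True),
    SubnetPlan("public-b", "10.0.2.0/24", "az-b", True),
    SubnetPlan("private-a", "10.0.3.0/24", "az-a", False),
    SubnetPlan("private-b", "10.0.4.0/24", "az-b", False),
]

if __name__ == "__main__":
    for label, plan in (("as written", PAGE_PLAN), ("corrected", CORRECTED_PLAN)):
        print(label, "->", validate_vpc_plan(VPC_CIDR, plan) or "ok")
```

Running the script prints four "host bits set" findings for the plan as written and "ok" for the /24 plan; the same function also catches overlapping ranges and a subnet that is missing from one zone, which is the usual way a two-AZ ALB or NAT setup ends up silently single-zone.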
The VPC is all set now. Create a bastion host in a public subnet and associate it with a bastion security group. The bastion security group should allow SSH on port 22 only from your own IP. Also create an instance in a private subnet with a private security group that allows only SSH on port 22, with the bastion security group as the source. This ensures that users can SSH to the instance in the private subnet only via the bastion server.
In the next article we will deploy the ECS Fargate service in this VPC with an ALB.
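The two security groups above encode a simple policy: SSH into the bastion only from the administrator's IP, and SSH into private instances only from the bastion's security group. The linter below is an added example, not the article's code; it takes inbound rules in the shape boto3's `describe_security_groups` returns under `IpPermissions` (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`) and reports any SSH exposure that departs from that policy. The group ids, the admin CIDR (a documentation-range address) and the rule sets are constructed placeholders.

```python
from typing import Dict, List

ANYWHERE = ("0.0.0.0/0", "::/0")


def covers_port(rule: dict, port: int) -> bool:
    """True if an inbound rule admits TCP traffic to the given port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def lint_ssh_exposure(groups: Dict[str, List[dict]], bastion_sg: str, admin_cidr: str) -> List[str]:
    """
    groups maps a security-group id to its inbound rules (boto3 IpPermissions shape).
    Returns findings; an empty list means SSH exposure matches the bastion design.
    """
    findings: List[str] = []
    for sg_id, rules in groups.items():
        for rule in rules:
            if not covers_port(rule, 22):
                continue
            # CIDR sources: only the bastion may accept SSH from a CIDR, and only the admin's.
            for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr in ANYWHERE:
                    findings.append(f"{sg_id}: SSH reachable from anywhere ({cidr})")
                elif sg_id != bastion_sg:
                    findings.append(f"{sg_id}: SSH from CIDR {cidr}; private hosts should only accept SSH from {bastion_sg}")
                elif cidr != admin_cidr:
                    findings.append(f"{sg_id}: bastion accepts SSH from {cidr}, expected only {admin_cidr}")
            # Group sources: private hosts accept SSH only from the bastion group; the bastion from none.
            for pair in rule.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if sg_id == bastion_sg:
                    findings.append(f"{sg_id}: bastion should not accept SSH from group {src}")
                elif src != bastion_sg:
                    findings.append(f"{sg_id}: SSH from group {src}, expected only {bastion_sg}")
    return findings


# Constructed placeholders for the two groups and the administrator's address.
BASTION_SG = "sg-bastion-PLACEHOLDER"
PRIVATE_SG = "sg-private-PLACEHOLDER"
ADMIN_CIDR = "203.0.113.10/32"

# Rules matching the article's design.
GOOD_GROUPS = {
    BASTION_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": ADMIN_CIDR}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    PRIVATE_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}],
}

# Rules that drift from the design: world-open bastion, private group trusting the whole VPC
# range instead of the bastion group, and an "all traffic from anywhere" rule.
BAD_GROUPS = {
    BASTION_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    PRIVATE_SG: [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                 {"IpProtocol": "-1",
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}

if __name__ == "__main__":
    print("good:", lint_ssh_exposure(GOOD_GROUPS, BASTION_SG, ADMIN_CIDR) or "ok")
    print("bad:", lint_ssh_exposure(BAD_GROUPS, BASTION_SG, ADMIN_CIDR))
```

Feeding the live `IpPermissions` of both groups into `lint_ssh_exposure` after the console work is a quick way to confirm the bastion is the only SSH path into the private subnet; the "-1" case matters because an "all traffic" rule opens port 22 without ever mentioning it.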