How to deploy private microservice in aws - amazon-web-services

I'm new to Amazon services and I have a scenario to deploy a microservice architecture. I have searched for many keywords but found nothing.
I have services A, B, C and D, and I want to deploy them in a VPC cluster with the Fargate launch type. I want to access each service through an API Gateway REST API, but I don't want to assign public IPs to my services; I just want them to be accessed through API Gateway.
How could I do this with CloudFormation?

To create the API Gateway you can use the API Gateway resources from CloudFormation.
For the load balancer you can use ElasticLoadBalancingV2.
And for ECS you will need to use the resources from here.
All these resources have examples, which should help you get started.
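Putting the three resource families the answer names together, here is a CloudFormation template that wires a Fargate service with no public IP to an internal Network Load Balancer, creates an API Gateway VPC link to that NLB, and fronts it with a regional REST API proxy. This is an added example, not code from the answer or from AWS; it assumes an existing ECS cluster and Fargate task definition (passed in as parameters), and the VPC CIDR, container name and port defaults are placeholders you must change.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private Fargate service reachable only through API Gateway (added example)

Parameters:
  VpcId:             {Type: 'AWS::EC2::VPC::Id'}
  VpcCidr:           {Type: String, Default: 10.0.0.0/16}   # assumption: your VPC's CIDR
  PrivateSubnetIds:  {Type: 'List<AWS::EC2::Subnet::Id>'}
  ClusterArn:        {Type: String}                         # existing ECS cluster
  TaskDefinitionArn: {Type: String}                         # existing Fargate task definition
  ContainerName:     {Type: String, Default: service-a}     # assumption: container name in the task definition
  ContainerPort:     {Type: Number, Default: 8080}          # assumption: port the container listens on

Resources:
  # Tasks accept traffic only from inside the VPC (the NLB and its health checks) and get no public IP.
  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: In-VPC traffic to the service port only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          CidrIp: !Ref VpcCidr

  # Internal NLB: the only target type a REST API VPC link accepts.
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip            # awsvpc networking registers task IPs, not instances
      Protocol: TCP
      Port: !Ref ContainerPort
      VpcId: !Ref VpcId

  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  Service:
    Type: AWS::ECS::Service
    DependsOn: NlbListener      # the target group must belong to a listener before the service registers into it
    Properties:
      Cluster: !Ref ClusterArn
      LaunchType: FARGATE
      TaskDefinition: !Ref TaskDefinitionArn
      DesiredCount: 2
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups: [!Ref ServiceSecurityGroup]
          Subnets: !Ref PrivateSubnetIds
      LoadBalancers:
        - ContainerName: !Ref ContainerName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref TargetGroup

  # The VPC link is API Gateway's private path to the NLB.
  VpcLink:
    Type: AWS::ApiGateway::VpcLink
    Properties:
      Name: service-a-link
      TargetArns: [!Ref Nlb]

  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: service-a-api
      EndpointConfiguration:
        Types: [REGIONAL]

  ProxyResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref RestApi
      ParentId: !GetAtt RestApi.RootResourceId
      PathPart: '{proxy+}'

  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: NONE   # the gateway is now the only public entry point: put AWS_IAM or an authorizer here
      RequestParameters:
        method.request.path.proxy: true
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        ConnectionId: !Ref VpcLink
        Uri: !Sub 'http://${Nlb.DNSName}/{proxy}'
        RequestParameters:
          integration.request.path.proxy: method.request.path.proxy

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProxyMethod
    Properties:
      RestApiId: !Ref RestApi
      StageName: prod
```

Deploy one copy per service (or add one VpcLink, target group and listener port per service to a shared NLB); the tasks never receive a public address, and nothing outside the VPC can reach the NLB except through the VPC link. The security group allows the whole VPC CIDR because the source the tasks see is the NLB's private address (or the preserved client address, depending on the target group's client IP preservation setting), both of which are inside the VPC. The hop from the gateway to the NLB is plain HTTP inside the AWS network; if you need TLS end to end, give the NLB a TLS listener with an ACM certificate and change the integration URI to `https://`.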

Related

How to create an API Gateway for AWS Eks services in private subnets?

I have an AWS EKS cluster running in a custom VPC with 2 public and 2 private subnets. The node groups (for my backend) run in the 2 private subnets, so they can't be accessed directly.
I would like to create an API Gateway which exposes the microservices in the node group so my front-end and third-party software can communicate with them. I would eventually also like to add authorization to the API Gateway for security. The problem is that I cannot find good documentation on how to do this (expose the microservices through an API Gateway). Does anyone know how to do this, or where I can find information on how to do this?
The situation would look something like this:
You need to use API Gateway private integrations to expose services running in EKS using an NLB. Please check the article below for the overall solution.
https://aws.amazon.com/blogs/containers/integrate-amazon-api-gateway-with-amazon-eks/

how to Communicate EC2 backend with my reactjs web app hosted in firebase? (Using API calls)

I can't figure out how to make them talk using API calls. Previously I used API Gateways which would trigger Lambdas, and those Lambdas would interact with DynamoDB and other services and send me back a JSON response. Now I want to shift to EC2 instances and totally skip API Gateway usage, and let a server I run in EC2 do the computation for me. Do I need to deploy a web service (Django RESTful) in the EC2 instance and then call it from my frontend? If yes, I need a little guidance on how.
And suppose I want to access S3 storage from my Django RESTful service in EC2. Can I do it without having to enter the access key and ID, and use roles instead, just like how I would access S3 from the EC2 instance without an access key and ID? Traditionally with the SDK we have to use access keys and secret keys to even get authorized to use services in the SDK, so I was wondering if there was a way to get around this since the program will be running in the EC2 instance itself. One really inefficient way would be to run a batch command that makes the EC2 instance interact with the services I need without the SDK and with roles instead, but it is really inefficient and too much work as far as I can see.
As you are familiar with API Gateway, you can use the same to connect to your EC2 instance via its private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go through this document for step-by-step integration.
If you do not want to use API Gateway any more, then you can simply use Route 53 to route traffic to the EC2 instance; all you need is the IP address of the EC2 instance and a hosted zone created in Route 53.
Here is a tutorial for your reference.

Can we have 2 APIgateway for one NLB?

We have 2 internal services in a single VPC that are open to the internet via:
- API Gateway (Regional)
- VPC link
For blue/green deployment, API Gateway is the only fixed point for us.
Now one of the services has to talk to the other service, and we do that by hitting API Gateway, and because the other service is within a VPC we have to use a proxy to connect to that API Gateway (Regional). But we still need a Regional API Gateway as we have other services outside the VPC.
Service A -> Proxy -> Regional API Gateway of Service B
Now the question is: can we have a Private API Gateway and a Regional API Gateway working in parallel and hitting the same ECS service?
In this case we would not have to go via the proxy at all.
A VPC link can be reused across numerous API Gateway endpoints; this will work as long as the API Gateway and Network Load Balancer are within the same account.
The Network Load Balancer and API must be owned by the same AWS account.
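The arrangement the answer describes, as an added example that is not part of the answer: a second, PRIVATE REST API for Service B that reuses the VPC link already used by the regional API, so Service A can call it from inside the VPC without a proxy. The existing VPC link id and NLB DNS name are passed in as parameters (assumed to exist in the same account); the interface endpoint, its security group, the resource policy and the IAM authorization are additions of this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private REST API for Service B sharing the regional API's VPC link (added example)

Parameters:
  VpcId:                 {Type: 'AWS::EC2::VPC::Id'}
  PrivateSubnetIds:      {Type: 'List<AWS::EC2::Subnet::Id>'}
  ExistingVpcLinkId:     {Type: String}   # the VpcLink the regional API already uses
  NlbDnsName:            {Type: String}   # DNS name of the shared internal NLB
  CallerSecurityGroupId: {Type: String}   # security group of Service A's tasks (assumption)

Resources:
  # Only Service A may open connections to the execute-api endpoint.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from Service A to the execute-api interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref CallerSecurityGroupId

  # Interface endpoint: in-VPC callers resolve the API hostname to these private IPs.
  ExecuteApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]

  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: service-b-private
      EndpointConfiguration:
        Types: [PRIVATE]
        VpcEndpointIds: [!Ref ExecuteApiEndpoint]
      # A private API is unreachable until a resource policy allows a source; pin it to this endpoint only.
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringEquals:
                aws:SourceVpce: !Ref ExecuteApiEndpoint

  ProxyResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref PrivateApi
      ParentId: !GetAtt PrivateApi.RootResourceId
      PathPart: '{proxy+}'

  ProxyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref PrivateApi
      ResourceId: !Ref ProxyResource
      HttpMethod: ANY
      AuthorizationType: AWS_IAM          # Service A's task role signs requests; no anonymous in-VPC callers
      RequestParameters:
        method.request.path.proxy: true
      Integration:
        Type: HTTP_PROXY
        IntegrationHttpMethod: ANY
        ConnectionType: VPC_LINK
        ConnectionId: !Ref ExistingVpcLinkId   # same VPC link, same NLB, same ECS service as the regional API
        Uri: !Sub 'http://${NlbDnsName}/{proxy}'
        RequestParameters:
          integration.request.path.proxy: method.request.path.proxy

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: ProxyMethod
    Properties:
      RestApiId: !Ref PrivateApi
      StageName: prod
```

Service A now calls `https://<private-api-id>.execute-api.<region>.amazonaws.com/prod/...` directly, signing with SigV4 from its task role, and the private and regional APIs share one VPC link and one NLB. One caveat to test before cutting over: with `PrivateDnsEnabled: true`, every `execute-api` hostname inside that VPC resolves to the interface endpoint, so any remaining in-VPC calls to the public regional API by its default hostname will stop working; callers in the VPC must use the private API (or a custom domain for the regional one).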

Limit API calls to AWS API Gateway

I have a problem configuring my AWS API Gateway:
I have an API deployed in an EKS cluster, and it has a public load balancer, so right now this API is accessible from everywhere. I want to allow access to this API only from AWS API Gateway, so if anyone wants to use the API, it has to be through AWS API Gateway.
The problem is that I don't know how to allow traffic to the API only from API Gateway. I tried using a security group, but the AWS API Gateway IP changes all the time. I also tried using an internal load balancer in my Kubernetes deployment, but AWS API Gateway can't reach that load balancer!
Thanks in advance for the help!
You can do this by using a Network Load Balancer.
Create an internal Network Load Balancer and register your containers in its target group.
Then in API Gateway create a VPC link to your Network Load Balancer, and use the VPC link within your API Gateway setup.
More instructions are available here.
You might be able to accomplish this by setting up an API Gateway private integration. This makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC.
Also, have a look at Amazon EKS cluster endpoint access control to understand how you can enable private endpoint access for your cluster.
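Both EKS answers on this page (this one and the one on exposing EKS services in private subnets) come down to the same first step: replace the public load balancer with an internal NLB that API Gateway can reach through a VPC link. The manifest below is an added example, not from either answer; it asks the AWS Load Balancer Controller (v2.2 or later, assumed installed) for an internal NLB with pod IP targets. The Service name, namespace, label and ports are assumptions.

```yaml
# Added example: internal NLB for an EKS backend, to be targeted by an API Gateway VPC link.
# Assumes: AWS Load Balancer Controller >= 2.2 is installed, the private subnets carry the
# kubernetes.io/role/internal-elb=1 tag (so the controller picks them), and the backend
# Deployment's pods are labelled app: backend-api and listen on 8080.
apiVersion: v1
kind: Service
metadata:
  name: backend-api
  namespace: default
  annotations:
    # Hand the Service to the controller rather than the in-tree cloud provider.
    service.beta.kubernetes.io/aws-load-balancer-type: external
    # Register pod IPs directly; no NodePort hop, and the pods' network policy sees the real flow.
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # No public address: the NLB is reachable only from inside the VPC (and via the VPC link).
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
spec:
  type: LoadBalancer
  selector:
    app: backend-api
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
```

After `kubectl apply`, the controller creates the internal NLB; its ARN goes into the VPC link (`aws apigateway create-vpc-link --name backend-api --target-arns <nlb-arn>` for a REST API), and the integration URI is the NLB's DNS name. Once the old public Service is deleted, the only route in from the internet is the gateway, which is where the questioner's authorization should then be enforced (IAM, a Cognito user pool, or a Lambda authorizer on the method); the security group approach fails because API Gateway's addresses are not fixed, whereas the VPC link makes that question moot.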

How to connect to applications hosted behind an application load balancer in AWS?

I followed A Practical Guide to Deploying Microservices on AWS to deploy an internal API in AWS ECS. However, the guide fails to mention how to access the API via the internet.
There are examples (Access Private applications on AWS Fargate using Amazon API Gateway PrivateLink | AWS Compute Blog) of how to do this if the app is behind an NLB; however, this one is behind an ALB. Are there any such examples of how to access this internal API?