Constructing a private ECS environment using an internal ALB

Wed, 21 Nov 2018 10:00:00


Prerequisites

Before considering the infrastructure composition, I gathered the prerequisites that had been given to me in advance. The conditions roughly divide into the following four.

1. The domain is managed by a system outside AWS, but an unused subdomain has been allocated to the new system
2. The AWS environment connects to the on-premise environment with DirectConnect
3. Since DirectConnect is used, I want to avoid a situation where the system is exposed to the Internet
4. Since I use Docker in the development environment, I want to use ECS so that I can also use Docker in the production environment

1. The domain is managed by a system outside AWS, but an unused subdomain has been allocated to the new system

When building a system on AWS services, it is desirable to manage the entire domain with Route 53. This time, however, that seems difficult because it would require transferring the entire domain.

So, with reference to the method described here, let's manage only the newly allocated subdomain with Route 53.


2. The AWS environment connects to the on-premise environment with DirectConnect

There is nothing special to mention here. In other words, since you will be using an ALB (which needs spare addresses in at least two subnets), exercise your political skills so that the AWS side can be allocated subnets of reasonable size.


3. Since DirectConnect is used, I want to avoid a situation where the system is exposed to the Internet

This time it is enough to deploy the system on private subnets, but various things still need to be downloaded from the Internet.

I use a NAT gateway to solve this problem easily.

However, since access from the Internet will be completely blocked, either create a bastion server for management or use Session Manager.


4. Since I use Docker in the development environment, I want to use ECS so that I can also use Docker in the production environment

I have saved it for last, but this is the main theme of this article. Using ECS for a web system almost certainly means using an ALB.

Normally an ALB straddles the public subnets, but this time we cannot build the system on public subnets. However, ALB has a scheme for use inside the VPC called an internal ALB. An internal ALB spans private subnets, so we can use ECS even in a private environment.

Also, ECS requires an Internet connection to pull container images from ECR, but that is no problem because we have the NAT gateway.

After that, by registering the ALB's DNS name as a Route 53 ALIAS record, the private IP addresses assigned to the ALB can be resolved from the on-premise environment.
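As an added example (not from the original post), here is Terraform for the three pieces this section describes: the internal ALB on private subnets, the ECS service with no public IPs, and the ALIAS record in a hosted zone that holds only the delegated subdomain. The subnet and VPC variables, security groups, ECS cluster, task definition, target group and the sub.example.com names are hypothetical placeholders assumed to exist elsewhere.

```hcl
# Internal scheme: the ALB receives only private IPs and lives in the private subnets.
resource "aws_lb" "app" {
  name               = "app-internal-alb"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids   # at least two AZs (placeholder)
  security_groups    = [aws_security_group.alb.id]
}

# Tasks also run in the private subnets without public IPs; image pulls from
# ECR leave through the NAT gateway, not through a public address on the task.
resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false
  }
  load_balancer {
    target_group_arn = aws_lb_target_group.app.arn
    container_name   = "app"
    container_port   = 80
  }
}

# Hosted zone for only the delegated subdomain; the parent zone stays outside AWS,
# and this zone's NS records must be registered there.
resource "aws_route53_zone" "subdomain" {
  name = "sub.example.com"   # hypothetical
}

# ALIAS to the ALB: clients resolve app.sub.example.com to the ALB's private IPs.
resource "aws_route53_record" "app" {
  zone_id = aws_route53_zone.subdomain.zone_id
  name    = "app.sub.example.com"
  type    = "A"
  alias {
    name                   = aws_lb.app.dns_name
    zone_id                = aws_lb.app.zone_id
    evaluate_target_health = true
  }
}
```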


Final configuration drawing

It looks like this when the design is drawn as an illustration.

[Figure: final configuration diagram]


Finally

This time I considered an AWS configuration under the condition of building a system in a VPC connected with DirectConnect. I found that you cannot take full advantage of AWS without being conscious of things you normally do not have to think about.

Aside from that, if the on-premise PCs are not connected to the Internet, name resolution of the ALB should not be possible in this configuration, so it seems necessary to take one more step forward.