AWS VPC endpoints configuration to use Systems Manager to manage private EC2 instances without internet access

Amazon EC2 instances must be registered as managed instances to be managed with AWS Systems Manager. Follow these steps:

1. Verify that SSM Agent is installed on the instance.
2. Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager. You can create a new role, or add the needed permissions to an existing role.
3. Attach the IAM role to your private EC2 instance.
4. Open the Amazon EC2 console, and then select your instance. On the Description tab, note the VPC ID and Subnet ID.
5. Create a VPC endpoint for Systems Manager.
   For Service Name, select com.amazonaws.[region].ssm (for example, com.amazonaws.us-east-1.ssm). For a full list of Region codes, see Available Regions.
   For VPC, choose the VPC ID for your instance.
   For Subnets, choose the Subnet ID for your instance. Be sure to choose subnets from different Availability Zones within the Region.
   Note: If you have more than one subnet in the same Availability Zone, you don't need to create VPC endpoints for the extra subnets. Any other subnets within the same Availability Zone can access and use the interface.
   For Enable DNS name, select Enable for this endpoint. For more information, see Private DNS for interface endpoints.
   For Security group, select an existing security group, or create a new one. If you created a new security group, open the VPC console, choose Security Groups, and then select the new security group. On the Inbound rules tab, choose Edit inbound rules. Add a rule with the following details, and then choose Save rules.
   For Type, choose HTTPS.
   For Source, choose your VPC/Subnet CIDR.
   Note the Security group ID. You'll use this ID with the other endpoints.
   Optional: For advanced setup, create policies for VPC interface endpoints for AWS Systems Manager.
6. Repeat step 5 with the following change:
   For Service Name, select com.amazonaws.[region].ec2messages.
7. Repeat step 5 with the following change:
   For Service Name, select com.amazonaws.[region].ssmmessages. You must do this if you want to use Session Manager.

After the three endpoints are created, your instance appears in Managed Instances, and can be managed using Systems Manager.

 

 Deployment of SpringBoot Services on AWS Elastic Container Services: Part 5  Deploy Service

For the forth part of this thread, please click on Part 4

Deploy the monolith as a service into the cluster.

• Navigate to the Amazon ECS console and select Clusters from the left menu bar.
• Select the cluster select the Services tab then select Create.
  
• On the Configure service page, edit the following parameters (and keep the default values for parameters not listed below): 
  • For the Launch type, select EC2.
  • For the Service name, enter api. 
  • For the Number of tasks, enter 1.
  • Select Next step.
• On the Configure network page, Load balancing section, select Application Load Balancer.
  Additional parameters will apear: Service IAM role and Load balancer name.
  
  • For the Service IAM role, select SprinBootRole.
    
  • For the Load balancer name, verify that the appropriate load balancer is selected.
• In the Container to load balance section, select Add to load balancer.
  Additional information labeled api:3000 is shown.
• In the api:3000 section, do the following:
  • For the Production listener port field, select 80:HTTP.
  • For the Target group name, select your group: api.
• In the Service discovery section, Enable service discovery integration option, clear the checkmark. This option should not be enabled.
  
• Select Next step.
• On the Set Auto Scaling page, leave the default setting and select Next step.
• On the Review page, review the settings then select Create Service.
• After the service has been created, select View Service.

 Deployment of SpringBoot Services on AWS Elastic Container Services: Part 4 Configure Application Load Balancer Target Groups and Application Load Balancer Listener

For the third part of this thread, please click on Part 3

The Application Load Balancer (ALB) lets your service accept incoming traffic. The ALB automatically routes 

traffic to container instances running on your cluster using them as a target group.

Check your VPC Name: If this is not your first time using this AWS account, you may have multiple VPCs. 

It is important to configure your Target Group with the correct VPC.

• Navigate to the Load Balancer section of the EC2 Console.
• Locate the appropriate load balancer.
  
  
• Select the checkbox next to the appropriate load balancer to see the Load Balancer details.
• In the Description tab, locate the VPC attribute (in this format: vpc-xxxxxxxxxxxxxxxxx).Configure the ALB 
• Target Group

A target group tells a load balancer where to direct traffic to : EC2 instances, fixed IP addresses; or AWS Lambda functions, amongst others. When creating a load balancer, you create one or more listeners and configure listener rules to direct the traffic to one target group.

• Navigate to the Target Group section of the EC2 Console.
• Select Create target group.
• Configure the following Target Group parameters (for the parameters not listed below,
•  keep the default values):
  
  • For the Target group name, enter api.
    
  • For the Protocol, select HTTP.
    
  • For the Port, enter 80.
    
  • For the VPC, select the value that matches the one from the Load Balancer description. 
  • This is most likely NOT your default VPC.
    
  • Access the Advanced health check settings and edit the following parameters as needed: 
    • For Healthy threshold, enter 2.
    • For Unhealthy threshold, enter 2.
    • For Timeout, enter 5.
    • For Interval, enter 6.
• Select Create.

The ALB listener checks for incoming connection requests to your ALB.

Add a Listener to the ALB

• Navigate to the Load Balancer section of the EC2 Console.
• Select the checkbox next to the appropriate load balancer to see the Load Balancer details.
• Select the Listeners tab.

• Select Add listener and edit the following parameters as needed:
  
• For Protocol:port, select HTTP and enter 80.
• For Default action(s), select Forward to and in the Target group field, enter api.
• Select Save.

Deployment of SpringBoot Services on AWS Elastic Container Services: Part 3 Create Task Definitions

Deployment of SpringBoot Services on AWS Elastic Container Services: Part 3 Create Task Definitions

For the second part of this thread, please click on Part 2

Task definitions specify how Amazon ECS deploys the application containers across the cluster.

• From the Amazon ECS left navigation menu, select Task Definitions.
• Select Create new Task Definition.

• On the Select launch type compatibility page, select the EC2 option then select Next step.

• On the Configure task and container definitions page, do the following:
  • In the Task Definition Name field, enter api.
  • Scroll down to Container Definitions and select Add container.
  • In the Add container window:
    • Parameters that are not defined can be either left blank or with the default settings.
    • In the Container name field, enter api.
    • In the Image field, enter [account-ID].dkr.ecr.[region].amazonaws.com/api:v1
      Replace [account-ID] and [region] with your specific information. Ensure the tag v1 matches the value you used in Module 1 to tag and push the image. This is the URL of your ECR repository image that was created in the previous module.
    • In the Memory Limits field, verify Hard limit is selected and enter 256 as the value.
    • Under Port mappings, Host port = 0 and Container port = 3000.
    • Scroll to ENVIRONMENT, CPU units = 256.
• Select Add.
  You will return to the Configure task and container definitions page.
• Scroll to the bottom of the page and select Create.

Your Task Definition is listed in the console.

The Task Definition looks like as follows:

Deployment of SpringBoot Services on AWS Elastic Container Services: Part 2 Create AWS ECS (Amazon Elastic Container Services) Cluster with Cloud Formation Template provided.

 Deployment of SpringBoot Services on AWS Elastic Container Services:  Part 2 Create AWS ECS (Amazon Elastic Container Services) Cluster with Cloud Formation Template provided.

To deploy the Docker Images, please refer to this link, Part 1 of this thread

Create an Amazon ECS cluster deployed behind an Application Load Balancer.

1. Navigate to the AWS CloudFormation console.
2. Select Create stack.
3. Select Upload a template file and choose the ecs.yml 
4. For the stack name, enter BreakTheMonolith-Demo. Verify that the other parameters have the following values:
   
   1. Desired Capacity = 2
      
   2. InstanceType = t2.micro
      
   3. MaxSize = 2
      
5. Select Next.
   
6. On the Configure stack options page, keep the default options and scroll down and select Next.

Ensure the cluster is running

• Navigate to the Amazon ECS console. Your cluster should appear in the list.
  

• Select the ECS Instances tab to verify there are two Amazon EC2 instances created by the AWS CloudFormation template.
   

Deployment of SpringBoot Services on AWS Elastic Container Services: Part 1 AWS ECR (Amazon Elastic Container Registry (ECR)

Deployment of SpringBoot Services on AWS Elastic Container Services:  Part 1 AWS ECR (Amazon Elastic Container Registry (ECR) 

Amazon Elastic Container Registry (ECR) is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images and artifacts anywhere. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure. Amazon ECR hosts your images in a highly available and high-performance architecture, allowing you to reliably deploy images for your container applications.

This thread, Part 1 discusses the provisioning of AWS ECR:

Create the repository:

• Navigate to the Amazon ECR console.
• On the Repositories page, select Create Repository.
• On the Create repository page, enter the following name for your repository: api.
  ⚐ Note: Under Tag immutability, leave the default settings.
• Select Create repository.

After the repository is created, you receive a confirmation message and the repository address is listed under URI. The repository address is in the following format: [account-ID].dkr.ecr.[region].amazonaws.com/[repo-name]. The [account-ID], [region], and [repo-name] will be specific to your setup.

ECR

Build and Push Docker Image to ECR

Using AWS Client Login, Log into the repository.

Use the terminal to authenticate Docker log in:

1. Run one of the following commands, depending on which version of AWS CLI you have (To identify the version, run aws --version. If needed, configure your credentials.):
   
• If you have AWS CLI version 1.x, then run:
  $(aws ecr get-login --no-include-email --region [your-region])
  Replace [your-region], for example: $(aws ecr get-login --no-include-email --region us-west-2)
  
• If you have AWS CLI version 2.x, then run:
  aws ecr get-login-password --region [your-region] | docker login --username AWS --password-stdin [your-AWS-account-ID].dkr.ecr.[your-region].amazonaws.com
  Replace [your-region] and [your-AWS-account-ID], for example: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com
  If authentication is successful, you will receive the confirmation message: Login Succeeded.

• To build the image, run the following command in the terminal: 

docker build -t api .

• After the build completes, tag the image so you can push it to the repository: 

docker tag api:latest [account-ID].dkr.ecr.[region].amazonaws.com/api:v1 

• Push the image to Amazon ECR by running: 

docker push [account-id].dkr.ecr.[region].amazonaws.com/api:v1

If you navigate to your Amazon ECR repository, you should see your image tagged v1.