AWS EC2 Instances

Gloo Edge allows you to create Upstreams from groups of EC2 instances.

Before jumping into the guide, let’s become familiar with the EC2 Upstream specification.


Sample EC2 Upstream Config

The Upstream config below creates an Upstream that load balances to all EC2 instances that both match the filter criteria and are available to a user with the credentials provided by the secret.

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  annotations:
  name: my-ec2-upstream
  namespace: gloo-system
spec:
  awsEc2:
    filters:
    - key: some-key
    - kvPair:
        key: some-other-key
        value: some-value
    region: us-east-1
    publicIp: true
    secretRef:
      name: my-aws-secret
      namespace: default
    roleArn: arn:aws:iam::123456789012:role/describe-ec2-demo

Key points


Setup

The steps below will take you through the process of using the EC2 plugin to create routes to EC2 instances. You will need to have the following prerequisites complete:


Prepare sample resources in AWS

Note, if you already have an EC2 instance you would like to route to and the necessary credentials configured, you can skip to the next section.

Configure an EC2 instance

wget https://mitch-solo-public.s3.amazonaws.com/echoapp2
chmod +x echoapp2
sudo ./echoapp2 --port 80 &
curl http://<instance-public-ip>/

Create a secret with AWS credentials

glooctl create secret aws \
  --name gloo-tag-group1 \
  --namespace default \
  --access-key [aws_secret_key_id] \
  --secret-key [aws_secret_access_key]

Create a role for Gloo Edge to assume on behalf of your Upstreams

Create a role

  1. First create a role. In the AWS console:
  2. Choose or create a policy for the role

Example of a Policy that allows the role to describe EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

Allow your Upstream’s user account to list EC2 instances

An example trust relationship follows (many other variants are possible). Add the ARN of each user account that you want to allow to assume this role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[account_id]:user/[user_id]"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
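
Both documents above can be checked before the role is handed to an Upstream: the permissions policy should grant nothing beyond `ec2:DescribeInstances`, and the trust relationship should name only the users you intend. The following is an added example, not part of the original guide or of Gloo Edge; the account id, user name and function names are constructed for illustration.

```python
import json

ALLOWED_ACTIONS = {"ec2:describeinstances"}  # IAM action names are case-insensitive

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _allow_statements(policy_json):
    return [s for s in _as_list(json.loads(policy_json).get("Statement")) if s.get("Effect") == "Allow"]

def audit_permissions(policy_json):
    """Findings for anything the role is granted beyond ec2:DescribeInstances."""
    findings = []
    for stmt in _allow_statements(policy_json):
        if "NotAction" in stmt:
            findings.append("Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action: {action}")
    return findings

def audit_trust(policy_json, expected_arns):
    """Findings for any principal that may assume the role but is not expected."""
    findings = []
    for stmt in _allow_statements(policy_json):
        if "NotPrincipal" in stmt:
            findings.append("Allow with NotPrincipal trusts everyone not listed")
        principal = stmt.get("Principal", {})
        for kind, values in ({"AWS": "*"} if principal == "*" else principal).items():
            for value in _as_list(values):
                if kind != "AWS":
                    findings.append(f"non-user principal type: {kind}={value}")
                elif value == "*":
                    findings.append("wildcard principal: anyone may assume the role")
                elif value not in expected_arns:
                    # A bare account id or its :root ARN delegates trust to the whole account.
                    whole = value.isdigit() or value.endswith(":root")
                    findings.append(f"{'whole account trusted' if whole else 'unexpected principal'}: {value}")
    return findings

# Constructed samples: the guide's two policies with a made-up account id and user,
# followed by over-broad variants for contrast.
USER = "arn:aws:iam::111122223333:user/gloo-discovery"
def make_policy(**stmt):
    return json.dumps({"Version": "2012-10-17", "Statement": [dict(Effect="Allow", **stmt)]})
PERMISSIONS = make_policy(Action="ec2:DescribeInstances", Resource="*")
TRUST = make_policy(Principal={"AWS": [USER]}, Action="sts:AssumeRole")
BROAD_PERMISSIONS = make_policy(Action=["ec2:DescribeInstances", "ec2:*"], Resource="*")
BROAD_TRUST = make_policy(Principal={"AWS": ["arn:aws:iam::111122223333:root", USER]}, Action="sts:AssumeRole")
```

An empty list from both functions means the documents match what this guide sets up; each string in a non-empty list names one statement element to review.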

Create an EC2 Upstream

Finally, make an Upstream that points to the resources that you want to route to:

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  annotations:
  name: ec2-demo-upstream
  namespace: gloo-system
spec:
  awsEc2:
    filters:
    - key: gloo-id
    - kvPair:
        key: gloo-tag
        value: group1
    - kvPair:
        key: version
        value: v1.2.3
    region: us-east-1
    publicIp: true
    secretRef:
      name: gloo-tag-group1
      namespace: default
    roleArn: "<arn-for-the-role-you-created>"

Save the spec to `ec2-demo-upstream.yaml` and use `kubectl` to create the upstream in Kubernetes.

kubectl apply -f ec2-demo-upstream.yaml

Create a route to your Upstream

Now that you have created an Upstream, you can route to it as you would with any other Upstream.

glooctl add route  \
  --path-exact /echoapp  \
  --dest-name ec2-demo-upstream \
  --prefix-rewrite /

Verify that the route works:

export URL="$(glooctl proxy url)"
curl "$URL/echoapp"

You should see the same output as when you queried the EC2 instance directly.


Summary

In this tutorial, we created an Upstream that allows us to route traffic from our gateway to a set of EC2 instances. We created a single Upstream and associated it with a single instance. You can of course create an arbitrary number of Upstreams and associate them with an arbitrary number of instances. We reviewed how to prepare your AWS account with a sample instance, role, and policy so as to demonstrate the information Gloo Edge needs to implement a routable EC2 Upstream.

Next Steps

Gloo Edge can also use AWS Lambda as an Upstream target. You can learn more in the AWS Lambda guide.