Routing to AWS EC2 Instances

Gloo allows you to create upstreams from groups of EC2 instances.

Before jumping into the tutorial, let’s become familiar with the EC2 upstream specification.

Sample EC2 Upstream Config

The upstream config below creates an upstream that load balances to all EC2 instances that both match the filter criteria and are available to a user with the credentials provided by the secret.

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  annotations:
  name: my-ec2-upstream
  namespace: gloo-system
spec:
  awsEc2:
    filters:
    - key: some-key
    - kvPair:
        key: some-other-key
        value: some-value
    region: us-east-1
    publicIp: true
    secretRef:
      name: my-aws-secret
      namespace: default
    roleArn: arn:aws:iam::123456789012:role/describe-ec2-demo

Key points

Tutorial: Basic Configuration of EC2 Upstreams

Prepare sample resources in AWS

Note: if you already have an EC2 instance you would like to route to and the necessary credentials configured, you can skip to the next section.

Configure an EC2 instance

wget https://mitch-solo-public.s3.amazonaws.com/echoapp2
chmod +x echoapp2
sudo ./echoapp2 --port 80 &
curl http://<instance-public-ip>/

Create a secret with AWS credentials

glooctl create secret aws \
  --name gloo-tag-group1 \
  --namespace default \
  --access-key [aws_access_key_id] \
  --secret-key [aws_secret_access_key]

Create a role for Gloo to assume on behalf of your upstreams

Create a role
  1. First create a role. In the AWS console:
    • Navigate to IAM > Roles and choose “Create Role”
    • Follow the interactive guide to create a role
    • Choose “AWS account” as the type of trusted entity and provide the 12-digit account ID of the account that holds the EC2 instances you want to route to.
  2. Choose or create a policy for the role

Example of a Policy that allows the role to describe EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

Allow your upstream’s user account to list EC2 instances

An example of Trust Relationship follows (many other variants are possible). Add the ARNs of each of the user accounts that you want to allow to assume this role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[account_id]:user/[user_id]"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
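The two JSON documents above are the whole of what Gloo's role needs: one action (ec2:DescribeInstances) and a trust relationship naming specific users. The following added example, which is not part of Gloo or of this tutorial, lints both documents for the two ways they commonly drift from that minimum: a permissions policy that grants more than ec2:DescribeInstances, and a trust relationship whose principal is a wildcard or an entire account rather than named users. The sample policies are constructed from the page's JSON with the placeholders filled in (the account ID and user name are made up).

```python
"""Least-privilege lint for the IAM documents behind an EC2 upstream.

Added example, not Gloo project code. It checks that the role's permissions
policy allows only ec2:DescribeInstances (the single action the tutorial's
policy grants) and that the trust relationship names specific principals
instead of '*' or an account root. Sample documents are constructed.
"""
import json
from typing import Any, Dict, List

# The one action the page's example policy grants; anything else is a finding.
ALLOWED_ACTIONS = {"ec2:DescribeInstances"}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement/Action/Principal.AWS be a string or a list."""
    return value if isinstance(value, list) else [value]


def check_permissions_policy(doc: Dict[str, Any]) -> List[str]:
    """Flag every Allow action that is not ec2:DescribeInstances."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"permissions: action {action!r} is broader than ec2:DescribeInstances")
    return findings


def check_trust_policy(doc: Dict[str, Any]) -> List[str]:
    """Flag wildcard or whole-account principals and actions beyond sts:AssumeRole."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust: Principal '*' lets any AWS identity assume the role")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("trust: Principal AWS '*' lets any AWS identity assume the role")
            elif arn.endswith(":root"):
                findings.append(f"trust: {arn} trusts every identity in that account, not one user")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"trust: action {action!r} is broader than sts:AssumeRole")
    return findings


def check_role(permissions_json: str, trust_json: str) -> List[str]:
    """Lint both documents of a role; an empty list means they match the page's minimum."""
    return check_permissions_policy(json.loads(permissions_json)) + \
        check_trust_policy(json.loads(trust_json))


# Constructed samples: the page's policies with placeholders filled in.
GOOD_PERMISSIONS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "ec2:DescribeInstances", "Resource": "*"}],
})
GOOD_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:user/gloo-upstream-user"]},
                   "Action": "sts:AssumeRole"}],
})
# Constructed over-permissive variants that the lint should reject.
BAD_PERMISSIONS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}],
})
BAD_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ["*", "arn:aws:iam::123456789012:root"]},
                   "Action": "sts:AssumeRole"}],
})

if __name__ == "__main__":
    print("good role:", check_role(GOOD_PERMISSIONS, GOOD_TRUST) or "no findings")
    for finding in check_role(BAD_PERMISSIONS, BAD_TRUST):
        print("bad role:", finding)
```

The lint deliberately does not complain about `"Resource": "*"` in the permissions policy: ec2:DescribeInstances does not support resource-level restrictions, so the page's wildcard resource is as tight as that action can be written. Narrowing happens through the action list and the trust relationship, which is what the checks above cover.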

Create an EC2 Upstream

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  annotations:
  name: ec2-demo-upstream
  namespace: gloo-system
spec:
  awsEc2:
    filters:
    - key: gloo-id
    - kvPair:
        key: gloo-tag
        value: group1
    - kvPair:
        key: version
        value: v1.2.3
    region: us-east-1
    publicIp: true
    secretRef:
      name: gloo-tag-group1
      namespace: default
    roleArn: "<arn-for-the-role-you-created>"

Save the spec to `ec2-demo-upstream.yaml` and use kubectl to create the upstream in Kubernetes.

kubectl apply -f ec2-demo-upstream.yaml
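To make the filter semantics concrete, here is an added example (not code from Gloo or from this tutorial) that applies the filters of ec2-demo-upstream above, and by extension those of the sample spec at the top of the page, to a constructed list of instances. Its semantics are assumptions, since the page does not spell them out: a bare `key` filter matches any instance carrying a tag with that key regardless of value, a `kvPair` filter needs both key and value to match, all filters must match, `publicIp` chooses between the public and private address, and only running instances are eligible. The spec on the page shows no port field, so the example takes a port argument and defaults to 80, which is where echoapp2 listens in the tutorial.

```python
"""Emulate how the filters of an awsEc2 upstream select instances.

Added example, not Gloo's own code. Assumed semantics (labelled as such in the
lead-in): `key` matches on tag key only; `kvPair` matches key and value; all
filters are ANDed; `publicIp` picks the public or private IPv4 address; only
running instances count. Instance records are constructed, shaped like a
trimmed ec2:DescribeInstances response.
"""
from typing import Any, Dict, List

# Filters copied from the ec2-demo-upstream spec in the tutorial.
DEMO_FILTERS: List[Dict[str, Any]] = [
    {"key": "gloo-id"},
    {"kvPair": {"key": "gloo-tag", "value": "group1"}},
    {"kvPair": {"key": "version", "value": "v1.2.3"}},
]


def _inst(iid: str, state: str, public: str, private: str, tags: Dict[str, str]) -> Dict[str, Any]:
    """Build one constructed instance record (sample data only)."""
    rec: Dict[str, Any] = {
        "InstanceId": iid,
        "State": {"Name": state},
        "PrivateIpAddress": private,
        "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
    }
    if public:
        rec["PublicIpAddress"] = public
    return rec


# Constructed sample data; addresses are from documentation ranges, not real hosts.
SAMPLE_INSTANCES = [
    _inst("i-0aaa", "running", "203.0.113.10", "10.0.1.10",
          {"gloo-id": "a", "gloo-tag": "group1", "version": "v1.2.3"}),  # matches
    _inst("i-0bbb", "running", "203.0.113.20", "10.0.1.20",
          {"gloo-tag": "group1", "version": "v1.2.3"}),                 # no gloo-id tag
    _inst("i-0ccc", "running", "203.0.113.30", "10.0.1.30",
          {"gloo-id": "c", "gloo-tag": "group1", "version": "v1.2.4"}),  # wrong version
    _inst("i-0ddd", "running", "", "10.0.1.40",
          {"gloo-id": "d", "gloo-tag": "group1", "version": "v1.2.3"}),  # matches, no public IP
    _inst("i-0eee", "stopped", "203.0.113.50", "10.0.1.50",
          {"gloo-id": "e", "gloo-tag": "group1", "version": "v1.2.3"}),  # not running
]


def tags_of(instance: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the EC2 Tags list into a key -> value dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def matches_filter(tags: Dict[str, str], flt: Dict[str, Any]) -> bool:
    """Apply one upstream filter entry to an instance's tags."""
    if "key" in flt:
        return flt["key"] in tags            # tag present, any value
    if "kvPair" in flt:
        kv = flt["kvPair"]
        return tags.get(kv["key"]) == kv["value"]
    raise ValueError(f"unrecognised filter entry: {flt!r}")


def select_endpoints(instances: List[Dict[str, Any]], filters: List[Dict[str, Any]],
                     public_ip: bool, port: int = 80) -> List[str]:
    """Return host:port endpoints for running instances that pass every filter.

    An instance that matches but lacks the requested address kind (e.g. no
    public IP when publicIp is true) is skipped, since there is nothing to route to.
    """
    endpoints = []
    for inst in instances:
        if inst.get("State", {}).get("Name") != "running":
            continue
        tags = tags_of(inst)
        if not all(matches_filter(tags, f) for f in filters):
            continue
        addr = inst.get("PublicIpAddress" if public_ip else "PrivateIpAddress")
        if not addr:
            continue
        endpoints.append(f"{addr}:{port}")
    return endpoints


if __name__ == "__main__":
    print("publicIp: true ->", select_endpoints(SAMPLE_INSTANCES, DEMO_FILTERS, True))
    print("publicIp: false ->", select_endpoints(SAMPLE_INSTANCES, DEMO_FILTERS, False))
```

Running it shows why a bare `key` filter is looser than a `kvPair`: with `publicIp: true` only i-0aaa is selected by the demo filters, while a single `key: gloo-tag` filter would also admit i-0bbb and i-0ccc. When a matching instance has no public address, flipping `publicIp` to false is what makes it routable, which is the practical meaning of that field.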

Create a route to your upstream

Now that you have created an upstream, you can route to it as you would with any other upstream.

glooctl add route \
  --path-exact /echoapp \
  --dest-name ec2-demo-upstream \
  --prefix-rewrite /

Verify that the route works

export URL=`glooctl proxy url`
curl $URL/echoapp

You should see the same output as when you queried the EC2 instance directly.

Summary

In this tutorial, we created an upstream that allows us to route traffic from our gateway to a set of EC2 instances. We created a single upstream and associated it with a single instance. You can of course create an arbitrary number of upstreams and associate them with an arbitrary number of instances. We reviewed how to prepare your AWS account with a sample instance, role, and policy so as to demonstrate the information Gloo needs to implement a routable EC2 upstream.