Tags: amazon-web-services, docker, aws-api-gateway, amazon-ecs, amazon-elb

How can I host an SSL Rest API through AWS using a Docker image?


I've gotten a bit lost in the number of services in AWS and I'm having a difficult time finding the answer to what I think is probably a very simple question.

I have a Docker image that's serving a REST API over HTTP on port 80. I am currently hosting this on AWS with ECS. It's using Fargate but I could make an EC2 cluster if need be.

The problems are:

1) I currently get a new IP address whenever I run my task; I want a consistent address to access it from. It doesn't need to be a static IP, it could be routed from DNS.
2) It's not using my hostname. I would like to have api.myhostname.com go to the Docker image, while www.myhostname.com currently already goes to my CloudFront CDN serving the web application.
3) There's no SSL, and I would need this to be encrypted.

Which services should I be using to make this happen? I looked into API Gateways and didn't find a way to use an ECS task as a backend. I looked into ELB for ECS but load balancers didn't seem to provide a way to make static IPs out of the Docker images.

Thanks.


Solution

  • I'll suggest a service for each of your requirements:

    1. you want to run a Docker container: ECS using FARGATE is the right solution
    2. you want a consistent address: use the Service Load Balancing which is integrated into ECS. [1] You can also achieve consistent addressing using Service Discovery if the price for running a load balancer is too high in your scenario. [2]
    3. you want SSL: AWS Elastic Load Balancing integrates with AWS Certificate Manager (ACM) which allows you to create HTTPS listeners. [3]
    4. you want to use your hostname: use AWS Route53 and an Application Load Balancer. The load balancer receives a hostname from AWS automatically and you can then point your custom DNS at that entry. [4]

    So my advice is:

    • Create an ECS service which starts your Docker container as a FARGATE task.
    • Create a certificate for your HTTPS listener in AWS Certificate Manager. ACM manages your certificates and sends you an email if they are expiring soon. [5]
    • Use Service Load Balancing with an Application Load Balancer to automatically register any newly created ECS tasks to a target group. Configure the load balancer to listen for incoming traffic on an HTTPS listener and route it to the target group which has your ECS tasks registered as targets.

    References

    [1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html
    [2] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-service-discovery.html
    [3] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
    [4] https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-domain-names-with-elb.html
    [5] https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
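As an added illustration of the approach in the answer above (not code from the question, the answer or AWS docs), the CloudFormation template below wires the pieces together: an ACM certificate, an internet-facing Application Load Balancer with an HTTPS listener on a TLS 1.3/1.2 policy and an HTTP listener that only redirects, an IP-type target group for the Fargate tasks, and a Route 53 alias for api.myhostname.com. It assumes an existing VPC, public subnets and hosted zone passed in as parameters, a /health endpoint on the container, and that the ECS service is created separately with a LoadBalancers entry referencing ApiTargetGroup and container port 80.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: "AWS::EC2::VPC::Id" }
  PublicSubnets: { Type: "List<AWS::EC2::Subnet::Id>" }
  HostedZoneId: { Type: "AWS::Route53::HostedZone::Id" }
  DomainName: { Type: String, Default: api.myhostname.com }
Resources:
  # ACM issues and auto-renews the certificate; DNS validation needs no manual step
  ApiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions: [{ DomainName: !Ref DomainName, HostedZoneId: !Ref HostedZoneId }]
  # The ALB is the only thing exposed; its hostname stays stable while task IPs change
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the internet, plus HTTP for the redirect only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0 }
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: { Scheme: internet-facing, Subnets: !Ref PublicSubnets, SecurityGroups: [!Ref AlbSecurityGroup] }
  # TargetType ip is required for Fargate (awsvpc) tasks; ECS registers task IPs here. /health is assumed.
  ApiTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: { VpcId: !Ref VpcId, TargetType: ip, Protocol: HTTP, Port: 80, HealthCheckPath: /health }
  # TLS terminates here with a modern policy; plaintext HTTP only redirects and never reaches the API
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates: [{ CertificateArn: !Ref ApiCertificate }]
      DefaultActions: [{ Type: forward, TargetGroupArn: !Ref ApiTargetGroup }]
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: { LoadBalancerArn: !Ref Alb, Port: 80, Protocol: HTTP,
                  DefaultActions: [{ Type: redirect, RedirectConfig: { Protocol: HTTPS, Port: "443", StatusCode: HTTP_301 } }] }
  # api.myhostname.com aliases the ALB's AWS-assigned name; www.myhostname.com stays on CloudFront
  ApiDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties: { HostedZoneId: !Ref HostedZoneId, Name: !Ref DomainName, Type: A,
                  AliasTarget: { DNSName: !GetAtt Alb.DNSName, HostedZoneId: !GetAtt Alb.CanonicalHostedZoneID } }
```

The target group talks plain HTTP to port 80 on the tasks, so the tasks' own security group should allow ingress only from AlbSecurityGroup; otherwise the unencrypted backend remains reachable by anything that can route to the task IPs.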