AWS EC2
Route traffic directly to an AWS EC2 instance.
Before you begin
-
Follow the Get started guide to install kgateway, set up a gateway resource, and deploy the httpbin sample app.
-
Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESS
kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
Set up an AWS EC2 instance
-
Follow the AWS documentation to launch an AWS EC2 instance with the following configuration:
- Use an
amazon linux
image. - Configure the EC2 instance’s security group to allow HTTP traffic on port 80.
- Add the following tags:
gateway-id: abcde123
gateway-tag: group1
version: v1.2.3
.
- Use an
-
Use the following script to set up a demo echo app that returns specific HTTP response codes. For example, a request to
http://$INSTANCE_IP/?code=404
returns a 404 HTTP response.wget https://mitch-solo-public.s3.amazonaws.com/echoapp2 chmod +x echoapp2 sudo ./echoapp2 --port 81 &
-
Verify that you can reach the echo app. The following curl request returns the app’s help menu.
curl http://$INSTANCE_IP/
Create AWS credentials
Create AWS credentials for the EC2 instance so that Gloo Gateway can connect to it.
-
Get the AWS access key ID and secret key of the user that you want to use to authenticate with AWS. For more information, see the AWS documentation.
-
Create a Kubernetes secret that holds your AWS access key ID and secret key.
glooctl create secret aws \ --name gateway-tag-group1 \ --namespace default \ --access-key <aws_access_key_ID> \ --secret-key <aws_secret_key>
-
Create an AWS role.
- From the AWS console, navigate to IAM > Roles.
- Click Create Role.
- Select AWS account as the type of trusted entity.
- Enter the 12-digit account ID of the account that has the EC2 instances that you want to route to.
- Assign the required permission. At a minimum, you must be able to describe EC2 instances. The following example shows a sample policy configuration.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" } ] }
-
Add your AWS user as a trusted entity to your role.
- Open the AWS role that you created.
- Navigate to the Trust relationship tab.
- Edit the Trusted entities to allow your AWS user to assume this role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account-ID>:user/<user_ID>" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
Set up routing to your EC2 instance
-
Create an Upstream that represents your EC2 instance. Replace the AWS region with the region that your instance is in. Also make sure to add the ARN of the AWS role that you created earlier. If you assigned the permissions directly to your AWS user, the AWS access key ID and secret key are sufficient to authenticate with AWS and access the EC2 instance. In this case, remove the
spec.awsEc2.roleArn
from your Upstream configuration.kubectl apply -f- <<EOF apiVersion: gloo.solo.io/v1 kind: Upstream metadata: annotations: name: my-ec2-upstream namespace: gloo-system spec: awsEc2: filters: - key: gateway-id - kvPair: key: gateway-tag value: group1 - kvPair: key: version value: v1.2.3 region: <region> publicIp: true port: 81 secretRef: name: gateway-tag-group1 namespace: default roleArn: <role-arn> EOF
-
Create an HTTPRoute that routes traffic to the EC2 Upstream.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: ec2-route namespace: gloo-system spec: hostnames: - ec2.example parentRefs: - group: gateway.networking.k8s.io kind: Gateway name: http namespace: gloo-system rules: - backendRefs: - group: gloo.solo.io kind: Upstream name: ec2 matches: - path: type: PathPrefix value: / EOF
-
Send a request to your EC2 instance.
curl -vik http://$INGRESS_GW_ADDRESS:8080/\?code\=500 -H "host: ec2.example:8080"
curl localhost:8080/\?code\=500 -H "host: ec2.example"
Example output:
* Mark bundle as not supporting multiuse < HTTP/1.1 500 Internal Server Error HTTP/1.1 500 Internal Server Error < date: Thu, 14 Nov 2024 20:01:57 GMT date: Thu, 14 Nov 2024 20:01:57 GMT < content-length: 0 content-length: 0 < x-envoy-upstream-service-time: 206 x-envoy-upstream-service-time: 206 < server: envoy server: envoy
Cleanup
-
Remove the Upstream and HTTProute.
kubectl delete httproute ec2-route -n gloo-system kubectl delete upstream ec2 -n gloo-system
-
Delete the AWS role or revoke permissions for your user.
-
Delete the AWS EC2 instance.