This project is in the process of being donated to the CNCF and is not affiliated with the Kubernetes project.

AWS EC2

Route traffic directly to an AWS EC2 instance.

Before you begin

  1. Follow the Get started guide to install kgateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS  
    kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080

Set up an AWS EC2 instance

  1. Follow the AWS documentation to launch an AWS EC2 instance with the following configuration:

    • Use an amazon linux image.
    • Configure the EC2 instance’s security group to allow HTTP traffic on port 80.
    • Add the following tags:
      • gateway-id: abcde123
      • gateway-tag: group1
      • version: v1.2.3.
  2. Connect to your EC2 instance.

  3. Use the following script to set up a demo echo app that returns specific HTTP response codes. For example, a request to http://$INSTANCE_IP/?code=404 returns a 404 HTTP response.

    wget https://mitch-solo-public.s3.amazonaws.com/echoapp2
    chmod +x echoapp2
    sudo ./echoapp2 --port 81 &
  4. Verify that you can reach the echo app. The following curl request returns the app’s help menu.

    curl http://$INSTANCE_IP/

Create AWS credentials

Create AWS credentials for the EC2 instance so that Gloo Gateway can connect to it.

ℹ️
The following example shows how to use a user’s AWS access key ID and secret key to authenticate with AWS, and an AWS role to authorize access to the EC2 instance. This approach is recommended. However, you can also assign the required permissions to your AWS user directly and only use an AWS access key ID and secret key.
  1. Get the AWS access key ID and secret key of the user that you want to use to authenticate with AWS. For more information, see the AWS documentation.

  2. Create a Kubernetes secret that holds your AWS access key ID and secret key.

    glooctl create secret aws \
     --name gateway-tag-group1 \
     --namespace default \
     --access-key <aws_access_key_ID> \
     --secret-key <aws_secret_key>
  3. Create an AWS role.

    1. From the AWS console, navigate to IAM > Roles.
    2. Click Create Role.
    3. Select AWS account as the type of trusted entity.
    4. Enter the 12-digit account ID of the account that has the EC2 instances that you want to route to.
    5. Assign the required permission. At a minimum, you must be able to describe EC2 instances. The following example shows a sample policy configuration.
      {
        "Version": "2012-10-17",
        "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": "ec2:DescribeInstances",
               "Resource": "*"
           }
        ]
      }
  4. Add your AWS user as a trusted entity to your role.

    1. Open the AWS role that you created.
    2. Navigate to the Trust relationship tab.
    3. Edit the Trusted entities to allow your AWS user to assume this role.
      {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account-ID>:user/<user_ID>"
               },
               "Action": "sts:AssumeRole",
               "Condition": {}
           }
       ]
      }

Set up routing to your EC2 instance

  1. Create an Upstream that represents your EC2 instance. Replace the AWS region with the region that your instance is in. Also make sure to add the ARN of the AWS role that you created earlier. If you assigned the permissions directly to your AWS user, the AWS access key ID and secret key are sufficient to authenticate with AWS and access the EC2 instance. In this case, remove the spec.awsEc2.roleArn from your Upstream configuration.

    kubectl apply -f- <<EOF              
    apiVersion: gloo.solo.io/v1
    kind: Upstream
    metadata:
      annotations:
      name: my-ec2-upstream
      namespace: gloo-system
    spec:
      awsEc2:
        filters:
        - key: gateway-id
        - kvPair:
            key: gateway-tag
            value: group1
        - kvPair:
            key: version
            value: v1.2.3
        region: <region>
        publicIp: true
        port: 81
        secretRef:
          name: gateway-tag-group1
          namespace: default
        roleArn: <role-arn>
    EOF
  2. Create an HTTPRoute that routes traffic to the EC2 Upstream.

    kubectl apply -f- <<EOF   
    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: ec2-route
      namespace: gloo-system
    spec:
      hostnames:
      - ec2.example
      parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: http
        namespace: gloo-system
      rules:
      - backendRefs:
        - group: gloo.solo.io
          kind: Upstream
          name: ec2
        matches:
        - path:
            type: PathPrefix
            value: /
    EOF
  3. Send a request to your EC2 instance.

    curl -vik http://$INGRESS_GW_ADDRESS:8080/\?code\=500 -H "host: ec2.example:8080"
    curl localhost:8080/\?code\=500 -H "host: ec2.example"

    Example output:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 500 Internal Server Error
    HTTP/1.1 500 Internal Server Error
    < date: Thu, 14 Nov 2024 20:01:57 GMT
    date: Thu, 14 Nov 2024 20:01:57 GMT
    < content-length: 0
    content-length: 0
    < x-envoy-upstream-service-time: 206
    x-envoy-upstream-service-time: 206
    < server: envoy
    server: envoy

Cleanup

  1. Remove the Upstream and HTTProute.

    kubectl delete httproute ec2-route -n gloo-system
    kubectl delete upstream ec2 -n gloo-system
  2. Delete the AWS role or revoke permissions for your user.

  3. Delete the AWS EC2 instance.