Configure AWS for a Multi-Container Docker Application

by John Vincent


Posted on June 6, 2021


Let's discuss configuring AWS for a Multi-Container Docker Application.

This is part of a series of discussions about deploying TaskMuncher, a React and Node application, to a Multi-Container Docker Environment at AWS using Dockerhub and Travis CI.

For more details, please see Overview of Create Multi-Container Docker TaskMuncher Application at AWS.

Please review AWS Production Architecture.

Configure AWS

Login to AWS

Note that Elastic Beanstalk allows only one Docker container to run.

Elastic Beanstalk doesn't know how to run containers, so it hands them off to Amazon Elastic Container Service (ECS).

ECS uses a task definition to run each container. See Create Dockerrun.aws.json file for AWS.

VPC

Verify you have a default VPC.

  • Login to AWS
  • Search for VPC in "Find Services"
  • Select: VPCs

If it does not exist (I sometimes delete the default VPC), you will need to create a new default VPC.

To create a default VPC

  • Actions
    • Create default VPC

Created default VPC vpc-0dc1a7ee0c7bec811

Elastic Beanstalk (EBS) Application Creation

  • Login to AWS
  • Search for Elastic Beanstalk in "Find Services"
  • Click the "Create Application" button
  • Enter "taskmuncher-docker" for the Application Name

Platform

  • Platform: Docker
  • Platform Branch: Multi-Container Docker running on 64bit Amazon Linux
  • Application code: Sample Application
  • Click Create Application
  • You may need to refresh, but eventually, you should see a green check mark underneath Health.

This creates the environment Taskmuncherdocker-env.

Change from Micro to Small instance type:

Note that a t2.small is outside of the free tier. t2.micro has been known to time out and fail during the build process.

  1. In the left sidebar under Taskmuncherdocker-env click "Configuration"

  2. Find "Capacity" and click "Edit"

  3. Scroll down to find the "Instance Type" and change from t2.micro to t2.small

  4. Click "Apply"

  5. The message might say "No Data" or "Severe" in Health Overview before changing to "Ok"

Test AWS Application

From Elastic Beanstalk, select Taskmuncherdocker-env

Notice that the environment is being updated.

When the update is complete, test the app:

http://taskmuncherdocker-env.eba-mv2hwnxx.us-east-1.elasticbeanstalk.com/

This is just the default app as the real app has not yet been deployed.

Verify S3 bucket folder

A default S3 bucket is created for each region.

Notice that the folder taskmuncher-docker does not exist, because the application has not yet been deployed to AWS.

Note the bucket name: elasticbeanstalk-us-east-1-971716655829

Overview of AWS VPCs and Security Groups

When an Elastic Beanstalk instance is created, it is created in a specific region. In each region you automatically get a Virtual Private Cloud (VPC), a private network that is not shared with other accounts. The VPC is used to implement security rules and to connect together the various services set up in Elastic Beanstalk.

When we created an Elastic Beanstalk instance, it was automatically assigned to the default VPC.

  • Login to AWS
  • Go to AWS Management Console and use Find Services to search for VPC

Custom Security Group

To get the various services to talk to each other, we need to create a security group. A security group is effectively a set of firewall rules.

Creating a Custom Security Group

Create a security group that will allow all of the services to talk to each other.

  • Go to AWS Management Console and use Find Services to search for VPC
  • Find the Security section in the left sidebar and click Security Groups

Note which VPC the default security group belongs to.

  • Click Create Security Group button
  • Set Security group name: taskmuncher
  • Set Description: Traffic for services in taskmuncher app
  • Make sure VPC is set to default VPC
  • Click Create security group button

Note the security group ID (sg-0c799a52c3a5068af).

  • Select the security group just created taskmuncher
  • Scroll down and click Inbound Rules
  • Click Edit Rules button
  • Click Add Rule
  • Type: Custom TCP
  • Protocol: TCP
  • Set Port Range: 27017-27020 (MongoDB uses 27017)
  • Click in the box next to Source and start typing sg into the box.
    • Select the Security Group you just created, which is taskmuncher|sg-0c799a52c3a5068af
  • Click Save
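One way to check the result of the inbound-rule steps above, working from the output of `aws ec2 describe-security-groups` (an added example, not code from the original post). The two sample groups are constructed, and treating any CIDR source or any other group as a finding is an assumption based on the self-referencing rule created here.

```python
import ipaddress

MONGO_PORTS = (27017, 27020)  # port range entered in the inbound rule above

def _overlaps(rule, lo, hi):
    """True if the rule's port range overlaps lo-hi. Protocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= hi and rule.get("ToPort", 65535) >= lo

def audit_mongo_ingress(group, ports=MONGO_PORTS):
    """Return findings for one security group dict, shaped like one entry of
    `SecurityGroups` in the describe-security-groups response."""
    findings = []
    self_referenced = False
    for rule in group.get("IpPermissions", []):
        if not _overlaps(rule, *ports):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            scope = "the whole internet" if net.prefixlen == 0 else "a CIDR block"
            findings.append(f"{cidr}: MongoDB ports open to {scope}, not a security group")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == group["GroupId"]:
                self_referenced = True  # source is the group itself, as on the page
            else:
                findings.append(f"{pair.get('GroupId')}: ports open to a different security group")
    if not self_referenced:
        findings.append("no self-referencing rule: members cannot reach each other on MongoDB ports")
    return findings

# Constructed sample data: the rule as created above, and a misconfigured variant.
GOOD = {"GroupId": "sg-0c799a52c3a5068af", "GroupName": "taskmuncher", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27020, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0c799a52c3a5068af"}]}]}
BAD = {"GroupId": "sg-0c799a52c3a5068af", "GroupName": "taskmuncher", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for name, sg in (("good", GOOD), ("bad", BAD)):
        print(name, audit_mongo_ingress(sg) or "OK")
```
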

Applying Security Groups to Elastic Beanstalk

  • Go to AWS Management Console and use Find Services to search for Elastic Beanstalk
  • Click Environments in the left sidebar.
  • Click Taskmuncherdocker-env
  • Click Configuration
  • In the Instances row, click the Edit button.
  • Scroll down to EC2 Security Groups and tick the box next to taskmuncher
  • Click Apply, then click Confirm
  • After all the instances restart and go from No Data to Severe, you should see a green check mark under Health.

Applying Security Groups to other Services

Usually there are other services. The security group must also be applied to each of them.

For the moment, there is only the one service.

Setting Environment Variables

  • Go to AWS Management Console and use Find Services to search for Elastic Beanstalk
  • Click Environments in the left sidebar.
  • Click Taskmuncherdocker-env
  • Click Configuration
  • In the Software row, click the Edit button
  • Scroll down to Environment properties

Add any environment variables as required. Note that all environment variables will be made available to all Docker services.

IAM Keys for Deployment

You can use the same IAM User's access and secret keys from the single container app we created earlier or add a new user.

which goes to the IAM Dashboard

  • From IAM dashboard

  • Users

  • Add user taskmuncher-deployer

  • Access type: Programmatic access

  • Next: Permissions

  • Attach existing policies directly

  • Search: beanstalk

Select:

  • AdministratorAccess-AWSElasticBeanstalk

  • Next: Tags

  • Next: Review

  • Create User

User created:

  • User: taskmuncher-deployer

Store the Access key id and Secret access key somewhere safe and private.

Add permissions to the default instance profile

If your application accesses AWS APIs or resources that have not been granted permissions in the default instance profile, add policies that grant permissions in the IAM console.

To add policies to the role attached to the default instance profile

which goes to the IAM Dashboard.

  • From IAM dashboard
  • Roles
  • Select aws-elasticbeanstalk-ec2-role
  • Select Permissions tab
    • Select Attach Policies
    • Select AmazonS3FullAccess
    • Select Attach policy
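
The step above attaches a full-access S3 policy to the instance role. As an added example (not part of the original post), this Python code builds a policy limited to a single bucket and flags Allow statements that pair a wildcard action with a wildcard resource. It assumes the application only needs the Elastic Beanstalk bucket noted earlier on this page and the listed actions; `FULL_ACCESS` is a constructed sample.

```python
import json

EB_BUCKET = "elasticbeanstalk-us-east-1-971716655829"  # bucket name noted on this page

def scoped_s3_policy(bucket, actions=("s3:GetObject", "s3:PutObject")):
    """Build a policy limited to one bucket. The action list is an assumption;
    replace it with the S3 calls the application actually makes."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListBucket applies to the bucket ARN, object actions to its keys.
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": list(actions),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def _as_list(value):
    # IAM allows a single string or object where a list is also valid.
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return (action, resource) pairs where an Allow statement combines a
    wildcard action (`*` or `service:*`) with the wildcard resource `*`."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if (action == "*" or action.endswith(":*")) and resource == "*":
                    hits.append((action, resource))
    return hits

# Constructed sample with the shape of a full-access policy document.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print("full access:", broad_grants(FULL_ACCESS))
    print("scoped:", broad_grants(scoped_s3_policy(EB_BUCKET)))
    print(json.dumps(scoped_s3_policy(EB_BUCKET), indent=2))
```
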