Deploy on AWS
Get Access to an AWS Account
Firstly you need to either create an AWS account, or you need to have access to an AWS account.
Decide on Domain
Decide on what internet domain the new Endpoints deployment should be reachable at, for example https://endpoints.myservice.com/. This can either be a domain such as myservice.com or a subdomain such as endpoints.myservice.com. In either case, you must own the main domain you wish to host on (myservice.com in this example). Purchasing this domain is out of scope of this document.
Apply for an HTTPS Certificate via AWS
AWS offers free HTTPS certificates for use with their own services.
In the AWS Management Console (web interface), navigate to the Certificate Manager product.
Click “Request a Certificate”
On the form that is displayed, select “Request a Public Certificate” as this will be a publicly visible service.
Type in the domain name of the certificate. This is the full domain name; from the example above this would be endpoints.myservice.com (there is no https:// part, trailing slash or trailing dot). Click on the “Review and Request” button, then the “Confirm and Request” button.
This will either send an email to the owner of the domain (containing a link), or it will request that a particular DNS entry is made in the DNS settings for that domain. This is to prove that you own the domain that AWS will create the HTTPS certificate for. Either click on the link in the email or set up the DNS entry. A few minutes after the DNS entry has been set up, the AWS Management Console will show that the certificate has been issued.
Create VPC and Subnets
A VPC is a part of the network managed by AWS. If this AWS account will do nothing more than serve Endpoints, you can use the default VPC. If it is shared with other services, for security we recommend creating a separate VPC for the Endpoints installation. If you decide to use the default VPC, you can skip this section. If you decide to use a separate VPC, follow these steps to create it:
In the AWS Management Console (web interface), navigate to the VPC product.
Create a new VPC, with the appropriate IP address range, such as 10.100.0.0/16. (Ignore the options about IPv6.) You can use any internal IP address range you like, as long as it doesn't conflict with any other internal IP addresses that the VPC may need to have access to (e.g. if Endpoints needs to be configured to access any databases or services internal to your company). If in doubt, talk to the department which manages IP addresses in your company. If the VPC does not need to access any other internal services, there is no reason not to proceed with the example given here.
Create two Subnets, with IP address ranges like 10.100.10.0/26 and 10.100.10.64/26. Specify the Availability Zone explicitly for each Subnet and choose a different zone for each; otherwise they are all created in the same Availability Zone. This allows services to be split across multiple Availability Zones, meaning that if one AWS data center encounters issues, the application will still be available.
Create an “Internet Gateway”. This will allow the VPC to send and receive requests from the internet.
After the "Internet Gateway" has been created, select it, use the "Actions" drop-down to select "Attach to VPC" and select the VPC you created earlier.
Create a “Route Table”, then after its creation:
Click on the “Routes” tab at the bottom half of the screen. Add a rule from Destination 0.0.0.0/0 to the new Internet Gateway created above.
Click on “Subnet Association” tab and associate all the subnets with the routing table.
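The address plan above (one VPC, two subnets in different Availability Zones, no conflict with other internal ranges) is easy to get wrong in the console and expensive to change afterwards. The following script is an added example, not part of the Endpoints documentation: it checks a plan offline with Python's standard ipaddress module before anything is created. The VPC and subnet CIDRs are the ones suggested in the text; the Availability Zone names and the "existing internal ranges" are constructed for the example.

```python
"""Sanity-check a VPC / subnet address plan before creating it in AWS.

Added example (not from the Endpoints documentation). The VPC and subnet
CIDRs mirror the text above; the zone names and the existing corporate
ranges are constructed values.
"""
import ipaddress

VPC_CIDR = "10.100.0.0/16"
SUBNETS = {
    # name: (CIDR, Availability Zone) - zone names are constructed
    "subnet-a": ("10.100.10.0/26", "eu-central-1a"),
    "subnet-b": ("10.100.10.64/26", "eu-central-1b"),
}
# Constructed: ranges already used elsewhere in the company that the VPC
# may need to reach (e.g. an internal database). An overlap would make
# routing to those hosts ambiguous.
EXISTING_INTERNAL_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]


def check_address_plan(vpc_cidr, subnets, existing_ranges):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    # strict=True rejects a CIDR whose host bits are set (e.g. 10.100.10.1/26)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)

    # 1. The VPC must not overlap any range it has to talk to.
    for r in existing_ranges:
        if vpc.overlaps(ipaddress.ip_network(r)):
            problems.append(f"VPC {vpc} overlaps existing range {r}")

    nets = {}
    zones = set()
    for name, (cidr, az) in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # 2. Every subnet must lie inside the VPC.
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
        # 3. Subnets must not overlap each other.
        for other_name, other in nets.items():
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        nets[name] = net
        zones.add(az)

    # 4. Availability: more than one subnet should mean more than one zone.
    if len(subnets) > 1 and len(zones) < 2:
        problems.append("all subnets are in the same Availability Zone")
    return problems


if __name__ == "__main__":
    for line in check_address_plan(VPC_CIDR, SUBNETS, EXISTING_INTERNAL_RANGES) or ["plan OK"]:
        print(line)
```

Run it with the real ranges your network team gives you in EXISTING_INTERNAL_RANGES; an empty result is the go-ahead to create the VPC and subnets as described.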
Create Security Groups
It is a good idea to create all security groups in advance. Security groups can also be created when databases and other resources are created, however then they have useless names such as “rds-launch-wizard-2”.
On the AWS Management Console (web interface), navigate to the Security Group feature. The following table specifies which security groups to create. Each has a name and one or more inbound rules. For outbound rules, allow the default, which is to be able to send requests on any port to any location.
Load Balancer HTTPS
    HTTPS / Source Anywhere IPv4
WebApp
    All TCP / Source “Load Balancer HTTPS”
SSH from Internet
    SSH / Source Anywhere IPv4
DB
    PostgreSQL / Source “WebApp”
    PostgreSQL / Source “SSH from Internet”
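The table above is a small trust graph: two groups are reachable from the internet, and the others are reachable only through references to another group. The script below is an added example (not from the Endpoints documentation or AWS) that encodes the table as data and answers the two questions a reviewer asks before creating it: which ports are world-reachable, and which resources are one hop behind each world-reachable host. The sg: prefix marking a security-group source and the intended-exposure allow-list are conventions of this example.

```python
"""Review the security-group plan from the table above before creating it.

Added example, not part of the Endpoints documentation. 'sg:NAME' marks a
source that is another security group; 0.0.0.0/0 is the console's
'Anywhere IPv4'. "All TCP" is represented as the port range 0-65535.
"""
ANYWHERE = "0.0.0.0/0"

# group name -> list of inbound rules (protocol, from_port, to_port, source)
SECURITY_GROUPS = {
    "Load Balancer HTTPS": [("tcp", 443, 443, ANYWHERE)],
    "WebApp": [("tcp", 0, 65535, "sg:Load Balancer HTTPS")],
    "SSH from Internet": [("tcp", 22, 22, ANYWHERE)],
    "DB": [("tcp", 5432, 5432, "sg:WebApp"),
           ("tcp", 5432, 5432, "sg:SSH from Internet")],
}

# What the plan deliberately exposes; anything else is a finding.
INTENDED_EXPOSURE = {("Load Balancer HTTPS", 443, 443), ("SSH from Internet", 22, 22)}


def world_reachable(groups):
    """(group, protocol, from_port, to_port) for every rule open to 0.0.0.0/0."""
    exposed = []
    for name, rules in groups.items():
        for proto, lo, hi, source in rules:
            if source == ANYWHERE:
                exposed.append((name, proto, lo, hi))
    return sorted(exposed)


def unexpected_exposure(groups, allowed):
    """World-reachable port ranges that are not on the intended allow-list."""
    return [(name, lo, hi) for name, _proto, lo, hi in world_reachable(groups)
            if (name, lo, hi) not in allowed]


def reachability_paths(groups):
    """Shortest path from the internet to each group, following sg: references.

    Shows which resource sits one hop behind each exposed host, i.e. what a
    compromised bastion or load balancer could connect to next."""
    paths = {}
    frontier = []
    for name, _proto, _lo, _hi in world_reachable(groups):
        if name not in paths:
            paths[name] = ["internet", name]
            frontier.append(name)
    while frontier:                      # breadth-first search over sg: edges
        current = frontier.pop(0)
        for name, rules in groups.items():
            if name in paths:
                continue
            if any(src == f"sg:{current}" for _, _, _, src in rules):
                paths[name] = paths[current] + [name]
                frontier.append(name)
    return paths


if __name__ == "__main__":
    for group, path in reachability_paths(SECURITY_GROUPS).items():
        print(f"{group}: {' -> '.join(path)}")
    print("unexpected exposure:", unexpected_exposure(SECURITY_GROUPS, INTENDED_EXPOSURE))
```

Re-running the review after any later change (for example someone "temporarily" adding a PostgreSQL rule from Anywhere to the DB group) turns that change into a listed finding rather than a silent widening of the attack surface; the path listing also documents why the bastion host deserves the same patching and key hygiene as the application itself.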
Create "Bastion" VM
For various tasks, it is useful to have a VM to connect to via SSH. This is "behind the firewall" and will allow you to access resources such as the database which are not public.
In the AWS Management Console (web interface), navigate to the EC2 product.
If you do not already have an SSH public key then go to the left navigation under "Key Pairs" and create a new Key Pair. If you already have an SSH public key, e.g. created on your computer, you do not need to do this step, you can upload it later.
Navigate to the "Instances" section of the left-hand navigation.
Click “Create New VM”
Select the latest Ubuntu image
Select a very small instance size (to save costs)
Select the VPC created earlier
Set “Auto-assign public IP” to Enable
Set the tag “Name” to e.g. “SSH from Internet”
Select the “SSH from Internet” Security Group created earlier
Select an SSH Key pair that you have access to so that you can log on to the server.
It takes quite a while before a user can log in to a newly created EC2 instance, for example 5 minutes. You might see the error "Permission denied (publickey)" during this time.
To connect to it, use the ssh username ubuntu together with the key you created or uploaded earlier.
Create PostgreSQL Database
Endpoints uses the database to store various things such as which Endpoints "applications" have been installed.
In the AWS Management Console (web interface), navigate to the RDS product. This is the AWS managed database product.
Click “Create a new database”.
Name it something like “Endpoints”.
We currently support PostgreSQL 14 (although other versions will probably work).
Select a random master password.
Select “Create new Subnet Group”
Set “Public Access” to “No”, as this database should not be publicly visible on the internet.
Select the database Security Group that was created earlier.
Database schema creation is not necessary; the software does that on startup.
“Point-in-Time Recovery” is activated by default, so no action is required to enable that.
Make sure that “Auto Minor Version Upgrade” is enabled, so that you do not have to take care of manually upgrading the database between minor versions.
Create the Task Definition
A Task Definition is a blueprint of how AWS will install and run the Endpoints software.
In the AWS Management Console (web interface), navigate to the ECS product. ECS is the service AWS offers to manage Docker installations.
Create a new Task Definition
Select type "Fargate". This means that AWS itself will automatically allocate compute resources, as opposed to having to do it manually.
Name the Task Definition with a name like "Endpoints"
Select the RAM and CPU. We recommend at least 500MB RAM.
Add one container within the Task Definition. Give it a name like "endpoints".
The URL to the public Docker image of Endpoints is
public.ecr.aws/x1t6d0t7/endpoints-he
Set a hard memory limit e.g. 450MB RAM.
Add a single port mapping to the container. Container port is 8080.
Add environment variables. This is just the minimal set to start working; there are more options, see Docker Environment Variables for more details.
ENDPOINTS_JDBC_URL is like jdbc:postgresql://xxxxx/postgres?user=postgres&password=postgres where xxxxx is the host value of the RDS database.
ENDPOINTS_BASE_URL is the URL of the service, e.g. https://endpoints.myservice.com/ with a trailing slash.
ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME is for example “live environment”. This is just text which is displayed on the Service Portal login page. In case you have multiple Endpoints installations, it is convenient to differentiate them with text on the login page.
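The container settings and environment variables above can also be expressed as a task definition JSON document, which is what the console produces behind the scenes and what aws ecs register-task-definition --cli-input-json accepts. The script below is an added example, not from the Endpoints project: it validates the three minimal environment variables (JDBC URL shape, https base URL with trailing slash, non-empty display name) and builds the task definition with the image, port mapping and hard memory limit from the text. The RDS host name and the password value are constructed placeholders, and the task-level CPU/memory values (256 CPU units, 512 MiB) are an assumption chosen to satisfy the 500 MB recommendation.

```python
"""Build and sanity-check the ECS task definition described above.

Added example, not from the Endpoints project or AWS. The JSON layout is
the register-task-definition input format; the RDS host and password
below are constructed placeholders.
"""
import json
from urllib.parse import urlparse, parse_qs

IMAGE = "public.ecr.aws/x1t6d0t7/endpoints-he"           # from the text above
RDS_HOST = "endpoints.xxxxxxxx.eu-central-1.rds.amazonaws.com"  # constructed placeholder

# Constructed minimal environment, matching the three variables above.
EXAMPLE_ENV = {
    "ENDPOINTS_JDBC_URL": f"jdbc:postgresql://{RDS_HOST}/postgres?user=postgres&password=CHANGE-ME",
    "ENDPOINTS_BASE_URL": "https://endpoints.myservice.com/",
    "ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME": "live environment",
}


def validate_env(env):
    """Return a list of problems with the minimal environment variables."""
    problems = []
    jdbc = env.get("ENDPOINTS_JDBC_URL", "")
    if not jdbc.startswith("jdbc:postgresql://"):
        problems.append("ENDPOINTS_JDBC_URL must start with jdbc:postgresql://")
    else:
        parsed = urlparse(jdbc[len("jdbc:"):])   # urlparse understands the part after 'jdbc:'
        if not parsed.hostname:
            problems.append("ENDPOINTS_JDBC_URL has no database host")
        query = parse_qs(parsed.query)
        for key in ("user", "password"):
            if key not in query:
                problems.append(f"ENDPOINTS_JDBC_URL is missing the {key} parameter")
    base = env.get("ENDPOINTS_BASE_URL", "")
    if not base.startswith("https://"):
        problems.append("ENDPOINTS_BASE_URL must use https://")
    if not base.endswith("/"):
        problems.append("ENDPOINTS_BASE_URL must end with a trailing slash")
    if not env.get("ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME"):
        problems.append("ENDPOINTS_SERVICE_PORTAL_ENVIRONMENT_DISPLAY_NAME is empty")
    return problems


def build_task_definition(env, family="Endpoints", cpu="256", memory="512",
                          container_memory_mib=450):
    """Return the task definition as a dict; raises ValueError on a bad environment."""
    problems = validate_env(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "family": family,
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",          # the only network mode Fargate supports
        "cpu": cpu,                       # task-level CPU units, as a string
        "memory": memory,                 # task-level RAM in MiB, as a string
        "containerDefinitions": [{
            "name": "endpoints",
            "image": IMAGE,
            "memory": container_memory_mib,   # hard limit; the container is killed above it
            "essential": True,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            "environment": [{"name": k, "value": v} for k, v in sorted(env.items())],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_task_definition(EXAMPLE_ENV), indent=2))
```

Two points worth keeping in mind: values placed in "environment" are readable by anyone allowed to describe the task definition, so the database password in ENDPOINTS_JDBC_URL is only as private as that permission; ECS also supports a "secrets" list whose entries use "valueFrom" to reference a Secrets Manager or Parameter Store value, which keeps the password out of the definition itself. And the hard memory limit (450 MiB here) must stay below the task-level memory, otherwise registration fails.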
Create an ECS Cluster
A "Cluster" is a set of compute resources, managed by AWS, where Endpoints will run.
In the AWS Management Console (web interface), navigate to the ECS product
Create the ECS cluster (not Kubernetes Cluster)
Select “Networking only” type.
Don’t select creation of a new VPC
Create a Load Balancer (ELB)
The Load Balancer is responsible for taking the user's HTTPS requests, and forwarding them on to the Endpoints software running on a managed ECS cluster created above.
In the AWS Management Console (web interface), navigate to the ECS product
Go to the “Load Balancers” section.
Click “Create Load Balancer”.
Select the default “Application Load Balancer” from the two options.
Change the listener to be HTTPS only.
Select the correct VPC, which was created above.
Select all subnets.
Select the HTTPS certificate that has been previously created.
Select the HTTPS security group previously created.
Go to the "Load balancer target group".
Create a new Target Group. Its settings are not important, as it will be deleted later: each time a Docker instance is registered with the load balancer, a new Target Group is created.
Do not register any targets to the newly created Target Group (as it will be deleted later)
Connect the Domain to the Load Balancer
This is necessary so that when someone navigates to your domain, their requests are sent to the AWS Load Balancer created above, and thus the request can be served by Endpoints.
In the AWS Management Console (web interface), go to the EC2 product.
In the Load Balancer section, click on the Load Balancer created above. You will see it has a DNS name such as Endpoints-HTTPS-66055465.eu-central-1.elb.amazonaws.com (A Record). In the tool where you administer the domain, create a CNAME DNS record, from the domain or subdomain chosen for this installation, to the domain name you can read off in the last step.
Add Services to the Cluster
This step takes the Task Definition you have created earlier (which is a blueprint for running the software) and installs it on the Cluster created earlier (a set of compute resources).
In the AWS Management Console (web interface), go to the ECS product.
Navigate to ECS “Clusters” (not Kubernetes Clusters)
Select the newly created “Cluster”.
Create a service called “Endpoints”
Type is Fargate
Select the Task Definition created above
Select the VPC created above
Add all subnets
Select the “webapp” security group, created above
In the Load Balancing section:
Select “Application Load Balancer”
Select the load balancer previously created in the drop-down
Click the “Add to load balancer” button
Select the target group name
Select the existing “production listener”
The URL is /* i.e. slash followed by a star. Health check is /health-check
Set the application as "sticky" in the load balancer. (This is required for the Service Portal in case more than one instance is running, as the "state" of the web application is stored in the server memory.)
Navigate to the EC2 Product in the Management Interface.
Go to the Target Group section in the left navigation
Select the previously-created Target Group
Navigate to the "Attributes" tab
Click "Edit"
Enable the "Stickiness" checkbox
Select the "Load balancer generated cookie" option.
Create Monitoring Alarms
It is possible, but not necessary, to use CloudWatch to create monitoring alerts for the health of various components such as the database. To create an alarm:
In the AWS Management Console (web interface), go to the CloudWatch product.
Click “Create Alarm”.
Set up the alarm, as described below
On the last screen, select that the action should be to send an email to the appropriate person.
Perform the above steps for each of the following alarms:
CPU: ECS -> CPUUtilization, > 70 (percentage) for 1 period (= 5 minutes)
Memory: ECS -> MemoryUtilization > 70 (percentage) for 1 period (= 5 minutes)
Up: ApplicationELB > Per AppELB, per TG Metrics -> UnHealthyHostCount, > 0 for 1 period (= 5 minutes)
DB Disk: RDS -> Per-Database Metrics -> FreeStorageSpace for digitalservices < 5 (percentage) for 1 datapoint
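The four alarms above map directly onto CloudWatch's PutMetricAlarm parameters (namespace, metric, comparison, threshold, period, number of periods). The script below is an added example, not part of the Endpoints documentation: it writes the alarms out as such parameter sets and includes a small evaluator that applies the same "breach for N consecutive periods" rule to constructed datapoints, so the thresholds can be reasoned about offline. The dimension values (cluster, service, load balancer, target group, database identifier) are placeholders. One caveat from CloudWatch itself: the RDS FreeStorageSpace metric is reported in bytes, not percent, so the 5 % from the text is converted here against an assumed allocated storage of 20 GiB; substitute the size of your own instance.

```python
"""The monitoring alarms above as CloudWatch PutMetricAlarm parameter sets,
plus an offline evaluator with the same 'breach for N periods' semantics.

Added example, not from the Endpoints documentation. Dimension values are
placeholders; the RDS volume size is an assumption used to turn the 5 %
free-space threshold into bytes, the unit FreeStorageSpace is reported in.
"""
import operator

PERIOD = 300                               # one period = 5 minutes
ALLOCATED_STORAGE_BYTES = 20 * 1024 ** 3   # assumed RDS allocated storage (20 GiB)

ALARMS = {
    "CPU": dict(Namespace="AWS/ECS", MetricName="CPUUtilization", Statistic="Average",
                Dimensions=[{"Name": "ClusterName", "Value": "CLUSTER-PLACEHOLDER"},
                            {"Name": "ServiceName", "Value": "Endpoints"}],
                ComparisonOperator="GreaterThanThreshold", Threshold=70,
                Period=PERIOD, EvaluationPeriods=1),
    "Memory": dict(Namespace="AWS/ECS", MetricName="MemoryUtilization", Statistic="Average",
                   Dimensions=[{"Name": "ClusterName", "Value": "CLUSTER-PLACEHOLDER"},
                               {"Name": "ServiceName", "Value": "Endpoints"}],
                   ComparisonOperator="GreaterThanThreshold", Threshold=70,
                   Period=PERIOD, EvaluationPeriods=1),
    "Up": dict(Namespace="AWS/ApplicationELB", MetricName="UnHealthyHostCount", Statistic="Maximum",
               Dimensions=[{"Name": "LoadBalancer", "Value": "LB-PLACEHOLDER"},
                           {"Name": "TargetGroup", "Value": "TG-PLACEHOLDER"}],
               ComparisonOperator="GreaterThanThreshold", Threshold=0,
               Period=PERIOD, EvaluationPeriods=1),
    "DB Disk": dict(Namespace="AWS/RDS", MetricName="FreeStorageSpace", Statistic="Minimum",
                    Dimensions=[{"Name": "DBInstanceIdentifier", "Value": "DB-PLACEHOLDER"}],
                    ComparisonOperator="LessThanThreshold",
                    Threshold=0.05 * ALLOCATED_STORAGE_BYTES,   # 5 % of the volume, in bytes
                    Period=PERIOD, EvaluationPeriods=1),
}

COMPARATORS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


def alarm_state(alarm, datapoints):
    """'ALARM' when the most recent EvaluationPeriods datapoints all breach the threshold.

    datapoints: one aggregated value per period, oldest first."""
    n = alarm["EvaluationPeriods"]
    if len(datapoints) < n:
        return "INSUFFICIENT_DATA"
    breaches = COMPARATORS[alarm["ComparisonOperator"]]
    recent = datapoints[-n:]
    return "ALARM" if all(breaches(v, alarm["Threshold"]) for v in recent) else "OK"


def evaluate_all(alarms, samples):
    """State of every alarm given a dict of metric samples keyed by alarm name."""
    return {name: alarm_state(alarm, samples.get(name, [])) for name, alarm in alarms.items()}


# Constructed sample datapoints: three 5-minute periods each, oldest first.
SAMPLE_DATAPOINTS = {
    "CPU": [35, 40, 82],                                    # last period above 70 %
    "Memory": [60, 65, 66],                                 # stays below 70 %
    "Up": [0, 0, 0],                                        # no unhealthy targets
    "DB Disk": [4 * 1024 ** 3, 2 * 1024 ** 3, 0.9 * 1024 ** 3],  # free space drops under 1 GiB
}

if __name__ == "__main__":
    for name, state in evaluate_all(ALARMS, SAMPLE_DATAPOINTS).items():
        print(f"{name}: {state}")
```

Keeping the alarm parameters in a file like this also lets you compare what is actually configured in CloudWatch against what was intended after the fact, which is the usual way a silently deleted or loosened alarm is noticed.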
Use Application
The application is now available under your URL e.g. https://endpoints.myservice.com/
If the application is configured in multi-application mode then the Service Portal is available under https://endpoints.myservice.com/service-portal with username admin/admin.
Troubleshooting
Go to the ECS Cluster, go to the Service, click on the “Events” tab to see what’s going on, e.g. whether the health check is failing.
Go to CloudWatch, Log Groups, and check that a new log group has been created; go into the log stream and see if there are any errors.