
John Preston for AWS Community Builders


ECS Anywhere & Traefik Proxy with ECS Compose-X

Original post can be found here along with the technical resources


Using ECS Compose-X, deploy Traefik Proxy on-premise with AWS ECS Anywhere with only a few changes from running on AWS EC2 or AWS Fargate.


Our tools for today's lab

ECS Compose-X is an open-source project that allows you to use docker-compose services definitions, and render CFN templates (just like with AWS CDK, but without having to write code) to deploy your application service stacks.

Traefik Proxy is an open source project that will allow you to define ingress rules for your applications and will automatically route traffic to your backend services based on various rules. It is also capable of doing Service Discovery, and today we are going to look at the ECS & ECS Anywhere discovery providers.

AWS ECS Anywhere is an extension to AWS ECS, which is a managed container orchestration service, that now allows you to run your workloads in your datacenter/on-premise, and really just, anywhere!

The objective

When running on AWS, we have access to services such as AWS Certificates Manager (ACM), AWS Load Balancing (manages ELB, ALB, NLB and more), which can offload a lot of complexity and is very feature rich.

However, coming to on-premise environments, the costs for hardware that would give us the same functionalities (think F5 load-balancers, your expensive licensed VXLAN resources), are only affordable by a few. And typically for a "home-labber" such as myself, way out of my budget.

So I needed an alternative solution that would allow me to use AWS ECS services and route traffic to my services based on service discovery. It should also be able to manage SSL certificates for me. And finally, I must be able to deal with non-persistent storage.

Welcome Traefik Proxy

For years, I have been an NGINX and/or HA Proxy user. They are very lightweight and very popular, with great documentation and community support in general.

But they aren't quite capable of doing service discovery all by themselves.

I came across Traefik Proxy, and a whole new world of capabilities was now wide open. With service discovery providers, Traefik can scrape your services and, based on labels/tags, identify instructions to perform. And AWS ECS is one such provider.

Just a tiny little problem

When I first tried Traefik a little over a year ago for ECS Anywhere, it wouldn't work. That's because until then, Traefik only considered using Fargate or EC2 instances to run the containers. There was no implementation of discovering AWS ECS Anywhere on-prem instances.

This has since been addressed, and one can specifically enable the ECS Anywhere discovery in Traefik.

Traefik and Let's Encrypt SSL management

When you define routers with Let's Encrypt, you can define whether or not you want Traefik to provision certificates.

With Traefik, you can automatically get new certificates for yourself when you need them. There are different validation methods, my chosen one being DNS validation.

For validation, given my DNS domain is managed in Route53, I simply tell Traefik to use that DNS method / zone for validation.

Why DNS validation works for me

If I have internally exposed services (not available on the internet), but I still want to have SSL certificates provisioned for them, DNS is the only option for that. It will generally come down to your preference.



You will need

  • An AWS Account
  • A local user configured with IAM permissions to deploy resources
  • An existing ECS Cluster with a registered ECS Instance that runs on-premise
  • ECS Compose-X installed (version 0.22 and above). See below.

Compose-X install

You can install it locally for your user

pip install pip -U;
pip install --user ecs-composex

or install it in a Python virtual/isolated environment

python3 -m venv compose-x
source compose-x/bin/activate
pip install pip -U
pip install ecs-composex

Once you have installed it, run the following command that will ensure we have the necessary settings and resources to get started.

ecs-compose-x init

Clone the labs repo

Clone the repo, and head to the configuration files.

git clone
cd traefik/part_2/

You will have to edit the current files to change the domain name in use.

You can either edit it with your preferred IDE, or simply run

sed -i 's/<your_domain_name.tld>/g'

If your domain is not maintained in AWS Route53, you will need to head over to the Let's Encrypt ACME documentation in order to use a different validation method.

Getting ready to deploy

The deployment to ECS Anywhere is only a command away

CLUSTER_NAME=MyExistingECSCLuster ecs-compose-x up \
-n traefik-anywhere \
-d templates \
-f docker-compose.yaml \
-f ecs-anywhere.yaml

Compose-X will render all of the CFN templates and store them in your local folder (under templates), as well as in AWS S3. It is required to be in S3 for CFN nested stacks.

After a few minutes, you should have Traefik running on your ECS Anywhere instances.

Adding SSL Certificates backup

The Let's Encrypt "production" endpoint has a rate limit in place for the number of certificates requested per domain.

So if you are new to this, we recommend using the Let's Encrypt staging environment, which lets you avoid hitting the rate limit.

Sadly, it seems that persistent storage of the file that holds the SSL certificates Traefik requests from Let's Encrypt is not a feature we are likely to see any time soon.

So instead, we are going to implement the backup and restore ourselves.

Using 2 sidecars, one to restore the files before Traefik starts and another constantly watching for changes to automatically back up the file to AWS S3, we ensure that we don't request certificates we have already provisioned.
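The logic those two sidecars need, as an added shell example that is not the code from the labs repository. The file path, the `example-bucket` URI, the state file and the polling interval are assumptions, and the AWS CLI is assumed to be present in the sidecar image.

```shell
#!/bin/sh
# Added example: backup/restore sidecar logic for Traefik's ACME storage file.
# Assumed names (not from the original post): ACME_FILE, BACKUP_URI, STATE_FILE.
ACME_FILE="${ACME_FILE:-/letsencrypt/acme.json}"
BACKUP_URI="${BACKUP_URI:-s3://example-bucket/traefik/acme.json}"  # placeholder bucket
STATE_FILE="${STATE_FILE:-/tmp/acme.last-sha256}"

# Restore sidecar: runs once, to completion, before Traefik starts.
restore_acme() {
  umask 077                    # the file holds private keys: never group/world readable
  tmp="${ACME_FILE}.restore.$$"
  if aws s3 cp "$BACKUP_URI" "$tmp" --only-show-errors && [ -s "$tmp" ]; then
    chmod 600 "$tmp"           # Traefik rejects an acme.json with wider permissions
    mv "$tmp" "$ACME_FILE"     # atomic replace on the shared volume
    sha256sum < "$ACME_FILE" > "$STATE_FILE"
    echo restored
  else
    rm -f "$tmp"
    echo no-backup             # first deployment: Traefik creates the file itself
  fi
}

# Backup sidecar: one polling step; prints what it did.
backup_if_changed() {
  # Right after a fresh start the file can be empty; uploading it would
  # overwrite a good backup and force new certificate requests later.
  [ -s "$ACME_FILE" ] || { echo skipped-empty; return 0; }
  now=$(sha256sum < "$ACME_FILE")
  [ "$now" = "$(cat "$STATE_FILE" 2>/dev/null)" ] && { echo unchanged; return 0; }
  if aws s3 cp "$ACME_FILE" "$BACKUP_URI" --sse aws:kms --only-show-errors; then
    echo "$now" > "$STATE_FILE"   # remember what was last uploaded
    echo uploaded
  else
    echo upload-failed
    return 1
  fi
}

# Container entry point: "restore" (run once) or "watch" (loop forever).
case "${1:-}" in
  restore) restore_acme ;;
  watch)   while :; do backup_if_changed; sleep "${INTERVAL:-30}"; done ;;
esac
```

Run `restore` as the container that must exit successfully before Traefik starts, and `watch` as the long-running sidecar. Enabling versioning on the bucket keeps earlier copies if a bad file is ever uploaded.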

To deploy the solution, we added the backup.yaml file to our deployment command.

Note: the S3 bucket already exists for us, and if you want to use an existing one, you will need to adapt the Lookup Tags in order to use your own/the right bucket.

So now, we deploy our updated definition to AWS

CLUSTER_NAME=MyExistingECSCLuster ecs-compose-x up \
-n traefik-anywhere \
-d templates \
-f docker-compose.yaml \
-f ecs-anywhere.yaml \
-f backup.yaml

Hint: the order of the files does matter.

And that's it! You now have successfully deployed Traefik to ECS Anywhere, with automated backup & restore for your certificates.

To add additional services you wish Traefik to route to, simply deploy them with the appropriate labels, just like we used in the demo for the whoami service.
