AppMesh and ECS with Imported ACM certificates on Envoy Sidecar through EFS
Summary
This guide showcases how certificates issued by a third-party provider (e.g. Venafi) and imported into ACM can be placed on an EFS volume and used as trusted sources by the Envoy sidecars of applications running in ECS. AppMesh is used as a passthrough, with TLS termination occurring at the application container layer.
Prerequisites and limitations
Prerequisites
A certificate covering the domains required for the fronted service and the microservices behind it.
What we will produce:
ACM containing an Imported Certificate.
EFS volume.
Route53 record.
Network Load Balancer, with associated Target Group.
ECS cluster, with Tasks managed by a Service, and a Task Definition that ties the container and volume mappings together.
AppMesh Virtual Gateway, Virtual Service and Virtual Node pointing back to the ECS task containers.
CloudMap to tie the ECS and AppMesh configurations together automatically.
Certificates are imported from Venafi (a third-party provider):
Drilling into the imported certificate, the domains listed contain enough subdomains to cover the microservice-oriented architecture.
EFS
AppMesh does not support imported ACM certificates directly, so they are loaded onto an EFS volume that is mounted into the Envoy sidecar containers.
Route53
A hosted zone is set up in Route53 so that traffic for our primary domain can be routed to a Network Load Balancer.
LoadBalancer
This Network Load Balancer is set up as internal so that only controlled internal traffic reaches it.
There is a single listener open on port 443:
Target Group
The Target Group routes traffic to the application port on two ECS tasks behind our ECS service.
The health check confirms access on the defined traffic port, which is the application container port for ECS.
ECS
Each service fronts its own microservice application, which consists of an application container and an Envoy sidecar.
The service contains multiple tasks to distribute load.
Multiple containers reside within each task definition.
Network bindings are set up to allow traffic through the application ports that were configured previously in the target groups.
Setting up Envoy so that it can validate the certificates used for application TLS termination is important. To do this, an Envoy task definition may look something like this:
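As an added example (not from the original post or the author's environment), the following Python builds such a task definition with the EFS-backed certificate volume mounted read-only into the Envoy sidecar, and includes a pre-registration check a practitioner can run on it. The file-system ID, access-point ID, virtual node ARN, image tag, mount path and application port are placeholders or assumptions.

```python
CERT_DIR = "/certs"  # assumed path where Envoy reads the imported chain from EFS
APP_PORT = 8443      # assumed TLS port of the application container


def build_task_definition(efs_id, access_point_id, node_arn):
    """Task definition for one microservice: App Mesh proxy configuration, an
    EFS volume carrying the certificate chain, and Envoy + app containers."""
    props = {"IgnoredUID": "1337", "ProxyIngressPort": "15000",
             "ProxyEgressPort": "15001", "AppPorts": str(APP_PORT),
             "EgressIgnoredIPs": "169.254.170.2,169.254.169.254"}
    return {
        "family": "om-vas-service",
        "networkMode": "awsvpc",
        "proxyConfiguration": {
            "type": "APPMESH", "containerName": "envoy",
            "properties": [{"name": k, "value": v} for k, v in props.items()]},
        "volumes": [{
            "name": "certs",
            "efsVolumeConfiguration": {
                "fileSystemId": efs_id,
                "transitEncryption": "ENABLED",  # encrypt the NFS path to EFS
                "authorizationConfig": {"accessPointId": access_point_id,
                                        "iam": "ENABLED"}}}],
        "containerDefinitions": [
            {"name": "envoy",
             "image": "public.ecr.aws/appmesh/aws-appmesh-envoy:PLACEHOLDER-TAG",
             "essential": True,
             "user": "1337",  # equals IgnoredUID so Envoy's own traffic is not re-proxied
             "environment": [{"name": "APPMESH_RESOURCE_ARN", "value": node_arn}],
             "mountPoints": [{"sourceVolume": "certs", "containerPath": CERT_DIR,
                              "readOnly": True}]},
            {"name": "app", "image": "PLACEHOLDER-app-image", "essential": True,
             "portMappings": [{"containerPort": APP_PORT, "protocol": "tcp"}]}]}


def check_cert_mount(td):
    """Pre-registration check: every volume mounted into Envoy must be EFS with
    transit encryption and be mounted read-only. Returns a list of problems."""
    problems = []
    vols = {v["name"]: v for v in td.get("volumes", [])}
    envoy = next(c for c in td["containerDefinitions"] if c["name"] == "envoy")
    for mp in envoy.get("mountPoints", []):
        name = mp["sourceVolume"]
        efs = vols.get(name, {}).get("efsVolumeConfiguration")
        if efs is None:
            problems.append(f"{name}: not an EFS volume")
        elif efs.get("transitEncryption") != "ENABLED":
            problems.append(f"{name}: EFS transit encryption not enabled")
        if not mp.get("readOnly"):
            problems.append(f"{name}: certificate volume is writable")
    return problems
```

The returned dict can be written out with json.dump and passed to `aws ecs register-task-definition --cli-input-json`; an empty list from check_cert_mount means the certificate volume is wired the way the text describes.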
CloudMap provides service discovery for our resources. We start with a namespace, which can be used for API calls and DNS queries within the VPC.
We have created a namespace to house our collective resources.
Here we can see the Service Instances that ECS tasks are reporting back to us.
If we look at one of them, we can see the information that will inform AppMesh:
Confirming traffic flow
Running the following connection tests through a bastion host keeps all tests within the same internal network.
Now we call the service directly to check whether the certificate is accepted:
sh-4.4$ curl -I https://om-vas-service-nlb-be13b4dccxxxxxx.elb.af-south-1.amazonaws.com/swagger-ui/
curl: (51) SSL: no alternative certificate subject name matches target host name 'om-vas-service-nlb-be13b4dccxxxxx.elb.af-south-1.amazonaws.com'
sh-4.4$