Deploying a Scalable XpoLog Instance on Amazon ECS. NLB with static private IP (ECR)

A complete, step-by-step guide to deploying the entire application manually using the AWS Management Console.

This guide creates the exact same architecture as the final script: a fully private application on Fargate using EFS for storage, with access provided by an internal Network Load Balancer.


Step 1/12: VPC, Subnets, IGW, & Routing

This section builds the foundational network.

  1. Create the VPC:

    • Go to the VPC service, click "Your VPCs", then "Create VPC".

    • Select "VPC only".

    • Name tag: xpolog-vpc

    • IPv4 CIDR block: 10.0.0.0/16

    • Click "Create VPC".

    • Navigate to the VPC service in the AWS Console.

    • In the left menu, click on "Your VPCs".

    • Select your VPC (it should be named xpolog-vpc).

    • Click the "Actions" menu at the top right and choose "Edit VPC settings".

    • Check the boxes for both "Enable DNS hostnames" and "Enable DNS resolution".

    • Click "Save changes".

  2. Create Subnets:

    • In the left menu, click "Subnets", then "Create subnet". Create the following four subnets one by one, ensuring you select your xpolog-vpc for each.

    • Public Subnet A:

      • Name: xpolog-vpc-public-1a

      • Availability Zone: eu-north-1a

      • IPv4 CIDR block: 10.0.0.0/20

    • Public Subnet B:

      • Name: xpolog-vpc-public-1b

      • Availability Zone: eu-north-1b

      • IPv4 CIDR block: 10.0.16.0/20

    • Private Subnet A:

      • Name: xpolog-vpc-private-1a

      • Availability Zone: eu-north-1a

      • IPv4 CIDR block: 10.0.128.0/20

    • Private Subnet B:

      • Name: xpolog-vpc-private-1b

      • Availability Zone: eu-north-1b

      • IPv4 CIDR block: 10.0.144.0/20

  3. Create and Attach Internet Gateway (IGW):

    • In the left menu, click "Internet Gateways", then "Create internet gateway".

    • Name: xpolog-igw. Click "Create".

    • Select the new IGW, click the "Actions" menu, and choose "Attach to VPC". Select your xpolog-vpc.

  4. Configure Routing:

    • In the left menu, click "Route Tables". You'll see one default route table associated with your VPC.

    • Create Public Route Table:

      • Click "Create route table". Name: xpolog-vpc-rtb-public, select xpolog-vpc.

      • Select the new public route table. In the "Routes" tab below, click "Edit routes".

      • Add a route: Destination 0.0.0.0/0, Target Internet Gateway, and select your xpolog-igw. Save changes.

    • Go to the "Subnet associations" tab. Click "Edit subnet associations" and select the two public subnets.

    • Create Private Route Tables:

      • Create a new route table. Name: xpolog-vpc-rtb-private1, select xpolog-vpc. Associate it with the private subnet A (...-private-1a).

      • Create another route table. Name: xpolog-vpc-rtb-private2, select xpolog-vpc. Associate it with the private subnet B (...-private-1b).
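Before creating anything in the console, it is worth checking that the address plan and routing laid out above actually give you a private tier. The following script is an added example, not part of the guide or its deployment script: it encodes the Step 1 subnets and route tables as data and flags subnets outside the VPC block, overlapping CIDRs, an AZ missing its public/private pair, and a "private" subnet whose route table sends 0.0.0.0/0 to the internet gateway.

```python
import ipaddress

# Network plan from Step 1: subnet -> (AZ, CIDR, route table). Names, zones and
# CIDRs are the guide's; the route-table mapping follows the routing step.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "xpolog-vpc-public-1a":  ("eu-north-1a", "10.0.0.0/20",   "xpolog-vpc-rtb-public"),
    "xpolog-vpc-public-1b":  ("eu-north-1b", "10.0.16.0/20",  "xpolog-vpc-rtb-public"),
    "xpolog-vpc-private-1a": ("eu-north-1a", "10.0.128.0/20", "xpolog-vpc-rtb-private1"),
    "xpolog-vpc-private-1b": ("eu-north-1b", "10.0.144.0/20", "xpolog-vpc-rtb-private2"),
}
# Route tables as destination -> target; only the public table has a route to the IGW.
ROUTE_TABLES = {
    "xpolog-vpc-rtb-public":   {"10.0.0.0/16": "local", "0.0.0.0/0": "xpolog-igw"},
    "xpolog-vpc-rtb-private1": {"10.0.0.0/16": "local"},
    "xpolog-vpc-rtb-private2": {"10.0.0.0/16": "local"},
}

def check_network_plan(vpc_cidr=VPC_CIDR, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Return a list of findings; an empty list means the plan matches the intended design."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, (_, cidr, _) in subnets.items()}
    # Every subnet must sit inside the VPC block, and no two subnets may overlap.
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    # Each AZ needs one public and one private subnet (the NLB is mapped to the public ones in Step 7).
    per_az = {}
    for name, (az, _, _) in subnets.items():
        per_az.setdefault(az, set()).add("private" if "private" in name else "public")
    for az, kinds in sorted(per_az.items()):
        if kinds != {"public", "private"}:
            findings.append(f"{az}: only {sorted(kinds)} subnet(s) present")
    # Private subnets must have no default route (they reach AWS services through
    # the VPC endpoints of Step 8); public subnets need one via the IGW.
    for name, (_, _, rtb) in subnets.items():
        default = route_tables.get(rtb, {}).get("0.0.0.0/0")
        if "private" in name and default is not None:
            findings.append(f"{name}: route table {rtb} sends 0.0.0.0/0 to {default}")
        if "public" in name and default is None:
            findings.append(f"{name}: route table {rtb} has no default route")
    return findings
```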


Step 2/12: ECR Repository & Image

Here we set up the private container registry.

  1. Navigate to the Elastic Container Registry (ECR) service.

  2. Click "Create repository".

  3. Visibility: Private

  4. Repository name: xpolog

  5. Click "Create repository".

  6. Select the new repository and click "View push commands".

  7. Follow the four provided commands on your local machine to pull, tag, and push the image.

    # Command 1: Authenticate
    aws ecr get-login-password --region eu-north-1 | docker login ...
    # Command 2: Pull the public image
    docker pull 1200km/xplg:7.Release-9787
    # Command 3 & 4: Tag and push to your new ECR repository
    docker tag 1200km/xplg:7.Release-9787 <paste-your-repo-uri-here>:7.Release-9787
    docker push <paste-your-repo-uri-here>:7.Release-9787


Step 3/12: Security Groups 🛡️

These are the firewalls for our application and storage.

  1. Navigate to the EC2 service in the AWS Console, then go to "Security Groups" in the left-hand menu.

  2. Create the Two Security Groups:

    • First, click "Create security group" and create the group for the tasks:

      • Name: ecs-tasks-xpolog

      • Description: For xpolog ECS tasks

      • VPC: Select your xpolog-vpc from the dropdown.

      • Click "Create security group".

    • Next, click "Create security group" again to create the group for the file system:

      • Name: efs-xpolog

      • Description: Allows ECS tasks to access EFS

      • VPC: Select your xpolog-vpc.

      • Click "Create security group".

  3. Configure the EFS Security Group (efs-xpolog):

    • Find the efs-xpolog group in your list, select it, and click on the "Inbound rules" tab below.

    • Click "Edit inbound rules".

    • Click "Add rule" and configure it to allow access from your tasks:

      • Type: NFS

      • Source: Custom, and in the search box, find and select your ecs-tasks-xpolog security group.

    • Click "Save rules".

  4. Configure the Tasks Security Group (ecs-tasks-xpolog):

    • Find the ecs-tasks-xpolog group in your list, select it, and go to its "Inbound rules" tab.

    • Click "Edit inbound rules".

    • You will now add two separate rules for two different purposes.

    • Rule #1 (For Application Traffic):

      • Click "Add rule".

      • Type: Custom TCP

      • Port Range: 30443

      • Source: 10.0.0.0/16

      • Description (optional): Allow traffic from NLB on app port

    • Rule #2 (For ECR Image Pulls):

      • Click "Add rule" again.

      • Type: HTTPS

      • Port Range: 443

      • Source: Custom. In the search box, find and select the ecs-tasks-xpolog security group itself.

      • Description (optional): Allow task to talk to VPC Endpoints

    • Your final set of inbound rules for ecs-tasks-xpolog should now contain exactly these two rules.

    • Click "Save rules".
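Once the rules are saved, you can audit them offline against the design above. The script below is an added example written for this guide, not the project's own code: it reads security groups in the JSON shape that `aws ec2 describe-security-groups` returns (here a constructed sample with placeholder group IDs) and reports rules reachable from outside the VPC, rules that are not part of the Step 3 design, and design rules that are missing.

```python
import ipaddress
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Intended inbound rules from Step 3 as (protocol, port, source); a source
# prefixed "sg:" is a security-group reference, anything else is a CIDR.
EXPECTED = {
    "ecs-tasks-xpolog": {("tcp", 30443, "10.0.0.0/16"), ("tcp", 443, "sg:ecs-tasks-xpolog")},
    "efs-xpolog": {("tcp", 2049, "sg:ecs-tasks-xpolog")},
}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (only the fields the audit reads). The group IDs are placeholders, not real ones.
SAMPLE_GROUPS = [
    {"GroupId": "sg-TASKS-PLACEHOLDER", "GroupName": "ecs-tasks-xpolog", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 30443, "ToPort": 30443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-TASKS-PLACEHOLDER"}]},
    ]},
    {"GroupId": "sg-EFS-PLACEHOLDER", "GroupName": "efs-xpolog", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-TASKS-PLACEHOLDER"}]},
    ]},
]

def flatten_rules(groups):
    """Yield (group name, (protocol, port, source)) for every inbound rule."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    for g in groups:
        for p in g["IpPermissions"]:
            lo, hi = p.get("FromPort", "all"), p.get("ToPort", "all")
            port = lo if lo == hi else f"{lo}-{hi}"
            for r in p.get("IpRanges", []):
                yield g["GroupName"], (p["IpProtocol"], port, r["CidrIp"])
            for ref in p.get("UserIdGroupPairs", []):
                yield g["GroupName"], (p["IpProtocol"], port, "sg:" + names.get(ref["GroupId"], ref["GroupId"]))

def audit_security_groups(groups, expected=EXPECTED):
    """Return findings: rules open beyond the VPC, rules not in the design, design rules missing."""
    findings, actual = [], {}
    for name, rule in flatten_rules(groups):
        actual.setdefault(name, set()).add(rule)
        proto, port, src = rule
        if not src.startswith("sg:") and not ipaddress.ip_network(src).subnet_of(VPC_CIDR):
            findings.append(f"{name}: {proto}/{port} reachable from {src}, outside the VPC")
    for name in sorted(set(expected) | set(actual)):
        want, have = expected.get(name, set()), actual.get(name, set())
        findings += [f"{name}: missing expected rule {r}" for r in sorted(want - have, key=str)]
        findings += [f"{name}: unexpected rule {r}" for r in sorted(have - want, key=str)]
    return findings
```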


Step 4/12: EFS File System & Access Point

This is the shared, persistent storage.

  1. Navigate to the Amazon EFS service.

  2. Click "Create file system".

  3. Name: xpolog-efs, VPC: xpolog-vpc. Click "Create".

  4. Wait for it to become "Available", then click its name.

  5. Go to the "Network" tab and click "Manage". In the table, for both the private subnets, remove the default security group and add the efs-xpolog security group. Save.

  6. Go to the "Access points" tab and click "Create access point".

    • Name: xpolog-ap

    • POSIX user: User ID 0, Group ID 0

    • Root directory creation permissions: Owner User ID 0, Owner Group ID 0, Permissions 770

    • Click "Create access point".


Step 5/12: CloudWatch Logs Group

This is where all container logs will be sent.

  1. Navigate to the CloudWatch service.

  2. In the left menu, go to Logs -> Log groups.

  3. Click "Create log group".

  4. Log group name: /ecs/xpolog.

  5. After creation, select the new log group. In the "Actions" menu, choose "Edit retention setting" and set it to 30 Days.


Step 6/12: IAM Roles

Permissions for the ECS service to operate.

  1. Navigate to the IAM service -> "Roles".

  2. Create the Execution Role:

    • Click "Create role".

    • Trusted entity type: AWS service, Use case: Elastic Container Service Task. Next.

    • Permissions: Add AmazonECSTaskExecutionRolePolicy. Next.

    • Role name: ecsTaskExecutionRole-xpolog. Create.

  3. Create the Task Role:

    • Create another role with the same settings.

    • Permissions: Add AmazonElasticFileSystemClientFullAccess, AmazonElasticFileSystemFullAccess.

    • Role name: XpologTaskRole-xpolog. Create.


Step 7/12: Target Group & Internal NLB

This step creates the internal entry point for your application, configured for secure traffic.

  1. Navigate to EC2 -> "Target Groups" (under Load Balancing).

    • Click "Create target group".

    • Choose a target type: Select IP addresses.

    • Name: xpolog-tg

    • Protocol / Port: TCP and 30443.

    • VPC: Select your xpolog-vpc.

    • Health check protocol: TCP.

    • Click Next, then "Create target group".

  2. Navigate to EC2 -> "Load Balancers".

    • Click "Create Load Balancer".

    • Under Network Load Balancer, click "Create".

    • Name: xpolog-nlb

    • Scheme: Internal

    • VPC: Select your xpolog-vpc.

    • Mappings: Select the two public subnets (xpolog-vpc-public-1a and xpolog-vpc-public-1b).

  3. Configure the Listener and Routing:

    • In the "Listeners and routing" section, configure the listener:

    • Protocol: TLS

    • Port: 30443

    • Default action: Forward to a target group. Select your xpolog-tg.

    • Secure listener settings:

      • Security policy: Leave the default (e.g., ELBSecurityPolicy-2016-08).

      • Default SSL/TLS certificate: Choose From ACM and select the certificate you created for your domain.

  4. Review the summary and click "Create load balancer".

Note: The required inbound rule for port 30443 in the ecs-tasks-xpolog security group was already configured in Step 3.


Step 8/12: VPC Endpoints

Creates private connections to AWS services.

  1. Navigate to VPC -> "Endpoints".

  2. Create Interface Endpoints: Click "Create endpoint" three times. For each, use your xpolog-vpc, select the two private subnets, and attach the ecs-tasks-xpolog security group.

    • Service Name: com.amazonaws.eu-north-1.ecr.api

    • Service Name: com.amazonaws.eu-north-1.ecr.dkr

    • Service Name: com.amazonaws.eu-north-1.logs

  3. Create Gateway Endpoint: Click "Create endpoint".

    • Service Name: com.amazonaws.eu-north-1.s3 (This will be Type Gateway).

    • VPC: xpolog-vpc.

    • Route tables: Select the two private route tables (...-private1, ...-private2).


Step 9/12: ECS Cluster

The logical grouping for our service.

  1. Navigate to ECS -> "Clusters".

  2. Click "Create cluster".

  3. Name: xpolog-cluster, select AWS Fargate for infrastructure.

  4. Click "Create".


Step 10/12: Task Definition 📝

The multi-container blueprint for the application. This is the most detailed step.

  1. Go to ECS -> "Task definitions" -> "Create new task definition".

  2. Task definition family: xpolog-task