Deploying Kong Mesh with Konnect on AWS ECS
Deploying Kong Mesh on ECS
This post provides step-by-step instructions for deploying and configuring Kong Mesh with Kong Konnect on AWS ECS, so that anyone can get a pre-production installation of Kong Mesh running on their own.
What is Kong Konnect?
Kong Konnect is an API lifecycle management platform designed from the ground up for the cloud native era and delivered as a service. This platform lets you build modern applications better, faster, and more securely. The management plane is hosted in the cloud by Kong, while you can choose to either host the data plane yourself in your preferred network environments or let Kong manage it for you in the cloud.
Want to check out Kong Konnect? Click here to register for free.
What is Kong Mesh?
Kong Mesh is an enterprise-grade service mesh that runs on both Kubernetes and VMs on any cloud. Built on top of CNCF’s Kuma and Envoy and focused on simplicity, Kong Mesh enables the microservices transformation with: out-of-the-box service connectivity and discovery; zero-trust security; traffic reliability; and global observability across all traffic, including cross-cluster deployments. Konnect extends this functionality by adding a global control plane to manage your various mesh zones and robust RBAC capabilities with SSO integrations.
Service mesh on AWS ECS
The best-practice implementation of a service mesh typically runs inside a Kubernetes cluster; however, for some organizations that approach simply isn't tenable. In this post, we'll explore deploying Kong Mesh in Universal mode (meaning non-Kubernetes) on AWS's Elastic Container Service (ECS).
ECS offers architects a flexible platform for deploying and managing containerized workloads without being mired in Kubernetes configuration. However, it introduces complexities of its own, as there is no inter-container management by default. We will explore how to deploy and configure Kong Mesh and provide the service discovery scaffolding needed to enable all the functionality expected of an enterprise-grade service mesh.
Configure your environment
Prerequisites:
- aws-cli
- AWS authentication tool (saml2aws)
- kumactl
- Kong Konnect account (registration is free and includes a 30-day trial)
Set your AWS default profile to “kong”, which configures the session's working profile:
```bash
export AWS_DEFAULT_PROFILE=kong
```
At this point we are ready to begin deploying our demo environment. We’ll use CloudFormation to install a VPC, configure the TLS secrets, deploy a Kong Mesh control plane, ingress, and our demo applications.
First, we need to pull the files for our deployment. They can be found at this repository. Clone or download kong-mesh-ecs-blog and open the “/deploy” folder in your favorite IDE. We will work exclusively in this folder, with the vpc, controlplane and ingress YAML files as the core of our AWS CloudFormation deployment.
Deploy the VPC
We are ready to deploy the first component of the Kong Mesh on Kong Konnect platform, the VPC. In your terminal, navigate to the “kong-mesh-ecs-blog” directory. All commands in this blog will be executed from this root directory. With the AWS CLI, execute the following command to deploy the VPC (replace `<AWS_REGION>` with the region your profile targets):
```bash
aws --region <AWS_REGION> cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name ecs-demo-vpc \
  --template-file deploy/1-vpc.yaml
```
This process takes about 3–5 minutes to complete. Log in to your AWS Cloud Console and check the CloudFormation section to confirm the creation of the VPC.
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24b89-image4-3.png?auto=format&fit=max&w=2560)
Create TLS Certificates
Now we need the control plane's external address to build the TLS certs Kong Mesh needs. Capture it from the VPC stack outputs into CP_ADDR, then echo the variable to verify it was set.
```bash
CP_ADDR=$(aws cloudformation describe-stacks --stack-name ecs-demo-vpc \
  | jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "ExternalCPAddress") | .OutputValue')
echo "$CP_ADDR"
```
Use kumactl to generate the certificate and key, then store them in AWS Secrets Manager so the remaining CloudFormation deployments can reference them.
```bash
kumactl generate tls-certificate --type=server --hostname "${CP_ADDR}" --hostname controlplane.kongmesh
TLS_KEY=$(
  aws secretsmanager create-secret \
    --name ecs-demo/CPTLSKey \
    --description "Secret containing TLS private key for serving control plane traffic" \
    --secret-string file://key.pem \
  | jq -r .ARN)
TLS_CERT=$(
  aws secretsmanager create-secret \
    --name ecs-demo/CPTLSCert \
    --description "Secret containing TLS certificate for serving control plane traffic" \
    --secret-string file://cert.pem \
  | jq -r .ARN)
```
Deploy Konnect Kong Mesh Control Plane and Ingress
Now that we have our VPC and certs, we can deploy the Kong Mesh control plane and ingress. We should always be aware of the version we are deploying and ensure the control plane and ingress versions match. Open deploy/2-controlplane.yaml in your favorite IDE and find line 11; verify it has the latest version (2.9.0 as of the writing of this blog).
```yaml
  Image:
    Type: String
    Default: "docker.io/kong/kuma-cp:2.9.0"
    Description: Name of the control plane docker image
  ZoneName:
    Type: String
    Default: "ecs-zone"
    Description: Name of the zone control plane setup in Konnect
```
Notice the ZoneName (line 13), “ecs-zone”. Note it down, as it will be used in later steps.
Since we are leveraging Konnect as our backing license controller, we need to include some Konnect IDs in our deployment script. Follow the screenshots below to create your Konnect Mesh Manager control plane and generate a Konnect Personal Access Token (SPAT). Name your global control plane whatever suits you; the zone name in the following prompt should be the zone name we saved from the previous step, “ecs-zone”.
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24ba1-image8.jpg?auto=format&fit=max&w=2560)
Make sure to select the Universal environment, as ECS does not support Kubernetes-based deployments. Inside “Connect Zone” you’ll find the SPAT and control plane ID; copy them to a secure location, as we will use them in the following section.
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24bb6-image3-4.png?auto=format&fit=max&w=2560)
Keep the UI window open while we wait for the zone to be connected. Run the following command, replacing `<KONNECT_SPAT>` and `<KONNECT_CP_ID>` with the values from the previous step.
```bash
aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name ecs-demo-kong-mesh-cp \
  --parameter-overrides VPCStackName=ecs-demo-vpc \
    ServerKeySecret=${TLS_KEY} \
    ServerCertSecret=${TLS_CERT} \
    KonnectSPAT=<KONNECT_SPAT> \
    KonnectCPID=<KONNECT_CP_ID> \
  --template-file deploy/2-controlplane.yaml
```
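Before running the control plane stack, it is worth checking that the pieces gathered so far actually fit together: a pinned kuma-cp version, a zone name that matches the one created in Konnect, real Secrets Manager ARNs rather than an empty string from a failed create-secret, and a certificate that carries both hostnames. The script below is an added example, not code from the kong-mesh-ecs-blog repo; it assumes deploy/2-controlplane.yaml from that repo, the CP_ADDR, TLS_KEY and TLS_CERT variables set above, and openssl on the PATH.

```shell
#!/usr/bin/env bash
# Pre-flight checks before deploying the control plane stack. Added example,
# not part of the kong-mesh-ecs-blog repo. Assumes deploy/2-controlplane.yaml
# from that repo, the CP_ADDR / TLS_KEY / TLS_CERT variables set in the steps
# above, and openssl on the PATH (used only by cert_has_sans).
set -eu

# Control plane image tag from the template's Image parameter:
# 'Default: "docker.io/kong/kuma-cp:2.9.0"' -> '2.9.0'
cp_image_version() {
  awk '/^ *Image:/ {f=1}
       f && /Default:/ {sub(/.*:/, ""); gsub(/["[:space:]]/, ""); print; exit}' "$1"
}

# ZoneName default from the template; it must match the zone created in Konnect.
cp_zone_name() {
  awk '/^ *ZoneName:/ {f=1}
       f && /Default:/ {sub(/.*Default:/, ""); gsub(/["[:space:]]/, ""); print; exit}' "$1"
}

# A failed create-secret leaves an empty string or an error message in the
# variable; only a real Secrets Manager ARN may reach the CP stack.
is_secret_arn() {
  case "$1" in
    arn:aws:secretsmanager:*:*:secret:*) return 0 ;;
    *) return 1 ;;
  esac
}

# The server certificate must carry every hostname the sidecars will connect to.
cert_has_sans() {  # usage: cert_has_sans cert.pem host1 [host2 ...]
  local cert="$1" sans h; shift
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
  for h in "$@"; do
    case "$sans" in *"DNS:$h"*) ;; *) return 1 ;; esac
  done
}

preflight() {  # usage: preflight deploy/2-controlplane.yaml
  local tmpl="$1" ver zone
  ver=$(cp_image_version "$tmpl"); zone=$(cp_zone_name "$tmpl")
  [ -n "${CP_ADDR:-}" ]         || { echo "CP_ADDR is empty; rerun describe-stacks" >&2; return 1; }
  is_secret_arn "${TLS_KEY:-}"  || { echo "TLS_KEY is not a Secrets Manager ARN" >&2; return 1; }
  is_secret_arn "${TLS_CERT:-}" || { echo "TLS_CERT is not a Secrets Manager ARN" >&2; return 1; }
  cert_has_sans cert.pem "$CP_ADDR" controlplane.kongmesh \
                                || { echo "cert.pem lacks a required SAN" >&2; return 1; }
  echo "kuma-cp:$ver, zone '$zone': address, secrets and certificate are consistent"
}
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as `bash preflight.sh deploy/2-controlplane.yaml` from the repo root after the secrets have been created; a non-zero exit tells you which input to redo before spending five minutes on a CloudFormation rollback.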
After about 5 minutes the control plane should be CREATE_COMPLETE and we are ready to deploy the ingress. Before we do that, let's capture the internal IP address of the control plane for our demo apps that we will deploy later on.
We need the cluster ARN to get the task list of our control plane. First list the clusters, then list the tasks of that cluster.
```bash
aws ecs list-clusters
```
```json
{
    "clusterArns": [
        "arn:aws:ecs:us-west-1:162225303348:cluster/ecs-demo-vpc-ECSCluster-swfrzSqeH7zd"
    ]
}
```
```bash
aws ecs list-tasks --cluster <CLUSTER_ARN>
```
```json
{
    "taskArns": [
        "arn:aws:ecs:us-west-1:162225303348:task/ecs-demo-vpc-ECSCluster-swfrzSqeH7zd/83070866933a41b8bd62b8201df00337"
    ]
}
```
Now that we have the cluster and task ARNs, we can extract the internal IP address of our control plane.
```bash
aws ecs describe-tasks --cluster <CLUSTER_ARN> --tasks <TASK_ARN> --query 'tasks[].attachments[].details[?name==`privateDnsName`].value'
```
```json
[
    [
        "ip-10-0-0-234.us-west-1.compute.internal"
    ]
]
```
Make sure to store this address for when we deploy the demo apps.
Now we can deploy the ingress and finalize our Konnect Kong Mesh deployment:
```bash
aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name ecs-demo-ingress \
  --parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp \
  --template-file deploy/3-ingress.yaml
```
At this point we should have the ecs-demo-vpc, the ecs-demo-kong-mesh-cp and the ecs-demo-ingress stacks created successfully, and our deployment of Kong Mesh backed by Konnect is complete. However, we don’t have any applications using our mesh yet.
Deploy the Counter App
The last two commands we need to run deploy the Counter app and its Redis cache. First deploy Redis, then the demo app. Remember the internal control plane address we saved a few steps ago? It is used here as `<INTERNAL_CP_ADDRESS>`:
```bash
aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name ecs-demo-redis \
  --parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp ZoneCpAddress=<INTERNAL_CP_ADDRESS> \
  --template-file deploy/4-redis.yaml
aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name ecs-demo-demo-app \
  --parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp ZoneCpAddress=<INTERNAL_CP_ADDRESS> \
  --template-file deploy/5-demo-app.yaml
```
Once those two deploy successfully, you can navigate to the external control plane address we stored at the very beginning, CP_ADDR, and you will see the Kuma Counter Demo. Click increment and the number will rise until you reset it.
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24be2-image2-7.png?auto=format&fit=max&w=2560)
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24bf0-image1-6.png?auto=format&fit=max&w=2560)
Wrap up
You have now successfully deployed Kong Mesh into your ECS environment with a running sample demo application. The next step is to explore your ecs-zone in Konnect and add policies to reinforce your microservices:
![](https://prd-mktg-konghq-com.imgix.net/images/2025/02/67a24c0d-image6-2.png?auto=format&fit=max&w=2560)
We’ll save that for another blog. Thanks for your time, and happy meshing!
Supporting documentation
- Kong Konnect Documentation: https://docs.konghq.com/konnect/
- Kong Mesh Documentation: https://docs.konghq.com/mesh/latest/
- Kong Mesh on ECS: https://docs.konghq.com/mesh/latest/installation/ecs/
- Kuma Policies: https://kuma.io/docs/2.9.x/policies/introduction/
- Kong Mesh ECS Blog GitHub: https://github.com/Kong/kong-mesh-ecs-blog/tree/main