The focus of this blog is to provide step-by-step instructions for deploying and configuring Kong Mesh with Kong Konnect on an AWS ECS instance so that anyone will be able to get pre-production installation of Kong Mesh standing up on their own.
Kong Konnect is an API lifecycle management platform designed from the ground up for the cloud native era and delivered as a service. This platform lets you build modern applications better, faster, and more securely. The management plane is hosted in the cloud by Kong, while you can choose to either host the data plane yourself in your preferred network environments or let Kong manage it for you in the cloud.
Want to check out Kong Konnect? Click [here](https://cloud.konghq.com/register)here to register for free.
[Kong Mesh](https://konghq.com/products/kong-mesh)Kong Mesh is an enterprise-grade service mesh that runs on both Kubernetes and VMs on any cloud. Built on top of CNCF’s [Kuma](https://kuma.io/)Kuma and Envoy and focused on simplicity, Kong Mesh enables the microservices transformation with: out-of-the-box service connectivity and discovery; zero-trust security; traffic reliability; and global observability across all traffic, including cross-cluster deployments. Konnect extends this functionality by adding a global control plane to manage your various mesh zones and robust RBAC capabilities with SSO integrations.
The best practice implementation of a service mesh typically involves running inside a Kubernetes cluster, however, for some organizations, that approach simply isn't tenable. In this post, we'll explore deploying Kong Mesh’s solution in Universal mode (meaning non-K8s) utilizing AWS’s Elastic Container Service (ECS).
ECS offers architects a flexible platform for deploying and managing containerized workloads while not having to be mired in Kubernetes configuration. However, this does introduce complexities of its own as there is no inter-container management by default. We will be exploring how to deploy and configure Kong Mesh, providing the necessary service discovery scaffolding that will enable all the functionality expected of an enterprise-grade service mesh.
Prerequisites:
Set your AWS default profile to “kong” which will configure the session's working profile.
export AWS_DEFAULT_PROFILE=kongAt this point we are ready to begin deploying our demo environment. We’ll use CloudFormation to install a VPC, configure the TLS secrets, deploy a Kong Mesh control plane, ingress, and our demo applications.
First, we need to pull the files for our deployment. They can be found at this [repository](https://github.com/Kong/kong-mesh-ecs-blog)repository. Clone or download the kong-mesh-ecs-blog and navigate to the “/deploy” folder in your favorite IDE. We will be working exclusively in this folder. Referencing the vpc, controlplane and ingress yaml files as the core of our AWS CloudFormation deployment.
We are ready to deploy the first component of the Kong Mesh on Kong Konnect platform, the VPC. In your terminal, navigate to the “**kong-mesh-ecs-blog**” directory. All commands in this blog will be executed from this root directory. With the AWS CLI execute the following command to deploy the VPC.
aws --region cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ecs-demo-vpc \
--template-file deploy/1-vpc.yamlThis process takes about 3–5 minutes to complete. Log in to your AWS Cloud Console and check the CloudFormation section to confirm the creation of the VPC.
Now we need to reference the control planes address to build the TLS certs needed for Kong Mesh. Echo the CP_ADDR variable to verify its creation.
CP_ADDR=$(aws cloudformation describe-stacks --stack-name ecs-demo-vpc \
| jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "ExternalCPAddress") | .OutputValue')
echo $CP_ADDRUse the kuma-ctl to generate the cert and the AWS Secrets Manager to inject them into secrets to be used in the rest of the cloud formation deployments.
kumactl generate tls-certificate --type=server --hostname ${CP_ADDR} --hostname controlplane.kongmesh
TLS_KEY=$(
aws secretsmanager create-secret \
--name ecs-demo/CPTLSKey \
--description "Secret containing TLS private key for serving control plane traffic" \
--secret-string file://key.pem \
| jq -r .ARN)
TLS_CERT=$(
aws secretsmanager create-secret \
--name ecs-demo/CPTLSCert \
--description "Secret containing TLS certificate for serving control plane traffic" \
--secret-string file://cert.pem \
| jq -r .ARN)Now that we have our VPC and certs, we can deploy the Kong Mesh control plane and ingress. We should always be aware of the version we are deploying, and insure they match each other. Open controlplane.yaml in your favorite IDE and find line 11, verify it has the latest version (2.9.0 as of the writing of this blog).
Image:
Type: String
Default: "docker.io/kong/kuma-cp:2.9.0"
Description: Name of the control plane docker image
ZoneName:
Type: String
Default: "ecs-zone"
Description: Name of the zone control plane setup in KonnectNotice the ZoneName (line 13) “**ecs-zone**”. Note this as it will be used in later steps.
Since we are leveraging Konnect as our backing license controller, we need to include some Konnect IDs into our deployment script. Follow the screenshots below to create your Konnect Mesh Manger Control Plane and generate a Konnect Personal Access Token (spat). Name your Global Control Plane whatever suits you, the zone name in the following prompt should use the zone name we saved from the previous step, **“ecs-zone**”.
Make sure to select **Universal** environment as ECS does not support Kubernetes-based deployments. Inside the “Connect Zone” you’ll find the **spat** and **control plane id,** make sure to copy these to a secure location, we will use them in the following section.
Keep the UI window open while we wait for the zone to be connected. Run the following command, be sure to replace <KONNECT_SPAT> and <KONNECT_CP_ID> with the values from the previous step.
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ecs-demo-kong-mesh-cp \
--parameter-overrides VPCStackName=ecs-demo-vpc \
ServerKeySecret=${TLS_KEY} \
ServerCertSecret=${TLS_CERT} \
KonnectSPAT=<KONNECT_SPAT> \
KonnectCPID=<KONNECT_CP_ID> \
--template-file deploy/2-controlplane.yamlAfter about 5 minutes the control plane should be **CREATE_COMPLETE **and we are ready to deploy the ingress. Before we do that, let's capture the internal IP address of the control plane for our demo apps that we will deploy later on.
We need to get the cluster arn to get the task list of our control plane. First list the clusters and then list the tasks of that cluster.
aws ecs list-clusters
{
"clusterArns": [
"arn:aws:ecs:us-west-1:162225303348:cluster/ecs-demo-vpc-ECSCluster-swfrzSqeH7zd"
]
}
aws ecs list-tasks --cluster <CLUSTER_ANR>
{
"taskArns": [
"arn:aws:ecs:us-west-1:162225303348:task/ecs-demo-vpc-ECSCluster-swfrzSqeH7zd/83070866933a41b8bd62b8201df00337"
]
}Now that we have the cluster and task arn, we can extract the internal IP address of our control plane.
aws ecs describe-tasks --cluster <CLUSTER_ARN> --tasks <TASK_ARN> --query 'tasks[].attachments[].details[?name==`privateDnsName`].value'
[
[
"ip-10-0-0-234.us-west-1.compute.internal"
]
]Make sure to store this address for when we deploy the demo apps.
Now we can deploy the ingress and finalize our Konnect Kong Mesh deployment:
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ecs-demo-ingress \
--parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp \
--template-file deploy/3-ingress.yamlAt this point we should have the ecs-demo-vpc, the ecs-demo-kong-mesh-cp and the ecs-demo-ingress created successfully, and our deployment of Kong Mesh backed by Konnect is complete. However, we don’t have any applications to use our mesh.
The last two commands we need to run deploy the Counter app and its redis cache. First deploy the redis and then the demo-app. Remember that control plane address we saved a few steps ago? That gets used here:
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ecs-demo-redis \
--parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp ZoneCpAddress=INTERNAL_CP_ADDRESS \
--template-file deploy/4-redis.yaml
aws cloudformation deploy \
--capabilities CAPABILITY_IAM \
--stack-name ecs-demo-demo-app \
--parameter-overrides VPCStackName=ecs-demo-vpc CPStackName=ecs-demo-kong-mesh-cp ZoneCpAddress=INTERNAL_CP_ADDRESS \
--template-file deploy/5-demo-app.yamlOnce those two deploy successfully, you can navigate to the external control plan address we stored in the very beginning, the CP_ADDR, and you will see our Kuma Counter Demo. You can click increment and the number will rise until you reset.
You have now successfully deployed Kong Mesh into your ECS environment with a running sample demo application. The next steps will be to explore your ecs-zone in Konnect and add [policies](https://kuma.io/docs/2.9.x/policies/introduction/)policies to re-enforce your microservices:
We’ll save that for another blog. Thanks for your time, happy helming meshing!
What Is Terraform? Terraform is an infrastructure-as-code (IaC) tool developed by HashiCorp. It allows users to define and provision data center infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL
[](https://konghq.com/blog/product-releases/mesh-manager-support-in-konnect-terraform-provider)
We’re at it again, bringing more incremental improvements to Kong Mesh! Built on top of Kuma, Kong Mesh brings much-needed simplicity and production-grade tooling. Kong Mesh is built for smooth operations with platform teams in mind, providing secu
[](https://konghq.com/blog/product-releases/kong-mesh-2-11)
Managed Redis cache is a turnkey "Shared State" add-on for Kong Dedicated Cloud Gateways. It is designed to combine the performance of an in-memory data store with the simplicity of a SaaS product. When you spin up a Dedicated Cloud Gateway in Kong
[](https://konghq.com/blog/product-releases/multicloud-cloud-gateways-managed-redis-cache)
Using Konnect Advanced Analytics for a faster real-time measurement of what your users are experiencing Earlier this year the Kong Konnect Analytics team was looking to leverage the stability and flexibility of our own Kong Gateway to handle the e
[](https://konghq.com/blog/engineering/konnect-advanced-analytics-faster-than-statsd)
Many organizations struggle with managing API gateways across multiple cloud environments. In this blog post, we'll explore how Kong Mesh can solve these challenges and enable seamless cross-cloud connectivity. The challenge of multi-cloud API gatew
[](https://konghq.com/blog/engineering/service-mesh-api-gateways-cross-cloud-connectivity)
Two of the main tenets of Zero Trust are encryption between services and managing the connections each service is allowed to use. Achieving this generally falls to running a service mesh in a Kubernetes cluster. Refactoring applications to run prope
[](https://konghq.com/blog/engineering/zero-trust-on-vms-with-universal-mesh)
The service mesh architecture pattern has become a de facto standard for microservices-based projects. In fact, from the mesh standpoint, not just microservices but all components of an application should be under its control, including databases,
[](https://konghq.com/blog/engineering/service-mesh-reference-architecture-openshift-istio-kong)