Okay so this is going to be a long one, but I want to make sure I explain. I am trying to do a proof of concept that we can deploy microservices via ECS that are exposed using API Gateway so we can leverage the Lambda authorisers and Cognito.

To achieve this I have been following this guide on Medium

However once I deploy my gateway I am faced with the following error:

Cannot GET /node-demo

Let me go through the basics. I have a basic Express application like so:

const express = require('express')

const PORT = process.env.PORT || 3000

const app = express()

app.get('/', (request, response) => {
  return response.json({
    data: {
      message: `API is functional`,
    },
  })
})

app.listen(PORT, () => console.log(`App running on port ${PORT}`))

Dockerfile looks like this:

FROM mhart/alpine-node:10.16.3

WORKDIR /app

COPY package*.json ./

RUN npm ci

COPY index.js .

CMD ["npm", "start"]

This Docker image has been pushed to ECR. I have created a Task Definition with an environment variable PORT => 80.

Created a service on my cluster which is working fine. Then created an ALB with a target group that points to my containers, these come back healthy!

[Image: Healthy ALB targets]

And I route to these targets with the following:

[Image: Routing]

My NLB then points to the ALB and I have allowed the correct IPs on the ALB so we can get to it through the security group. Both IPs in the NLB target group are healthy.

Created a VPC link in API Gateway and then created a resource like the below:

[Image: API]

I then deploy, hit the URL with /node-demo at the end and get the initial error above. Either the guide has a mistake or I've done something fundamentally wrong.

Lewis Smith
  • I'd suggest making a few tests to isolate the problem. Can you make a direct call to the ECS internal IP? If it succeeds then the issue is with routing. Also, check your security groups and make sure the ports and IPs/subnets are whitelisted. – sashoalm Dec 17 '20 at 12:19
  • Problem with hitting the internal IP is where do I do that from? – Lewis Smith Dec 17 '20 at 12:31
  • Why do you have both ALB and NLB? Wouldn't it be better to have API Gateway -> NLB -> ECS service? – Marcin Dec 17 '20 at 12:36
  • I'm only going from that guide, I'll give that a go! – Lewis Smith Dec 17 '20 at 12:51
  • Ah I remember why, the ALB means I can have multiple target groups that I can then route under different urls i.e. /test /demo etc – Lewis Smith Dec 17 '20 at 14:11
  • Please expand on this: "I have allowed the correct IPs on the ALB so we can get to it through the security group". What IPs have you allowed exactly? The NLB will pass through the caller's IP address. The ALB won't see the traffic as coming from the NLB's IP, I believe it will see it as coming from some API Gateway server's IP. You will most likely need to open up the ALB to all IPs. – Mark B Dec 17 '20 at 14:38
  • I'm not sure how to explain, but if you look at the Medium article and search "Setup the Integration between NLB and ALB", that section is what you're referring to – Lewis Smith Dec 17 '20 at 15:04

1 Answer

Good and bad news,

Good news, I've solved the problem.

Bad news, it's super simple

Just needed to add a route to the express application,

/node-demo

Lewis Smith
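
"Cannot GET /node-demo" is Express's own 404 response, so the request reached the container with the /node-demo resource path still attached, while the app only routes `/`. The following is an added example, not code from the original post or the guide: an Express-style middleware that strips a configured base path so the existing `/` route serves both the load balancer's direct requests and the API Gateway path. It goes beyond the single route in the answer; `BASE_PATH`, `normaliseBasePath`, `stripPrefix` and `stripBasePath` are hypothetical names, and the sketch assumes the gateway forwards the path unchanged.

```javascript
// Added example (not from the original post). BASE_PATH is an assumed
// environment variable; '/node-demo' is the resource path from the question.

// Normalise a configured prefix: leading slash, no trailing slash, '' for none.
function normaliseBasePath(basePath) {
  const trimmed = String(basePath || '').trim().replace(/^\/+|\/+$/g, '')
  return trimmed ? `/${trimmed}` : ''
}

// Return the URL the app should route on, or null if url is not under basePath.
function stripPrefix(url, basePath) {
  const base = normaliseBasePath(basePath)
  if (!base) return url
  if (!url.startsWith(base)) return null
  const rest = url.slice(base.length)
  // Match only on a segment boundary, so '/node-demo-admin' is never
  // treated as living under '/node-demo'.
  if (rest === '') return '/'
  if (rest[0] === '/') return rest
  if (rest[0] === '?') return `/${rest}`
  return null
}

// Express-compatible middleware signature: (req, res, next).
function stripBasePath(basePath) {
  return (req, res, next) => {
    const rewritten = stripPrefix(req.url, basePath)
    // Requests outside the prefix (e.g. a health check on '/') pass through as-is.
    if (rewritten !== null) req.url = rewritten
    next()
  }
}

// Usage with the app from the question, registered before the routes:
//   app.use(stripBasePath(process.env.BASE_PATH || '/node-demo'))
//   app.get('/', ...)   // now answers both '/' and '/node-demo'
```
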