AWS ECS with AWS API Gateway
This document will describe how to set up MTE Relay on AWS Elastic Container Service (ECS), and how to connect it to an AWS API Gateway in order to protect your application data.
Watch the video tutorial here (11m).
MTE Relay Server on ECS Setup
Create a new ECS Task Definition for MTE Relay Server
- Navigate to your AWS ECS management page.
- From the menu on the left, select "Task Definitions"
- In the top right, click "Create new task definition"
- Give your new task definition a name
- Allow it to run on AWS Fargate
- Adjust CPU and memory if you like, or leave the defaults
- Edit the task role to be "ecsTaskExecutionRole"
- Scroll down to the container section, and give your container the name "MTE Relay Server"
- Provide the image URI
- This will be provided to you when you subscribe to MTE Relay Server.
- Edit the port to run on port 8080.
- To accept connections on port 80/443, set up an Elastic Load Balancer (ELB) and map traffic from the ELB to your ECS task or service.
- Add the following environment variables:
- UPSTREAM - This should point to your AWS API Gateway default endpoint. Example:
https://n3993zhw30.execute-api.us-east-1.amazonaws.com
- CORS_ORIGINS - A comma-separated list of CORS domains you want to accept traffic from.
- CLIENT_ID_SECRET - A server-side secret used to sign cookies sent to the client library. Generate a random string of 32 or more characters to use for this value.
- Leave the default CloudWatch logs on.
- Save the Task Definition.
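One way to prepare the three environment variables before typing them into the task definition, as an added example that is not part of MTE Relay or its documentation. The function names are hypothetical, the origins are constructed sample values, and the strict checks (HTTPS upstream, exact origins with no wildcard or path) are assumptions of this example rather than documented MTE Relay requirements.

```python
import json
import secrets
from urllib.parse import urlsplit


def new_client_id_secret(nbytes=32):
    """Value for CLIENT_ID_SECRET from the OS CSPRNG (32 bytes -> 43 URL-safe chars)."""
    return secrets.token_urlsafe(nbytes)


def check_origin(origin):
    """Accept only an exact scheme://host[:port]; reject wildcards, paths and blanks."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an origin: {origin!r}")
    if "*" in origin or parts.path or parts.query or parts.fragment:
        raise ValueError(f"origin must be exactly scheme://host[:port]: {origin!r}")
    return origin


def relay_environment(upstream, cors_origins, client_id_secret):
    """Build the ECS container-definition `environment` list for the relay container."""
    up = urlsplit(upstream)
    # Assumption: UPSTREAM is an API Gateway endpoint, which is served over HTTPS.
    if up.scheme != "https" or not up.hostname:
        raise ValueError("UPSTREAM must be an https:// URL")
    if len(client_id_secret) < 32:
        raise ValueError("CLIENT_ID_SECRET must be at least 32 characters")
    if not cors_origins:
        raise ValueError("CORS_ORIGINS needs at least one origin")
    origins = ",".join(check_origin(o.strip()) for o in cors_origins)
    return [
        {"name": "UPSTREAM", "value": upstream},
        {"name": "CORS_ORIGINS", "value": origins},
        {"name": "CLIENT_ID_SECRET", "value": client_id_secret},
    ]


if __name__ == "__main__":
    # UPSTREAM is the example endpoint from this page; the origins are constructed.
    env = relay_environment(
        "https://n3993zhw30.execute-api.us-east-1.amazonaws.com",
        ["https://app.example.com", "https://admin.example.com"],
        new_client_id_secret(),
    )
    print(json.dumps(env, indent=2))
```

ECS container definitions also accept a `secrets` list whose entries reference AWS Secrets Manager or SSM Parameter Store, which keeps CLIENT_ID_SECRET out of the task definition text.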
Launch the MTE Relay Server as a Task
- From the task definition, click "Deploy" in the top right, and select "Run Task."
- Scroll down to the networking section, and select the VPC you want to run it in.
- Select at least 1 public subnet within the VPC.
- Select or create a security group that allows HTTP traffic on port 8080 to this container.
- If you're not using an ELB, then enable a public IP for this task definition.
- Click the "Create" button to create and start the task.
Confirm MTE Relay Server is running
- Once your Task Definition is running, click on it and navigate to the logs.
- Logs should show "Listening on port 8080"
- Navigate to the Networking tab and copy the IP address of your server.
- Open a new tab and navigate to http://[IP_ADDRESS]/api/mte-echo
Get the Client Library from MTE Relay Server
- Open a new tab and navigate to http://[IP_ADDRESS]/public/mte-relay-browser.js
- See documentation for additional JavaScript module formats.
- Create a new file in your project called mte-relay-browser.js and copy/paste the code from your browser into this file.
Integrate the Client Library into your Client Application
- Import mteFetch from the newly created mte-relay-browser.js file, and use it anywhere you normally use the native fetch function.
- Update your request to go to the MTE Relay Server instead of your backend API.
- Test your application by using the UI to send the request.