Running APISIX in AWS with AWS CDK

APISIX is a cloud-native microservices API gateway, delivering the ultimate performance, security, open source and scalable platform for all your APIs and microservices.

Architecture

This reference architecture walks you through building APISIX as a serverless container API Gateway on top of AWS Fargate with AWS CDK.

Apache APISIX Serverless Architecture

Generate an AWS CDK project with projen

  1. $ mkdir apisix-aws
  2. $ cd $_
  3. $ npx projen new awscdk-app-ts

update the .projenrc.js with the following content:

  1. const { AwsCdkTypeScriptApp } = require('projen');
  3. const project = new AwsCdkTypeScriptApp({
  4.   cdkVersion: "1.70.0",
  5.   name: "apisix-aws",
  6.   cdkDependencies: [
  7.     '@aws-cdk/aws-ec2',
  8.     '@aws-cdk/aws-ecs',
  9.     '@aws-cdk/aws-ecs-patterns',
  10.   ]
  11. });
  13. project.synth();

update the project:

  1. $ npx projen

update src/main.ts

  1. import * as cdk from '@aws-cdk/core';
  2. import { Vpc, Port } from '@aws-cdk/aws-ec2';
  3. import { Cluster, ContainerImage, TaskDefinition, Compatibility } from '@aws-cdk/aws-ecs';
  4. import { ApplicationLoadBalancedFargateService, NetworkLoadBalancedFargateService } from '@aws-cdk/aws-ecs-patterns';
  6. export class ApiSixStack extends cdk.Stack {
  7.   constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  8.     super(scope, id, props);
  10.     const vpc = Vpc.fromLookup(this, 'VPC', {
  11.       isDefault: true
  12.     })
  14.     const cluster = new Cluster(this, 'Cluster', {
  15.       vpc
  16.     })
  18.     /**
  19.      * ApiSix service
  20.      */
  21.     const taskDefinition = new TaskDefinition(this, 'TaskApiSix', {
  22.       compatibility: Compatibility.FARGATE,
  23.       memoryMiB: '512',
  24.       cpu: '256'
  25.     })
  27.     taskDefinition
  28.       .addContainer('apisix', {
  29.         image: ContainerImage.fromRegistry('iresty/apisix'),
  30.       })
  31.       .addPortMappings({
  32.         containerPort: 9080
  33.       })
  35.     taskDefinition
  36.       .addContainer('etcd', {
  37.         image: ContainerImage.fromRegistry('gcr.azk8s.cn/etcd-development/etcd:v3.3.12'),
  38.         // image: ContainerImage.fromRegistry('gcr.io/etcd-development/etcd:v3.3.12'),
  39.       })
  40.       .addPortMappings({
  41.         containerPort: 2379
  42.       })
  44.     const svc = new ApplicationLoadBalancedFargateService(this, 'ApiSixService', {
  45.       cluster,
  46.       taskDefinition,
  47.     })
  49.     svc.targetGroup.setAttribute('deregistration_delay.timeout_seconds', '30')
  50.     svc.targetGroup.configureHealthCheck({
  51.       interval: cdk.Duration.seconds(5),
  52.       healthyHttpCodes: '404',
  53.       healthyThresholdCount: 2,
  54.       unhealthyThresholdCount: 3,
  55.       timeout: cdk.Duration.seconds(4)
  56.     })
  58.     /**
  59.      * PHP service
  60.      */
  61.     const taskDefinitionPHP = new TaskDefinition(this, 'TaskPHP', {
  62.       compatibility: Compatibility.FARGATE,
  63.       memoryMiB: '512',
  64.       cpu: '256'
  65.     })
  67.     taskDefinitionPHP
  68.       .addContainer('php', {
  69.         image: ContainerImage.fromRegistry('abiosoft/caddy:php'),
  70.       })
  71.       .addPortMappings({
  72.         containerPort: 2015
  73.       })
  75.     const svcPHP = new NetworkLoadBalancedFargateService(this, 'PhpService', {
  76.       cluster,
  77.       taskDefinition: taskDefinitionPHP,
  78.       assignPublicIp: true,
  79.     })
  81.     // allow Fargate task behind NLB to accept all traffic
  82.     svcPHP.service.connections.allowFromAnyIpv4(Port.tcp(2015))
  83.     svcPHP.targetGroup.setAttribute('deregistration_delay.timeout_seconds', '30')
  84.     svcPHP.loadBalancer.setAttribute('load_balancing.cross_zone.enabled', 'true')
  86.     new cdk.CfnOutput(this, 'ApiSixDashboardURL', {
  87.       value: `http://${svc.loadBalancer.loadBalancerDnsName}/apisix/dashboard/`
  88.     })
  89.   }
  90. }
  92. const devEnv = {
  93.   account: process.env.CDK_DEFAULT_ACCOUNT,
  94.   region: process.env.CDK_DEFAULT_REGION,
  95. };
  97. const app = new cdk.App();
  99. new ApiSixStack(app, 'apisix-stack-dev', { env: devEnv });
  101. app.synth();

Deploy the APISIX Stack with AWS CDK

  1. $ cdk diff
  2. $ cdk deploy

On deployment complete, some outputs will be returned:

  1. Outputs:
  2. apiSix.PhpServiceLoadBalancerDNS5E5BAB1B = apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  3. apiSix.ApiSixDashboardURL = http://apiSi-ApiSi-1TM103DN35GRY-1477666967.us-west-2.elb.amazonaws.com/apisix/dashboard/
  4. apiSix.ApiSixServiceLoadBalancerDNSD4E5B8CB = apiSi-ApiSi-1TM103DN35GRY-1477666967.us-west-2.elb.amazonaws.com
  5. apiSix.ApiSixServiceServiceURLF6EC7872 = http://apiSi-ApiSi-1TM103DN35GRY-1477666967.us-west-2.elb.amazonaws.com

Open the apiSix.ApiSixDashboardURL from your browser and you will see the login prompt.

Configure the upstream nodes

All upstream nodes are running as AWS Fargate tasks and registered to the NLB(Network Load Balancer) exposing multiple static IP addresses. We can query the IP addresses by nslookup the apiSix.PhpServiceLoadBalancerDNS5E5BAB1B like this:

  1. $ nslookup apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  2. Server:         192.168.31.1
  3. Address:        192.168.31.1#53
  5. Non-authoritative answer:
  6. Name:   apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  7. Address: 44.224.124.213
  8. Name:   apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  9. Address: 18.236.43.167
  10. Name:   apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  11. Address: 35.164.164.178
  12. Name:   apiSi-PhpSe-FOL2MM4TW7G8-09029e095ab36fcc.elb.us-west-2.amazonaws.com
  13. Address: 44.226.102.63

Configure the IP addresses returned as your upstream nodes in your APISIX dashboard followed by the Services and Routes configuration. Let’s say we have a /index.php as the URI for the first route for our first Service from the Upstream IP addresses.

upstream with AWS NLB IP addresses

service with created upstream

define route with service and uri

Validation

OK. Let’s test the /index.php on {apiSix.ApiSixServiceServiceURL}/index.php

Testing Apache APISIX on AWS Fargate

Now we have been successfully running APISIX in AWS Fargate as serverless container API Gateway service.

Clean up

  1. $ cdk destroy

Running APISIX in AWS China Regions

update src/main.ts

  1.   taskDefinition
  2.     .addContainer('etcd', {
  3.       image: ContainerImage.fromRegistry('gcr.azk8s.cn/etcd-development/etcd:v3.3.12'),
  4.       // image: ContainerImage.fromRegistry('gcr.io/etcd-development/etcd:v3.3.12'),
  5.     })
  6.     .addPortMappings({
  7.       containerPort: 2379
  8.     })

(read here for more reference)

Run cdk deploy and specify your preferred AWS region in China.

  1. # let's say we have another AWS_PROFILE for China regions called 'cn'
  2. # make sure you have aws configure --profile=cn properly.
  3. #
  4. # deploy to NingXia region
  5. $ cdk deploy --profile cn -c region=cn-northwest-1
  6. # deploy to Beijing region
  7. $ cdk deploy --profile cn -c region=cn-north-1

In the following case, we got the Outputs returned for AWS Ningxia region(cn-northwest-1):

  1. Outputs:
  2. apiSix.PhpServiceLoadBalancerDNS5E5BAB1B = apiSi-PhpSe-1760FFS3K7TXH-562fa1f7f642ec24.elb.cn-northwest-1.amazonaws.com.cn
  3. apiSix.ApiSixDashboardURL = http://apiSi-ApiSi-123HOROQKWZKA-1268325233.cn-northwest-1.elb.amazonaws.com.cn/apisix/dashboard/
  4. apiSix.ApiSixServiceLoadBalancerDNSD4E5B8CB = apiSi-ApiSi-123HOROQKWZKA-1268325233.cn-northwest-1.elb.amazonaws.com.cn
  5. apiSix.ApiSixServiceServiceURLF6EC7872 = http://apiSi-ApiSi-123HOROQKWZKA-1268325233.cn-northwest-1.elb.amazonaws.com.cn

Open the apiSix.ApiSixDashboardURL URL and log in to configure your APISIX in AWS China region.

TBD

Decouple APISIX and etcd3 on AWS

For high availability and state consistency consideration, you might be interested to decouple the etcd3 as a separate cluster from APISIX not only for performance but also high availability and fault tolerance yet with highly reliable state consistency.

TBD