Container Routing based on Traefik
What is Traefik?
Traefik is the leading open-source Edge Router that we use to publish your ECS (Elastic Container Service) services in a transparent way. It receives requests on behalf of your services and routes them to the responsible container instances.
I already have an ECS setup can I migrate to Traefik?
If you currently use our old Nginx proxy setup with ECS, you can migrate to Traefik. In that case please get in touch with us and we will discuss the specific conditions of your project with you.
How does Traefik work?
Traefik automatically discovers your ECS services and routes requests to them using predefined patterns. Those patterns (such as by matching with http host headers) have to be configured by root360 as you can not alter them yourself.
Lets assume we have an admin
and a frontend
service in our ECS cluster and both should be available via public connections. In addition to this we run an api
service that is not available to the public and therefore only accepts requests from internal IPs.
We need the following information from you to setup the routing:
Service Name | Domain | Path | Connection Port / Protocol | Service Port / Protocol | Service Access |
---|---|---|---|---|---|
| api.eu-central-1.root360 | /api/ | 80 (http) & 443 (https) | 80 (http) & 443 (https) | internal |
| *.root360.cloud | * | 443 (https) | 80 (http) | external |
| admin.root360.cloud | * | 443 (https) | 443 (https) | external |
With this we have defined that api
is accepting only requests via a given domain and path and is both forwarding port 80 and 443 directly to the service but only accepts internal connections.
The admin
service is reachable via the subdomain “admin.root360.cloud” and only accepts https connections on port 443 which are directly forwarded to the service.
The frontend
service is accepting all other external requests from any subdomain of root360.cloud on any path and like admin
only via port 443/https. Traefik is offloading these connections to http to the service so that the service does not need to handle SSL.
Traefik supports additional routing patterns. For that please see the official documentation: https://doc.traefik.io/traefik/routing/routers/#rule
Can I see my current routing rules?
Traefik is attached to two AWS Application Loadbalancers by default. One external and one internal. The internal loadbalancer is providing the Traefik dashboard where you can check your routing configuration.
In order to connect to the dashboard you need to retrieve the internal endpoint first, which can easily be done via Orbiter:
With this endpoint you need to create an SSH tunnel and then access your forwarded port on localhost.
Once your tunnel is set up you can access the dashboard with your browser and check your routing.
Traefik status overview
This dashboard shows you the health status of all connected services and routing configurations.
Active routing rules
In this perspective we can see all currently active routing rules with some additional information like TLS state.
Service details
In this perspective we can see details for one specific service. This Includes the registered docker containers in this service with their respective IP addresses.
Routing details
This dashboard shows all information for the selected routing rule.
Related tutorials
Related Components
intermediate
Related questions
root360 Knowledge Base - This portal is hosted by Atlassian (atlassian.com | Privacy Policy)