diff --git a/cloudformation/nakama/load_balancing.yaml b/cloudformation/nakama/load_balancing.yaml
new file mode 100644
index 0000000..4b34e8a
--- /dev/null
+++ b/cloudformation/nakama/load_balancing.yaml
@@ -0,0 +1,240 @@
+
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Nakama load balancing stack
+Parameters:
+ environment:
+ Type: String
+ Description: Name of the environment
+ Default: production
+ release:
+ Type: String
+ Description: Name of the release name of the stack version to use.
+ Default: production
+ AllowedValues: ['develop', 'production']
+ ConstraintDescription: "Must be a possible release version."
+ PublicSubnets:
+ Description: The public subnets for the ALB to run in.
+ Type: String
+ PortalCertificate:
+ Description: Arn of AWS Certificate
+ Type: String
+ VpcId:
+ Description: ID of the VPC
+ Type: AWS::EC2::VPC::Id
+
+Resources:
+
+ #-- Network Load Balancer --#
+ PublicNLB:
+ Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+ Properties:
+ Type: network
+ LoadBalancerAttributes:
+ - Key: deletion_protection.enabled
+ Value: false
+ Scheme: internet-facing
+ Subnets: !Split [",", !Ref PublicSubnets]
+ Tags:
+ - Key: Name
+ Value: !Sub "Nakama-${environment}-NLB"
+ - Key: environment
+ Value: !Ref environment
+
+ # Target group for HTTP api
+ HttpApiTargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ Port: 7350
+ Protocol: TCP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: '20'
+ VpcId: !Ref 'VpcId'
+ Tags:
+ - Key: Name
+ Value: !Sub 'nakama-http-${release}'
+
+ # Listener for HTTP
+ HttpApiNlbListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref HttpApiTargetGroup
+ LoadBalancerArn: !Ref PublicNLB
+ Port: 7350
+ Protocol: TCP
+
+ # Target group for gRPC API
+ GRpcApiTargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ Port: 7349
+ Protocol: TCP_UDP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: '20'
+ VpcId: !Ref 'VpcId'
+ Tags:
+ - Key: Name
+ Value: !Sub 'nakama-GRpc-${release}'
+
+ # Listener for gRPC API
+ GRpcNlbListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref GRpcApiTargetGroup
+ LoadBalancerArn: !Ref PublicNLB
+ Port: 7349
+ Protocol: TCP_UDP
+
+ # Target group for gRPC embeded console
+ GRpcEApiTargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ Port: 7348
+ Protocol: TCP_UDP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: '20'
+ VpcId: !Ref 'VpcId'
+ Tags:
+ - Key: Name
+ Value: !Sub 'nakama-GRpc-${release}'
+
+ # Listener for gRPC embeded console
+ GRpcENlbListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref GRpcEApiTargetGroup
+ LoadBalancerArn: !Ref PublicNLB
+ Port: 7348
+ Protocol: TCP_UDP
+
+ #-- Application Load Balancer --#
+ PublicALB:
+ Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+ Properties:
+ Type: application
+ LoadBalancerAttributes:
+ - Key: deletion_protection.enabled
+ Value: false
+ - Key: idle_timeout.timeout_seconds
+ Value: 60
+ Scheme: internet-facing
+ SecurityGroups:
+ - !Ref AlbSecurityGroup
+ Subnets: !Split [",", !Ref PublicSubnets]
+ Tags:
+ - Key: Name
+ Value: !Sub "Nakama-${environment}-ALB"
+ - Key: environment
+ Value: !Ref environment
+
+ AlbSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: ECS Allowed Ports
+ VpcId: !Ref VpcId
+ SecurityGroupIngress:
+ - IpProtocol: icmp
+ FromPort: "-1"
+ ToPort: "-1"
+ CidrIp: 0.0.0.0/0
+ - IpProtocol: tcp
+ FromPort: "443"
+ ToPort: "443"
+ CidrIp: 0.0.0.0/0
+ - IpProtocol: tcp
+ FromPort: "80"
+ ToPort: "80"
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: icmp
+ FromPort: "-1"
+ ToPort: "-1"
+ CidrIp: 0.0.0.0/0
+ - IpProtocol: tcp
+ FromPort: "0"
+ ToPort: "65535"
+ CidrIp: 0.0.0.0/0
+ - IpProtocol: udp
+ FromPort: "0"
+ ToPort: "65535"
+ CidrIp: 0.0.0.0/0
+
+ # Target group for admin portal port
+ AdminPortalTargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ HealthCheckIntervalSeconds: 30
+ HealthCheckProtocol: HTTP
+ HealthCheckTimeoutSeconds: 15
+ HealthyThresholdCount: 2
+ UnhealthyThresholdCount: 2
+ Matcher:
+ HttpCode: '200'
+ HealthCheckPath: '/'
+ Port: 7351
+ Protocol: HTTP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: '20'
+ VpcId: !Ref 'VpcId'
+ Tags:
+ - Key: Name
+ Value: !Sub 'nakama-${release}'
+
+ # HTTPS for Admin Portal
+ AdminPortalAlbListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ Certificates:
+ - CertificateArn: !Ref PortalCertificate
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref AdminPortalTargetGroup
+ LoadBalancerArn: !Ref PublicALB
+ Port: 443
+ Protocol: HTTPS
+
+ # Redirect HTTP -> HTTPS
+ AdminPortalRedirectAlbListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: redirect
+ RedirectConfig:
+ Protocol: HTTPS
+ Port: 443
+ Host: '#{host}'
+ Path: '/#{path}'
+ Query: '#{query}'
+ StatusCode: HTTP_301
+ LoadBalancerArn: !Ref PublicALB
+ Port: 80
+ Protocol: HTTP
+
+Outputs:
+ AdminPortalTargetGroup:
+ Description: ""
+ Value: !Ref AdminPortalTargetGroup
+ HttpApiTargetGroup:
+ Description: ""
+ Value: !Ref HttpApiTargetGroup
+ GRpcApiTargetGroup:
+ Description: ""
+ Value: !Ref GRpcApiTargetGroup
+ GRpcEApiTargetGroup:
+ Description: ""
+ Value: !Ref GRpcEApiTargetGroup
+ PublicNlbDnsName:
+ Description: ""
+ Value: !GetAtt PublicNLB.DNSName
+ PublicAlbDnsName:
+ Description: ""
+ Value: !GetAtt PublicALB.DNSName
\ No newline at end of file
diff --git a/cloudformation/nakama/top.yaml b/cloudformation/nakama/top.yaml
index 6e464f0..75ad9b6 100644
--- a/cloudformation/nakama/top.yaml
+++ b/cloudformation/nakama/top.yaml
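Review bot: In load_balancing.yaml, `AlbSecurityGroup` admits 80 and 443 from `0.0.0.0/0` on the internet-facing `PublicALB`, whose only target is the admin portal on 7351, so the console login page is reachable from any address. I would take the allowed source range as a stack parameter with no default, so each environment has to choose it, and pass it from the `LoadBalancing` resource in top.yaml. The egress rules (all TCP and UDP to `0.0.0.0/0`) are also wider than an ALB forwarding to 7351 needs. Separately, `AdminPortalAlbListener` sets no `SslPolicy`, so it takes whatever the service default is; pinning one, for example `SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06`, makes the accepted TLS versions explicit. The NLB listener on 7348, commented as the embedded console, is internet-facing with no source restriction visible in this template; confirm that is intended.

```yaml
Parameters:
  # … unchanged: environment, release, PublicSubnets, PortalCertificate, VpcId …
  AdminAllowedCidr:
    Type: String
    Description: CIDR range allowed to reach the admin portal ALB

  # … unchanged: NLB resources, PublicALB, AlbSecurityGroup header …
      SecurityGroupIngress:
        # … unchanged: icmp rule …
        - IpProtocol: tcp
          FromPort: "443"
          ToPort: "443"
          CidrIp: !Ref AdminAllowedCidr
        - IpProtocol: tcp
          FromPort: "80"
          ToPort: "80"
          CidrIp: !Ref AdminAllowedCidr
```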
@@ -126,8 +126,8 @@ Resources: environment: !Ref environment Domain: !Ref Domain SubDomain: !Ref SubDomain - NakamaDns: !GetAtt PublicNLB.DNSName - AdminDns: !GetAtt PublicALB.DNSName + NakamaDns: !GetAtt LoadBalancing.Outputs.PublicNlbDnsName + AdminDns: !GetAtt LoadBalancing.Outputs.PublicAlbDnsName #---------- 
@@ -151,202 +151,16 @@ Resources: #----------------- # Load Balancing #----------------- - - #-- Network Load Balancer --# - PublicNLB: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer + LoadBalancing: + Type: AWS::CloudFormation::Stack Properties: - Type: network - LoadBalancerAttributes: - - Key: deletion_protection.enabled - Value: false - Scheme: internet-facing - Subnets: !Split [",", !Ref PublicSubnets] - Tags: - - Key: Name - Value: !Sub "Nakama-${environment}-NLB" - - Key: environment - Value: !Ref environment - - # Target group for HTTP api - HttpApiTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Port: 7350 - Protocol: TCP - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '20' - VpcId: !Ref 'VpcId' - Tags: - - Key: Name - Value: !Sub 'nakama-http-${release}' - - # Listener for HTTP - HttpApiNlbListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref HttpApiTargetGroup - LoadBalancerArn: !Ref PublicNLB - Port: 7350 - Protocol: TCP - - # Target group for gRPC API - GRpcApiTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Port: 7349 - Protocol: TCP_UDP - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '20' - VpcId: !Ref 'VpcId' - Tags: - - Key: Name - Value: !Sub 'nakama-GRpc-${release}' - - # Listener for gRPC API - GRpcNlbListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref GRpcApiTargetGroup - LoadBalancerArn: !Ref PublicNLB - Port: 7349 - Protocol: TCP_UDP - - # Target group for gRPC embeded console - GRpcEApiTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Port: 7348 - Protocol: TCP_UDP - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '20' - VpcId: !Ref 'VpcId' - Tags: - - Key: Name - Value: !Sub 'nakama-GRpc-${release}' - - # 
Listener for gRPC embeded console - GRpcENlbListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref GRpcEApiTargetGroup - LoadBalancerArn: !Ref PublicNLB - Port: 7348 - Protocol: TCP_UDP - - #-- Application Load Balancer --# - PublicALB: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer - Properties: - Type: application - LoadBalancerAttributes: - - Key: deletion_protection.enabled - Value: false - - Key: idle_timeout.timeout_seconds - Value: 60 - Scheme: internet-facing - SecurityGroups: - - !Ref AlbSecurityGroup - Subnets: !Split [",", !Ref PublicSubnets] - Tags: - - Key: Name - Value: !Sub "Nakama-${environment}-ALB" - - Key: environment - Value: !Ref environment - - AlbSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: ECS Allowed Ports - VpcId: !Ref VpcId - SecurityGroupIngress: - - IpProtocol: icmp - FromPort: "-1" - ToPort: "-1" - CidrIp: 0.0.0.0/0 - - IpProtocol: tcp - FromPort: "443" - ToPort: "443" - CidrIp: 0.0.0.0/0 - - IpProtocol: tcp - FromPort: "80" - ToPort: "80" - CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: icmp - FromPort: "-1" - ToPort: "-1" - CidrIp: 0.0.0.0/0 - - IpProtocol: tcp - FromPort: "0" - ToPort: "65535" - CidrIp: 0.0.0.0/0 - - IpProtocol: udp - FromPort: "0" - ToPort: "65535" - CidrIp: 0.0.0.0/0 - - # Target group for admin portal port - AdminPortalTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - HealthCheckIntervalSeconds: 30 - HealthCheckProtocol: HTTP - HealthCheckTimeoutSeconds: 15 - HealthyThresholdCount: 2 - UnhealthyThresholdCount: 2 - Matcher: - HttpCode: '200' - HealthCheckPath: '/' - Port: 7351 - Protocol: HTTP - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '20' - VpcId: !Ref 'VpcId' - Tags: - - Key: Name - Value: !Sub 'nakama-${release}' - - # HTTPS for Admin Portal - AdminPortalAlbListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: 
- Certificates: - - CertificateArn: !Ref PortalCertificate - DefaultActions: - - Type: forward - TargetGroupArn: !Ref AdminPortalTargetGroup - LoadBalancerArn: !Ref PublicALB - Port: 443 - Protocol: HTTPS - - # Redirect HTTP -> HTTPS - AdminPortalRedirectAlbListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: redirect - RedirectConfig: - Protocol: HTTPS - Port: 443 - Host: '#{host}' - Path: '/#{path}' - Query: '#{query}' - StatusCode: HTTP_301 - LoadBalancerArn: !Ref PublicALB - Port: 80 - Protocol: HTTP - + TemplateURL: !Sub 'https://s3.${AWS::Region}.amazonaws.com/sumu-stacks/${release}/cloudformation/nakama/load_balancing.yaml' + Parameters: + environment: !Ref environment + release: !Ref release + VpcId: !Ref VpcId + PublicSubnets: !Ref PublicSubnets + PortalCertificate: !Ref PortalCertificate #------------------- # ECS Task & Service @@ -364,7 +178,7 @@ Resources: NakamaPasswordOverride: !Ref NakamaPasswordOverride EcsService: - DependsOn: AdminPortalAlbListener + DependsOn: LoadBalancing Type: AWS::ECS::Service Properties: Cluster: !Ref EcsCluster @@ -373,13 +187,13 @@ Resources: LoadBalancers: - ContainerName: "nakama" ContainerPort: 7351 - TargetGroupArn: !Ref AdminPortalTargetGroup + TargetGroupArn: !GetAtt LoadBalancing.Outputs.AdminPortalTargetGroup - ContainerName: "nakama" ContainerPort: 7350 - TargetGroupArn: !Ref HttpApiTargetGroup + TargetGroupArn: !GetAtt LoadBalancing.Outputs.HttpApiTargetGroup - ContainerName: "nakama" ContainerPort: 7349 - TargetGroupArn: !Ref GRpcApiTargetGroup + TargetGroupArn: !GetAtt LoadBalancing.Outputs.GRpcApiTargetGroup - ContainerName: "nakama" ContainerPort: 7348 - TargetGroupArn: !Ref GRpcEApiTargetGroup \ No newline at end of file + TargetGroupArn: !GetAtt LoadBalancing.Outputs.GRpcEApiTargetGroup \ No newline at end of file
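Review bot: The `TemplateURL` of the new `LoadBalancing` stack in top.yaml points at a mutable key under `sumu-stacks/${release}/`, so whatever object sits at that path at deploy time is instantiated with the parent stack's permissions. Nothing visible here pins a version or states who may write to that prefix. I would add a comment above the resource, such as `# Template is fetched from the sumu-stacks bucket at deploy time: keep the ${release}/ prefix write-restricted and versioned`. Also, moving the load balancers, target groups and security group into a nested stack presumably creates new physical resources instead of adopting the existing ones. The NLB/ALB DNS names and target group ARNs would then change on rollout, which is worth stating in the commit description.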