Skip to content

Installing Traefik Enterprise on ECS Fargate

This page guides you through the installation of Traefik Enterprise on AWS ECS Fargate.

AWS Knowledge

Information about setting up AWS services is not included in this guide. If you want to know more about any of the components referenced in this guide, start with the following resources:

In this guide all examples surrounded by angle brackets <>, must be replaced accordingly.

Requirements

  • An ECS Fargate cluster
    • The aws CLI tool properly configured to communicate with the cluster
    • Enough permissions on the ECS Fargate instance role to access any integrated AWS service
    • All required ports are open on the associated security group of the container instances
  • Controller containers can reach https://v4.license.containous.cloud
  • The teectl CLI tool, for cluster management

Installation

Although some external AWS resources are referenced in the logConfiguration and secrets sections, they are optional. You can just remove or customize them in the task definition. Otherwise, you must create those resources manually with the AWS Console or CLI tool which is not covered in this guide as well.

Since teectl setup gen does not provide support for ECS Fargate manifest files, this guide demonstrates how to write your own task and service definitions, using JSON syntax, to define the necessary resources and deploy a Traefik Enterprise cluster of one controller and two proxies.

Note that flags used in each task definitions are referenced here: Traefikee Command-Line Reference

IAM Roles and Policy

Traefik Enterprise requires the 2 different roles to run, one for the task execution and one when the task is running. Roles needs will map policies, so we gonna need to create the policies first.

Execution role

AWS already have a built in policy for the execution policy named AmazonECSTaskExecutionRolePolicy. We can then create the role and attach the policy to it. Let's create a trust relashionships definition in a file named trust-policy.json, and put it this content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

We create the role that we could name ecsTaskExecutionRole with this aws cli command:

aws iam create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://trust-policy.json 

And we associate the policy:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonECSTaskExecutionRolePolicy --role-name ecsTaskExecutionRole
Use of Secret

If you want to use secret to pass your license, and the token as environement variables you need to add a policy to the ecsTaskExecutionRole in order to let the task be able to read the secret.

Here's an example for the secret read policy, that you only need to associate with the execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "<secret_arn>"
      ]
    }
  ]
}

Running role

As traefik need to access the ECS API for the service discovery, we will need to create a specific policy. To create the policy in AWS you could create a json file with the content below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TraefikECSReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ec2:DescribeInstances",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "TraefikECSContainerExec",
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Then create the policy with this command(change the name of the policy and file accordingly):

aws iam create-policy --policy-name TraefikECSReadAccessRolePolicy --policy-document file://TraefikECSReadAccessRolePolicy.json

Apply the same process as above to create a new role and associate the policy.

Service Discovery

This deployment use AWS Service discovery to manage internal DNS name for Traefik Enterprise component.

As stated before the AWS Service discovery is documented by AWS and will not be described here in details, this section will just give you the command to create a Service Discovery namespace to deploy Traefik Enterprise.

Create a Service Discovery namespace

aws servicediscovery create-private-dns-namespace --name traefikee --vpc <vpc-id>

Create a Service Discovery Service for Traefik Enterprise controller

aws servicediscovery create-service --name controller-0 --dns-config 'NamespaceId="<ns-id>",DnsRecords=[{Type="A",TTL="60"}]' --health-check-custom-config FailureThreshold=1

Create a Service Discovery Service for Traefik Enterprise registry

aws servicediscovery create-service --name registry --dns-config 'NamespaceId="<ns-id>",DnsRecords=[{Type="A",TTL="60"}]' --health-check-custom-config FailureThreshold=1

In case of many controllers, you will need to set up new services for each controller name accordingly.

Use of Secret

If you want to use secret to pass your license, and the token as environement variables you need to add a policy to the ecsTaskExecutionRole in order to let the task be able to read the secret.

here's an example for this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "<secret_arn>"
      ]
    }
  ]
}

Traefik Enterprise will look for specific environment variable during startup, including for its license key and cluster tokens as follows:

  • TRAEFIKEE_LICENSE
  • TRAEFIKEE_JOIN_TOKEN
  • TRAEFIKEE_PLUGIN_TOKEN

However in ECS Fargate environment variables are not expanded at the container startup, which means you can't set command flags with environment variables. In the task definition in order to use the secret as environment varialbe we only will need to remove flags defining those values.

Plugin Registry Token

The plugin registry needs a token to secure its communications with the controller. This token is set on the controller and plugin registry task definition.

Here is an example of how to create it:

openssl rand -base64 10
MvXVeX3qDylxJQ==

Controllers

Mono controller installation

Controller Storage

Fargate by default assign non-persistent storage to the container, in order to keep state, certificate, and necessary data, if the controller container needs to be recreated you need to add an EFS volume as described on the task definition below.

Create a file named controller-task.json with the following task definition:

{
    "family": "traefikee-controller",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "controller-0",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 55055,
                    "hostPort": 55055,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "controller",
                "--name=controller-0",
                "--advertise=controller-0.traefikee:4242",
                "--license=<your_license>",
                "--statedir=/data/state",
                "--jointoken.file.path=/data/tokens",
                "--api.socket=/var/run/traefikee/teectl-controller-0.sock",
                "--socket=/var/run/traefikee/controller-0.sock",
                "--api.autocerts",
                "--plugin.url=https://registry.traefikee:443",
                "--plugin.token=<your_generated_plugin_token>"
            ],
            "linuxParameters": {
                "initProcessEnabled": true
            },
            "environment": [],
            "secrets": [],
            "volumesFrom": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "controller"
            },
            "mountPoints": [
                {
                  "readOnly": false,
                  "containerPath": "/data",
                  "sourceVolume": "traefikee-data"
                }
            ],
            "readonlyRootFilesystem": false,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-controller"
                }
        }
    }
    ],
    "volumes": [
        {
          "name": "traefikee-data",
          "efsVolumeConfiguration": {
            "fileSystemId": "<controller_efs_id>",
            "transitEncryption": "DISABLED",
            "rootDirectory": "/"
          }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },

    "requiresCompatibilities": [
        "FARGATE"
    ]
}
{
    "family": "traefikee-controller",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "controller-0",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 55055,
                    "hostPort": 55055,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "controller",
                "--name=controller-0",
                "--advertise=controller-0.traefikee:4242",
                "--statedir=/data/state",
                "--jointoken.file.path=/data/tokens",
                "--api.socket=/var/run/traefikee/teectl-controller-0.sock",
                "--socket=/var/run/traefikee/controller-0.sock",
                "--api.autocerts",
                "--plugin.url=https://registry.traefikee:443"
            ],
            "linuxParameters": {
                "initProcessEnabled": true
            },
            "environment": [],
            "secrets": [
                {
                    "name": "TRAEFIKEE_LICENSE",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_license>::"
                },
                {
                    "name": "TRAEFIKEE_PLUGIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_plugin_token_key>::"
                }
            ],
            "volumesFrom": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "controller"
            },
            "mountPoints": [
                {
                    "readOnly": false,
                    "containerPath": "/data",
                    "sourceVolume": "traefikee-data"
                }
            ],
            "readonlyRootFilesystem": false,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-controller"
                }
            }
        }
    ],
    "volumes": [
        {
            "name": "traefikee-data",
            "efsVolumeConfiguration": {
                "fileSystemId": "<controller_efs_id>",
                "transitEncryption": "DISABLED",
                "rootDirectory": "/"
            }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "requiresCompatibilities": [
        "FARGATE"
    ]
}

Customize the file, then register the task definition on ECS Fargate:

aws ecs register-task-definition --cli-input-json file://controller-task.json --region <aws_region>

Now create a file named controller-svc.json with the service definition:

{
    "serviceName": "traefikee-controller",
    "taskDefinition": "traefikee-controller",
    "desiredCount": 1,
    "launchType": "FARGATE",
    "schedulingStrategy": "REPLICA",
    "serviceRegistries": [
        {
           "registryArn": "<service_discovery_controller_service_arn>"
        }
    ],
    "networkConfiguration": {
        "awsvpcConfiguration": {
            "subnets": [
                "<subnet_id_a>",
                "<subnet_id_b>",
                "<subnet_id_c>"
            ],
            "securityGroups": [
                "<security_group_id>"
            ],
            "assignPublicIp": "ENABLED"
        }
    }
}

Customize the file and deploy it to the ECS Fargate cluster:

aws ecs create-service --cli-input-json file://controller-svc.json --cluster <my_cluster> --region <aws_region> --enable-execute-command

Check the service status to ensure the service was started:

aws ecs describe-services --services traefikee-controller --cluster <my_cluster> --region <aws_region>
{
    "services": [
        {
            "status": "ACTIVE",
            "serviceRegistries": [],
            "pendingCount": 0,
            "launchType": "FARGATE",
            "enableECSManagedTags": true,
            "schedulingStrategy": "REPLICA",
            "loadBalancers": [],
            "placementConstraints": [
                {
                    "type": "distinctInstance"
                }
            ],
            "createdAt": 1605815767.081,
            "desiredCount": 1,
            "serviceName": "traefikee-controller",
            "clusterArn": "arn:aws:ecs:aws_region:aws_account_id:cluster/traefikee-ecs",
            "createdBy": "arn:aws:iam::aws_account_id:user/aws_user",
            "taskDefinition": "arn:aws:ecs:aws_region:aws_account_id:task-definition/traefikee-controller:7",
            "serviceArn": "arn:aws:ecs:aws_region:aws_account_id:service/traefikee-ecs/traefikee-controller",
            "propagateTags": "SERVICE",
            "deploymentConfiguration": {
                "maximumPercent": 200,
                "minimumHealthyPercent": 100
            },
            "deployments": [
                {
                    "status": "PRIMARY",
                    "pendingCount": 0,
                    "launchType": "EC2",
                    "createdAt": 1605815767.081,
                    "desiredCount": 1,
                    "taskDefinition": "arn:aws:ecs:aws_region:aws_account_id:task-definition/traefikee-controller:7",
                    "updatedAt": 1605815785.903,
                    "id": "ecs-svc/4291651818662396701",
                    "runningCount": 1
                }
            ],
            "events": [
                {
                    "message": "(service traefikee-controller) has reached a steady state.",
                    "id": "2ae7ae80-11bc-48fa-bd1c-ec6235521928",
                    "createdAt": 1605815785.907
                },
                {
                    "message": "(service traefikee-controller) has started 1 tasks: (task fe932a1e5690403eacd5d3b4f8221b18).",
                    "id": "901615c4-8e67-4ed2-91f6-b52fcc88d147",
                    "createdAt": 1605815774.564
                }
            ],
            "runningCount": 1,
            "placementStrategy": []
        }
    ],
    "failures": []
}

Wait until the controllers are up and running before proceeding to the next steps.

Get the Proxy Join Token

Fetch the proxy join token by connecting to the container instance and executing the following commands:

# Get the tokens
aws ecs execute-command --cluster <my_cluster> --container controller-0 --task <task-arn> --interactive --command "/traefikee tokens --socket /var/run/traefikee/controller-0.sock"
export TRAEFIKEE_CONTROLLER_TOKEN=5531644e5645744f4c5445744e47706f4e7a5a3261574a765a485274616a55345a57526f4d7a566f65444e6f4e544e70616d4a6d615459314e5464684f48526f4d6e6c735933466e4e33686a6348417459544e6c4e5451314e475a70616d4e304e484e796432466f4e445a796447707859673d3d3a303a97b42afa416f0df94d7c453bd4c55fcddd339ec4570068eac2c5cc5504c158d42521e9852615ab95049e2b3296b67c4a
export TRAEFIKEE_PROXY_TOKEN=5531644e5645744f4c5445744e47706f4e7a5a3261574a765a485274616a55345a57526f4d7a566f65444e6f4e544e70616d4a6d615459314e5464684f48526f4d6e6c735933466e4e33686a634841744e47397563484d31636a4d354d7a42354e5463785933557762546b774e7a55794f413d3d3a313a97b42afa416f0df94d7c453bd4c55fcddd339ec4570068eac2c5cc5504c158d42194b3059e6861761121966a44f964d3

Write down the proxy token as it is required for the next step, the proxies task definition.

Multi controller Installation

Controller Storage

Fargate by default assign non-persistent storage to the container, in order to keep state, certificate, and necessary data, if the controllers needs to be recreated you need to add an EFS volume for each controller as described on the tasks definitions below.

Note that multi controller should not be deployed without secret, each controller will need the a join token if it is recreated or restarted. The environment variable that will be checked by the controller at bootstrap is TRAEFIKEE_JOIN_TOKEN.

In order to manage each controller independently in case of maintenance, it is recommended to create each and every controller as separated tasks.

After deploying the first controller get the join token and update secret accordingly.

Here is the example of the configuration for a 3 nodes controller cluster:

{
    "family": "traefikee-controller-0",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "controller-0",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 55055,
                    "hostPort": 55055,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "controller",
                "--name=controller-0",
                "--advertise=controller-0.traefikee:4242",
                "--discovery.static.peers=controller-1.traefikee:4242,controller-2.traefikee:4242",
                "--statedir=/data/state",
                "--jointoken.file.path=/data/tokens",
                "--api.socket=/var/run/traefikee/teectl-controller-0.sock",
                "--socket=/var/run/traefikee/controller-0.sock",
                "--api.autocerts",
                "--plugin.url=https://registry.traefikee:443"
            ],
            "linuxParameters": {
                "initProcessEnabled": true
            },
            "environment": [],
            "secrets": [
                                {
                    "name": "TRAEFIKEE_LICENSE",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_license>::"
                },
                {
                    "name": "TRAEFIKEE_PLUGIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_plugin_token_key>::"
                },
                {
                    "name": "TRAEFIKEE_JOIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_controller_join_token_key>::"
                }
            ],
            "volumesFrom": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "controller-0"
            },
            "mountPoints": [
                {
                  "readOnly": false,
                  "containerPath": "/data",
                  "sourceVolume": "traefikee-data"
                }
            ],
            "readonlyRootFilesystem": false,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-controller-0"
                }
        }
    }
    ],
    "volumes": [
        {
          "name": "traefikee-data",
          "efsVolumeConfiguration": {
            "fileSystemId": "<controller-0_efs_id>",
            "transitEncryption": "DISABLED",
            "rootDirectory": "/"
          }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },

    "requiresCompatibilities": [
        "FARGATE"
    ]
}
{
    "family": "traefikee-controller-1",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "controller-1",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 55055,
                    "hostPort": 55055,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "controller",
                "--name=controller-1",
                "--advertise=controller-1.traefikee:4242",
                "--discovery.static.peers=controller-0.traefikee:4242,controller-2.traefikee:4242",
                "--statedir=/data/state",
                "--jointoken.file.path=/data/tokens",
                "--api.socket=/var/run/traefikee/teectl-controller-1.sock",
                "--socket=/var/run/traefikee/controller-1.sock",
                "--api.autocerts",
                "--plugin.url=https://registry.traefikee:443"
            ],
            "linuxParameters": {
                "initProcessEnabled": true
            },
            "environment": [],
            "secrets": [
                                {
                    "name": "TRAEFIKEE_LICENSE",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_license>::"
                },
                {
                    "name": "TRAEFIKEE_PLUGIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_plugin_token_key>::"
                },
                {
                    "name": "TRAEFIKEE_JOIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_controller_join_token_key>::"
                }
            ],
            "volumesFrom": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "controller-1"
            },
            "mountPoints": [
                {
                  "readOnly": false,
                  "containerPath": "/data",
                  "sourceVolume": "traefikee-data"
                }
            ],
            "readonlyRootFilesystem": false,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-controller-1"
                }
        }
    }
    ],
    "volumes": [
        {
          "name": "traefikee-data",
          "efsVolumeConfiguration": {
            "fileSystemId": "<controller-1_efs_id>",
            "transitEncryption": "DISABLED",
            "rootDirectory": "/"
          }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },

    "requiresCompatibilities": [
        "FARGATE"
    ]
}
{
    "family": "traefikee-controller-2",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "controller-2",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 55055,
                    "hostPort": 55055,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "controller",
                "--name=controller-2",
                "--advertise=controller-2.traefikee:4242",
                "--discovery.static.peers=controller-0.traefikee:4242,controller-1.traefikee:4242",
                "--statedir=/data/state",
                "--jointoken.file.path=/data/tokens",
                "--api.socket=/var/run/traefikee/teectl-controller-2.sock",
                "--socket=/var/run/traefikee/controller-2.sock",
                "--api.autocerts",
                "--plugin.url=https://registry.traefikee:443"
            ],
            "linuxParameters": {
                "initProcessEnabled": true
            },
            "environment": [],
            "secrets": [
                                {
                    "name": "TRAEFIKEE_LICENSE",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_license>::"
                },
                {
                    "name": "TRAEFIKEE_PLUGIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_plugin_token_key>::"
                },
                {
                    "name": "TRAEFIKEE_JOIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_controller_join_token_key>::"
                }
            ],
            "volumesFrom": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "controller-2"
            },
            "mountPoints": [
                {
                  "readOnly": false,
                  "containerPath": "/data",
                  "sourceVolume": "traefikee-data"
                }
            ],
            "readonlyRootFilesystem": false,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group>",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-controller-2"
                }
        }
    }
    ],
    "volumes": [
        {
          "name": "traefikee-data",
          "efsVolumeConfiguration": {
            "fileSystemId": "<controller-2_efs_id>",
            "transitEncryption": "DISABLED",
            "rootDirectory": "/"
          }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "requiresCompatibilities": [
        "FARGATE"
    ]
}

Create a service for each task as described in the mono controller section and deploy.

Proxies

Create a file named proxies-task.json with the following task definition:

{
    "family": "traefikee-proxies",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "proxy",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 80,
                    "hostPort": 80,
                    "protocol": "tcp"
                },
                {
                    "containerPort": 443,
                    "hostPort": 443,
                    "protocol": "tcp"
                },
                {
                    "containerPort": 8484,
                    "hostPort": 8484,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "proxy",
                "--role=ingress",
                "--discovery.static.peers=controller-0.traefikee:4242",
                "--jointoken.value=<proxy_join_token>"
            ],
            "linuxParameters": {},
            "environment": [],
            "volumesFrom": [],
            "secrets": [],
            "dockerLabels": {
                "com.traefik.traefikee.component": "proxies"
            },
            "mountPoints": [],
            "readonlyRootFilesystem": true,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-proxies"
                }
        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },

    "requiresCompatibilities": [
        "FARGATE"
    ]
}
{
    "family": "traefikee-proxies",
    "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
    "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
    "cpu": "512",
    "memory": "1024",
    "containerDefinitions": [
        {
            "name": "proxy",
            "image": "traefik/traefikee:v2.8.0",
            "cpu": 500,
            "portMappings": [
                {
                    "containerPort": 80,
                    "hostPort": 80,
                    "protocol": "tcp"
                },
                {
                    "containerPort": 443,
                    "hostPort": 443,
                    "protocol": "tcp"
                },
                {
                    "containerPort": 8484,
                    "hostPort": 8484,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "command": [
                "proxy",
                "--role=ingress",
                "--discovery.static.peers=controller-0.traefikee:4242"
            ],
            "linuxParameters": {},
            "environment": [],
            "volumesFrom": [],
            "secrets": [
                {
                    "name": "TRAEFIKEE_JOIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_proxy_join_token_key>::"
                }
            ],
            "dockerLabels": {
                "com.traefik.traefikee.component": "proxies"
            },
            "mountPoints": [],
            "readonlyRootFilesystem": true,
            "privileged": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "<your_cloud_watch_log_group",
                    "awslogs-region": "<your_aws_region>",
                    "awslogs-stream-prefix": "traefikee-proxies"
                }
        }

        }
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },

    "requiresCompatibilities": [
        "FARGATE"
    ]
}

Proxies

In case of multi controller installation you should add all the controller in the static.discovery.peers field.

Customize the file then register the task definition in Fargate:

aws ecs register-task-definition --cli-input-json file://proxies-task.json --region <aws_region>

Now create a file named proxies-svc.json with the service definition:

{
    "serviceName": "traefikee-proxies",
    "taskDefinition": "traefikee-proxies",
    "desiredCount": 2,
    "launchType": "FARGATE",
    "schedulingStrategy": "REPLICA",
    "networkConfiguration": {
        "awsvpcConfiguration": {
            "subnets": [
                "<subnet_id_a>",
                "<subnet_id_b>",
                "<subnet_id_c>"
            ],
            "securityGroups": [
                "<security_group_id>"
            ],
            "assignPublicIp": "ENABLED"
        }
    }
}

Customize the file and deploy it to the Fargate cluster:

aws ecs create-service --cli-input-json file://proxies-svc.json --cluster <my_cluster> --region <aws_region>

Check the service status to ensure the service was started:

aws ecs describe-services --services traefikee-proxies --cluster <my_cluster> --region <aws_region>
{
    "services": [
        {
            "status": "ACTIVE",
            "serviceRegistries": [],
            "pendingCount": 0,
            "launchType": "EC2",
            "enableECSManagedTags": true,
            "schedulingStrategy": "REPLICA",
            "loadBalancers": [],
            "placementConstraints": [
                {
                    "type": "distinctInstance"
                }
            ],
            "createdAt": 1605879947.392,
            "desiredCount": 2,
            "serviceName": "traefikee-proxies",
            "clusterArn": "arn:aws:ecs:aws_region:aws_account_id:cluster/traefikee-ecs",
            "createdBy": "arn:aws:iam::aws_account_id:user/aws_user",
            "taskDefinition": "arn:aws:ecs:aws_region:aws_account_id:task-definition/traefikee-proxies:5",
            "serviceArn": "arn:aws:ecs:aws_region:aws_account_id:service/traefikee-ecs/traefikee-proxies",
            "propagateTags": "SERVICE",
            "deploymentConfiguration": {
                "maximumPercent": 200,
                "minimumHealthyPercent": 100
            },
            "deployments": [
                {
                    "status": "PRIMARY",
                    "pendingCount": 0,
                    "launchType": "EC2",
                    "createdAt": 1605880984.365,
                    "desiredCount": 2,
                    "taskDefinition": "arn:aws:ecs:aws_region:aws_account_id:task-definition/traefikee-proxies:5",
                    "updatedAt": 1605881208.064,
                    "id": "ecs-svc/4529007424825088897",
                    "runningCount": 2
                }
            ],
            "events": [
                {
                    "message": "(service traefikee-proxies) has reached a steady state.",
                    "id": "51e07037-3595-40fa-a394-c489561fcd11",
                    "createdAt": 1605881208.068
                },
                {
                    "message": "(service traefikee-proxies) has started 1 tasks: (task 11ad2458e5624330955dc97f6ce41d41).",
                    "id": "7e74652c-f88c-4e0f-b922-446ac8a7a114",
                    "createdAt": 1605881197.123
                },
                {
                    "message": "(service traefikee-proxies) has reached a steady state.",
                    "id": "2d857d41-658a-452b-b7d6-c1c3bb4a2944",
                    "createdAt": 1605881165.664
                },
                {
                    "message": "(service traefikee-proxies) has started 1 tasks: (task b94de86d3664413081c045ed25f9b326).",
                    "id": "74bb63a2-bbf8-45a2-bc22-a5a266b4289e",
                    "createdAt": 1605881153.114
                }
            ],
            "runningCount": 2,
            "placementStrategy": []
        }
    ],
    "failures": []
}

Plugin Registry

Create a file named registry-task.json with the following task definition:

Registry Storage

Fargate by default assign non-persistent storage to the container, in order to keep your custom plugins, if the registry container needs to be recreated you need to add an EFS volume as described on the task definition below.

{
  "family": "traefikee-registry",
  "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
  "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
  "cpu": "512",
  "memory": "1024",
  "containerDefinitions": [
      {
        "name" : "registry",
        "image": "traefik/traefikee:v2.8.0",
        "cpu": 500,
        "portMappings": [
          {
            "hostPort": 443,
            "protocol": "tcp",
            "containerPort": 443
          }
        ],
        "essential": true,
        "command": [
          "plugin-registry",
          "--name=registry",
          "--discovery.static.peers=controller-0.traefikee",
          "--plugindir=/var/lib/plugins",
          "--token=<your_generated_plugin_token>",
          "--jointoken.value=<proxy_join_token>"
        ],
        "linuxParameters": {},
        "environment": [],
        "volumesFrom": [],
        "secrets": [],
        "dockerLabels": {
            "com.traefik.traefikee.component": "registry"
        },
        "mountPoints": [
          {
            "readOnly": false,
            "containerPath": "/var/lib/plugins",
            "sourceVolume": "traefikee-plugins"
          }
        ],
        "readonlyRootFilesystem": false,
        "privileged": false,
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "<your_cloud_watch_log_group",
                "awslogs-region": "<your_aws_region>",
                "awslogs-stream-prefix": "traefikee-registry"
            }
    }
      }
    ],
    "volumes": [
      {
        "name": "traefikee-plugins",
        "efsVolumeConfiguration": {
          "fileSystemId": "<registry_efs_id>",
          "transitEncryption": "DISABLED",
          "rootDirectory": "/"
        }
      }
  ],
  "networkMode": "awsvpc",
  "runtimePlatform": {
      "cpuArchitecture": "X86_64",
      "operatingSystemFamily": "LINUX"
  },

  "requiresCompatibilities": [
      "FARGATE"
  ]
}
{
  "family": "traefikee-registry",
  "taskRoleArn": "arn:aws:iam::<your_account_id>:role/RoleTraefikECSReadAccess",
  "executionRoleArn": "arn:aws:iam::<your_account_id>:role/ecsTaskExecutionRole",
  "cpu": "512",
  "memory": "1024",
  "containerDefinitions": [
      {
        "name" : "registry",
        "image": "traefik/traefikee:v2.8.0",
        "cpu": 500,
        "portMappings": [
          {
            "hostPort": 443,
            "protocol": "tcp",
            "containerPort": 443
          }
        ],
        "essential": true,
        "command": [
          "plugin-registry",
          "--name=registry",
          "--discovery.dns.domain=controller-0.traefikee",
          "--plugindir=/var/lib/plugins"
        ],
        "linuxParameters": {},
        "environment": [],
        "volumesFrom": [],
        "secrets": [
                {
                    "name": "TRAEFIKEE_PLUGIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_plugin_token_key>::"
                },
                {
                    "name": "TRAEFIKEE_JOIN_TOKEN",
                    "valueFrom": "arn:aws:secretsmanager:<your_aws_region>:<your_account_id>:secret:<your_secret_name>:<traefik_proxy_join_token_key>::"
                }
        ],
        "dockerLabels": {
            "com.traefik.traefikee.component": "registry"
        },
        "mountPoints": [
          {
            "readOnly": false,
            "containerPath": "/var/lib/plugins",
            "sourceVolume": "traefikee-plugins"
          }
        ],
        "readonlyRootFilesystem": false,
        "privileged": false,
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "<your_cloud_watch_log_group",
                "awslogs-region": "<your_aws_region>",
                "awslogs-stream-prefix": "traefikee-registry"
            }
    }
      }
    ],
    "volumes": [
      {
        "name": "traefikee-plugins",
        "efsVolumeConfiguration": {
          "fileSystemId": "<registry_efs_id>",
          "transitEncryption": "DISABLED",
          "rootDirectory": "/"
        }
      }
  ],
  "networkMode": "awsvpc",
  "runtimePlatform": {
      "cpuArchitecture": "X86_64",
      "operatingSystemFamily": "LINUX"
  },

  "requiresCompatibilities": [
      "FARGATE"
  ]
}

Registry with Multi controller

In case of multi controller installation, you should add all the controller in the static.discovery.peers field.

Customize the file, then register the task definition in Fargate:

aws ecs register-task-definition --cli-input-json file://registry-task.json --region <aws_region>

Now create a file named registry-svc.json with the service definition:

{
    "serviceName": "traefikee-registry",
    "taskDefinition": "traefikee-registry",
    "desiredCount": 1,
    "launchType": "FARGATE",
    "schedulingStrategy": "REPLICA",
    "serviceRegistries": [
        {
           "registryArn": "<service_discovery_registry_service_arn>"
        }
     ],
    "networkConfiguration": {
        "awsvpcConfiguration": {
            "subnets": [
                "<subnet_id_a>",
                "<subnet_id_b>",
                "<subnet_id_c>"
            ],
            "securityGroups": [
                "<security_group_id>"
            ],
            "assignPublicIp": "ENABLED"
        }
    }
}

Customize the file and deploy it to the Fargate cluster:

aws ecs create-service --cli-input-json file://registry-svc.json --cluster <my_cluster> --region <aws_region>

Check the service status to ensure the service was started:

aws ecs describe-services --services registry --cluster <my_cluster> --region <aws_region>
{
    "services": [
        {
            "serviceArn": "arn:aws:ecs:eu-north-1:114072598128:service/traefikee-ecs/traefikee-registry",
            "serviceName": "traefikee-registry",
            "clusterArn": "arn:aws:ecs:eu-north-1:114072598128:cluster/traefikee-ecs",
            "loadBalancers": [],
            "serviceRegistries": [],
            "status": "ACTIVE",
            "desiredCount": 1,
            "runningCount": 1,
            "pendingCount": 0,
            "launchType": "EC2",
            "taskDefinition": "arn:aws:ecs:eu-north-1:114072598128:task-definition/traefikee-registry:2",
            "deploymentConfiguration": {
                "deploymentCircuitBreaker": {
                    "enable": false,
                    "rollback": false
                },
                "maximumPercent": 200,
                "minimumHealthyPercent": 100
            },
            "deployments": [
                {
                    "id": "ecs-svc/5244500742569760246",
                    "status": "PRIMARY",
                    "taskDefinition": "arn:aws:ecs:eu-north-1:114072598128:task-definition/traefikee-registry:2",
                    "desiredCount": 1,
                    "pendingCount": 0,
                    "runningCount": 1,
                    "failedTasks": 0,
                    "createdAt": 1610097942.755,
                    "updatedAt": 1610097977.375,
                    "launchType": "EC2",
                    "rolloutState": "COMPLETED",
                    "rolloutStateReason": "ECS deployment ecs-svc/5244500742569760246 completed."
                }
            ],
            "events": [
                {
                    "id": "9b8f4549-e972-4506-848a-8050084f57f0",
                    "createdAt": 1610097977.381,
                    "message": "(service registry) has reached a steady state."
                },
                {
                    "id": "adee0f69-5ceb-4f11-8fd9-47effc1b39c2",
                    "createdAt": 1610097977.38,
                    "message": "(service registry) (deployment ecs-svc/5244500742569760246) deployment completed."
                },
                {
                    "id": "6b070094-8686-4ab7-9886-82c248203698",
                    "createdAt": 1610097966.485,
                    "message": "(service registry) has started 1 tasks: (task 65e57cd8504346da8a8d654917919c7b)."
                },
            ],
            "createdAt": 1610096466.659,
            "placementConstraints": [],
            "placementStrategy": [
                {
                    "type": "spread",
                    "field": "attribute:ecs.availability-zone"
                },
                {
                    "type": "spread",
                    "field": "instanceId"
                }
            ],
            "schedulingStrategy": "REPLICA",
            "createdBy": "arn:aws:iam::114072598128:user/xxx",
            "enableECSManagedTags": true,
            "propagateTags": "NONE"
        }
    ],
    "failures": []
}

Remote Access Through teectl

Once your cluster is ready, if you want to operate the cluster remotely using the teectl tool, you will need to generate credentials from your cluster using traefikee generate credentials on one of your controllers and use teectl to import the cluster credentials.

First connect to a container instance running a controller task, then run:

# Get a teectl config with credentials
aws ecs execute-command --cluster <my_cluster> --container controller-0 --task <task-arn> --interactive --command "/traefikee generate credentials --cluster <my_cluster> --onpremise.hosts <controller-container-public-ip> --socket /var/run/teectl-controller-0.sock"
cluster_name: <my_cluster>
tls:
  cert: |
    -----BEGIN CERTIFICATE-----
    MIIB+jCCAaCgAwIBAgIQKHgQX14LGetAsD8wSEta5jAKBggqhkjOPQQDAjAuMRUw
    EwYDVQQKEwxUcmFlZmlrIExhYnMxFTATBgNVBAMTDFRyYWVmaWtFRSBDQTAgFw0y
    MDExMTkyMDAwMDNaGA8yMTIwMTAyNjIwMDAwM1owFTETMBEGA1UEAxMKY2xpZW50
    LmVjczBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKcFJkSGRxbfAnQx2JtYpEnA
    knHdqukFWF8Sbvht30Ge/EnBrTe37ilzJ0KlY11UQK/KlGPMoqVSrjAnqZz10nGj
    gbYwgbMwDgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1Ud
    EwEB/wQCMAAwKQYDVR0OBCIEIKh1ygHajrADFcxpfv4p/ff7FH4lDULi0uqcDp7j
    qaylMCsGA1UdIwQkMCKAILoCK8uf89Yveb/uZN+Vs+gfvz05Y6NHB2/hd3T6ix3T
    MCYGA1UdEQQfMB2CCmNsaWVudC5lY3OCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjO
    PQQDAgNIADBFAiEAiXT09co8egGQ0Y6hJ/lgIzCGC0I9GiFfvrxCGKl15l8CICYY
    E6ig/k2D4coprOclVF5QVkqHCcx2EL0HA/zK05eI
    -----END CERTIFICATE-----
  key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIC8CsJ/B115S+JtR1/l3ZQwKA3XdXt9zLqusF1VXc/KloAoGCCqGSM49
    AwEHoUQDQgAEpwUmRIZHFt8CdDHYm1ikScCScd2q6QVYXxJu+G3fQZ78ScGtN7fu
    KXMnQqVjXVRAr8qUY8yipVKuMCepnPXScQ==
    -----END EC PRIVATE KEY-----
  ca: |
    -----BEGIN CERTIFICATE-----
    MIIB2DCCAX2gAwIBAgIQDEHgiwDfaIX3wS1EHF800DAKBggqhkjOPQQDAjAuMRUw
    EwYDVQQKEwxUcmFlZmlrIExhYnMxFTATBgNVBAMTDFRyYWVmaWtFRSBDQTAgFw0y
    MDExMTkxOTU2MjBaGA8yMTIwMTAyNjE5NTYyMFowLjEVMBMGA1UEChMMVHJhZWZp
    ayBMYWJzMRUwEwYDVQQDEwxUcmFlZmlrRUUgQ0EwWTATBgcqhkjOPQIBBggqhkjO
    PQMBBwNCAATe+gM99l/nAAeNIy/kn8vbrcSNORhbWGBUp+j1CtL2ADqLYIel/acB
    B3ssLPnbAZLoKJefrQS/CNJOdZpRZBnfo3sweTAOBgNVHQ8BAf8EBAMCAYYwDwYD
    VR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQgugIry5/z1i95v+5k35Wz6B+/PTljo0cH
    b+F3dPqLHdMwKwYDVR0jBCQwIoAgugIry5/z1i95v+5k35Wz6B+/PTljo0cHb+F3
    dPqLHdMwCgYIKoZIzj0EAwIDSQAwRgIhAMRjpKzzAZr5wT5IXMaBWv0OUvy6wxFn
    kyZApTzhcbr9AiEAtaJZ7DN+xLeA0/RUljK0uDKuZALix30VSx4U2aaYdc4=
    -----END CERTIFICATE-----
onPremise:
  hosts:
  - <controller-container-public-ip>
  port: 55055

Save the output of the last command above to a file named teectl-config.yaml, and then run:

teectl cluster import --file="teectl-config.yaml"
teectl cluster use --name <my_cluster>

You can now use teectl to operate your cluster.

teectl get nodes
ID                         NAME                                      STATUS  ROLE
hlx1b3gu8bb5n1lg8qtiy5nvv  controller-0                              Ready   Controller (Leader)
jm5wv9kdmp9imspqx39n300b3  ip-10-0-0-130.us-east-1.compute.internal  Ready   Proxy / Ingress
y0l2me7zjalidnzqf3fqanuxk  ip-10-0-0-178.us-east-1.compute.internal  Ready   Proxy / Ingress
odxyyk3l7pkwiab8rtwvhflgs  registry                                  Ready   Plugin Registry

Going further

Now that the cluster is ready, we recommend reading the various operating guides to dive into all the features that Traefik Enterprise provides.