AWS EC2

​

Deploying Multiwoven on AWS EC2 Using Docker Compose

This guide walks you through setting up Multiwoven, on an AWS EC2 instance using Docker Compose. We’ll cover launching the instance, installing Docker, running Multiwoven with its dependencies, and finally, accessing the Multiwoven UI.

Important Note: at present, TLS is required. This means that to successfully deploy the Platform via docker-compose, you will need access to a DNS record set as well as the ability to obtain a valid TLS certificate from a Certificate Authority. You can obtain a free TLS certificates via tools like CertBot, Amazon Certificate Manager (if using an AWS Application Load Balancer to front an EC2 instance), letsencrypt-nginx-proxy-companion (if you add an nginx proxy to the docker-compose file to front the other services), etc.

Prerequisites:

• An active AWS account
• Basic knowledge of AWS and Docker
• A private repository access key (please contact your AIS point of contact if you have not received one)

Notes:

• This guide uses environment variables for sensitive information. Replace the placeholders with your own values before proceeding.
• This guide uses an Application Load Balancer (ALB) to front the EC2 instance for ease of enabling secure TLS communication with the backend using an Amazon Certificate Manager (ACM) TLS certificate. These certificates are free of charge and ACM automatically rotates them every 90 days. While the ACM certificate is free, the ALB is not. You can refer to the following document for current ALB pricing: ALB Pricing Page.

1. Obtain TLS Certificate (Requires access to DNS Record Set)

1.1 In the AWS Management Console, navigate to Amazon Certificate Manager and request a new certificate.

1.2 Unless your organization has created a Private CA (Certificate Authority), we recommend requesting a public certificate.

1.3 Request a single ACM certificate that can verify all three of your chosen subdomains for this deployment. DNS validation is recommended for automatic rotation of your certificate but this method requires access to your domain’s DNS record set.

1.4 Once you have added your selected sub-domains, scroll down and click Request.

5. Once your request has been made, you will be taken to a page that will describe your certificate request and its current status. Scroll down a bit and you will see a section labeled Domains with 3 subdomains and 1 CNAME validation record for each. These records need to be added to your DNS record set. Please refer to your organization’s internal documentation or the documentation of your DNS service for further instruction on how to add DNS records to your domain’s record set.
   

   

   Note: For automatic certificate rotation, you need to leave these records in your record set. If they are removed, automatic rotation will fail.

6. Once your ACM certificate has been issued, note the ARN of your certificate and proceed.

2. Create and Configure Application Load Balancer and Target Groups

1. In the AWS Management Console, navigate to the EC2 Dashboard and select Load Balancers.

   

2. On the next screen select Create under Application Load Balancer.

   

3. Under Basic configuration name your load balancer. If you are deploying this application within a private network, select Internal. Otherwise, select Internet-facing. Consult with your internal Networking team if you are unsure as this setting can not be changed post-deployment and you will need to create an entirely new load balancer to correct this.

   

4. Under Network mapping, select a VPC and write it down somewhere for later use. Also, select 2 subnets (2 are required for an Application Load Balancer) and write them down too for later use.
   

   Note: If you are using the internal configuration, select only private subnets. If you are using the internet-facing configuration, you must select public subnets and they must have routes to an Internet Gateway.

   

5. Under Security groups, select the link to create a new security group and a new tab will open.

   

6. Under Basic details, name your security group and provide a description. Be sure to pick the same VPC that you selected for your load balancer configuration.

   

7. Under Inbound rules, create rules for HTTP and HTTPS and set the source for both rules to Anywhere. This will expose inbound ports 80 and 443 on the load balancer. Leave the default Outbound rules allowing for all outbound traffic for simplicity. Scroll down and select Create security group.

   

8. Once the security group has been created, close the security group tab and return to the load balancer tab. On the load balancer tab, in the Security groups section, hit the refresh icon and select your newly created security group. If the VPC’s default security group gets appended automatically, be sure to remove it before proceeding.

   

9. Under Listeners and routing in the card for Listener HTTP:80, select Create target group. A new tab will open.

   

10. Under Basic configuration, select Instances.

    

11. Scroll down and name your target group. This first one will be for the Platform’s web app so you should name it accordingly. Leave the protocol set to HTTP but change the port value to 8000. Also, make sure that the pre-selected VPC matches the VPC that you selected for the load balancer. Scroll down and click Next.

    

12. Leave all defaults on the next screen, scroll down and select Create target group. Repeat this process 2 more times, once for the Platform API on port 3000 and again for Temporal UI on port 8080. You should now have 3 target groups.

    

13. Navigate back to the load balancer configuration screen and hit the refresh button in the card for Listener HTTP:80. Now, in the target group dropdown, you should see your 3 new target groups. For now, select any one of them. There will be some further configuration needed after the creation of the load balancer.

    

14. Now, click Add listener.

    

15. Change the protocol to HTTPS and in the target group dropdown, again, select any one of the target groups that you previously created.

    

16. Scroll down to the Secure listener settings. Under Default SSL/TLS server certificate, select From ACM and in the Select a certificate dropdown, select the certificate that you created in Step 1. In the dropdown, your certificate will only show the first subdomain that you listed when you created the certificate request. This is expected behavior.

    Note: If you do not see your certificate in the dropdown list, the most likely issues are:
    (1) your certificate has not yet been successfully issued. Navigate back to ACM and verify that your certificate has a status of Issued. (2) you created your certificate in a different region and will need to either recreate your load balancer in the same region as your certificate OR recreate your certificate in the region in which you are creating your load balancer.

    

17. Scroll down to the bottom of the page and click Create load balancer. Load balancers take a while to create, approximately 10 minutes or more. However, while the load balancer is creating, copy the DNS name of the load balancer and create CNAME records in your DNS record set, pointing all 3 of your chosen subdomains to the DNS name of the load balancer. Until you complete this step, the deployment will not work as expected. You can proceed with the final steps of the deployment but you need to create those CNAME records.

    

18. At the bottom of the details page for your load balancer, you will see the section Listeners and rules. Click on the listener labeled HTTP:80.

    

19. Check the box next to the Default rule and click the Actions dropdown.

    

20. Scroll down to Routing actions and select Redirect to URL. Leave URI parts selected. In the Protocol dropdown, select HTTPS and set the port value to 443. This configuration step will automatically redirect all insecure requests to the load balancer on port 80 (HTTP) to port 443 (HTTPS). Scroll to the bottom and click Save.

    

21. Return to the load balancer’s configuration page (screenshot in step 18) and scroll back down to the Listeners and rules section. This time, click the listener labled HTTPS:443.

    

22. Click Add rule.

    

23. On the next page, you can optionally add a name to this new rule. Click Next.

24. On the next page, click Add condition. In the Add condition pop-up, select Host header from the dropdown. For the host header, put the subdomain that you selected for the Platform web app and click Confirm and then click Next.

    
    

25. One the next page, under Actions. Leave the Routing actions set to Forward to target groups. From the Target group dropdown, select the target group that you created for the web app. Click Next.

    

26. On the next page, you can set the Priority to 1 and click Next.

    

27. On the next page, click Create.

28. Repeat steps 24 - 27 for the api (priority 2) and temporal ui (priority 3).

29. Optionally, you can also edit the default rule so that it Returns a fixed response. The default Response code of 503 is fine.

    

3. Launch EC2 Instance

1. Navigate to the EC2 Dashboard and click Launch Instance.

   

2. Name your instance and select Ubuntu 22.04 or later with 64-bit architecture.

   

3. For instance type, we recommend t3.large. You can find EC2 on-demand pricing here: EC2 Instance On-Demand Pricing. Also, create a key pair or select a pre-existing one as you will need it to SSH into the instance later.

   

4. Under Network settings, click Edit.

   

5. First, verify that the listed VPC is the same one that you selected for the load balancer. Also, verify that the pre-selected subnet is one of the two that you selected earlier for the load balancer as well. If either is incorrect, make the necessary changes. If you are using private subnets because your load balancer is internal, you do not need to auto-assign a public IP. However, if you chose internet-facing, you may need to associate a public IP address with your instance so you can SSH into it from your local machine.

   

6. Under Firewall (security groups), we recommend that you name the security group but this is optional. After naming the security security group, click the button *Add security group rule** 3 times to create 3 additional rules.

   

7. In the first new rule (rule 2), set the port to 3000. Click the Source input box and scroll down until you see the security group that you previously created for the load balancer. Doing this will firewall inbound traffic to port 3000 on the EC2 instance, only allowing inbound traffic from the load balancer that you created earlier. Do the same for rules 3 and 4, using ports 8000 and 8080 respectively.

   
   

8. Scroll to the bottom of the screen and click on Advanced Details.

   

9. In the User data box, paste the following to automate the installation of Docker and docker-compose.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
sudo mkdir ais
cd ais
# install docker
sudo apt-get update
yes Y | sudo apt-get install apt-transport-https ca-certificates curl software-properties-common
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
echo | sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get update
yes Y | sudo apt-get install docker-ce
sudo systemctl status docker --no-pager && echo "Docker status checked"
# install docker-compose
sudo apt-get install -y jq
VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | jq -r .tag_name)
sudo curl -L "https://github.com/docker/compose/releases/download/${VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
sudo systemctl enable docker

10. In the right-hand panel, click Launch instance.

    

4. Register EC2 Instance in Target Groups

1. Navigate back to the EC2 Dashboard and in the left panel, scroll down to Target groups.

   

2. Click on the name of the first listed target group.

   

3. Under Registered targets, click Register targets.

   

4. Under Available instances, you should see the instance that you just created. Check the tick-box next to the instance and click Include as pending below. Once the instance shows in Review targets, click Register pending targets.

   
   

5. Repeat steps 2 - 4 for the remaining 2 target groups.

5. Deploy AIS Platform

1. SSH into the EC2 instance that you created earlier. For assistance, you can navigate to your EC2 instance in the EC2 dashboard and click the Connect button. In the Connect to instance screen, click on SSH client and follow the instructions on the screen.

   

2. Verify that Docker and docker-compose were successfully installed by running the following commands

sudo docker --version
sudo docker-compose --version

You should see something similar to

3. Change directory to the ais directory and download the AIS Platform docker-compose file and the corresponding .env file.

cd \ais
sudo curl -LO https://multiwoven-deployments.s3.amazonaws.com/docker/docker-compose/docker-compose.yaml
sudo curl -LO https://multiwoven-deployments.s3.amazonaws.com/docker/docker-compose/.env.production && sudo mv /ais/.env.production /ais/.env

Verify the downloads

ls -a

You should see the following

4. You will need to edit both files a little before deploying. First open the .env file.

sudo nano .env

There are 3 required changes.

(1) Set the variable VITE_API_HOST so the UI knows to send requests to your API subdomain.

(2) If not present already, add a variable Track and set its value to no.

(3) If not present already, add a variable ALLOWED_HOST. The value for this is dependent on how you selected your subdomains earlier. This variable only allows for a single step down in subdomain so if, for instance, you selected app.mydomain.com, api.mydomain.com and temporal.mydomain.com you would set the value to .mydomain.com.

If you selected app.c1.mydomain.com, api.c1.mydomain.com and temporal.c1.mydomain.com you would set the value to .c1.mydomain.com.

For simplicity, the remaining defaults are fine.

Commands to save and exit nano.
Mac users:

  - to save your changes: Control + S
  - to exit: Control + X

Windows users:

  - to save your changes: Ctrl + O
  - to exit: Ctrl + X

5. Next, open the docker-compose file.

sudo nano docker-compose.yaml

The only changes that you should make here are to the AIS Platform image repositories. After opening the docker-compose file, scroll down to the Multiwoven Services and append -ee to the end of each repostiory and change the tag for each to edge. Before changes

After changes

6. Deploy the AIS Platform. This step requires a private repository access key that you should have received from your AIS point of contact. If you do not have one, please reach out to AIS.

DOCKERHUB_USERNAME="multiwoven"
DOCKERHUB_PASSWORD="YOUR_PRIVATE_ACCESS_TOKEN"
sudo docker login --username $DOCKERHUB_USERNAME --password $DOCKERHUB_PASSWORD
sudo docker-compose up -d

You can use the following command to ensure that none of the containers have exited

sudo docker ps -a

7. Return to your browser and navigate back to the EC2 dashboard. In the left panel, scroll back down to Target groups. Click through each target group and verify that each has the registered instance showing as healthy. This may take a minute or two after starting the containers.

8. Once all target groups are showing your instance as healthy, you can navigate to your browser and enter the subdomain that you selected for the AIS Platform web app to get started!