[Girder-users] Deploy Girder on AWS with Elastic Beanstalk
Michael Grauer
michael.grauer at kitware.com
Thu Apr 27 10:04:30 EDT 2017
Hi Carlos,
Thanks for sharing this!
I hope you don't mind if I ask you some follow-up questions :) Just trying
to understand your setup and choices in more detail.
I agree that your security setup sounds reasonable, HTTPS to load balancer,
HTTP from load balancer to Girder (though I have more questions on this
below), assuming the instances are not visible to the outside world and
only to the LB via the VPN, and Mongo/Instances talking to each other
inside the same VPN. Out of curiosity (rather than suggesting a policy),
how do you handle ssh, are each of the machines accessible to ssh or do you
have a VPN ssh gateway machine?
When you say load balancer, does that mean Elastic Load Balancer or
something else? I'm confused about how you use Nginx, are you using ELB +
Nginx, and if so how does ELB hand off to Nginx? Where does Nginx live, is
it in a separate Docker container that redirects to the Girder instances?
Thanks,
Mike
On Wed, Apr 26, 2017 at 5:02 PM, Carlos Agüero <caguero at osrfoundation.org>
wrote:
> hi Michael,
>
> Thanks for your reply! Sorry that I didn't follow-up before but I've been
> exploring and partially documenting the process.
>
> I managed to set-up an EC2 machine hosting the Mongo database. Also, I
> configured Elastic Beanstalk with a single Docker container (girder/girder)
> and a load balancer. The instances are running Girder and using the
> external database. I associated an SSL certificate to the load balancer.
> All the connections between the users and load balancer are secured and
> between the load balancer and the instances go though regular HTTP. I think
> this is OK because the load balancer and the instances are within the
> internal VPN that cannot be sniffed. The TSL termination happens on the
> load balancer.
>
> A similar thing occurs with the database instance. The Mongo port (27017)
> is configured with a security rule that allows access only from a machine
> within the same VPN (the Girder instances in this case).
>
> The default EB configuration uses NGINX, that redirects requests to the
> Docker container. I still have an open issue for redirecting the non-https
> requests to https without breaking the health checker monitor that EB uses.
> I've done this in the past but this is the first time that I do it with EB
> + docker.
>
> I'm in the process of documenting the process here:
>
> https://bitbucket.org/osrf/propshop-girder/overview
>
> On Thu, Apr 20, 2017 at 5:01 PM, Michael Grauer <
> michael.grauer at kitware.com> wrote:
>
>> Hi Carlos,
>>
>> Thanks for trying out Girder, I'm glad you appreciate our docs! We've
>> done a number of deployments to AWS, but they've all been EC2 instances.
>> EB is on our roadmap, we'd like to start playing with it over the next
>> couple months, but don't have much concrete to share yet. We'd love for
>> you to keep us informed about your progress, or let us know any stumbling
>> blocks you run into.
>>
>> The plan you describe sounds like what we were going to attempt, put
>> Mongo in a separate EC2 instance, and then have EB bring up Dockerized
>> (seems easiest, and we already have a Docker image in Girder's repo) Girder
>> containers. We normally would put Girder behind Nginx or Apache. Were you
>> going to use ELB for your load balancer, and is that what you normally use
>> for your EB deployments? How to best use ELB + possibly other proxy
>> servers if necessary (e.g., can you set all of the proxy rules in ELB to
>> allow stream notifications? where do you terminate TLS?) + Girder in EB are
>> open questions for us.
>>
>> Let us know if you have more specific questions as well.
>>
>> Thanks,
>> Mike
>>
>>
>>
>> On Thu, Apr 20, 2017 at 7:41 PM, Carlos Agüero <caguero at osrfoundation.org
>> > wrote:
>>
>>> Hello,
>>>
>>> I'm new to Girder and deployed a local instance on my own development
>>> machine without problems following your documentation (nice documentation
>>> by the way!).
>>>
>>> I'd like to deploy another Girder instance on AWS and I've read the
>>> "Deploy" section of the Administrator documentation. It seems to cover a
>>> few options but none of them is AWS.
>>>
>>> I normally use Elastic Beanstalk (EB) that allows you to configure a
>>> load balancer that will spin up machines depending on the server demand.
>>> This model seems compatible with Girder as long as the database is deployed
>>> in a separate machine separated from the servers, to make sure that there's
>>> only one machine running the database.
>>>
>>> Does anyone have experience, documentation or suggestions deploying
>>> Girder on AWS with EB?
>>>
>>> Thanks!
>>> Carlos
>>>
>>>
>>>
>>> _______________________________________________
>>> Girder-users mailing list
>>> Girder-users at public.kitware.com
>>> http://public.kitware.com/mailman/listinfo/girder-users
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://public.kitware.com/pipermail/girder-users/attachments/20170427/ba5f4031/attachment.html>
More information about the Girder-users
mailing list