I wanted to "dip my toes" in the cloud, just get my feet wet, you know?
So I migrated some websites I had on a regular hosting service to an NGINX web server running in a Docker container on theLightSail container service on AWS, with the domains themselves hosted on Google Domains.
Now I can say all that in one (run-on) sentence, sure. But it wasn't that easy! And it's supposed to be a pretty painless way to get into cloud. LightSail containers is basically serverless. And Docker containers themselves are basically serverless.
Let me just say most of the time was spent on research. Everything that follows was pretty much non-intuitive (at least for me) much less tying it all together, so there were just hours of googling.
First I had to figure out Docker. I ended up setting up Docker on a bare metal Linux box (an old Mac Air), and SSH'ing from my current Mac. Then I had to learn enough NGINX to configure multiple websites and host headers (for the domains). Then I had to figure out how to package all that up in a container image.
I wanted to admin the whole thing from a Github repo as well. So I had the website content in there, the web server config, the Dockerfile, and the (shell) script to tear down and build the image. I cloned the repo both to my current Mac (to edit from VsCode) and the Linux Air (to deploy).
I already had an AWS account (basically empty). I figured out an IAM account (you're not supposed to use your actual account for security reasons), provisioning a LightSail container from the web Gui (console), and creating and pulling down the keys needed for programmatic access.
Then I installed the apis (command line tools) for AWS and LightSail on the Air. Finally I was able to fire up my container in the Cloud. Let me tell you I let out a whoop when that NGINX test page came up.
But I wasn't done. I had to get the custom domains working. So I moved them over to Google domains, leaving the DNS pointing to the prior hosting for the time-being. Then I provisioned a LightSail certificate for them all. You can do up to 4 domains in LightSail, though there's a gotcha that I will explain in a minute that I wish somebody had told me about. It is going to haunt me for awhile.
Next I reconfigured Google DNS to point the domains to AWS. That's where I ran into real trouble. And this is probably the point of the article, to explain it so nobody else gets caught. See AWS does not provide static ips for the LightSail container service. You just get a static public endpoint (url), that has a dynamic ip, and the ip changes every time you boot the container, or some similar event. There are static ips in LightSail, but they are only for instances (not containers).
Now that's only half the problem. DNS is designed to require an "A record" for "bare" domains. So that means you literally can't point "example.com" to anything other than an ip. Subdomains can be aliased via a "CNAME" record. But not bare domains. And I couldn't use a subdomain (like "www.example.com") because of the AWS cert limits.
But it turns out this is becoming kind of standard with the cloud. So many DNS providers have hacked a way to make this work (kind of against the DNS standard), by providing a new "ALIAS" (or similar) record for bare domains. But I chose Google domains, which decidedly does not support this.
So to get around all this, I turned to "LightSail domain zones". And here's where the gotcha got me. AWS LightSail supports 4 custom domains, BUT only 3 domain zones. Domain zones are basically AWS DNS for 3 domains, including the custom ALIAS record. So I pointed 3 of my domains to AWS for DNS in Google Domains, and they are hunky-dory. For now I temporarily gave Google Domains DNS the current ip of the public end-point of my container service for the 4th domain, but I know that is going to bite me in the rear with an unexpected outage soon.
I have some options for remediation. I was trying to stay totally within Lightsail, for cost and "dipping my toes" reasons. But I could investigate solving my problem by expanding to other AWS services, such as Route53 (DNS) and ECS (Elastic Container Service). Or I could consider switching the 4th domain onto it's own container on Google Cloud or Azure, to learn those clouds as well. Or I could change the DNS servers for the 4th domain to some other provider, or in 60 days (the minimum required wait time) I could move the domain to another provider. We will see.
No comments:
Post a Comment