AWS Copilot v1.19: Internal Load Balancers, Subnet Placement Specification, and more
Posted On: Jun 13, 2022
The AWS Copilot core team is excited to announce the v1.19 release! Special thanks to @gautam-nutalapati and @jonstacks, who contributed to this release. Our public community chat is growing and has nearly 300 people online, who help each other daily. Thanks to every one of you who shows love and support for AWS Copilot.
Copilot v1.19 brings brand-new features and several improvements:
- Load Balancing for Backend Services: You can now add an Application Load Balancer that is internal (as opposed to 'internet-facing', like those created for Load Balanced Web Services). See detailed section.
- Subnet Placement Specification: You now have even finer-grained control over where your ECS tasks are launched. Beyond public and private subnet placement, you can now tell Copilot specific subnets. Simply add the IDs of the desired subnets to your workload manifest.

      # in copilot/{service name}/manifest.yml
      network:
        vpc:
          placement:
            subnets: ["SubnetID1", "SubnetID2"]

- Hosted Zones–A Record Management: You can now list, along with aliases, the IDs of hosted zones in your service manifest. Copilot will handle the insertion of A records upon deployment to an environment with imported certificates. (#3608, #3643)

      # single alias and hosted zone
      http:
        alias: example.com
        hosted_zone: HostedZoneID1

      # multiple aliases that share a hosted zone
      http:
        alias: ["example.com", "www.example.com"]
        hosted_zone: HostedZoneID1

      # multiple aliases, some of which use the top-level hosted zone
      http:
        hosted_zone: HostedZoneID1
        alias:
          - name: example.com
          - name: www.example.com
          - name: something-different.com
            hosted_zone: HostedZoneID2

- Access to Created Private Route Tables: Copilot now exports private route table IDs from CloudFormation environment stacks. Use them to create VPC gateway endpoints with addons. (#3611)
- port for Target Group Health Checks: With the new port field, you can configure a non-default port for health checks, one different than that for requests from the load balancer. (#3548)

      http:
        path: '/'
        healthcheck:
          port: 8080

- Bug fixes:
There are no breaking changes in this release.
What’s AWS Copilot?
The AWS Copilot CLI is a tool for developers to build, release, and operate production ready containerized applications on AWS. From getting started, pushing to staging, and releasing to production, Copilot can help manage the entire lifecycle of your application development. At the foundation of Copilot is AWS CloudFormation, which enables you to provision infrastructure as code in a single operation. Copilot provides pre-defined CloudFormation templates and user-friendly workflows for different types of micro services creation and operation, enabling you to focus on developing your application, instead of writing deployment scripts.
See the section Overview for a more detailed introduction to AWS Copilot.
Internal Load Balancers
Contributed by Janice Huang and Danny Randall
By configuring a few things when you initiate your Copilot environment and workload, you can now create an internal load balancer, whose nodes have only private IP addresses.
The internal load balancer is an environment-level resource, to be shared among other permitted services. When you run copilot env init, you can import some specific resources to support the ALB. For services with https capability, use the --import-cert-arns flag to import the ARNs of your existing private certificates. For now, Copilot will associate imported certs with an internal ALB only if the environment's VPC has no public subnets, so import only private subnets. If you'd like your ALB to receive ingress traffic within the environment VPC, use the --internal-alb-allow-vpc-ingress flag; otherwise, by default, access to the internal ALB will be limited to only Copilot-created services within the environment.
The only service type that you can place behind an internal load balancer is a Backend Service. To tell Copilot to generate an internal ALB in the environment in which you deploy this service, add the http field to your Backend Service's workload manifest:

    # in copilot/{service name}/manifest.yml
    http:
      path: '/'
      # for https
      alias: example.aws
      hosted_zone: Z0873220N255IR3MTNR4
    network:
      vpc:
        placement: private

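A check you might run after deployment, as an added example (not code from the Copilot project): it audits data shaped like the output of `aws elbv2 describe-load-balancers` and `aws ec2 describe-security-groups` to confirm that the load balancer's scheme is internal and that no ingress rule admits a source outside the VPC CIDR. The function name audit_internal_alb and every sample ID, name and CIDR are constructed, and because the page does not say how Copilot writes its ingress rules, the code only reports what it finds.

```python
import ipaddress

# Constructed sample data in the shape returned by
# `aws elbv2 describe-load-balancers` and `aws ec2 describe-security-groups`.
# Every ID, name and CIDR below is a placeholder, not a value from a real account.
VPC_CIDR = "10.0.0.0/16"
LOAD_BALANCER = {
    "LoadBalancerName": "demo-internal-alb",
    "Scheme": "internal",
    "SecurityGroups": ["sg-alb"],
}
SECURITY_GROUPS = [{
    "GroupId": "sg-alb",
    "IpPermissions": [
        # ingress that references another security group
        {"FromPort": 443, "ToPort": 443, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-env"}]},
        # ingress from a CIDR inside the VPC
        {"FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}]


def audit_internal_alb(lb, security_groups, vpc_cidr):
    """Return findings; an empty list means no source outside the VPC CIDR was found."""
    findings = []
    if lb.get("Scheme") != "internal":
        findings.append(f"scheme is {lb.get('Scheme')!r}, expected 'internal'")
    vpc = ipaddress.ip_network(vpc_cidr)
    attached = set(lb.get("SecurityGroups", []))
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue  # not attached to this load balancer
        for perm in sg.get("IpPermissions", []):
            ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if not net.subnet_of(vpc):
                    findings.append(f"{sg['GroupId']} ports {ports}: {net} is outside {vpc}")
            # This sketch treats the VPC as IPv4-only, so any IPv6 source is reported.
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{sg['GroupId']} ports {ports}: IPv6 source {rng['CidrIpv6']}")
    return findings


if __name__ == "__main__":
    for line in audit_internal_alb(LOAD_BALANCER, SECURITY_GROUPS, VPC_CIDR) or ["ok"]:
        print(line)
```
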
What’s next?
Download the new Copilot CLI version by following the link below and leave your feedback on GitHub or our Community Chat:
- Download the latest CLI version
- Try our Getting Started Guide
- Read full release notes on GitHub