💡Note
Step 1. Prepare the tines-tunnel Docker image for upload to AWS ECR
Again, to make things a little easier, we copy the image from Docker Hub into an ECR repository:
aws ecr create-repository --repository-name tines-tunnel
# Replace this with the address of the registry output in the previous command:
REGISTRY=306378194054.dkr.ecr.eu-west-1.amazonaws.com
aws ecr get-login-password --region eu-west-1 | \
docker login --username AWS --password-stdin $REGISTRY
TUNNEL_IMAGE=tines-tunnel:latest
docker pull tines/$TUNNEL_IMAGE
docker tag tines/$TUNNEL_IMAGE $REGISTRY/$TUNNEL_IMAGE
docker push $REGISTRY/$TUNNEL_IMAGEStep 2. Create and upload the .env file to S3
# Replace this with your own unique bucket name:
ENV_FILE_S3_BUCKET=tines-tunnel-env
# Replace this with the name of AWS region you're running Tines in:
AWS_REGION=eu-west-1
aws s3api create-bucket \
--bucket $ENV_FILE_S3_BUCKET \
--region $AWS_REGION \
--create-bucket-configuration "LocationConstraint=$AWS_REGION"
aws s3api put-public-access-block \
--bucket $ENV_FILE_S3_BUCKET \
--public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
cat << EOF > tines-tunnel.env
# Copy this variable from https://<your-tenant>.tines.com/admin/tunnel
# Make sure to remove any quote characters from the value
TINES_TUNNEL_SECRET=...
EOF
aws s3 cp tines-tunnel.env s3://$ENV_FILE_S3_BUCKET/tines-tunnel.envStep 3. Create the IAM roles for running the containers
# This only needs to be create once for an AWS account - if you're already using ECS, you can skip this command:
aws iam create-service-linked-role \
--aws-service-name ecs.amazonaws.com
aws iam create-role \
--role-name tinesTunnelTaskExecutionRole \
--assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" }]}'
aws iam attach-role-policy \
--role-name tinesTunnelTaskExecutionRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
# Replace this with the name of the bucket you created in step B2:
ENV_FILE_S3_BUCKET="tines-tunnel-env"
aws iam put-role-policy \
--role-name tinesTunnelTaskExecutionRole \
--policy-name TinesEnvAccess \
--policy-document '{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::'$ENV_FILE_S3_BUCKET'/tines-tunnel.env"]}, { "Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::'$ENV_FILE_S3_BUCKET'"]}]}'Step 4. Prepare a security group
aws ec2 create-security-group \
--group-name tines-tunnel \
--description "tines-tunnel container security group for the Tines Tunnel application"Step 5. Create the ECS task definitions and cluster
aws logs create-log-group --log-group-name tines-tunnel
# Replace this with the ARN of the role you created in step B3:
EXECUTION_ROLE_ARN=arn:aws:iam::306378194054:role/tinesTunnelTaskExecutionRole
# Replace this with the address of the registry created in step B1:
REGISTRY=306378194054.dkr.ecr.eu-west-1.amazonaws.com
# Replace this with the name of the image you added to the registry in step B1:
IMAGE=tines-tunnel:latest
# Replace this with the name of the bucket you created in step B2:
ENV_FILE_S3_BUCKET=tines-tunnel-env
# Replace this with the name of AWS region you're running Tines in:
AWS_REGION=eu-west-1
aws ecs register-task-definition \
--family "tines-tunnel" \
--memory 2048 \
--network-mode awsvpc \
--cpu 1024 \
--execution-role-arn $EXECUTION_ROLE_ARN \
--container-definitions '[{"name": "tines-tunnel", "image": "'$REGISTRY'/'$IMAGE'", "environmentFiles": [{"value": "arn:aws:s3:::'$ENV_FILE_S3_BUCKET'/tines-tunnel.env", "type": "s3"}], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "tines-tunnel", "awslogs-region": "'$AWS_REGION'", "awslogs-stream-prefix": "tines" }}}]'
aws ecs create-cluster --cluster-name tines-tunnelStep 6. Start the service
# Replace these with the IDs of two subnets from your VPC:
SUBNET_IDS=subnet-606e7706,subnet-bd5bb2f6
# Replace this with the ID of the tines-tunnel security group created above:
SECURITY_GROUP_ID=sg-01eb5f237d80b8458
aws ecs create-service \
--cluster tines-tunnel \
--service-name tines-tunnel \
--task-definition tines-tunnel:1 \
--desired-count 1 \
--launch-type "FARGATE" \
--network-configuration "awsvpcConfiguration={subnets=[$SUBNET_IDS],securityGroups=[$SECURITY_GROUP_ID],assignPublicIp=ENABLED}"Automatic Restarts with AWS Fargate
Note: When you deploy the Tines Tunnel using an ECS Service on AWS Fargate (as described above), the service will automatically ensure that the tunnel container is always running. If the container or underlying infrastructure stops or restarts for any reason, ECS will automatically launch a new instance to maintain the desired count. No additional configuration is required for automatic restarts, this is handled by the ECS Service itself.