Routing to AWS EC2 Instances

Gloo allows you to create upstreams from groups of EC2 instances.

Before jumping into the tutorial, let’s become familiar with the EC2 upstream specification.

Sample EC2 Upstream Config

The upstream config below creates an upstream that load balances to all EC2 instances that both match the filter criteria and are available to a user with the credentials provided by the secret.

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: my-ec2-upstream
  namespace: gloo-system
spec:
  upstreamSpec:
    awsEc2:
      filters:
      - key: some-key
      - kvPair:
          key: some-other-key
          value: some-value
      region: us-east-1
      publicIp: true
      secretRef:
        name: my-aws-secret
        namespace: default
      roleArn: arn:aws:iam::123456789012:role/describe-ec2-demo

Key points

Tutorial: Basic Configuration of EC2 Upstreams

Prepare sample resources in AWS

Note: if you already have an EC2 instance you would like to route to and the necessary credentials configured, you can skip to the next section.

Configure an EC2 instance

Create a secret with AWS credentials

Create a role for Gloo to assume on behalf of your upstreams

Create a role
  1. First create a role. In the AWS console:
    • Navigate to IAM > Roles, choose “Create Role”
    • Follow the interactive guide to create a role
    • Choose “AWS account” as the type of trusted entity and provide the 12 digit account id of the account which holds the EC2 instances you want to route to.
  2. Choose or create a policy for the role

Example of a Policy that allows the role to describe EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

Allow your upstream’s user account to list EC2 instances

An example of Trust Relationship follows (many other variants are possible). Add the ARNs of each of the user accounts that you want to allow to assume this role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<ARN of each user account allowed to assume this role>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
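
As an added example (not part of the Gloo documentation), the Python sketch below lints the two documents above before they are attached to the role: it reports any allowed action beyond `ec2:DescribeInstances`, and any trust relationship that names a whole account or an unexpected principal instead of the individual user ARNs. The function names, the sample user ARN and the sample documents are constructed for illustration.

```python
ALLOWED_ACTIONS = {"ec2:describeinstances"}  # IAM action names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permissions(policy):
    """Findings for Allow statements that grant more than ec2:DescribeInstances."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction allows every action except those listed")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:  # also catches "*" and "ec2:*"
                findings.append(f"extra action allowed: {action}")
    return findings

def audit_trust(policy, expected_arns):
    """Findings for principals that may assume the role but are not expected."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append("any AWS principal may assume the role")
            elif arn.endswith(":root") or (arn.isdigit() and len(arn) == 12):
                findings.append(f"whole account trusted: {arn}")
            elif arn not in expected_arns:
                findings.append(f"unexpected principal: {arn}")
    return findings

# Constructed sample data; the user name is hypothetical.
USER = "arn:aws:iam::123456789012:user/gloo-ec2-demo-user"
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": "ec2:DescribeInstances", "Resource": "*"}]}
TRUST_USERS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": "sts:AssumeRole"}]}
TRUST_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(audit_permissions(PERMISSIONS), audit_trust(TRUST_USERS, {USER}))
    print(audit_trust(TRUST_ACCOUNT, {USER}))
```
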

Create an EC2 Upstream

Save the spec to `ec2-demo-upstream.yaml` and use kubectl to create the upstream in Kubernetes.

kubectl apply -f ec2-demo-upstream.yaml

Create a route to your upstream

Now that you have created an upstream, you can route to it as you would with any other upstream.

glooctl add route  \
  --path-exact /echoapp  \
  --dest-name ec2-demo-upstream \
  --prefix-rewrite /

Verify that the route works

export URL="$(glooctl proxy url)"
curl "$URL/echoapp"

You should see the same output as when you queried the EC2 instance directly.


In this tutorial, we created an upstream that allows us to route traffic from our gateway to a set of EC2 instances. We created a single upstream and associated it with a single instance. You can of course create an arbitrary number of upstreams and associate them with an arbitrary number of instances. We reviewed how to prepare your AWS account with a sample instance, role, and policy so as to demonstrate the information Gloo needs to implement a routable EC2 upstream.