Add a python project about Route 53 Failover Record with Health Check that resolve #789 (#1053)

junsjang · Kihoon Kown · naxxster · web-flow · commit 228810aea652 · 2024-08-03T17:39:07.000-05:00
* route53 failover record

* Reorganized stack structure

* Adding alias record based health check for failover record

* Changed container image of sample workload from personal sample app to managed sample app

* Changed personal information to example information

* Updated README file

* Added instruction to use pre-made Route 53 HostedZone

* Fixed the code to be deployed without previous resources.

Extracted hosted zone and pass it as parameter to health check stacks
example.com is reserved.
Changes domain name to different name

* Updated architecture diagram

Move the email icon to outside of the region
Added CloudWatch metrics that make alarm

---------

Co-authored-by: Kihoon Kown &lt;kihoonk@amazon.com&gt;
Co-authored-by: Junseong Jang &lt;junsjang@amazon.com&gt;
Co-authored-by: Michael Kaiser &lt;mjkaiser@gmail.com&gt;
diff --git a/python/route53-failover/README.md b/python/route53-failover/README.md
@@ -0,0 +1,32 @@
+# CDK Failover DNS with Route 53 Health Check
+
+This sample project demonstrates how to create a Failover DNS record in Route 53 using a CDK application. It leverages the Route 53 Health Check feature to monitor the status of endpoints and automatically fail over to a backup endpoint in case of failure. Additionally, it configures SNS notifications to alert administrators when a failover event occurs, ensuring prompt awareness and response.
+
+## Architecture
+
+The architecture of this solution is illustrated in the following diagram:
+
+![Architecture Diagram](images/architecture.png)
+
+The key components of the architecture are:
+
+1. **Primary Endpoint**: The main endpoint that serves traffic under normal circumstances.
+2. **Secondary Endpoint**: The backup endpoint that takes over traffic when the primary endpoint fails.
+3. **Route 53 Hosted Zone**: The DNS hosted zone where the Failover DNS record is created.
+4. **Route 53 Health Checks**: Health checks that monitor the availability of the primary and secondary endpoints.
+5. **Route 53 Failover DNS Record**: The DNS record that routes traffic to the primary endpoint by default, but automatically switches to the secondary endpoint when the primary endpoint fails the health check.
+6. **SNS Topic**: The Simple Notification Service (SNS) topic that publishes notifications when a failover event occurs.
+7. **SNS Subscription**: The subscription to the SNS topic, which can be configured to deliver notifications via email or other channels.
+
+## Getting Started
+
+To get started with this project, follow these steps:
+
+1. Clone the repository.
+2. Install the required dependencies using `npm install`.
+3. Configure the necessary AWS credentials and environment variables.
+4. Select a Route 53 HostedZone that can be used for this project.
+5. **Provide the required context values in the `cdk.json` file, including `domain` refering the HostedZone, `email` to get notifications, `primaryRegion`, and `secondaryRegion` to deploy the sample application.**
+6. Deploy the CDK application using `cdk deploy`.
+
+Refer to the project's documentation for more detailed instructions and configuration options.
diff --git a/python/route53-failover/alias_healthcheck_record_stack.py b/python/route53-failover/alias_healthcheck_record_stack.py
@@ -0,0 +1,57 @@
+from constructs import Construct
+from aws_cdk import (
+    Stack,
+    aws_route53 as route53,
+    aws_elasticloadbalancingv2 as elbv2,
+    aws_route53_targets as route53_targets,
+)
+
+class AliasHealthcheckRecordStack(Stack):
+  def __init__(self, scope: Construct, construct_id: str, zone: route53.HostedZone, primaryLoadBalancer: elbv2.ILoadBalancerV2, secondaryLoadBalancer: elbv2.ILoadBalancerV2, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        # primary record
+        primary = route53.ARecord(self, "PrimaryRecordSet",
+            zone = zone,
+            record_name="alias",
+            target = route53.RecordTarget.from_alias(route53_targets.LoadBalancerTarget(primaryLoadBalancer)),
+        )
+        primaryRecordSet = primary.node.default_child
+        primaryRecordSet.failover = "PRIMARY"
+        primaryRecordSet.add_property_override('AliasTarget.EvaluateTargetHealth', True)
+        primaryRecordSet.set_identifier = "Primary"
+
+        # secondary record
+        secondary = route53.ARecord(self, "SecondaryRecordSet",
+            zone = zone,
+            record_name="alias",
+            target= route53.RecordTarget.from_alias(route53_targets.LoadBalancerTarget(secondaryLoadBalancer)),
+        )
+        secondaryRecordSet = secondary.node.default_child
+        secondaryRecordSet.failover = "SECONDARY"
+        secondaryRecordSet.add_property_override('AliasTarget.EvaluateTargetHealth', True)
+        secondaryRecordSet.set_identifier = "Secondary"
+
+        # # cloudwatch metric & alarm to SNS
+        # snsTopic = sns.Topic(self, "AlarmNotificationTopic")
+        # snsTopic.add_subscription(
+        #     EmailSubscription(email_address=email)
+        # )
+
+        # healthCheckMetric = cloudwatch.Metric(
+        #     metric_name="HealthCheckStatus",
+        #     namespace="AWS/Route53",
+        #     statistic="Minimum",
+        #     period=Duration.minutes(1),
+        #     region="us-east-1",
+        #     dimensions_map={
+        #         "HealthCheckId": primaryHealthCheck.attr_health_check_id
+        #     }
+        # )
+        # healthCheckAlarm = healthCheckMetric.create_alarm(self, 'HealthCheckFailureAlarm', 
+        #     evaluation_periods=1,
+        #     threshold=1,
+        #     comparison_operator=cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD
+        # )
+
+        # healthCheckAlarm.add_alarm_action(SnsAction(snsTopic))
diff --git a/python/route53-failover/app.py b/python/route53-failover/app.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+import os
+
+import aws_cdk as cdk
+
+from fargate_app_stack import FargateAppStack
+from hosted_zone_stack import HostedZoneStack
+from healthcheck_alarm_stack import HealthcheckAlarmStack
+from alias_healthcheck_record_stack import AliasHealthcheckRecordStack
+
+app = cdk.App()
+
+domain=app.node.try_get_context('domain')
+email=app.node.try_get_context('email')
+primaryRegion=app.node.try_get_context('primaryRegion')
+secondaryRegion=app.node.try_get_context('secondaryRegion')
+account=os.getenv('CDK_DEFAULT_ACCOUNT')
+region=os.getenv('CDK_DEFAULT_REGION')
+
+# Sample app 1
+app1 = FargateAppStack(app, "PrimaryFargateApp", env=cdk.Environment(
+    account=account,
+    region=primaryRegion
+))
+
+# Sample app 2
+app2 = FargateAppStack(app, "SecondaryFargateApp", env=cdk.Environment(
+    account=account,
+    region=secondaryRegion
+))
+
+# Hosted Zone
+hostedZoneStack = HostedZoneStack(app, "HostedZone", domain=domain, env=cdk.Environment(
+    account=account,
+    region="us-east-1"
+))
+
+HealthcheckAlarmStack(
+    app, "HealthCheckAlarm",
+    zone=hostedZoneStack.zone,
+    primaryLoadBalancer=app1.fargate_service.load_balancer,
+    secondaryLoadBalancer=app2.fargate_service.load_balancer,
+    email=email,
+    env=cdk.Environment(
+        account=account,
+        region="us-east-1"
+    ),
+    cross_region_references=True
+)
+
+AliasHealthcheckRecordStack(
+    app, "AliasHealthCheckRecord",
+    zone=hostedZoneStack.zone,
+    primaryLoadBalancer=app1.fargate_service.load_balancer,
+    secondaryLoadBalancer=app2.fargate_service.load_balancer,
+    env=cdk.Environment(
+        account=account,
+        region="us-east-1"
+    ),
+    cross_region_references=True
+)
+
+app.synth()
diff --git a/python/route53-failover/cdk.json b/python/route53-failover/cdk.json
@@ -0,0 +1,74 @@
+{
+  "app": "python3 app.py",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "requirements*.txt",
+      "source.bat",
+      "**/__init__.py",
+      "**/__pycache__",
+      "tests"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "domain": "aws-cdk-samples.com",
+    "email": "user@aws-cdk-samples.com",
+    "primaryRegion": "us-east-1",
+    "secondaryRegion": "us-west-2"
+  }
+}
diff --git a/python/route53-failover/fargate_app_stack.py b/python/route53-failover/fargate_app_stack.py
@@ -0,0 +1,44 @@
+from aws_cdk import (
+    aws_ec2 as ec2,
+    aws_ecs as ecs,
+    aws_ecs_patterns as ecs_patterns,
+    CfnOutput, Stack
+)
+from constructs import Construct
+
+# Need to Change different app
+class FargateAppStack(Stack):
+
+    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create VPC and Fargate Cluster
+        # NOTE: Limit AZs to avoid reaching resource quotas
+        vpc = ec2.Vpc(
+            self, "MyVpc",
+            max_azs=2
+        )
+
+        cluster = ecs.Cluster(
+            self, 'Ec2Cluster',
+            vpc=vpc
+        )
+
+        self.fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(
+            self, "FargateService",
+            cluster=cluster,
+            task_image_options=ecs_patterns.NetworkLoadBalancedTaskImageOptions(
+                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
+            )
+        )
+
+        self.fargate_service.service.connections.security_groups[0].add_ingress_rule(
+            peer = ec2.Peer.ipv4(vpc.vpc_cidr_block),
+            connection = ec2.Port.tcp(80),
+            description="Allow http inbound from VPC"
+        )
+
+        CfnOutput(
+            self, "LoadBalancerDNS",
+            value=self.fargate_service.load_balancer.load_balancer_dns_name
+        )
diff --git a/python/route53-failover/healthcheck_alarm_stack.py b/python/route53-failover/healthcheck_alarm_stack.py
@@ -0,0 +1,72 @@
+from constructs import Construct
+from aws_cdk import (
+    Stack,
+    Duration,
+    aws_route53 as route53,
+    aws_elasticloadbalancingv2 as elbv2,
+    aws_route53_targets as route53_targets,
+    aws_cloudwatch as cloudwatch,
+    aws_sns as sns
+)
+from aws_cdk.aws_cloudwatch_actions import SnsAction
+from aws_cdk.aws_sns_subscriptions import EmailSubscription
+
+class HealthcheckAlarmStack(Stack):
+  def __init__(self, scope: Construct, construct_id: str, zone: route53.HostedZone, primaryLoadBalancer: elbv2.ILoadBalancerV2, secondaryLoadBalancer: elbv2.ILoadBalancerV2, email: str, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        # primary record
+        primaryHealthCheck = route53.CfnHealthCheck(self, "DNSPrimaryHealthCheck", health_check_config=route53.CfnHealthCheck.HealthCheckConfigProperty(
+            fully_qualified_domain_name=primaryLoadBalancer.load_balancer_dns_name,
+            type="HTTP",
+            port=80
+        ))
+        primary = route53.ARecord(self, "PrimaryRecordSet",
+            zone = zone,
+            record_name="failover",
+            target = route53.RecordTarget.from_alias(route53_targets.LoadBalancerTarget(primaryLoadBalancer)),
+        )
+        primaryRecordSet = primary.node.default_child
+        primaryRecordSet.failover = "PRIMARY"
+        primaryRecordSet.health_check_id = primaryHealthCheck.attr_health_check_id
+        primaryRecordSet.set_identifier = "Primary"
+
+        # secondary record
+        secondaryHealthCheck = route53.CfnHealthCheck(self, "DNSSecondaryHealthCheck", health_check_config=route53.CfnHealthCheck.HealthCheckConfigProperty(
+            fully_qualified_domain_name=secondaryLoadBalancer.load_balancer_dns_name,
+            type="HTTP",
+            port=80,
+        ))
+        secondary = route53.ARecord(self, "SecondaryRecordSet",
+            zone = zone,
+            record_name="failover",
+            target= route53.RecordTarget.from_alias(route53_targets.LoadBalancerTarget(secondaryLoadBalancer)),
+        )
+        secondaryRecordSet = secondary.node.default_child
+        secondaryRecordSet.failover = "SECONDARY"
+        secondaryRecordSet.health_check_id = secondaryHealthCheck.attr_health_check_id
+        secondaryRecordSet.set_identifier = "Secondary"
+
+        # cloudwatch metric & alarm to SNS
+        snsTopic = sns.Topic(self, "AlarmNotificationTopic")
+        snsTopic.add_subscription(
+            EmailSubscription(email_address=email)
+        )
+
+        healthCheckMetric = cloudwatch.Metric(
+            metric_name="HealthCheckStatus",
+            namespace="AWS/Route53",
+            statistic="Minimum",
+            period=Duration.minutes(1),
+            region="us-east-1",
+            dimensions_map={
+                "HealthCheckId": primaryHealthCheck.attr_health_check_id
+            }
+        )
+        healthCheckAlarm = healthCheckMetric.create_alarm(self, 'HealthCheckFailureAlarm', 
+            evaluation_periods=1,
+            threshold=1,
+            comparison_operator=cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD
+        )
+
+        healthCheckAlarm.add_alarm_action(SnsAction(snsTopic))
diff --git a/python/route53-failover/hosted_zone_stack.py b/python/route53-failover/hosted_zone_stack.py
@@ -0,0 +1,14 @@
+from constructs import Construct
+from aws_cdk import (
+    Stack,
+    aws_route53 as route53,
+)
+
+class HostedZoneStack(Stack):
+  def __init__(self, scope: Construct, construct_id: str, domain: str, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        # Test Env
+        self.zone = route53.PublicHostedZone(self, "HostedZone", zone_name=domain)
+        # use below code to use already created hosted zone
+        # self.hostzone = route53.HostedZone.from_lookup(self, "HostedZone", domain_name=domain)
diff --git a/python/route53-failover/images/.gitignore b/python/route53-failover/images/.gitignore
@@ -0,0 +1 @@
+*.drawio.bkp
diff --git a/python/route53-failover/images/architecture.drawio b/python/route53-failover/images/architecture.drawio
diff --git a/python/route53-failover/images/architecture.png b/python/route53-failover/images/architecture.png
diff --git a/python/route53-failover/requirements.txt b/python/route53-failover/requirements.txt
