The latest articles on Forem by Niko Kiirala (@nikokiirala). https://forem.com/nikokiirala https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2374087%2F493fb2db-1078-45cf-a5d7-21e2150b2ecd.jpg https://forem.com/nikokiirala en Niko Kiirala Thu, 12 Dec 2024 12:15:27 +0000 https://forem.com/nikokiirala/nating-on-the-cheap-on-aws-2ln3 https://forem.com/nikokiirala/nating-on-the-cheap-on-aws-2ln3 <p>Let's consider this case: you have something running in AWS and that something needs occasional access to public internet. You can either give that something public IP addresses or there needs to be a NAT between your private network and the public internet. Let's consider this second case, setting up a NAT. </p> <p>In my use case, specifically, I'm running an EC2 instance that has a small web server on it. I also have a CodePipeline + CodeBuild setup that builds and deploys a new version of the server whenever the production branch in the Git repo is pushed to. This CodePipeline + CodeBuild setup is excellently suited for running in a private network as there's no point in having it visible from the public internet. It does, however, need to fetch stuff from the public internet - get dependencies from package repositories and such. Thus I need to have a NAT gateway, but I have no need for all the bells and whistles of AWS-provided NAT gateways. Not to mention, I have just a small budget as well.</p> <p>Let me be clear on one thing from the get-go: AWS-provided <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html" rel="noopener noreferrer">NAT gateways</a> work great. Fast, stable, simple to use - all sorts of things you'd want for production infrastructure. Also I'd like to give a shout-out to <a href="https://github.com/chime/terraform-aws-alternat" rel="noopener noreferrer">alterNAT</a> that is a production-grade replacement for NAT gateways, and from whom I've copied bits and pieces for my version.</p> <p>In case you have some testing environment, low-usage servers or such, a NAT gateway can get costly. The gateway has a base fee, a per-gigabyte fee for traffic and you need to pay for a public IP, too. These can easily end up costing more than the rest of your usage - especially so if you qualify for and use free tier services.</p> <p>If you're already running an EC2 instance with a public IP, it's possible to set up a NAT for no cost. Running a low-spec EC2 instance just for this purpose is fairly cheap, too. The solution is a <a href="https://docs.aws.amazon.com/vpc/latest/userguide/work-with-nat-instances.html" rel="noopener noreferrer">NAT instance</a>. </p> <h2> Set up the EC2 instance </h2> <p>You can use an EC2 instance you already have or set up a new one just for the purpose. This instance needs three important settings:</p> <ol> <li>A public IP address: the NAT gateway needs to be in a public subnet, with an Internet Gateway attached, and it needs to have a public IP address. All traffic from your internal subnets will appear to originate from this IP.</li> <li>Source/destination check disabled: by default, EC2 instances can only see their own traffic. Incoming traffic where the target IP is not one of the instance's own IPs is filtered out, as is outgoing traffic where source IP doesn't belong to the instance. However, when the instance is doing routing, we need it to do both, so we need to disable the check.</li> <li>User data blob: this contains the necessary instructions to set up the NAT functionality at every boot. The user data blob gets processed by <a href="https://cloudinit.readthedocs.io/en/latest/index.html" rel="noopener noreferrer">cloud-init</a> that's active by default in the Amazon Linux 2023 AMI that I'm using.</li> </ol> <p>I'll be using Terraform to set up my instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"arm64-ecs"</span> <span class="p">{</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">name_regex</span> <span class="p">=</span> <span class="s2">"^al2023-ami-ecs"</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"architecture"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arm64"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"arm64_machine"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">arm64-ecs</span><span class="p">.</span><span class="nx">image_id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t4g.small"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">machine_profile</span><span class="p">.</span><span class="nx">name</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">machine_access</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ecs_on_ec2</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">source_dest_check</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">instance_cloudconfig</span> <span class="nx">user_data_replace_on_change</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">service_name</span><span class="k">}</span><span class="s2">-arm64"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The three important bits described above are already visible in this code snippet:</p> <ol> <li><code>associate_public_ip_address = true</code></li> <li><code>source_dest_check = false</code></li> <li><code>user_data = local.instance_cloudconfig</code></li> </ol> <h2> User data blob </h2> <p>I could build a new AMI that has the necessary bits and pieces to set up the instance to perform NAT at every boot. That's a fairly heavy process, though, so instead of that I'm using <em>user data</em> to drop a small script and a few configuration files to the instance at boot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">instance_cloudconfig_data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">write_files</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/var/lib/cloud/scripts/per-boot/tinynat.sh"</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0744"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"root:root"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"initscript/tinynat.sh"</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/etc/tinynat.conf"</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0644"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"root:root"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"initscript/tinynat.conf"</span><span class="p">)</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/etc/tinynat-route-table-ids.csv"</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0644"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"root:root"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/etc/tinynat-private-nets.csv"</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0644"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"root:root"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">","</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">cidr_block</span><span class="p">)</span> <span class="p">},</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">instance_cloudconfig</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">END</span><span class="sh"> #cloud-config ${jsonencode(local.instance_cloudconfig_data)} </span><span class="no"> END </span><span class="p">}</span> </code></pre> </div> <p>The <code>instance_cloudconfig_data</code> is a Terraform object, containing <a href="https://cloudinit.readthedocs.io/en/latest/index.html" rel="noopener noreferrer">cloud-init</a> instructions. Here, we drop four files in the file system: the setup script, a config file containing IDs of route tables belonging to private networks (likely just one ID), a config file containing IP address ranges of private networks that should get routed and finally a third config file that tells where to find the two other config files.</p> <p>The setup script is stored under <code>/var/lib/cloud/scripts/per-boot</code> so that it runs every time the instance is booted up. It's making iptables changes that are not persisted across power cycles, so it needs to get run at every boot.</p> <p>This script, <code>initscript/tinynat.sh</code> is as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Based on alterNAT</span> <span class="c"># https://github.com/chime/terraform-aws-alternat/blob/main/scripts/alternat.sh</span> <span class="c"># Send output to a file and to the console</span> <span class="c"># Credit to the alestic blog for this one-liner</span> <span class="c"># https://alestic.com/2010/12/ec2-user-data-output/</span> <span class="nb">exec</span> <span class="o">&gt;</span> <span class="o">&gt;(</span><span class="nb">tee</span> /var/log/alternat.log|logger <span class="nt">-t</span> user-data <span class="nt">-s</span> 2&gt;/dev/console<span class="o">)</span> 2&gt;&amp;1 <span class="nb">shopt</span> <span class="nt">-s</span> expand_aliases panic<span class="o">()</span> <span class="o">{</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"tinyNAT setup failed"</span> <span class="nb">exit </span>1 <span class="o">}</span> load_config<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="nb">.</span> <span class="s2">"</span><span class="nv">$CONFIG_FILE</span><span class="s2">"</span> <span class="k">else </span>panic <span class="s2">"Config file </span><span class="nv">$CONFIG_FILE</span><span class="s2"> not found"</span> <span class="k">fi </span>validate_var <span class="s2">"route_table_ids_csv"</span> <span class="s2">"</span><span class="nv">$route_table_ids_csv</span><span class="s2">"</span> validate_var <span class="s2">"private_net_cidr_ranges"</span> <span class="s2">"</span><span class="nv">$private_net_cidr_ranges</span><span class="s2">"</span> <span class="o">}</span> validate_var<span class="o">()</span> <span class="o">{</span> <span class="nv">var_name</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">var_val</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Config var </span><span class="se">\"</span><span class="nv">$var_name</span><span class="se">\"</span><span class="s2"> is unset"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="o">}</span> <span class="c"># configure_nat() sets up Linux to act as a NAT device.</span> <span class="c"># See https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#NATInstance</span> configure_nat<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Beginning NAT configuration"</span> <span class="nb">local </span><span class="nv">adapter</span><span class="o">=</span>ens5 <span class="nb">echo</span> <span class="s2">"Configuration before enabling NAT:"</span> sysctl net.ipv4.ip_forward net.ipv4.conf.<span class="k">${</span><span class="nv">adapter</span><span class="k">}</span>.send_redirects net.ipv4.ip_local_port_range <span class="nb">echo</span> <span class="s2">"iptables default"</span> iptables <span class="nt">-n</span> <span class="nt">-v</span> <span class="nt">-L</span> <span class="nb">echo</span> <span class="s2">"iptables NAT"</span> iptables <span class="nt">-n</span> <span class="nt">-v</span> <span class="nt">-t</span> nat <span class="nt">-L</span> <span class="nb">echo</span> <span class="s2">"Enabling NAT..."</span> <span class="nv">IFS</span><span class="o">=</span><span class="s1">','</span> <span class="nb">read</span> <span class="nt">-r</span> <span class="nt">-a</span> vpc_cidrs &lt; <span class="s2">"</span><span class="k">${</span><span class="nv">private_net_cidr_ranges</span><span class="k">}</span><span class="s2">"</span> <span class="k">for </span>cidr <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">vpc_cidrs</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"Adding routing for private network </span><span class="k">${</span><span class="nv">cidr</span><span class="k">}</span><span class="s2">"</span> <span class="o">(</span>iptables <span class="nt">-t</span> nat <span class="nt">-C</span> POSTROUTING <span class="nt">-o</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-s</span> <span class="s2">"</span><span class="nv">$cidr</span><span class="s2">"</span> <span class="nt">-j</span> MASQUERADE 2&gt;/dev/null <span class="o">||</span> iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-o</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-s</span> <span class="s2">"</span><span class="nv">$cidr</span><span class="s2">"</span> <span class="nt">-j</span> MASQUERADE<span class="o">)</span> <span class="o">||</span> panic <span class="k">done </span>iptables <span class="nt">-N</span> DOCKER-USER iptables <span class="nt">-C</span> DOCKER-USER <span class="nt">-i</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-o</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-j</span> ACCEPT 2&gt;/dev/null <span class="o">||</span> iptables <span class="nt">-I</span> DOCKER-USER <span class="nt">-i</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-o</span> <span class="k">${</span><span class="nv">adapter</span><span class="k">}</span> <span class="nt">-j</span> ACCEPT <span class="o">||</span> panic iptables <span class="nt">-n</span> <span class="nt">-v</span> <span class="nt">-L</span> DOCKER-USER iptables <span class="nt">-n</span> <span class="nt">-v</span> <span class="nt">-t</span> nat <span class="nt">-L</span> POSTROUTING <span class="nb">echo</span> <span class="s2">"NAT configuration complete"</span> <span class="o">}</span> <span class="c"># First try to replace an existing route</span> <span class="c"># If no route exists already (e.g. first time set up) then create the route.</span> configure_route_table<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Configuring route tables"</span> <span class="nv">IFS</span><span class="o">=</span><span class="s1">','</span> <span class="nb">read</span> <span class="nt">-r</span> <span class="nt">-a</span> route_table_ids &lt; <span class="s2">"</span><span class="k">${</span><span class="nv">route_table_ids_csv</span><span class="k">}</span><span class="s2">"</span> <span class="k">for </span>route_table_id <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">route_table_ids</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"Attempting to find route table </span><span class="nv">$route_table_id</span><span class="s2">"</span> <span class="nb">local </span><span class="nv">rtb_id</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-route-tables <span class="nt">--filters</span> <span class="nv">Name</span><span class="o">=</span>route-table-id,Values<span class="o">=</span><span class="k">${</span><span class="nv">route_table_id</span><span class="k">}</span> <span class="nt">--query</span> <span class="s1">'RouteTables[0].RouteTableId'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'"'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>panic <span class="s2">"Unable to find route table </span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"Found route table </span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Replacing route to 0.0.0.0/0 for </span><span class="nv">$rtb_id</span><span class="s2">"</span> aws ec2 replace-route <span class="nt">--route-table-id</span> <span class="s2">"</span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="nt">--instance-id</span> <span class="s2">"</span><span class="nv">$INSTANCE_ID</span><span class="s2">"</span> <span class="nt">--destination-cidr-block</span> 0.0.0.0/0 <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Successfully replaced route to 0.0.0.0/0 via instance </span><span class="nv">$INSTANCE_ID</span><span class="s2"> for route table </span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="k">continue fi </span><span class="nb">echo</span> <span class="s2">"Unable to replace route. Attempting to create route"</span> aws ec2 create-route <span class="nt">--route-table-id</span> <span class="s2">"</span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="nt">--instance-id</span> <span class="s2">"</span><span class="nv">$INSTANCE_ID</span><span class="s2">"</span> <span class="nt">--destination-cidr-block</span> 0.0.0.0/0 <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Successfully created route to 0.0.0.0/0 via instance </span><span class="nv">$INSTANCE_ID</span><span class="s2"> for route table </span><span class="nv">$rtb_id</span><span class="s2">"</span> <span class="k">else </span>panic <span class="s2">"Unable to replace or create the route!"</span> <span class="k">fi done</span> <span class="o">}</span> <span class="c"># tinynatconfig file containing inputs needed for initialization</span> <span class="nv">CONFIG_FILE</span><span class="o">=</span><span class="s2">"/etc/tinynat.conf"</span> load_config <span class="nv">curl_cmd</span><span class="o">=</span><span class="s2">"curl --silent --fail"</span> <span class="nb">echo</span> <span class="s2">"Requesting IMDSv2 token"</span> <span class="nv">token</span><span class="o">=</span><span class="si">$(</span><span class="nv">$curl_cmd</span> <span class="nt">-X</span> PUT <span class="s2">"http://169.254.169.254/latest/api/token"</span> <span class="nt">-H</span> <span class="s2">"X-aws-ec2-metadata-token-ttl-seconds: 900"</span><span class="si">)</span> <span class="nb">alias </span><span class="nv">CURL_WITH_TOKEN</span><span class="o">=</span><span class="s2">"</span><span class="nv">$curl_cmd</span><span class="s2"> -H </span><span class="se">\"</span><span class="s2">X-aws-ec2-metadata-token: </span><span class="nv">$token</span><span class="se">\"</span><span class="s2">"</span> <span class="c"># Set CLI Output to text</span> <span class="nb">export </span><span class="nv">AWS_DEFAULT_OUTPUT</span><span class="o">=</span><span class="s2">"text"</span> <span class="c"># Disable pager output</span> <span class="c"># https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-pagination.html#cli-usage-pagination-clientside</span> <span class="c"># This is not needed in aws cli v1 which is installed on the current version of Amazon Linux 2.</span> <span class="c"># However, it may be needed to prevent breakage if they update to cli v2 in the future.</span> <span class="nb">export </span><span class="nv">AWS_PAGER</span><span class="o">=</span><span class="s2">""</span> <span class="c"># Set Instance Identity URI</span> <span class="nv">II_URI</span><span class="o">=</span><span class="s2">"http://169.254.169.254/latest/dynamic/instance-identity/document"</span> <span class="c"># Retrieve the instance ID</span> <span class="nv">INSTANCE_ID</span><span class="o">=</span><span class="si">$(</span>CURL_WITH_TOKEN <span class="nv">$II_URI</span> | <span class="nb">grep </span>instanceId | <span class="nb">awk</span> <span class="nt">-F</span><span class="se">\"</span> <span class="s1">'{print $4}'</span><span class="si">)</span> <span class="c"># Set region of NAT instance</span> <span class="nb">export </span><span class="nv">AWS_DEFAULT_REGION</span><span class="o">=</span><span class="si">$(</span>CURL_WITH_TOKEN <span class="nv">$II_URI</span> | <span class="nb">grep </span>region | <span class="nb">awk</span> <span class="nt">-F</span><span class="se">\"</span> <span class="s1">'{print $4}'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Beginning self-managed NAT configuration"</span> configure_nat configure_route_table <span class="nb">echo</span> <span class="s2">"Configuration completed successfully!"</span> </code></pre> </div> <p>And the configuration file <code>initscript/tinynat.conf</code> is simple two-line affair.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">route_table_ids_csv</span><span class="o">=</span>/etc/tinynat-route-table-ids.csv <span class="nv">private_net_cidr_ranges</span><span class="o">=</span>/etc/tinynat-private-nets.csv </code></pre> </div> <h2> Permissions setup </h2> <p>The init script reads info about the route table of your internal network and modifies it so that the NAT instance is the default gateway of the internal network. In order for it to do that, the EC2 instance needs an IAM policy that allows those two actions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"tinynat_ec2_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"tinynatDescribeRoutePermissions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DescribeRouteTables"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"tinynatModifyRoutePermissions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateRoute"</span><span class="p">,</span> <span class="s2">"ec2:ReplaceRoute"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">route_table</span> <span class="nx">in</span> <span class="p">[</span><span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="err">:</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2">:route-table/</span><span class="k">${</span><span class="nx">route_table</span><span class="k">}</span><span class="s2">"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"tinynat_ec2"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tinynat-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">tinynat_ec2_policy</span><span class="p">.</span><span class="nx">json</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">machine_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p>You'll also need to verify that your security groups allow instances in your private network to contact the NAT instance, using any protocols and ports they may need for their internet-facing traffic. Also, the NAT instance needs to be allowed to receive such traffic and to send it to public internet. Quite likely, said traffic will be TCP to port 443, aka. HTTPS connections.</p> <h2> Wrap-up </h2> <p>With all this set up, servers in your internal network should now be able to contact the public internet.</p> <p>When viewing the setup through AWS web UI, the resource map of your VPC should show that your private networks are connected to the routing table you specified in <code>local.instance_cloudconfig_data</code>, but it won't show where that table is routing the traffic to. Viewing the route table, you should see a route with destination <code>0.0.0.0/0</code> i.e. the default route with an ENI as its target. Finally, viewing that ENI, under Instance Details there should be a link to your NAT instance.</p> <p>This, I hope, makes running small-time applications and various under AWS more approachable. For me, at least, this approach provided me major cost savings for running a tiny application, since I could make my existing EC2 instance double as a NAT gateway instead of running one separately.</p> aws network devops terraform Niko Kiirala Wed, 27 Nov 2024 09:11:35 +0000 https://forem.com/nikokiirala/compile-protocol-buffers-grpc-to-typescript-with-yarn-54j https://forem.com/nikokiirala/compile-protocol-buffers-grpc-to-typescript-with-yarn-54j <p>Earlier I explored on the high level why one might use Protocol Buffers and gRPC. Now I'll start to go into the details how this is actually implemented.</p> <p>There's a <a href="https://github.com/kiirala/web-grpc" rel="noopener noreferrer">web-grpc repository on GitHub</a> that shows a full example implementation of what I describe in this post.</p> <p>There are various libraries for protobuf and gRPC on web, and they have significant differences. I will use the <a href="https://github.com/stephenh/ts-proto" rel="noopener noreferrer">ts-proto</a> library - this library generates idiomatic Typescript classes at compile time from <code>.proto</code> message definitions, giving a good development experience. You get working autocomplete in IDE, compile-time type checking and reading and writing message fields works like with any other TS object. It also supports both protobuf and JSON wire formats for data. It does not implement gRPC out of the box, but provides support for gRPC-Web proxy connections. For my use case, where I encode <a href="https://cloud.google.com/endpoints/docs/grpc/transcoding" rel="noopener noreferrer">gRPC as HTTP+JSON</a> requests, there's unfortunately no direct support currently.</p> <p>In order to integrate protobuf build into Yarn build pipeline, we'll need multiple parts, and unfortunately many of them are quite non-obvious to set up:</p> <ul> <li>protoc compiler: reads <code>.proto</code> files, and uses plugins to write implementations for them in various languages</li> <li>protoc plugin for Typescript: included in the <code>ts-proto</code> library, creates Typescript class definitions and encoding/decoding methods for them</li> <li>Protocol Buffers common types, distributed as a large collection of <code>.proto</code> files</li> <li>Compilation script to call <code>protoc</code> with the right parameters, paths, etc.</li> </ul> <h2> protoc compiler </h2> <p>The <code>protoc</code> compiler can be installed <a href="https://grpc.io/docs/protoc-installation/" rel="noopener noreferrer">by various means</a>. I am going to use the <a href="https://www.npmjs.com/package/grpc-tools" rel="noopener noreferrer">grpc-tools</a> NPM package - a method not included in the official documents - since that allows building the packages with Yarn without installing additional software. The downside of this is limiting the platforms where the build can be done: ARM processors are not supported, Linux builds must be done on glibc-based distros and likely other similar limitations.</p> <h2> Protocol Buffer common types </h2> <p>Common types extend what can be described in protocol buffer messages. Some of the types, such as types for dates and times, are distributed with the compiler. Vast majority of the types are, however, distributed separately. Most importantly, we'll need the <code>google.api.http</code> type that is used to describe the gRPC to HTTP+JSON mapping.</p> <p>There are again many ways to get the common types. They can be copied into your codebase next to your own <code>.proto</code> files. They can be linked as a submodule to your Git repository. I prefer not to pull this kind of dependencies to my codebase, however, so I'm using the <a href="https://www.npmjs.com/package/google-proto-files" rel="noopener noreferrer">google-proto-files</a> NPM package.</p> <h2> Compilation script </h2> <p>It's time to put the compilation script together. The script will need to locate the <code>protoc</code> binary, the Typescript plugin, the common type files and your own <code>.proto</code> files on disk and to call the <code>protoc</code> binary with the correct parameters.</p> <p>When using Yarn with the <a href="https://yarnpkg.com/features/pnp" rel="noopener noreferrer">PnP</a> mode of installing packages, we need special considerations. Usually Yarn in PnP mode installs packages as <code>.zip</code> files instead of populating a massive <code>node_modules</code> directory. However, running a binary from inside a <code>.zip</code> file is non-trivial and even if we'd manage that, the <code>protoc</code> binary would not know how to load a plugin or <code>.proto</code> files from inside a <code>.zip</code> file. To support such cases, Yarn allows installing packages in unplugged mode, where the contents of single packages are extracted as ordinary files on disk.</p> <p>Some packages define unplugged mode by default, for example <a href="https://www.npmjs.com/package/grpc-tools" rel="noopener noreferrer">grpc-tools</a>, but all packages might not. Either they haven't been written with PnP in mind, or their main use case might not require unplugging. To unplug these, we can add a <code>dependenciesMeta</code> section to our <code>package.json</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"dependenciesMeta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"google-proto-files@4.2.0"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"unplugged"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ts-proto@2.4.0"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"unplugged"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Note that the packages in <code>dependenciesMeta</code> are specifies with their exact version number. This number needs to match whichever version is actually installed, so I would highly recommend editing <code>devDependencies</code> section that these packages are imported by their exact version number, too. For example, the dependency should be <code>"ts-proto": "2.4.0",</code> instead of the default format <code>"ts-proto": "^2.4.0",</code> - note the caret in the latter one.</p> <p>With the dependencies installed and unplugged, we can create a Node program to locate the various pieces and run the <code>protoc</code> program with correct parameters. The full version of this script is <a href="https://github.com/kiirala/web-grpc/blob/main/web-client/bin/build-proto.js" rel="noopener noreferrer">build-proto.js (GitHub)</a></p> <p>In this script we can import the <code>pnp</code> module to locate any dependencies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">pnp</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../.pnp.cjs</span><span class="dl">'</span><span class="p">;</span> <span class="nx">pnp</span><span class="p">.</span><span class="nf">setup</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">selfName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">protocPath</span> <span class="o">=</span> <span class="nx">pnp</span><span class="p">.</span><span class="nf">resolveRequest</span><span class="p">(</span><span class="dl">'</span><span class="s1">grpc-tools/bin/protoc</span><span class="dl">'</span><span class="p">,</span> <span class="nx">selfName</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tsExtension</span> <span class="o">=</span> <span class="nx">pnp</span><span class="p">.</span><span class="nf">resolveRequest</span><span class="p">(</span><span class="dl">'</span><span class="s1">ts-proto/protoc-gen-ts_proto</span><span class="dl">'</span><span class="p">,</span> <span class="nx">selfName</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">protoLibsPath</span> <span class="o">=</span> <span class="nx">pnp</span><span class="p">.</span><span class="nf">resolveToUnqualified</span><span class="p">(</span><span class="dl">'</span><span class="s1">google-proto-files</span><span class="dl">'</span><span class="p">,</span> <span class="nx">selfName</span><span class="p">);</span> </code></pre> </div> <p>These functions are further described in the <a href="https://yarnpkg.com/advanced/pnpapi" rel="noopener noreferrer">PnP API documentation</a>. Importantly here, <code>resolveRequest</code> locates a specific file inside a package, whereas <code>resolveToUnqualified</code> can locate directories, like the root directory of a package here. We also could use <code>import pnp from 'pnpapi'</code> as described in the documentation, but then this script could only be run through <code>yarn node bin/build-proto.js</code>. As a flip side, when importing the <code>.pnp.cjs</code> directly, we need to be explicit about where the build script is located compared to the package root directory.</p> <p>Before invoking the compiler, we still need to locate the <code>.proto</code> files to compile. Here, the code is written with the assumption that the files are all located in a single directory and the directory name is passed as a command line argument to the script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:path</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">readdir</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:fs/promises</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">protoDir</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">protoFiles</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nf">readdir</span><span class="p">(</span><span class="nx">protoDir</span><span class="p">))</span> <span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">x</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">x</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">.proto</span><span class="dl">'</span><span class="p">))</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">x</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">protoDir</span><span class="p">,</span> <span class="nx">x</span><span class="p">).</span><span class="nf">replaceAll</span><span class="p">(</span><span class="dl">'</span><span class="se">\\</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>As an improvement, it would be useful to change this so that it recurses into any subdirectories and locates any <code>.proto</code> files in those, too.</p> <p>Finally, the script invokes <code>protoc</code> with parameters derived from these.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">outputDir</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">src/proto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">args</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">`--plugin=</span><span class="p">${</span><span class="nx">tsExtension</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`--ts_proto_out=</span><span class="p">${</span><span class="nx">outputDir</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">--ts_proto_opt=esModuleInterop=true</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`--proto_path=</span><span class="p">${</span><span class="nx">protoDir</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="s2">`--proto_path=</span><span class="p">${</span><span class="nx">protoLibsPath</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">...</span><span class="nx">protoFiles</span><span class="p">,</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">protoc</span> <span class="o">=</span> <span class="nf">spawn</span><span class="p">(</span><span class="nx">protocPath</span><span class="p">,</span> <span class="nx">args</span><span class="p">);</span> <span class="nx">protoc</span><span class="p">.</span><span class="nx">stdout</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`stdout: </span><span class="p">${</span><span class="nx">data</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">protoc</span><span class="p">.</span><span class="nx">stderr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`stderr: </span><span class="p">${</span><span class="nx">data</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">protoc</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`child process exited with code </span><span class="p">${</span><span class="nx">code</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Now we have the ability to run the compilation manually. In order to run it automatically whenever the package is installed, we can use the <a href="https://dev.toyarn-plugin-after-install">https://github.com/mhassan1/yarn-plugin-after-install</a> plugin for Yarn. This plugin can be installed by calling <code>yarn plugin import</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>yarn plugin import https://raw.githubusercontent.com/mhassan1/yarn-plugin-after-install/v0.6.0/bundles/@yarnpkg/plugin-after-install.js </code></pre> </div> <p>When installed, we can add a <code>afterInstall</code> clause to <code>.yarnrc.yml</code> configuration file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">afterInstall</span><span class="pi">:</span> <span class="s">yarn node bin/build-proto.js ../proto</span> </code></pre> </div> <p>Now, whenever we run <code>yarn</code> to install dependencies, the <code>.proto</code> files will get built automatically, too.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ yarn ➤ YN0000: · Yarn 4.5.3 ➤ YN0000: ┌ Resolution step ➤ YN0000: └ Completed ➤ YN0000: ┌ Fetch step ➤ YN0000: └ Completed in 0s 259ms ➤ YN0000: ┌ Link step ➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental ➤ YN0000: └ Completed Running `afterInstall` hook... Working directory: /workspaces/web-grpc/web-client Script directory: /workspaces/web-grpc/web-client/bin Script name /workspaces/web-grpc/web-client/bin/build-proto.js /workspaces/web-grpc/web-client/.yarn/unplugged/google-proto-files-npm-4.2.0-28512554de/node_modules/google-proto-files/ Running protoc [ '/workspaces/web-grpc/web-client/.yarn/unplugged/grpc-tools-npm-1.12.4-956df6794d/node_modules/grpc-tools/bin/protoc', '--plugin=/workspaces/web-grpc/web-client/.yarn/unplugged/ts-proto-npm-2.4.0-c5c2c1ec55/node_modules/ts-proto/protoc-gen-ts_proto', '--ts_proto_out=src/proto', '--ts_proto_opt=esModuleInterop=true', '--proto_path=../proto', '--proto_path=/workspaces/web-grpc/web-client/.yarn/unplugged/google-proto-files-npm-4.2.0-28512554de/node_modules/google-proto-files/', '../proto/notes.proto', '../proto/ping.proto' ] child process exited with code 0 ➤ YN0000: · Done with warnings in 1s 101ms </code></pre> </div> <p>This setup gets us a long way to an excellent build pipeline. Without installing extra tools on your dev system, or on a build machine, this setup gives us Typescript definitions for our protobuf messages. There are improvements to be had as well. Automated builds as the <code>.proto</code> files are modified would be a big one. Expanding the range of supported platforms with Windows and ARM would be big, too.</p> <p>In next posts I'll look into building the same <code>.proto</code> files for a .NET server and connecting the web client and the server together. Also, remember to check out <a href="https://github.com/kiirala/web-grpc" rel="noopener noreferrer">web-grpc repository on GitHub</a> for a full implementation of the techniques described in this post.</p> protobuf typescript webdev yarn Niko Kiirala Thu, 07 Nov 2024 14:46:11 +0000 https://forem.com/nikokiirala/strongly-typed-web-apis-with-grpc-2ne https://forem.com/nikokiirala/strongly-typed-web-apis-with-grpc-2ne <p>Your web application receives JSON data from the server and shows it in the UI. Simple, right? Indeed, but also filled with pitfalls. Mistyped a field name in UI code? UI crashes. Server leaves out a field you thought would always be there? UI crashes. You quickly become vigilant about checking that you actually received the data you expected to receive, but it never ceases being a burden.</p> <p>I’m going to describe using gRPC, a cross-platform framework for APIs, to make sure the client and the server agree on message contents. This gives us several great features:</p> <ul> <li>Single source of truth. Each API is described in Protocol Buffers language, also known as a <code>.proto</code> file, and in that language only. From this description you can generate API code for just about any commonly used programming language out there.</li> <li>Clear upgrade path. Protocol Buffer messages have clearly defined semantics for common changes like adding and removing fields from messages. Very often you can just update message description and old clients work seamlessly with new servers and old servers work with new clients as well. When the API changes are too large, it’s simple to do a versioned API.</li> <li>Cross-platform. A single server implementation can easily talk to a Typescript web app, an Android app, an iOS app and more.</li> <li>Compact on-wire binary format. OK, this is only partially true – a lot of what I’ll describe will use JSON as the wire format between the client and the server. But typically gRPC would use the Protocol Buffer binary format that is often significantly smaller than JSON.</li> </ul> <h2> What is gRPC? </h2> <p>The gRPC is a cross-platform framework for communicating between different pieces of software over network. It was originally developed by Google and is extensively used within Google, but is not in any way tied to them. You might think the name is related to the origins, but it <em>obviously</em> is just a recursive acronym for “gRPC Remote Procedure Calls”. It’s closely related to Protocol Buffers, a domain-specific language for describing messages and a binary format for storing these messages.</p> <p>In a typical application, a gRPC server receives and transmits messages in Protocol Buffers binary format over a HTTP/2 channel. This works nicely for server-to-server communications and for Android, iOS, Windows, Mac, Linux, etc. applications.</p> <p>For clients running inside a web browser, however, a different approach must be taken. While modern browsers can talk HTTP/2, a gRPC implementation would require a low-level access to the HTTP/2 connection, and no browser provides that and likely never will. Instead we’ll need to use some sort of a translation layer. This can either be a separate proxy server, or built-in to the application server. With this layer, the browsers can do HTTP requests as usual and the data can be transmitted either in the Protocol Buffers binary format or in the JSON format.</p> <p>In browser applications, using JSON as wire format gives certain advantages. Notably the in-browser developer tools automatically pretty-print JSON messages for you, whereas it’s practically impossible to read a Protocol Buffers message in the network traffic view. This is not an all-or-nothing choice, though, since HTTP content negotiation features make it possible to write servers and clients that can use either format. For example, debug version of your app could use JSON and production version Protocol Buffers.</p> <h2> Typescript for write-time type checking </h2> <p>Typescript, an extended version of Javascript developed by Microsoft, is the modern approach in web application development to giving types to variables and for doing compile-time type checking. Not the only one, mind – for example, Google separately developed their own way of attaching type info to Javascript that used type declarations in specially formatted code comments.</p> <p>Typescript helps somewhat with handling API message contents. If you manually create a type definition for the data you expect to receive, your IDE can auto-complete field names for you and immediately warn you for mistyped field names and for assuming a wrong type for a field. If your backend is also written in Typescript, you can even share the same type declaration between the server and the client. With that, you could already be fairly certain that the messages sent by the server match the ones the clients expect to receive.</p> <p>It is possible to generate Typescript API interfaces and message type declarations from protocol buffer files. With this approach, you only need to declare the message types once instead of writing them separately for each programming language you use. This is especially important when modifying the message contents, such as adding new fields. If you need to update several declarations separately they are likely to diverge, but a single declaration will not.</p> <p>The gRPC client libraries don’t just give compile-time type checks, but also runtime assistance. Say, what happens when you leave a field unset on the server and send the message as JSON? Depending on your JSON library and its settings, typically the field would either get left out of the message altogether or it would get set to null. The gRPC client libraries, however, ensure that the runtime object decoded from the JSON contains all the fields that were declared in the proto file at the compile time and that they are of the correct type.</p> <h2> Coming up </h2> <p>In future posts I’m going to delve into the details on how exactly the above gets done. Especially I will look into building a C#/.NET server that talks with a Typescript/React application that uses Yarn as package manager. These topics will include:</p> <ul> <li>How to automatically compile <code>.proto</code> files <ul> <li><a href="https://dev.to/nikokiirala/compile-protocol-buffers-grpc-to-typescript-with-yarn-54j">Into Typescript code using Yarn</a></li> <li>Into a .NET package using <code>csproj</code> definition and <code>dotnet</code> tools</li> </ul> </li> <li>How to write a .NET single controller that talks to both native gRPC clients and to web clients</li> <li>How to call these gRPC services from a React app</li> </ul> webdev typescript fullstack grpc