
How can I run an Amazon ECS task on Fargate in a private subnet?


I want to run an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate in a private subnet.

Short description

You can run Amazon ECS tasks on Fargate in a private subnet with or without internet access. For certain operations, tasks require internet access. For example, Amazon ECS requires internet access to pull images from public repositories.

To run tasks in a private subnet without internet access, create virtual private cloud (VPC) endpoints. To run tasks that require internet access in a private subnet, create a NAT gateway.

Resolution

Configure VPC endpoints for a private subnet without internet access

Complete the following steps:

  1. Create a VPC with public or private subnets.
  2. Create a gateway endpoint that connects to Amazon Simple Storage Service (Amazon S3).
  3. Create VPC interface endpoints for Amazon Elastic Container Registry (Amazon ECR).

Note: For tasks that send logs to Amazon CloudWatch Logs or that use AWS Secrets Manager to inject secrets, also create interface VPC endpoints for those services. In addition, create security groups for the VPC endpoints that allow inbound traffic on TCP port 443 from the Fargate task's security group or from the VPC CIDR block.

Configure a NAT gateway for a private subnet with internet access

To configure a NAT gateway for a private subnet, see How do I set up a NAT gateway for a private subnet in Amazon VPC?

Create an Amazon ECS cluster and service

Complete the following steps:

  1. Create an Amazon ECS cluster.
    Note: For Infrastructure, select AWS Fargate (serverless).
  2. Create an Amazon ECS service. For instructions, see Create a service with the default options and Create a service using defined parameters.
    Note: When you select a subnet, choose the private subnet that you configured for the VPC endpoints or NAT gateway. When you create the security group, allow outbound traffic on port 443 to access Amazon ECS endpoints.
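The endpoint, route and security-group requirements above are easy to get subtly wrong (an endpoint with private DNS off, a gateway endpoint attached to the wrong route table, an endpoint security group that admits the wrong source), and the symptom is a task stuck in PENDING with an image-pull or log-delivery error. The following preflight checker is an added example and not code from the AWS article; it walks dictionaries shaped like boto3 `describe_*` output (here a constructed fixture built by `build_sample_vpc`, not a real account) and reports which required path is missing for a task in a given private subnet. The endpoint service names (`ecr.api`, `ecr.dkr`, `s3`, `logs`, `secretsmanager`) are real AWS service names; the VPC, subnet and security-group identifiers are placeholders.

```python
"""Preflight check for a Fargate task's networking in a private subnet.

Added example, not code from the AWS article. The input dicts mirror the
shape of boto3 describe_subnets / describe_route_tables /
describe_vpc_endpoints / describe_security_groups output; the fixture
below is constructed for the example, not captured from an account.
"""
import ipaddress

# Endpoint services each task feature needs. Fargate pulls image layers via
# ecr.api, ecr.dkr and the S3 gateway endpoint; the awslogs driver needs
# logs; secrets injected from Secrets Manager need secretsmanager.
REQUIRED_ENDPOINTS = {
    "ecr_pull": ("ecr.api", "ecr.dkr", "s3"),
    "awslogs": ("logs",),
    "secrets": ("secretsmanager",),
}
GATEWAY_SERVICES = {"s3"}  # attached through route tables, not security groups


def subnet_route_table(route_tables, subnet_id):
    """Route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_nat_default_route(route_table):
    """True if 0.0.0.0/0 is routed to a NAT gateway (internet path exists)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
               for r in (route_table or {}).get("Routes", []))


def sg_allows_tcp(sg, direction, port, peer_sg=None, peer_cidr=None):
    """True if a rule in `direction` covers TCP `port` for the peer SG or CIDR."""
    rules = sg["IpPermissions"] if direction == "ingress" else sg["IpPermissionsEgress"]
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0):
            continue
        if peer_sg and any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", [])):
            return True
        if peer_cidr:
            peer = ipaddress.ip_network(peer_cidr)
            if any(peer.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule.get("IpRanges", [])):
                return True
    return False


def check_task_networking(vpc, subnet_id, task_sg_id, features, region="us-east-1"):
    """Return a list of findings; an empty list means every required path exists."""
    findings = []
    sgs = {sg["GroupId"]: sg for sg in vpc["SecurityGroups"]}
    subnet = next(s for s in vpc["Subnets"] if s["SubnetId"] == subnet_id)
    if subnet.get("MapPublicIpOnLaunch"):
        findings.append(f"{subnet_id} auto-assigns public IPs, so it is not a private subnet")
    rt = subnet_route_table(vpc["RouteTables"], subnet_id)
    via_nat = has_nat_default_route(rt)
    # The article's service step: the task security group must allow outbound 443.
    if not sg_allows_tcp(sgs[task_sg_id], "egress", 443, peer_cidr=vpc["CidrBlock"]):
        findings.append(f"{task_sg_id} has no outbound TCP/443 rule covering the VPC")
    endpoints = {e["ServiceName"]: e for e in vpc["VpcEndpoints"]}
    for feature in features:
        for svc in REQUIRED_ENDPOINTS[feature]:
            name = f"com.amazonaws.{region}.{svc}"
            ep = endpoints.get(name)
            if ep is None:
                if not via_nat:  # no endpoint and no NAT: the call can never leave the subnet
                    findings.append(f"{feature}: no VPC endpoint {name} and no NAT route from {subnet_id}")
                continue
            if svc in GATEWAY_SERVICES:
                if rt and rt["RouteTableId"] not in ep.get("RouteTableIds", []):
                    findings.append(f"{feature}: gateway endpoint {name} is not attached to {rt['RouteTableId']}")
                continue
            if not ep.get("PrivateDnsEnabled"):
                findings.append(f"{feature}: {name} has private DNS disabled; the default hostname will not resolve to it")
            # The article's endpoint step: endpoint SG must admit 443 from the task SG or the CIDR.
            if not any(sg_allows_tcp(sgs[g["GroupId"]], "ingress", 443, peer_sg=task_sg_id,
                                     peer_cidr=subnet["CidrBlock"]) for g in ep.get("Groups", [])):
                findings.append(f"{feature}: no security group on {name} allows TCP/443 "
                                f"from {task_sg_id} or {subnet['CidrBlock']}")
    return findings


def build_sample_vpc(endpoint_sg_peer="sg-task", with_nat=False, region="us-east-1"):
    """Constructed fixture: one private subnet, the endpoints the article lists, two SGs."""
    def svc(s):
        return f"com.amazonaws.{region}.{s}"
    routes = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]
    if with_nat:
        routes.append({"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"})
    endpoint_ingress = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "UserIdGroupPairs": [{"GroupId": endpoint_sg_peer}], "IpRanges": []}
    return {
        "CidrBlock": "10.0.0.0/16",
        "Subnets": [{"SubnetId": "subnet-private-a", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False}],
        "RouteTables": [{"RouteTableId": "rtb-private", "Routes": routes,
                         "Associations": [{"SubnetId": "subnet-private-a"}]}],
        "VpcEndpoints": [
            {"ServiceName": svc("s3"), "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-private"]},
            *[{"ServiceName": svc(s), "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
               "Groups": [{"GroupId": "sg-endpoints"}]} for s in ("ecr.api", "ecr.dkr", "logs")],
        ],
        "SecurityGroups": [
            {"GroupId": "sg-task", "IpPermissions": [],
             "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
            {"GroupId": "sg-endpoints", "IpPermissions": [endpoint_ingress], "IpPermissionsEgress": []},
        ],
    }


if __name__ == "__main__":
    # The fixture has no secretsmanager endpoint and no NAT, so the secrets path is reported.
    for f in check_task_networking(build_sample_vpc(), "subnet-private-a", "sg-task",
                                   ["ecr_pull", "awslogs", "secrets"]):
        print("FINDING:", f)
```

To use it against a real account, replace `build_sample_vpc()` with the corresponding boto3 `describe_*` results for the VPC; the checker deliberately treats a NAT route as an acceptable substitute for a missing endpoint, since the article's second option is exactly that, but it still flags the endpoint security group when one exists and does not admit the task.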
AWS OFFICIAL, updated 8 months ago
2 Comments

To run an Amazon ECS task on Fargate in a private subnet, you will need to follow these general steps:

Create a VPC with at least two private subnets: You will need to create a VPC (Virtual Private Cloud) with at least two private subnets in different availability zones. This will allow you to create a highly available environment for your Fargate tasks.

Create an ECS cluster: Create an Amazon ECS cluster that uses the VPC you created in step 1. When creating the cluster, make sure to select the Fargate launch type.

Create a task definition: Create an ECS task definition that defines the container(s) you want to run. When creating the task definition, make sure to specify the Fargate launch type.

Create a task: Create an ECS task using the task definition you created in step 3. When creating the task, select the private subnets you created in step 1.

Create a service: Create an ECS service that uses the task you created in step 4. When creating the service, specify the private subnets you created in step 1.

Create a VPC endpoint for ECS: Create a VPC endpoint for ECS in your VPC to allow the Fargate tasks to communicate with the ECS service without going over the internet.

Configure security groups: Configure the security groups for your Fargate tasks and the ECS service to allow traffic between them.

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago