How can I run an Amazon ECS task on Fargate in a private subnet?

3 minute read

I want to run an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate in a private subnet.

Short description

You can run Fargate tasks in private subnets. However, based on your use case, you might require internet access for certain operations. For example, you might want to pull an image from a public repository. Or, you might want to prevent any internet access for your tasks.

To run Fargate tasks in a private subnet without internet access, use virtual private cloud (VPC) endpoints. VPC endpoints allow you to run Fargate tasks without the need to grant the tasks access to the internet. The required endpoints are accessed over a private IP address.

If you need your task to access the internet from a private subnet, then use a NAT gateway to grant internet access. The required endpoints are accessed over the public IP address of the NAT gateway.

Resolution

Create a VPC

Create an Amazon Virtual Private Cloud (Amazon VPC) with public or private subnets. Then, depending on your use case, follow the steps in Use a private subnet without internet access (VPC endpoints method). Or, follow the steps in Use a Private subnet with internet access.

Use a private subnet without internet access (VPC endpoints method)

To create interface endpoints and an Amazon Simple Storage Solution (Amazon S3) gateway endpoint, complete the following steps:

Create an Amazon S3 gateway endpoint.
Create Amazon Elastic Container Registry (Amazon ECR) interface endpoints.
For tasks that use AWS Secrets Manager to inject secrets into tasks and Amazon CloudWatch Logs, create interface endpoints for both services.
Note: Security groups for these VPC endpoints allow inbound traffic on TCP port 443 from the Fargate task security group or Fargate task VPC CIDR range.
Follow the instructions in the Create an Amazon ECS cluster and service section of this article.

Use a private subnet with internet access

Create a NAT gateway. When you create your NAT gateway, complete the following tasks:

Put your NAT gateway inside the public subnet.
Update the route table of the private subnet:
For Destination, enter 0.0.0.0/0.
For Target, select the ID of your NAT gateway.

Then, follow the instructions in the Create an Amazon ECS cluster and service section of this article.

Create an Amazon ECS cluster and service

Create an Amazon ECS cluster. For Infrastructure, select AWS Fargate (serverless).
Create an Amazon ECS service.

When you configure the network for the Fargate service, complete the following tasks:

Based on the method that you chose earlier, choose the private subnet that you configured for the VPC endpoints. Or, choose the subnet that you configured for the NAT gateway.
For your security group, allow outbound traffic on port 443 to access Amazon ECS endpoints.

Topics

Containers

Tags

Amazon Elastic Container Service

Language

English

AWS OFFICIALUpdated a year ago

2 Comments

To run an Amazon ECS task on Fargate in a private subnet, you will need to follow these general steps:

Create a VPC with at least two private subnets: You will need to create a VPC (Virtual Private Cloud) with at least two private subnets in different availability zones. This will allow you to create a highly available environment for your Fargate tasks.

Create an ECS cluster: Create an Amazon ECS cluster that uses the VPC you created in step 1. When creating the cluster, make sure to select the Fargate launch type.

Create a task definition: Create an ECS task definition that defines the container(s) you want to run. When creating the task definition, make sure to specify the Fargate launch type.

Create a task: Create an ECS task using the task definition you created in step 3. When creating the task, select the private subnets you created in step 1.

Create a service: Create an ECS service that uses the task you created in step 4. When creating the service, specify the private subnets you created in step 1.

Create a VPC endpoint for ECS: Create a VPC endpoint for ECS in your VPC to allow the Fargate tasks to communicate with the ECS service without going over the internet.

Configure security groups: Configure the security groups for your Fargate tasks and the ECS service to allow traffic between them.

kishanpokar

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 2 years ago

Relevant content

Using endpoints to access ECR for ECS Fargate tasks on a private subnet
Accepted Answer
Mark
asked a year ago
How can I monitor the TCP handshakes between the ALB public faced and ECS Fargate tasks that are in a private subnet?
Accepted Answer
Ashok
asked 2 months ago
AWS Fargate and Tasks in a Private Subnet
Damien Gallagher
asked a year ago
ECS Fargate task running in private subnet can't pull container from private ECR repository
Laszlo Hegedus
asked 2 years ago
ECS Fargate task in private subnet can't reach another IP in private subnet
rePost-User-1449731
asked 2 years ago
How can I use a static or Elastic IP address for an Amazon ECS task on Fargate?
AWS OFFICIALUpdated 2 months ago
How do I resolve the "cannotpullcontainererror" error for my Amazon ECS tasks on Fargate?
AWS OFFICIALUpdated 7 months ago
How do I take action on an Amazon ECS task retirement notice for a task that runs on Fargate?
AWS OFFICIALUpdated a month ago
How do I mount an Amazon EFS file system on an Amazon ECS container or a task that runs on Fargate?
AWS OFFICIALUpdated 2 months ago
How to notify by email when the "exitCode" of an ECS Fargate task ends with a value other than 0
EXPERT
Riku_Kobayashi
published 2 months ago