I'm currently operating an ECS cluster, hosted on EC2 instances, that houses a Django-based API service, an Nginx web server, and a Filebeat module to facilitate the ELK logging mechanism as a sidecar container. The aforementioned cluster resides within a VPC dubbed 'vpc-ecs'.
Simultaneously, I maintain a MySQL database, hosted in a public subnet within a separate VPC, referred to as 'vpc-db'. My primary objective is to establish a secure connection between my Django ECS container and the above database across these VPCs.
For security considerations, I intend to create a MySQL user (referred to as 'ecs_user') whose host isn't configured with a wildcard. Rather, I'd prefer the connection to originate from a specific, static IP address in the format of ecs_user@1.2.3.4. Here, 1.2.3.4 would represent a fixed IP transmitted by the ECS service.
The inherent dynamic nature of ECS and the auto-scaling groups associated with EC2 instances creates a challenge, as EC2 instances are frequently terminated and supplanted. Consequently, I'm grappling with the task of maintaining a consistent, static IP for the database connection despite the dynamism.
I kindly request insights regarding the most feasible way to maintain this static IP for the connection with the MySQL database. Additionally, I'm open to any suggestions for enhancing the security measures for this connection.
That is true. But my Mysql database is hosted on EC2 and it have rule allow all for few ports because it is analytics bases. At level of mysql database, I ensure only allowed IP can connect. So I need to know mechanism for static IP in ECS deployment.
Thanks for the reply. By the way, what network mode do you use for ECS? If the network mode is host or bridge, the IP address of the EC2 instance is used, so if you can design the system to execute Lambda, etc. according to the EC2 startup event, you can set the IP of the MySQL user. However, such an architecture is difficult to create without knowledge, so I would create a MySQL user so that it can be accessed from the CIDR of the subnet on which EC2 is started. For example, you can allow access from EC2 by setting the CIDR of the subnet with the following command.