How to ensure Static IP Addresses for ECS Fargate Services with ALB in AWS for Third-Party inbound IP allowlist?

I have a service running in ECS Fargate with an Application Load Balancer (ALB) that needs to communicate with a third-party application or service located outside my VPC. The third party has implemented a firewall or security group that only allows incoming requests from specific allowlist IP addresses.

The challenge is that ECS Fargate tasks receive different IP addresses with each deployment, making it difficult to add them to the allowlist in the third-party system. How can I ensure a consistent and static IP address for my ECS Fargate service to accommodate the third-party application's requirements?

Additional Points:

Current Challenge: The ECS Fargate service's dynamic IP addresses make it challenging to maintain a consistent allowlist entry in the third-party system.

Security Considerations: Security is a priority, so any solution should not compromise the integrity of the setup.

Example:

For instance, suppose I have an ECS Fargate service that interacts with a third-party payment gateway. The payment gateway requires the IP addresses in the allowlist for incoming requests for security purposes. However, the ECS Fargate tasks receive different IP addresses each time they are deployed, leading to frequent updates in their IP allowlist on the payment gateway side.

2 Answers
Accepted Answer

From the security standpoint, you should not keep your ECS Fargate Service tasks inside a public subnet.

Here is what you can do:

  1. Run your Amazon ECS task on Fargate in a private subnet. Refer to this to learn how to do it.
  2. Putting ECS tasks inside a private subnet will not allocate them a public IP, and will block their internet access.
  3. Use a NAT Gateway or NAT Instance in the public subnet, and update the Route Table associated with the Private Subnet to redirect internet traffic originating from the private subnet to the NAT GW or NAT Instance in the public subnet. Refer to this to learn how to do it.
  4. Attach an Elastic IP to your NAT Gateway or NAT Instance. Refer to this to learn how to do it.

This will not only solve your static IP purpose, but also enhance security for your containers as they will be running inside a private subnet.

answered 7 months ago
  • We require internet access for the ECS service as it will be utilized in a client application. Consequently, we've integrated an ALB (Application Load Balancer) with an HTTPS listener into the ECS service. Our VPC is already established with a NAT gateway, but we could benefit from additional information regarding its usage.

  • I did not get to any point of conclusion from your recent comment. What is blocking you from running your containers inside a private subnet and accessing the internet via a NAT Gateway?


You need to ensure your ECS services are attached to a Private Subnet with routes to a NAT Gateway. Ensure you have multiple NAT gateways spread across the region.

If in eu-west-2, create 3 NAT gateways, 1 on each of the 3 Public Subnets. Each public subnet has a route to the IGW.

NAT Gateways are assigned a public IP Address each. Supply the 3rd Party the 3 x NAT Gateway IP Addresses. Any traffic destined to the internet will come from one of the 3 NAT Gateway IPs.

answered 7 months ago
  • A NAT gateway provides internet access from ECS
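The design both answers describe (tasks in private subnets, one NAT gateway with an Elastic IP per AZ, default routes pointing at it, no public IP on the service), written out as an added Terraform example that is not from either answer. It assumes an existing VPC with three public subnets already routed to an Internet Gateway and three private subnets; the subnet IDs, cluster ARN, task definition and service name are placeholders.

```hcl
# Added example: existing VPC, public subnets (routed to an IGW) and private
# subnets are supplied as placeholders; nothing here is from the answers above.
variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = list(string) }  # one per AZ
variable "private_subnet_ids" { type = list(string) }  # where Fargate tasks run

# One Elastic IP per NAT gateway: these are the addresses the third party allowlists.
resource "aws_eip" "nat" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

# One NAT gateway per public subnet (per AZ) so a single-AZ failure does not
# remove all egress.
resource "aws_nat_gateway" "egress" {
  count         = length(var.public_subnet_ids)
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = var.public_subnet_ids[count.index]
}

# Each private subnet gets a route table whose default route is the NAT
# gateway in the same AZ; this is what gives the tasks a stable source IP.
resource "aws_route_table" "private" {
  count  = length(var.private_subnet_ids)
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress[count.index].id
  }
}

resource "aws_route_table_association" "private" {
  count          = length(var.private_subnet_ids)
  subnet_id      = var.private_subnet_ids[count.index]
  route_table_id = aws_route_table.private[count.index].id
}

# The service runs only in private subnets with no public IP; inbound traffic
# still reaches it through the ALB target group (not shown here).
resource "aws_ecs_service" "app" {
  name            = "payment-client"                                   # placeholder
  cluster         = "arn:aws:ecs:REGION:ACCOUNT_ID:cluster/PLACEHOLDER" # placeholder
  task_definition = "PLACEHOLDER_TASK_DEFINITION"                       # placeholder
  launch_type     = "FARGATE"
  desired_count   = 2
  network_configuration {
    subnets          = var.private_subnet_ids
    assign_public_ip = false
  }
}

# The stable egress addresses to hand to the third party.
output "nat_gateway_public_ips" { value = aws_eip.nat[*].public_ip }
```

After `terraform apply`, the `nat_gateway_public_ips` output lists exactly the addresses the third party should allowlist; the same values can be confirmed from the console with `aws ec2 describe-nat-gateways`.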
