Private subnets for ECS tasks or not?

0

If you were going to build an AWS ECS cluster (fargate)/services/tasks for a containerized web application, would you place the tasks in a private subnet or public subnet?

Keep in mind, you want to be as cost efficient as possible.

Would placing the tasks in a private subnet be worth the extra costs of the vpc endpoints? Feel free to provide your reasoning.

Edit: Also, is one method (placing tasks in private or public subnets) considered more industry standard?

2 Answers
1
Accepted Answer

When setting up an AWS ECS cluster (Fargate) for a containerized web application, deciding whether to place the tasks in a private or public subnet depends on various factors, as mentioned below:

Cost Efficiency:

  • Private Subnet: While setting up VPC endpoints for accessing AWS services might incur extra costs, it also provides better security by restricting internet access to tasks. If the application doesn't heavily rely on accessing external services, the extra cost might not be significant.

  • Public Subnet: Placing tasks in a public subnet might initially seem more cost-efficient as there are no additional costs for VPC endpoints. However, it's important to weigh this against the security implications, especially if the application handles sensitive data or has strict security requirements.

Security:

  • Tasks in a private subnet are shielded from direct internet access, enhancing security. Access is controlled via security groups and NACLs.

  • Tasks in a public subnet are directly exposed to the internet, despite access restrictions via security groups, presenting a higher level of risk compared to private subnets.

Accessibility:

  • Internet access for tasks in a private subnet can be enabled through a NAT Gateway or NAT Instance, with inbound traffic regulated by VPC endpoints.

  • Tasks in a public subnet have immediate internet connectivity without extra configurations.

In conclusion, if security is a top priority and the application doesn't heavily rely on accessing external services, placing tasks in a private subnet might be worth the extra cost of setting up VPC endpoints. However, if cost efficiency is the primary concern and the application can operate securely in a public subnet, then that might be the preferable option. Ultimately, the decision should be based on the specific requirements and constraints of the application.

AWS
answered 8 months ago
EXPERT
reviewed 8 months ago
AWS
EXPERT
reviewed 8 months ago
  • Thank you for your insight. Both you and @Rama brought up excellent points for discussion. I'm guessing there is no industry standard, just what fits within the requirements of the project.

0

Hi,

It is all driven by security requirements. The questions I would ask that would influence my decision to place a workload in a public subnet will be:

  • Is it acceptable to use an instance in a public subnet with appropriate guardrails like diligently configured security groups, reverse proxy, NACL, etc.?
  • Is it acceptable to access AWS services routed over the internet with encryption in transit (HTTPS)?

As a middle ground, there is also another pattern where you could deploy your workload to a private subnet to restrict the reachability of the outside world and use a NAT Gateway to access the AWS services via the internet.

Note: There is no additional charge for using gateway endpoints for S3 and DynamoDB, so if you only need to access those services, a private subnet could be a wise choice.

Thanks, Rama

AWS
EXPERT
answered 8 months ago
AWS
EXPERT
reviewed 8 months ago
  • Thank you for your feedback. Unfortunately, in order to pull images from an ECR private repository, it requires quite a few interfaces in order to successfully authenticate and pull the image into tasks in a private subnet (7 interface endpoints and 1 gateway endpoint). Your answer gave me great discussion points to the client. Thank you.
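
As an added example (not from either answerer), here is a Python check that classifies a task subnet from its route table the way the answers describe (default route to an internet gateway = public; to a NAT gateway = private with egress only; no default route = isolated) and, for an isolated subnet, lists the VPC endpoints still missing for the private ECR pull discussed in the comment above. The required set is an assumption covering only the ECR, S3 and CloudWatch Logs endpoints; tasks that also read Secrets Manager or SSM Parameter Store would extend it, which is why the comment above counts more.

```python
"""Classify a Fargate task subnet (public / NAT-private / isolated) from its route table
and, for an isolated one, list VPC endpoints still missing for pulling from a private
ECR repo. Dicts follow EC2 DescribeRouteTables / DescribeVpcEndpoints (simplified)."""

# Needed when there is no internet route: ECR API + Docker registry, S3 (layers)
# and CloudWatch Logs (assumption: the awslogs log driver is in use).
REQUIRED_INTERFACE = {"ecr.api", "ecr.dkr", "logs"}
REQUIRED_GATEWAY = {"s3"}

def route_table_for(subnet_id, route_tables):
    main = None  # explicit association wins, else the VPC's main table
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, route_tables):
    for route in route_table_for(subnet_id, route_tables)["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"        # default route to an internet gateway
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"   # egress only, no inbound exposure
    return "private-isolated"      # no default route at all

def missing_endpoints(subnet_id, route_tables, endpoints):
    rt_id = route_table_for(subnet_id, route_tables)["RouteTableId"]
    have_if, have_gw = set(), set()
    for ep in endpoints:
        svc = ep["ServiceName"].split(".", 3)[3]  # com.amazonaws.<region>.<svc>
        if ep["VpcEndpointType"] == "Interface" and subnet_id in ep["SubnetIds"]:
            have_if.add(svc)
        elif ep["VpcEndpointType"] == "Gateway" and rt_id in ep["RouteTableIds"]:
            have_gw.add(svc)
    return sorted((REQUIRED_INTERFACE - have_if) | (REQUIRED_GATEWAY - have_gw))

# Constructed sample: subnet-pub has its own table with an IGW default route;
# subnet-priv falls back to the main table, which has no default route at all.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}]
ENDPOINTS = [{"ServiceName": f"com.amazonaws.us-east-1.{s}", "VpcEndpointType":
              "Interface", "SubnetIds": ["subnet-priv"], "RouteTableIds": []}
             for s in ("ecr.api", "ecr.dkr")]  # only the two ECR endpoints so far
```

Running `classify_subnet` and `missing_endpoints` over the constructed sample reports subnet-pub as public and subnet-priv as isolated with the logs interface endpoint and the S3 gateway endpoint still missing.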
