
ECS Task with public IP connect permanent


I have an ECS task/service that I can access via a public IP. However, I would like to access the ECS task/service via a DNS because the public IP is constantly changing. How can I create this connection? Ideally with Cognito authentication.

asked a month ago, 30 views
2 Answers

To create a more stable connection to your ECS task/service without relying on the changing public IP, you have several options:

  1. Use an Application Load Balancer (ALB):

    • Deploy your ECS service behind an internet-facing ALB.
    • The ALB will provide a fixed DNS name for accessing your service.
    • This solution offers better scalability and management of incoming traffic.
    • You can configure the ALB to work with Amazon Cognito for authentication.
  2. Implement ECS Service Discovery:

    • Use AWS Cloud Map to manage HTTP and DNS namespaces for your ECS services.
    • This allows you to reference services by logical names within your VPC.
    • However, note that DNS records created by service discovery always use private IP addresses, even for public namespaces.
  3. Utilize ECS Service Connect:

    • This feature allows you to define endpoints for your services and communicate through them.
    • It eliminates the need to directly manage service addresses and port numbers.
    • Service Connect works well for communication between ECS tasks but is not directly accessible from outside the VPC.

For public access with Cognito authentication, the ALB approach is likely your best option. You can set up the ALB to handle HTTPS traffic, integrate it with Amazon Cognito for user authentication, and then route requests to your ECS tasks. This provides a stable DNS name for access, handles authentication, and allows your ECS tasks to remain in private subnets for enhanced security.

Remember to configure your security groups, NACLs, and VPC settings appropriately to allow the necessary traffic flow while maintaining security.

Sources
Connect ECS Fargate Service/Task from public | AWS re:Post
Access ECS Service from outside ECS (Public internet) | AWS re:Post
Connect to a container via ECS Service connect | AWS re:Post
Use service discovery to connect Amazon ECS services with DNS names - Amazon Elastic Container Service
make connection from service running in one ECS cluster to another ECS cluster | AWS re:Post

answered a month ago
EXPERT reviewed a month ago
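One concrete form of the ALB-plus-Cognito setup recommended above, written as an added CloudFormation fragment (not from this thread or from AWS documentation). It assumes the internet-facing ALB, its security group, the ACM certificate, the Cognito user pool and app client, the Route 53 zone and the ECS service's target group already exist and are passed in as parameters, that the container listens on port 8080, and that the site name is app.example.com.

```yaml
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  LoadBalancerArn: { Type: String }              # existing internet-facing ALB
  AlbSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }
  AlbDnsName: { Type: String }                   # the ALB's DNSName attribute
  AlbCanonicalHostedZoneId: { Type: String }     # the ALB's CanonicalHostedZoneID
  CertificateArn: { Type: String }               # ACM cert for app.example.com
  UserPoolArn: { Type: String }                  # Cognito user pool
  UserPoolClientId: { Type: String }             # app client with a client secret
  UserPoolDomain: { Type: String }               # Cognito hosted UI domain prefix
  HostedZoneId: { Type: String }                 # Route 53 zone for example.com
  TargetGroupArn: { Type: String }               # target group the ECS service uses
Resources:
  # Attach to the ECS service: tasks accept traffic from the ALB only, so a task's
  # own public IP (if it has one) is never the entry point.
  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS tasks reachable only from the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref AlbSecurityGroupId }
  # Cognito authentication runs first (Order 1); forwarding only happens for
  # requests that carry a valid session. authenticate-cognito needs an HTTPS listener.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates: [{ CertificateArn: !Ref CertificateArn }]
      DefaultActions:
        - Type: authenticate-cognito
          Order: 1
          AuthenticateCognitoConfig:
            UserPoolArn: !Ref UserPoolArn
            UserPoolClientId: !Ref UserPoolClientId
            UserPoolDomain: !Ref UserPoolDomain
            OnUnauthenticatedRequest: authenticate   # redirect to the Cognito login page
        - Type: forward
          Order: 2
          TargetGroupArn: !Ref TargetGroupArn
  # Stable name for clients instead of the changing task IP: an alias to the ALB.
  AppDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: app.example.com
      Type: A
      AliasTarget:
        DNSName: !Ref AlbDnsName
        HostedZoneId: !Ref AlbCanonicalHostedZoneId
```

The Cognito app client must list `https://app.example.com/oauth2/idpresponse` as an allowed callback URL, since that is where the ALB completes the login. The ECS service should use TaskSecurityGroup and register its tasks with the target group referenced by TargetGroupArn.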

The generated response is actually really good. Using an LB allows for a lot of great alternative options, especially if you use the ALB and its capabilities around authentication. I use that constantly to fence off any bots and such, as the LB will simply not pass on packets to the backend unless all the requirements are met. Think NGINX as a service, on steroids. This also alleviates the management of TLS certs if you let the LB deal with that, using ACM for you. Now, depending on your application, that might not apply.

Otherwise, ECS with Cloud Map (service discovery) using a public zone works, as ECS will automatically update the Route53 zone with A & SRV records for your clients.

answered a month ago
EXPERT reviewed a month ago
