Static outbound IP for AWS ECS Fargate task

I have a Docker container with a service which I want to run through AWS ECS with Fargate. Unfortunately the service I want to run needs to access an SFTP server of a partner where the IP needs to be whitelisted.

My question is now: How is it possible to assign a static IP (IPv4) to an AWS ECS Fargate task? I've already set up a VPC, the subnets, an internet gateway and a NAT gateway and assigned them to each other. But the biggest problem I see is that for each execution of the task with Fargate a new ENI with a different IP is assigned.

Would be great to get some help! :)

Florian Nitschmann asked Sep 15 '19 02:09



3 Answers

Update:

You can't add a static IP address or Elastic IP address directly to a Fargate task. To use a static IP or Elastic IP with Fargate tasks you must first create a Fargate Service with an Application or Network Load Balancer. You can then attach the Elastic IP address of the task to the Load Balancer.

Choose one of the following options:

To create a static IP address for a Fargate task for inbound traffic, complete the following steps in the Resolution section. To create a static IP address for a Fargate task for outbound traffic, create a NAT gateway. In this scenario, a static IP address is required by the downstream consumer. You must place your Fargate task on a private subnet. You can use the NAT gateway IP address for an IP allow list.

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-static-elastic-ip-address/

Adiii answered Oct 17 '22 10:10


We're currently having the same issue. The solution we found is to whitelist the whole subnet's CIDR (e.g. 10.11.12.13/24), and it worked fine, but we still feel it's insecure.

I found a response suggesting using a NAT Gateway to NAT your container's IP address. Here's the link for the use case with Lambda; I still have to test it for Fargate.

Diego T. P. answered Oct 17 '22 08:10


This worked for me:

  1. Create a subnet for the ECS tasks to run inside
  2. Add a NAT gateway (can be egress only) inside the subnet
  3. Assign an Elastic IP to the NAT gateway
  4. Observe that the external IP of the ECS task is the Elastic IP of the gateway

sdgfsdh answered Oct 17 '22 10:10
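As an added example (not from any of the answers above), the same arrangement expressed in Terraform: a private subnet for the tasks whose default route goes through a NAT gateway holding an Elastic IP, and a Fargate service pinned to that subnet with no public IP, so the Elastic IP is the only source address the partner ever sees. The existing VPC and public subnet are passed in as variables; the CIDR, resource names and the referenced cluster, task definition and security group are assumptions.

```hcl
# Added example. Assumes an existing VPC and a public subnet that already
# routes to an internet gateway (as in the question); names and CIDR are assumed.
variable "vpc_id" {}
variable "public_subnet_id" {}

# Private subnet: the Fargate tasks run here and never receive a public IP.
resource "aws_subnet" "tasks" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.1.0/24" # constructed value
}

# The Elastic IP is the single fixed address the partner puts on its allow list;
# the NAT gateway that owns it lives in the public subnet.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Default route of the task subnet goes through the NAT gateway, so every
# outbound connection (including the SFTP session) is sourced from the EIP.
resource "aws_route_table" "tasks" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "tasks" {
  subnet_id      = aws_subnet.tasks.id
  route_table_id = aws_route_table.tasks.id
}

# Fargate service pinned to the private subnet without a public IP. Tasks placed
# in a public subnet with assign_public_ip = true would instead egress from
# their own ephemeral ENI address, which is exactly what the question observed.
resource "aws_ecs_service" "sftp_client" {
  name            = "sftp-client"                      # assumed name
  cluster         = aws_ecs_cluster.main.id            # assumed cluster
  task_definition = aws_ecs_task_definition.client.arn # assumed task definition
  launch_type     = "FARGATE"
  network_configuration {
    subnets          = [aws_subnet.tasks.id]
    security_groups  = [aws_security_group.tasks.id]   # assumed security group
    assign_public_ip = false
  }
}
```

After `terraform apply`, the address to hand to the partner is `aws_eip.nat.public_ip`; keeping `assign_public_ip = false` is the check that no task can bypass the NAT path.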