I have a Docker container with a service which I want to run through AWS ECS with Fargate. Unfortunately, the service I want to run needs to access an SFTP server of a partner where the IP needs to be whitelisted.
My question is now: how is it possible to assign a static IP (IPv4) to an AWS ECS Fargate task? I've already set up a VPC, the subnets, internet and NAT gateway and assigned them to each other. But the biggest problem I see is that for each execution of the task with Fargate a new ENI with a different IP is assigned.
Would be great to get some help! :)
Short description. You can run Fargate tasks in private subnets. However, based on your use case, you might require internet access for certain operations, such as pulling an image from a public repository. Or, you might want to prevent any internet access for your tasks.
You can configure a VPC interface endpoint so that you can access Amazon ECS APIs through private IP addresses. AWS PrivateLink restricts all network traffic between your VPC and Amazon ECS to the Amazon network. You don't need an internet gateway, a NAT device, or a virtual private gateway.
Furthermore, ECS users deploying tasks on Fargate did not even have this option because with Fargate there are no EC2 instances you can ssh into.
Update:
You can't add a static IP address or Elastic IP address directly to a Fargate task. To use a static IP or Elastic IP with Fargate tasks you must first create a Fargate Service with an Application or Network Load Balancer. You can then attach the Elastic IP address of the task to the Load Balancer.
Choose one of the following options:
To create a static IP address for a Fargate task for inbound traffic, complete the following steps in the Resolution section. To create a static IP address for a Fargate task for outbound traffic, create a NAT gateway. In this scenario, a static IP address is required by the downstream consumer. You must place your Fargate task on a private subnet. You can use the NAT gateway IP address for an IP allow list.
https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-static-elastic-ip-address/
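To make the outbound-traffic option from the answer above concrete, here is an added Terraform example (it is not from the answer, the question, or any AWS documentation). It assumes the AWS provider 5.x and that the VPC, one public subnet already routed to an internet gateway, one private subnet, an ECS cluster and a task definition exist, as the question says; every variable value and the partner CIDR `203.0.113.10/32` are placeholders.

```hcl
# Added example: static egress IP for Fargate via a NAT gateway + Elastic IP.
# Assumes AWS provider 5.x; VPC, subnets, cluster and task definition pre-exist.

variable "vpc_id" {
  type = string
}

variable "public_subnet_id" {
  type = string # must have a 0.0.0.0/0 route to the internet gateway
}

variable "private_subnet_id" {
  type = string # Fargate tasks are placed here
}

variable "ecs_cluster_arn" {
  type = string
}

variable "task_definition_arn" {
  type = string
}

variable "partner_sftp_cidr" {
  type    = string
  default = "203.0.113.10/32" # placeholder for the partner's SFTP host
}

# 1. A fixed Elastic IP: the only address the partner ever sees.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# 2. NAT gateway in the PUBLIC subnet, bound to that EIP.
resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# 3. Private route table: default route leaves through the NAT gateway.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}

# 4. Task security group: egress limited to the partner's SFTP host (TCP/22)
#    plus HTTPS for image pulls and CloudWatch Logs. Drop the HTTPS rule if
#    the ECR/Logs interface endpoints mentioned in the answer are in place.
resource "aws_security_group" "sftp_task" {
  name   = "sftp-client-task"
  vpc_id = var.vpc_id

  egress {
    description = "SFTP to partner"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.partner_sftp_cidr]
  }

  egress {
    description = "HTTPS for ECR / CloudWatch Logs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# 5. Fargate service in the private subnet with NO public IP, so every new
#    task ENI still exits through the same NAT gateway and EIP.
resource "aws_ecs_service" "sftp_client" {
  name            = "sftp-client"
  cluster         = var.ecs_cluster_arn
  task_definition = var.task_definition_arn
  desired_count   = 1
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = [var.private_subnet_id]
    security_groups  = [aws_security_group.sftp_task.id]
    assign_public_ip = false
  }
}

# Give the partner this single /32 for their allow list, not a whole subnet.
output "partner_allowlist_ip" {
  value = "${aws_eip.nat.public_ip}/32"
}
```

After `terraform apply`, `partner_allowlist_ip` is the address to hand over; it survives task restarts because it belongs to the NAT gateway, not to any task ENI. Two things defeat the pattern: setting `assign_public_ip = true` (the task then egresses directly via the internet gateway with its own, changing address), and placing tasks in a subnet whose default route does not point at the NAT gateway. A NAT gateway is zonal, so a multi-AZ service needs one gateway and one /32 per availability zone.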
We're currently having the same issue. The solution we found is to whitelist the whole subnet's CIDR (e.g. 10.11.12.13/24) and it worked fine, but we still feel it's insecure.
I found a response suggesting using a NAT Gateway to NAT your container's IP address. Here's the link for the use case with Lambda; I still have to test it for Fargate.
This worked for me: