How can I use a static or Elastic IP address for an Amazon ECS task on Fargate?


I want to use a static or Elastic IP address for an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate.

Short description

You can't add a static or Elastic IP address directly to a Fargate task. To use a static or Elastic IP address with Fargate tasks, first create a Fargate service with a Network Load Balancer. Then, use the static IP address of the load balancer as a fixed entry point for your tasks.

Resolution

To give a Fargate task a static IP address for outbound traffic, create a NAT gateway. Use this approach when a downstream consumer needs a fixed source IP address: place your Fargate task in a private subnet that routes through the NAT gateway, and then add the NAT gateway's IP address to the consumer's allowlist.

To create a static IP address for inbound traffic, complete the following steps.

Create a target group

Create a target group, and then for Choose a target type, select IP addresses, and for Protocol, select TCP.

Note: You can't use the Instances target type on Fargate.

Configure a Network Load Balancer to use your target group

Note: Your load balancer's security group rules must allow outbound traffic to communicate with registered targets on the traffic port and the health check port. The rules must also allow inbound traffic from clients on the listener ports.

Attach your target group to a Network Load Balancer in the same virtual private cloud (VPC). Load balancers distribute traffic between targets within the target group. When you associate a target group with an Amazon ECS service, Amazon ECS automatically registers and deregisters container instances with the target group. Because Amazon ECS handles target registration, you don't need to add targets to your target group.

Create an Amazon ECS service

Create an Amazon ECS service with the Fargate launch type. Make sure that you specify the target group that you created in the service definition when you create your service. Also, the security group associated with the service must allow inbound traffic from the load balancer on the traffic port and the health check port.

When each task for your service is started, Amazon ECS registers the container instance and port combination in the service definition with your target group. Then, the load balancer routes the traffic to that container instance.
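The three steps above (IP target group, Network Load Balancer with an Elastic IP, Fargate service) as a single CloudFormation template. This is an added example, not the Knowledge Center article's own code; it assumes an existing cluster, an existing task definition whose container listens on port 8080, and a public subnet that routes to an internet gateway. Parameter names, ports and resource names are the example's own choices.

```yaml
Parameters:
  VpcId: { Type: "AWS::EC2::VPC::Id" }
  PublicSubnetId: { Type: "AWS::EC2::Subnet::Id" }   # where the load balancer node lives
  PrivateSubnetId: { Type: "AWS::EC2::Subnet::Id" }  # where the Fargate tasks run (no public IP)
  ClusterName: { Type: String }
  TaskDefinitionArn: { Type: String }                # existing task definition (assumed)
  ContainerName: { Type: String }                    # container listening on 8080 (assumed)
Resources:
  StaticIp:                      # the Elastic IP that clients connect to
    Type: AWS::EC2::EIP
    Properties: { Domain: vpc }
  NlbSecurityGroup:              # clients in on the listener port; default egress reaches the targets
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow clients to reach the listener
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
  TaskSecurityGroup:             # only the load balancer may reach the traffic/health-check port
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow only the load balancer to reach the tasks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: !Ref NlbSecurityGroup }
  LoadBalancer:                  # SubnetMappings with an AllocationId is what pins the static IP
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      SecurityGroups: [!Ref NlbSecurityGroup]
      SubnetMappings: [{ SubnetId: !Ref PublicSubnetId, AllocationId: !GetAtt StaticIp.AllocationId }]
  TargetGroup:                   # IP target type and TCP, as the article requires for Fargate
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: { TargetType: ip, Protocol: TCP, Port: 8080, VpcId: !Ref VpcId }
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: { LoadBalancerArn: !Ref LoadBalancer, Protocol: TCP, Port: 443, DefaultActions: [{ Type: forward, TargetGroupArn: !Ref TargetGroup }] }
  Service:                       # ECS registers each task's IP and port with the target group itself
    Type: AWS::ECS::Service
    DependsOn: Listener          # the target group must be attached to a listener first
    Properties:
      Cluster: !Ref ClusterName
      LaunchType: FARGATE
      TaskDefinition: !Ref TaskDefinitionArn
      DesiredCount: 2
      LoadBalancers: [{ ContainerName: !Ref ContainerName, ContainerPort: 8080, TargetGroupArn: !Ref TargetGroup }]
      NetworkConfiguration:
        AwsvpcConfiguration: { AssignPublicIp: DISABLED, Subnets: [!Ref PrivateSubnetId], SecurityGroups: [!Ref TaskSecurityGroup] }
Outputs:
  StaticIpAddress: { Value: !Ref StaticIp }   # the fixed entry point to hand to clients
```

The task security group admits traffic only from the load balancer's security group, so the tasks are never reachable directly even though the entry IP is static.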

Related information

Use load balancing to distribute Amazon ECS service traffic

AWS OFFICIAL, updated 5 months ago
4 Comments

Would it kill you to discuss static IPs for EC2 tasks on ECS? Why is it always Fargate that gets officially documented?! Not everything can run on Fargate!

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 2 years ago

I followed this tutorial but was having a lot of trouble. It turns out, if you have anything besides very open security group settings, your ELB and your ELS tasks will struggle to communicate. The solution is to set up two security groups, and allow the ELS group to accept inbound requests from the ELB group. More details from more trial and error here: https://stackoverflow.com/questions/78004237/setting-up-a-load-balancer-to-assign-an-elastic-ip-to-a-fargate-ecs-service-caus/78009797#78009797

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied a year ago