- 최신
- 최다 투표
- 가장 많은 댓글
Ok, but what about ECS task like REST API server that should be visible to Internet? For such tasks I also got "you should not have public IP addresses" warning. In my opinion there we have to suppress "ECS.2 ECS services should not have public IP addresses assigned to them automatically" warning.
Hi,
this is due to security reasons as a public IP is exploitable by anyone on the internet.
To mitigate this can follow "Use private subnet with Internet Access" section on this article: https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet.
It is a pretty standard practice to place workloads on private subnets, and then use NAT Gateway to allow outbound internet.
Hope it clarifies ;)
ECS tasks can reside in private subnets that have a route to the internet via a NAT Gateway. This would allow outbound internet traffic without a direct inbound path. This would be the best practices method to reduce security risks associated with tasks having direct public IP addresses.
Here is a link that discussed VPCs with private subnets and NAT Gateway https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
Hope that helps.
In that case I think you should then front the api with an ALB or an public api gateway (protected with WAF, inspection of its the case, shield), which then is linked with a private backend in private subnet