Hi, indeed, as Carl said, you want to use ECS Execute Command, not SSH, for containers in ECS. Much more secure, easier to audit, and far less faffing around to get it working.
On the public access side, did you put your service in a public subnet? That'd be a subnet with the internet gateway as the default route. Did you enable granting an EIP to the container (not enabled by default)? You most likely have already opened the Security Group accordingly to do all that.
Note though that, unless there is a very, very good reason for it, I wouldn't recommend exposing your services directly; keep them behind an ALB (or NLB), for the simple reason that this enables a wealth of other features: ACM for TLS, WAF, audit logs, etc.
An acquaintance of mine who's using ECS Compose-X needed only egress access to the internet, to retrieve data and publish it back elsewhere. So we put his service on a public subnet, in a VPC without NAT or anything (so no VPC costs incurred), and his service gets an EIP automatically. But no ingress to that service is needed, which more or less makes it a Lambda function running via ECS ^^
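The three conditions the answer above lists (public subnet, public IP on the task ENI, security group ingress) can be checked mechanically from the API responses. The script below is an added example, not part of the original thread: it runs offline against constructed JSON shaped like what `aws ecs describe-services`, `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return, so the subnet, security group, route table and gateway IDs, the CIDRs and the port are all made up. It flags each missing condition and shows the corrected network configuration next to the weak one.

```python
"""Offline check of what an ECS Fargate task needs to be reachable directly
from the internet: a public subnet (default route to an internet gateway),
assignPublicIp=ENABLED on the service so the task ENI gets a public IP, and a
security group ingress rule for the container port.

Added example, not from the original thread. All IDs and CIDRs are constructed.
"""
import ipaddress

# Constructed: awsvpcConfiguration as returned by describe-services
SERVICE_NETWORK = {
    "awsvpcConfiguration": {
        "subnets": ["subnet-0a1b2c3d4e5f60718"],
        "securityGroups": ["sg-0f1e2d3c4b5a69788"],
        "assignPublicIp": "DISABLED",  # the default, and the usual mistake
    }
}

# Constructed: route table associated with that subnet (describe-route-tables)
ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Associations": [{"SubnetId": "subnet-0a1b2c3d4e5f60718"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc123def4567890", "State": "active"},
    ],
}

# Constructed: the task's security group (describe-security-groups)
SECURITY_GROUP = {
    "GroupId": "sg-0f1e2d3c4b5a69788",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def is_public_subnet(route_table):
    """True when the active default IPv4 route points at an internet gateway.
    A route to a NAT gateway (nat-...) gives egress only, so it does not count."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r.get("GatewayId", "").startswith("igw-")
    return False


def ingress_allows(sg, port, source="0.0.0.0/0"):
    """True when some tcp (or all-protocol) rule covers `port` from a CIDR that
    contains `source`."""
    src = ipaddress.ip_network(source)
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def check_direct_access(service_network, route_table, sg, port):
    """Return the list of blockers; an empty list means the task should be
    reachable on `port` from the internet (DNS and app-level issues aside)."""
    cfg = service_network["awsvpcConfiguration"]
    findings = []
    associated = [a.get("SubnetId") for a in route_table.get("Associations", [])]
    if cfg["subnets"][0] not in associated:
        findings.append("route table is not associated with the task subnet")
    if not is_public_subnet(route_table):
        findings.append("subnet has no default route to an internet gateway (private subnet)")
    if cfg.get("assignPublicIp") != "ENABLED":
        findings.append("assignPublicIp is not ENABLED, task ENI gets no public IP")
    if not ingress_allows(sg, port):
        findings.append(f"security group {sg['GroupId']} has no ingress rule for tcp/{port}")
    return findings


def fixed_network_config(service_network):
    """The corrected awsvpcConfiguration: same subnets and groups, public IP on."""
    cfg = dict(service_network["awsvpcConfiguration"])
    cfg["assignPublicIp"] = "ENABLED"
    return {"awsvpcConfiguration": cfg}


if __name__ == "__main__":
    for name, cfg in (("current", SERVICE_NETWORK), ("fixed", fixed_network_config(SERVICE_NETWORK))):
        print(name, check_direct_access(cfg, ROUTE_TABLE, SECURITY_GROUP, 443) or "OK")
```

The corrected configuration maps onto the real CLI as `aws ecs update-service --cluster <cluster> --service <service> --network-configuration "awsvpcConfiguration={subnets=[subnet-...],securityGroups=[sg-...],assignPublicIp=ENABLED}"`; the check deliberately treats a NAT-gateway default route as "not public", since that is exactly the egress-only setup that still leaves the task unreachable from outside.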
Thank you for the detailed explanation! I think this problem is my mistake.
Well, no. I want a bastion to jump to the RDS. For this I need a container that accepts SSH and redirects to the RDS.
Fargate not being able to do this just means I need to spin up an EC2 instance.
Hello,
Fargate connects just fine to a public IP, so you should be able to access the container directly if you verify:
- That it has a public IP (if you run it in a private subnet, it will not have a public IP, and then you need to be on a VPN).
- That you are using the correct port (I know you said you checked this, but it's worth another look, because the ALB often reroutes from 443 to 80 after SSL resolution, which confuses a lot of people).
Regarding ssh, I'm sure it's possible (you need to install SSH on the container image and add public keys to it), but you probably don't want to.
Instead, use ECS Exec:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
I also recommend using the AWS session manager plugin:
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
Good luck! :)
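Both answers above point at ECS Exec instead of SSH. Before `aws ecs execute-command` will open a shell, the task must have been started with execute command enabled, the ExecuteCommandAgent in the target container must be running, and the task role (not the execution role) must be allowed the four `ssmmessages:*` channel actions the SSM agent uses. The script below is an added example, not from the thread or from AWS: it runs offline against a constructed `describe-tasks` response and a constructed task-role policy (the cluster name, task ARN, container name and account ID are made up), reports whatever would make the command fail, and builds the exact command line when nothing does.

```python
"""Offline pre-flight for ECS Exec: inspect a describe-tasks response and the
task role's policy, list what would block `aws ecs execute-command`, and build
the command when nothing does.

Added example, not from the original thread. Cluster, ARN, container name and
policy are constructed; the response shape (enableExecuteCommand,
containers[].managedAgents[]) mirrors the real describe-tasks output.
"""
import fnmatch
import shlex

# Permissions the SSM agent inside the container needs on the task role.
SSM_MESSAGES_ACTIONS = {
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
}

CLUSTER = "demo-cluster"  # constructed

# Constructed: one task from `aws ecs describe-tasks --cluster demo-cluster --tasks <arn>`
DESCRIBE_TASKS = {
    "tasks": [{
        "taskArn": "arn:aws:ecs:eu-west-1:123456789012:task/demo-cluster/0123456789abcdef0123456789abcdef",
        "lastStatus": "RUNNING",
        "launchType": "FARGATE",
        "enableExecuteCommand": True,
        "containers": [{
            "name": "app",
            "lastStatus": "RUNNING",
            "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}],
        }],
    }]
}

# Constructed: policy attached to the task role (the execution role is irrelevant here)
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
                   "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"],
        "Resource": "*",
    }],
}


def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement (Deny is ignored here)."""
    patterns = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        action = st.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns


def action_allowed(action, patterns):
    """IAM-style wildcard match, so 'ssmmessages:*' or '*' also satisfies a check."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def exec_blockers(task, container, policy):
    """Everything that would make execute-command fail for `container` in `task`."""
    problems = []
    if task.get("lastStatus") != "RUNNING":
        problems.append(f"task is {task.get('lastStatus')}, not RUNNING")
    if not task.get("enableExecuteCommand"):
        problems.append("task was started without --enable-execute-command")
    target = next((c for c in task.get("containers", []) if c.get("name") == container), None)
    if target is None:
        problems.append(f"no container named {container!r} in task")
    else:
        agents = {a["name"]: a.get("lastStatus") for a in target.get("managedAgents", [])}
        if agents.get("ExecuteCommandAgent") != "RUNNING":
            problems.append("ExecuteCommandAgent is not RUNNING (check task role and SSM reachability)")
    patterns = allowed_actions(policy)
    missing = sorted(a for a in SSM_MESSAGES_ACTIONS if not action_allowed(a, patterns))
    if missing:
        problems.append("task role lacks " + ", ".join(missing))
    return problems


def exec_command(cluster, task, container, command="/bin/sh"):
    """The aws CLI invocation, shell-quoted, for an interactive session."""
    argv = ["aws", "ecs", "execute-command", "--cluster", cluster,
            "--task", task["taskArn"], "--container", container,
            "--interactive", "--command", command]
    return shlex.join(argv)


if __name__ == "__main__":
    task = DESCRIBE_TASKS["tasks"][0]
    blockers = exec_blockers(task, "app", TASK_ROLE_POLICY)
    print("\n".join(blockers) if blockers else exec_command(CLUSTER, task, "app"))
```

`enableExecuteCommand` is fixed when the task is launched, so an existing service needs `aws ecs update-service --enable-execute-command` (which rolls new tasks) rather than a change on the running task, and the client side still needs the Session Manager plugin from the second link above. The policy check is intentionally narrow: it only reads Allow statements and does not evaluate conditions or explicit Deny, so a clean result here is a necessary, not sufficient, condition.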