Is it possible to connect aws fargate with task ip instead of load balancer DNS?


I implemented a web server in fargate.

The web server connection through the application load balancer DNS went well.

However, when I connected to the task public ip, I couldn't connect.

I checked that the ip and port are set properly in the service security group.

In my opinion, fargate doesn't directly connect to public ip like ssh can't access. Am I right?

1 Answer
Accepted Answer

Hi, Indeed as Carl said, you want to use ECS Execute Command, not SSH for containers in ECS. Much more secure, easier to audit, and far less faffing around to get it working.

On the public access side, did you put your service in a public subnet ? That'd be a subnet with the internet gateway as the default route. Did you enable granting an EIP to the container (not enabled by default)? You most likely already have opened the Security Group accordingly to do all that.

Note thought that, unless there is a very, very good reason for that, I wouldn't recommend to expose your services directly, and keep them behind an ALB (or NLB), for the simple reason that this enables a wealth of other features: ACM for TLS, WAF, audit logs, etc.

An acquaintance of mine who's using ECS Compose-X needed only to have egress to the internet access, to retrieve data, and publish it back elsewhere. So we put his service on a public subnet, with a VPC without NAT or anything (so no VPC costs incurred) and his service gets an EIP automatically. But there is no ingress to that service needed, which more or less makes it a Lambda function running via ECS ^^

profile picture
answered 4 months ago
  • Thank you for detail explanation! I think that thhis problem is my mistake

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions