
AWS Step function state machine with ECS TASK

0

I want to orchestrate ECS tasks using AWS Step Functions. I have a requirement to attach my ECS Fargate task to a VPC and security group, and I didn't find a configuration for the VPC network in the task definition.

2 Answers
1
Accepted Answer

Hello.

You can specify subnets and security groups by passing the RunTask API parameters in the following format.
If the subnet is a private subnet with a route to a NAT Gateway configured, it will still work even if you remove "AssignPublicIp".
https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/APIReference/API_RunTask.html

{
  "Comment": "execute an ECS task",
  "StartAt": "Run an ECS Task",
  "States": {
    "Run an ECS Task": {
      "Type": "Task",
      "Resource": "arn:aws:states:::ecs:runTask.sync",
      "Parameters": {
        "LaunchType": "FARGATE",
        "Cluster": "arn:aws:ecs:ap-northeast-1:<AWS Account ID>:cluster/<ECS Cluster Name>",
        "TaskDefinition": "arn:aws:ecs:ap-northeast-1:<AWS Account ID>:task-definition/<Task Definition Name>:<Revision Number>",
        "NetworkConfiguration": {
          "AwsvpcConfiguration": {
            "Subnets": [
              "<Subnet ID>"
            ],
            "SecurityGroups": [
              "<Security Group ID>"
            ],
            "AssignPublicIp": "ENABLED"
          }
        },
        "Overrides": {
          "ContainerOverrides": [
            {
              "Name": "<Container Name>",
              "Command.$": "$.commands"
            }
          ]
        }
      },
      "Retry": [
        {
          "ErrorEquals": [
            "States.ALL"
          ],
          "IntervalSeconds": 1,
          "MaxAttempts": 2,
          "BackoffRate": 3
        }
      ],
      "End": true
    }
  }
}
EXPERT
answered 17 days ago
EXPERT
reviewed 17 days ago
1

When orchestrating ECS tasks using AWS Step Functions, you can configure VPC and security group settings through the NetworkConfiguration parameter in your state machine definition. This is not configured in the task definition itself, but rather when you invoke the ECS RunTask action from Step Functions.

In your Step Functions state machine, you can specify the network configuration using the NetworkConfiguration field with the following structure:

  • Use AwsvpcConfiguration to specify your VPC settings
  • Include Subnets to define which subnets your Fargate task should run in
  • Include SecurityGroups to attach the appropriate security groups
  • Optionally set AssignPublicIp to "ENABLED" or "DISABLED" depending on whether your task needs a public IP address

This network configuration is passed as part of the Overrides or directly in the ECS RunTask parameters when Step Functions calls the ECS API. The VPC and security group configuration is applied at task runtime rather than being defined in the task definition itself, which allows you to use the same task definition across different network environments.

For Fargate tasks specifically, the awsvpc network mode is required, and you must specify the network configuration when running the task through Step Functions.
Sources
Run Amazon ECS or Fargate tasks with Step Functions - AWS Step Functions
aws-fargate-stepfunctions - AWS Solutions Constructs

answered 17 days ago
EXPERT
reviewed 17 days ago
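Both answers above make the same point: for a Fargate task the subnets and security groups are RunTask API parameters, so they go inside the Task state's "Parameters", and the accepted answer's JSON shows the shape. The following Python is an added example, not code from this thread or from AWS. It builds that definition from a few inputs, defaults AssignPublicIp to DISABLED (the private-subnet-with-NAT case the accepted answer mentions), and checks a definition for the mistakes that make a runTask state silently misbehave: NetworkConfiguration or Overrides placed beside "Parameters" instead of inside it, an empty Subnets or SecurityGroups list, or a public IP on a task that does not need one. All ARNs, subnet and security-group IDs and the container name are placeholders (assumed, not from the thread); the "$.commands" input path is the one the accepted answer uses.

```python
"""Build and sanity-check a Step Functions definition that runs a Fargate
task with an explicit awsvpc NetworkConfiguration.

Illustrative example only: not code from the re:Post thread or from AWS.
Every ARN, ID and name below is a placeholder.
"""
import json


def build_run_task_definition(cluster_arn, task_definition_arn, subnets,
                              security_groups, container_name,
                              assign_public_ip=False):
    """Return an ASL definition (dict) for the ecs:runTask.sync integration.

    NetworkConfiguration and Overrides are RunTask API parameters, so both
    must live under the state's "Parameters" key, not beside it.
    """
    return {
        "Comment": "execute an ECS task",
        "StartAt": "Run an ECS Task",
        "States": {
            "Run an ECS Task": {
                "Type": "Task",
                "Resource": "arn:aws:states:::ecs:runTask.sync",
                "Parameters": {
                    "LaunchType": "FARGATE",
                    "Cluster": cluster_arn,
                    "TaskDefinition": task_definition_arn,
                    "NetworkConfiguration": {
                        "AwsvpcConfiguration": {
                            "Subnets": list(subnets),
                            "SecurityGroups": list(security_groups),
                            # DISABLED is the right default for a private subnet
                            # that reaches AWS APIs through NAT or VPC endpoints.
                            "AssignPublicIp": "ENABLED" if assign_public_ip else "DISABLED",
                        }
                    },
                    "Overrides": {
                        "ContainerOverrides": [
                            # "$.commands" is taken from the state input, as in the thread.
                            {"Name": container_name, "Command.$": "$.commands"}
                        ]
                    },
                },
                "Retry": [{"ErrorEquals": ["States.ALL"], "IntervalSeconds": 1,
                           "MaxAttempts": 2, "BackoffRate": 3}],
                "End": True,
            }
        },
    }


def render(definition):
    """Serialize the definition as the JSON string Step Functions expects."""
    return json.dumps(definition, indent=2)


def check_run_task_state(definition):
    """Return findings for every ecs:runTask state; an empty list means the
    network settings are placed and populated correctly."""
    findings = []
    for name, state in definition.get("States", {}).items():
        if state.get("Type") != "Task" or "ecs:runTask" not in state.get("Resource", ""):
            continue
        params = state.get("Parameters", {})
        # Keys that belong to RunTask but were put next to Parameters are ignored
        # by the service (or rejected at creation time), never applied.
        for key in ("NetworkConfiguration", "Overrides"):
            if key in state and key not in params:
                findings.append(f"{name}: '{key}' is outside 'Parameters'; RunTask will never see it")
        vpc = params.get("NetworkConfiguration", {}).get("AwsvpcConfiguration")
        if params.get("LaunchType") == "FARGATE" and not vpc:
            findings.append(f"{name}: FARGATE requires NetworkConfiguration.AwsvpcConfiguration")
            continue
        if vpc is not None:
            if not vpc.get("Subnets"):
                findings.append(f"{name}: AwsvpcConfiguration.Subnets is empty")
            if not vpc.get("SecurityGroups"):
                # With no group given, the VPC default security group is attached.
                findings.append(f"{name}: no SecurityGroups given; the VPC default security group will be used")
            if vpc.get("AssignPublicIp") == "ENABLED":
                findings.append(f"{name}: AssignPublicIp is ENABLED; drop it if the subnet has NAT or endpoint egress")
    return findings


if __name__ == "__main__":
    # Constructed placeholder inputs; replace with your own cluster, task definition,
    # private subnet and a security group that allows only the egress the task needs.
    definition = build_run_task_definition(
        "arn:aws:ecs:ap-northeast-1:123456789012:cluster/demo",
        "arn:aws:ecs:ap-northeast-1:123456789012:task-definition/demo:1",
        ["subnet-0a1b2c3d4e5f67890"], ["sg-0a1b2c3d4e5f67890"], "app")
    print(render(definition))
    print("findings:", check_run_task_state(definition))
```

The checker is meant to run in CI against the definition you deploy (for example the JSON you pass to CreateStateMachine), so a misplaced key or an accidental public IP is caught before the state machine ever calls RunTask.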
