Get AWS Batch working without assigning a public IP to the job definition

0

Hello,

I have a container image hosted in a private repository that I would like to use as the container image for an AWS Batch job running on Fargate. This image needs to access a REST web service hosted outside AWS but does not need to be accessible from the Internet at large.

I tried to use the unmodified default VPC but the image could not be pulled from the registry. I tried setting up an IPv6 only VPC with an egress gateway, but the same issue happened again.

Only when I assign a public IP to the job definition (networkConfiguration.assignPublicIp: "ENABLED") can the image be pulled from the private repository. After that, it runs just fine.

The container does not publish any port so it should not be reachable via the public IP anyway, but it does not feel proper practice to have to rely on this parameter.

Is there a way to have all this work without assigning a public IP? Or should I just live with it, as other solutions would be way more complex and costly?

asked 2 years ago, 899 views
2 Answers
1

Hi,

As soon as you need "to access a REST web service hosted outside AWS", your container will need to obtain an IP address (either dedicated or shared) one way or another (own address, NAT gateway on the VPC). Otherwise the REST traffic won't be able to return to the container.

Additionally, yes, it's a must to pull the ECR image: https://docs.aws.amazon.com/batch/latest/APIReference/API_NetworkConfiguration.html

See the doc:

assignPublicIp:
Indicates whether the job has a public IP address. For a job that's running on Fargate resources in a private subnet to send outbound traffic to the internet (for example, to pull container images), the private subnet requires a NAT gateway be attached to route requests to the internet. For more information, see Amazon ECS task networking in the Amazon Elastic Container Service Developer Guide. The default value is "DISABLED".

Best,

Didier

EXPERT, answered 2 years ago; reviewed 2 years ago by AWS EXPERT
  • Thanks.

    So if I get things correctly, I can do either of two things:

    1. Use the auto-assigned public IPv4 address and get charged for it, around $0.005 per hour, for the duration of my batch run
    2. Set up a VPC with a NAT gateway ($0.045 per hour) with a public IP as well, and make sure it gets "turned off" once the batch job has finished.

    Am I correct? To me, the second one is much more complex and error-prone, and since my container does not publish any listening port, I guess I'll stick with the first solution.

    Thanks for your help

1

Hello.

I think you can use a method to route to the public internet using NAT Gateway.
However, if the batch job is running for a short time, I think it will be cheaper to assign a public IP directly to the container (networkConfiguration.assignPublicIp: "ENABLED").
https://docs.aws.amazon.com/batch/latest/userguide/create-compute-environment.html

Compute resources need access to communicate with the Amazon ECS service endpoint. This can be through an interface VPC endpoint or through your compute resources having public IP addresses.
For more information about interface VPC endpoints, see Amazon ECS Interface VPC Endpoints (AWS PrivateLink) in the Amazon Elastic Container Service Developer Guide.
If you do not have an interface VPC endpoint configured and your compute resources do not have public IP addresses, then they must use network address translation (NAT) to provide this access. For more information, see NAT gateways in the Amazon VPC User Guide. For more information, see Create a VPC.

Also, as of July 2024, ECR does not seem to support IPv6-only, so IPv4 is required for access.
https://github.com/aws/containers-roadmap/issues/1340

EXPERT, answered 2 years ago; reviewed 2 years ago by AWS EXPERT
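The three outcomes discussed in this thread (image pull fails in the default VPC and in an IPv6-only VPC, works with a public IP, or works via NAT or VPC endpoints) can be checked from a job definition and the subnet's routing before a job is submitted. The following is an added example, not code from this thread or from AWS; `ecr_pull_path`, the route and `vpc_endpoints` shapes and all sample ids are this example's own constructed assumptions, while `platformCapabilities`, `containerProperties.networkConfiguration` and `assignPublicIp` are real Batch job definition fields. It covers the ECR image pull only; the outbound REST call still needs an IPv4 path of its own.

```python
# Added example: classify how a Fargate-based AWS Batch job will reach ECR to
# pull its image, from a simplified job definition and a constructed summary
# of the subnet the compute environment places the task in.

# Endpoint set AWS documents for pulling from ECR with no internet route
# (two interface endpoints plus the S3 gateway endpoint for image layers).
ECR_PULL_ENDPOINTS = {"ecr.api", "ecr.dkr", "s3"}


def ecr_pull_path(job_def: dict, subnet: dict) -> str:
    """Return the egress path the image pull will use, or why it will fail."""
    if "FARGATE" not in job_def.get("platformCapabilities", []):
        return "not-fargate"  # EC2 compute environments are out of scope here
    net = job_def.get("containerProperties", {}).get("networkConfiguration", {})
    public_ip = net.get("assignPublicIp", "DISABLED") == "ENABLED"
    # Constructed route summary: destination CIDR -> target id prefix
    ipv4_default = subnet.get("routes", {}).get("0.0.0.0/0", "")
    if public_ip and ipv4_default.startswith("igw-"):
        return "public-ip"  # what the questioner ended up with
    if ipv4_default.startswith("nat-"):
        return "nat-gateway"  # answer 2's alternative, no public IP on the task
    if ECR_PULL_ENDPOINTS <= set(subnet.get("vpc_endpoints", [])):
        return "vpc-endpoints"  # private pull, no internet path at all
    # No public IP in a subnet with an IGW, a public IP in a subnet without one,
    # or an IPv6-only subnet behind an egress-only IGW all leave no IPv4 path;
    # ECR is reachable over IPv4 only, so the pull fails.
    return "no-ipv4-egress"


# Constructed sample inputs reproducing the scenarios in the thread.
JOB_NO_PUBLIC_IP = {"platformCapabilities": ["FARGATE"], "containerProperties":
                    {"networkConfiguration": {"assignPublicIp": "DISABLED"}}}
JOB_PUBLIC_IP = {"platformCapabilities": ["FARGATE"], "containerProperties":
                 {"networkConfiguration": {"assignPublicIp": "ENABLED"}}}
DEFAULT_VPC_SUBNET = {"routes": {"0.0.0.0/0": "igw-0example"}, "vpc_endpoints": []}
IPV6_ONLY_SUBNET = {"routes": {"::/0": "eigw-0example"}, "vpc_endpoints": []}
NAT_SUBNET = {"routes": {"0.0.0.0/0": "nat-0example"}, "vpc_endpoints": []}
ENDPOINT_SUBNET = {"routes": {}, "vpc_endpoints": ["ecr.api", "ecr.dkr", "s3"]}

if __name__ == "__main__":
    cases = [("default VPC, no public IP", JOB_NO_PUBLIC_IP, DEFAULT_VPC_SUBNET),
             ("IPv6-only VPC, egress-only IGW", JOB_NO_PUBLIC_IP, IPV6_ONLY_SUBNET),
             ("default VPC, public IP", JOB_PUBLIC_IP, DEFAULT_VPC_SUBNET),
             ("private subnet, NAT", JOB_NO_PUBLIC_IP, NAT_SUBNET),
             ("private subnet, endpoints", JOB_NO_PUBLIC_IP, ENDPOINT_SUBNET)]
    for name, job, subnet in cases:
        print(f"{name}: {ecr_pull_path(job, subnet)}")
```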
