Cost-Effective Internet Access Strategy for ECS Tasks Pulling GitHub Data


I have an AWS ECS setup in a VPC, and my ECS tasks need to access both a public GitHub repository and Amazon ECR for container images. However, the cost of using NAT Gateways for internet access from my ECS tasks, especially for GitHub data pulls, is quite high. I'm looking for alternative solutions to reduce this cost while still allowing my ECS tasks to perform actions like 'git clone' which require internet access for GitHub. Additionally, I've set up VPC endpoints for Amazon ECR, so I'd like to ensure that ECS tasks can use the VPC endpoint for ECR access when available and switch to NAT Gateway when they need broader internet connectivity. Currently, I'm using a NAT gateway, and my ECS is in a VPC. What strategies or methods would you recommend to optimize internet access for my ECS tasks in this scenario and reduce costs?

1 Answer

Hi,

I would suggest having Lambdas outside your VPC and letting those Lambdas do the repository accesses over the Internet based on their default configuration:

see https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html

> **By default, Lambda functions have access to the public internet.**
>
> This is not the case after they have been configured with access to one of your VPCs. If you continue to need access to resources on the internet, set up a NAT instance or Amazon NAT Gateway. Alternatively, you can also use VPC endpoints to enable private communications between your VPC and supported AWS services.

They will act as a proxy to your ECS containers: those containers will use the Lambda invoke() API to request access to a given repo. The Lambda will store the content of the repo in an S3 bucket that your ECS instances can access securely via an additional service endpoint.

If this is your only use of NAT, you can then suppress use of NAT and Internet Gateway to reduce your costs as expected.

Additional benefit: better security posture since your VPC is now fully closed.

Best,

Didier

AWS EXPERT, answered 7 months ago

Comment: Hi, Thank you for sharing the approach, but it will add complexity in my arch.
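The Lambda-as-proxy pattern from the answer above, as an added Python example that is not part of the original post: the Lambda runs outside the VPC, downloads an archive of an allowlisted public repository over HTTPS and writes it to S3, and the ECS task invokes it and then reads the archive through the S3 VPC endpoint. The allowlist, bucket name, function name and injectable clients are assumptions; the allowlist and ref validation exist so that anything able to invoke the function cannot turn it into a general-purpose fetch proxy or steer the S3 key it writes.

```python
import json
import re
import urllib.request

# Constructed allowlist: the Lambda only mirrors these public repos, so it cannot be
# turned into a general fetch proxy by anything that can invoke it.
ALLOWED_REPOS = {"octocat/Hello-World"}
REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")
REF_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


def fetch_https(url):
    """Default fetcher: plain HTTPS download (runs outside the VPC, so no NAT needed)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def mirror_repo(repo, ref, bucket, fetch=fetch_https, s3=None):
    """Download a public GitHub repo archive and store it in S3; returns the S3 key.
    Raises ValueError for a repo not on the allowlist or a malformed ref."""
    if not REPO_RE.match(repo) or repo not in ALLOWED_REPOS:
        raise ValueError(f"repository not allowed: {repo}")
    if not REF_RE.match(ref) or ".." in ref:  # keeps the caller from shaping the S3 key
        raise ValueError(f"malformed ref: {ref}")
    data = fetch(f"https://github.com/{repo}/archive/{ref}.tar.gz")
    if s3 is None:  # boto3 ships with the Lambda runtime; injected here so tests run offline
        import boto3
        s3 = boto3.client("s3")
    key = f"github/{repo}/{ref}.tar.gz"
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    return key


def handler(event, context):
    """Lambda entry point. event = {"repo": "owner/name", "ref": "main", "bucket": "..."}."""
    key = mirror_repo(event["repo"], event.get("ref", "main"), event["bucket"])
    return {"bucket": event["bucket"], "key": key}


def fetch_from_proxy(repo, ref, bucket, function_name, lam=None, s3=None):
    """ECS-side helper: ask the Lambda to mirror the repo, then read the archive from S3
    over the VPC endpoint. function_name is a caller-supplied placeholder."""
    if lam is None or s3 is None:
        import boto3
        lam, s3 = lam or boto3.client("lambda"), s3 or boto3.client("s3")
    payload = json.dumps({"repo": repo, "ref": ref, "bucket": bucket}).encode()
    resp = lam.invoke(FunctionName=function_name, Payload=payload)
    result = json.loads(resp["Payload"].read())
    return s3.get_object(Bucket=result["bucket"], Key=result["key"])["Body"].read()
```

The Lambda's execution role needs only s3:PutObject on the mirror bucket, and the ECS task role only lambda:InvokeFunction on that one function plus s3:GetObject on the bucket, which is what lets the VPC stay closed once the NAT gateway is removed.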
