- Newest
- Most votes
- Most comments
Hello Shuaybi,
Yes, it is possible to remove the public IP address from your Fargate container and still have your website publicly accessible through your domain name. Here's how you can achieve this:
-
Create a Private Subnet: If you haven't already, create a private subnet within your VPC. This subnet should not have a direct route to the internet (IGW attached to your route table).
-
Create a NAT Gateway: Create a NAT Gateway in a public subnet of your VPC. The NAT Gateway will allow your Fargate containers running in the private subnet to make outbound calls to other services.
-
Update Routing Tables: Update the routing tables associated with your private subnet to route internet-bound traffic through the NAT Gateway. This will allow your containers to make outbound calls.
-
Create a Load Balancer in a Public Subnet: Create an Application Load Balancer (ALB) in a public subnet of your VPC. This load balancer will be the entry point for internet traffic destined for your website.
-
Create a Target Group: Create a target group and register your Fargate service as a target in the target group. Please find the steps to configure your service with Loadbalancer here
-
Configure the Load Balancer Listener: Configure the load balancer listener to forward incoming traffic to the target group containing your Fargate service. More info here
-
Update your DNS Records: Update your DNS records (in Route 53 or your domain registrar) to point your domain name to the DNS name of the load balancer.
With this setup, your Fargate containers will be running in a private subnet without public IP addresses, but your website will still be accessible to the public via your domain name through the load balancer. The load balancer, which has a public IP address, will forward incoming traffic to your Fargate containers in the private subnet.
As for the outbound HTTP calls, your containers will be able to make these calls through the NAT Gateway, which will provide internet access without the need for public IP addresses on the containers themselves.
This setup also provides an additional layer of security by isolating your containers from direct internet access.
Note: As commented by Riku, IPv6 is still not fully supported today by ECS (March 2024).
Hello.
I think there is no problem even if the ECS container does not have public IPv4.
In other words, it is possible to save public IPv4 addresses by placing Fargate containers in private subnets and configuring them to access ECR etc. using NAT Gateway or VPC endpoints.
https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet
Websites hosted on Fargate containers can be accessed via ALB, so there is no problem in placing the containers in private subnets.
However, please note that as of March 2024, IPv6-only settings cannot be used for ALB and ECS.
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html
Relevant content
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Thanks Henrique. I started to follow the steps you suggested. However I see that the NAT Gateway is not free and it is charged at the rate of 0.045 per hour. This is more expensive then the public IPv4 address in my existing solution - which is 0.005 per hour.
My aim is cost reduction. Is there any solution where there are no additional costs?
Hey Shuaybi,
Yes, we have a solution using VPC Endpoint. You can find here the implementation details: https://containersonaws.com/pattern/ecs-cluster-isolated-vpc-no-nat-gateway
And this is the VPC Endpoint pricing page if you wanna take a look: https://aws.amazon.com/privatelink/pricing/
Thanks again Henrique. I forgot to mention - my container also connects to ECR to pull an image and also to S3. Can this be done if the container is in. a private subnet? Also the VPC Endpoint pricing looks more expensive (0.01/hour) than the cost of public IPv4 (0.005/hr).
You're welcome! Yes, the same concept would apply for ECR endpoint as well. The link shared explains about it. S3 would need a VPC Gateway endpoint to make it work with a full private subnet. Just a remind that it is not only about cost. Keep your workload on a private subnet is a security best practice recommendation. Hope this helps you! If so, please mark this answer as Accepted to help others with similar questions. Thanks!
Thanks Henrique. I accepted your answer.