How can I remove the public IPv4 address from my ECS/Fargate container but still have it publicly available on the internet?


I run a website on AWS that is accessible to the general public on the internet. I have my own domain that I registered using Route 53.

My webapp is deployed in ECS fargate container (using my docker image from ECR). I created an ALB that points to it. I also have an RDS that my web app uses to store data. My web app also needs to make outbound HTTP calls to other services.

I don't run any EC2 instances directly. I just use ECS/Fargate to run my container.

I created all this prior to Feb 2024. AWS automatically created a public IPv4 address for the task (web app) that runs in the Fargate container. I am able to navigate to my website by typing the public IP address in the browser.

However, I don't want to incur the cost of 0.005 per hour for this public IPv4 address.

Does my Fargate container need to have a public IP address? Is there any way to remove the public IP address from the Fargate container but still have my website be publicly available through my domain name?

Do I have to migrate to IPv6 to achieve this? And does it have to be a public IPv6 address? I still want my web app to make outbound HTTP calls.

Please guide me step by step on how (if possible) I can get rid of this billing component (public IPv4) and still have my website be publicly available from the internet using my domain.

Thank you!

2 Answers
Accepted Answer

Hello Shuaybi,

Yes, it is possible to remove the public IP address from your Fargate container and still have your website publicly accessible through your domain name. Here's how you can achieve this:

  1. Create a Private Subnet: If you haven't already, create a private subnet within your VPC. This subnet should not have a direct route to the internet (no IGW route in its route table).

  2. Create a NAT Gateway: Create a NAT Gateway in a public subnet of your VPC. The NAT Gateway will allow your Fargate containers running in the private subnet to make outbound calls to other services.

  3. Update Routing Tables: Update the routing tables associated with your private subnet to route internet-bound traffic through the NAT Gateway. This will allow your containers to make outbound calls.

  4. Create a Load Balancer in a Public Subnet: Create an Application Load Balancer (ALB) in a public subnet of your VPC. This load balancer will be the entry point for internet traffic destined for your website.

  5. Create a Target Group: Create a target group and register your Fargate service as a target in the target group. Please find the steps to configure your service with a load balancer here.

  6. Configure the Load Balancer Listener: Configure the load balancer listener to forward incoming traffic to the target group containing your Fargate service. More info here.

  7. Update your DNS Records: Update your DNS records (in Route 53 or your domain registrar) to point your domain name to the DNS name of the load balancer.

With this setup, your Fargate containers will be running in a private subnet without public IP addresses, but your website will still be accessible to the public via your domain name through the load balancer. The load balancer, which has a public IP address, will forward incoming traffic to your Fargate containers in the private subnet.

As for the outbound HTTP calls, your containers will be able to make these calls through the NAT Gateway, which will provide internet access without the need for public IP addresses on the containers themselves.

This setup also provides an additional layer of security by isolating your containers from direct internet access.

Note: As commented by Riku, IPv6 is still not fully supported today by ECS (March 2024).

answered 2 months ago (AWS)
reviewed a month ago (EXPERT)
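The seven steps above describe an end state: the service's tasks get no public IPv4, their subnets have no internet-gateway route, and outbound traffic leaves via a NAT Gateway. The following script is an added example (not part of the answer or of any AWS tool) that audits that end state offline. It takes data shaped like the output of `aws ecs describe-services` (the `networkConfiguration` block) and `aws ec2 describe-route-tables`; the route tables, subnet IDs and service configurations below are constructed sample values. It also handles the case that trips people up: a subnet with no explicit route-table association silently uses the VPC's main route table, which is often the public one.

```python
"""Audit where an ECS/Fargate service's tasks land on the network.

Added example; input shapes mimic `aws ecs describe-services` and
`aws ec2 describe-route-tables`. All IDs and data below are constructed.
"""

# Constructed: rtb-public is the VPC main table and routes 0.0.0.0/0 to an
# internet gateway; rtb-private routes 0.0.0.0/0 to a NAT gateway.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
]

# Constructed: the service's awsvpc configuration before and after the change.
SERVICE_BEFORE = {"awsvpcConfiguration": {"subnets": ["subnet-pub-a"],
                                          "assignPublicIp": "ENABLED"}}
SERVICE_AFTER = {"awsvpcConfiguration": {"subnets": ["subnet-priv-a"],
                                         "assignPublicIp": "DISABLED"}}


def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise ValueError(f"no route table found for {subnet_id}")


def classify_subnet(subnet_id, route_tables):
    """'public' (IGW route), 'private-nat' (default route via NAT) or 'isolated'."""
    routes = route_table_for(subnet_id, route_tables)["Routes"]
    has_igw = any(r.get("GatewayId", "").startswith("igw-") for r in routes)
    has_nat = any(r.get("NatGatewayId") and r.get("DestinationCidrBlock") == "0.0.0.0/0"
                  for r in routes)
    if has_igw:
        return "public"
    if has_nat:
        return "private-nat"
    return "isolated"


def audit_service(network_configuration, route_tables):
    """Return a list of findings; an empty list means the setup matches the answer."""
    cfg = network_configuration["awsvpcConfiguration"]
    findings = []
    if cfg.get("assignPublicIp", "DISABLED") == "ENABLED":
        findings.append("assignPublicIp is ENABLED: every task gets a billable public IPv4")
    for subnet in cfg["subnets"]:
        kind = classify_subnet(subnet, route_tables)
        if kind == "public":
            findings.append(f"{subnet} routes 0.0.0.0/0 to an internet gateway (public subnet)")
        elif kind == "isolated":
            findings.append(f"{subnet} has no NAT route: outbound calls need VPC endpoints")
    return findings


if __name__ == "__main__":
    for label, svc in (("before", SERVICE_BEFORE), ("after", SERVICE_AFTER)):
        print(label, audit_service(svc, ROUTE_TABLES) or ["ok"])
```

Feed it your real `describe-services` and `describe-route-tables` JSON and an empty findings list confirms the tasks sit behind the ALB with NAT egress only; an "isolated" finding is not an error if you are deliberately going the NAT-less route with VPC endpoints.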
  • Thanks Henrique. I started to follow the steps you suggested. However, I see that the NAT Gateway is not free and it is charged at the rate of 0.045 per hour. This is more expensive than the public IPv4 address in my existing solution, which is 0.005 per hour.

    My aim is cost reduction. Is there any solution where there are no additional costs?

  • Hey Shuaybi,

    Yes, we have a solution using VPC Endpoint. You can find here the implementation details: https://containersonaws.com/pattern/ecs-cluster-isolated-vpc-no-nat-gateway

    And this is the VPC Endpoint pricing page if you wanna take a look: https://aws.amazon.com/privatelink/pricing/

  • Thanks again Henrique. I forgot to mention: my container also connects to ECR to pull an image and also to S3. Can this be done if the container is in a private subnet? Also the VPC Endpoint pricing looks more expensive (0.01/hour) than the cost of public IPv4 (0.005/hr).

  • You're welcome! Yes, the same concept would apply for the ECR endpoint as well. The link shared explains it. S3 would need a VPC Gateway endpoint to make it work with a fully private subnet. Just a reminder that it is not only about cost. Keeping your workload in a private subnet is a security best practice recommendation. Hope this helps you! If so, please mark this answer as Accepted to help others with similar questions. Thanks!

  • Thanks Henrique. I accepted your answer.


Hello.

I think there is no problem even if the ECS container does not have public IPv4.
In other words, it is possible to save public IPv4 addresses by placing Fargate containers in private subnets and configuring them to access ECR etc. using NAT Gateway or VPC endpoints.
https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet

Websites hosted on Fargate containers can be accessed via ALB, so there is no problem in placing the containers in private subnets.

However, please note that as of March 2024, IPv6-only settings cannot be used for ALB and ECS.
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html

answered 2 months ago (EXPERT)
reviewed 2 months ago (EXPERT)
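Both the comment thread on the accepted answer and this answer point at the NAT-less alternative: tasks in a private subnet that reach ECR, S3 and other AWS services only through VPC endpoints. The usual failure there is a pull that worked with NAT and now times out because one endpoint is missing, its private DNS is off, or the S3 gateway endpoint is not attached to the private subnet's route table. The script below is an added example (not part of either answer or of the linked pattern) that checks for those gaps offline. It takes a list shaped like `aws ec2 describe-vpc-endpoints` output; the region, route-table ID and existing endpoints are constructed sample values, and the set of endpoints it demands (ECR API, ECR Docker registry, S3 gateway, CloudWatch Logs if you use the awslogs driver, Secrets Manager if the task definition references secrets) is the one a Fargate image pull needs.

```python
"""Report which VPC endpoints a NAT-less Fargate subnet is still missing.

Added example; input shape mimics `aws ec2 describe-vpc-endpoints`.
REGION, PRIVATE_RTB and EXISTING_ENDPOINTS are constructed sample values.
"""

REGION = "us-east-1"         # assumption for the sample data
PRIVATE_RTB = "rtb-private"  # the private subnet's route table (constructed)

# Constructed: ecr.dkr exists but has private DNS switched off, the S3
# gateway endpoint is attached to the right table, and logs is absent.
EXISTING_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ecr.api", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": True, "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": False, "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "RouteTableIds": ["rtb-private"], "State": "available"},
]


def required_endpoints(region, cloudwatch_logs=True, secrets=False):
    """Service name -> endpoint type a Fargate task needs to pull and run from ECR."""
    req = {
        f"com.amazonaws.{region}.ecr.api": "Interface",  # registry API calls
        f"com.amazonaws.{region}.ecr.dkr": "Interface",  # docker pull endpoint
        f"com.amazonaws.{region}.s3": "Gateway",         # image layers come from S3
    }
    if cloudwatch_logs:
        req[f"com.amazonaws.{region}.logs"] = "Interface"
    if secrets:
        req[f"com.amazonaws.{region}.secretsmanager"] = "Interface"
    return req


def endpoint_gaps(existing, region, private_rtb, **needs):
    """Return human-readable gaps; empty list means the subnet can pull without NAT."""
    available = {e["ServiceName"]: e for e in existing if e.get("State") == "available"}
    gaps = []
    for name, etype in required_endpoints(region, **needs).items():
        ep = available.get(name)
        if ep is None:
            gaps.append(f"missing {etype} endpoint {name}")
        elif ep["VpcEndpointType"] != etype:
            gaps.append(f"{name} is {ep['VpcEndpointType']}, expected {etype}")
        elif etype == "Interface" and not ep.get("PrivateDnsEnabled"):
            # Without private DNS the task resolves the public hostname,
            # which is unreachable from a subnet with no NAT route.
            gaps.append(f"{name}: private DNS disabled")
        elif etype == "Gateway" and private_rtb not in ep.get("RouteTableIds", []):
            gaps.append(f"{name}: gateway endpoint not attached to {private_rtb}")
    return gaps


if __name__ == "__main__":
    for gap in endpoint_gaps(EXISTING_ENDPOINTS, REGION, PRIVATE_RTB) or ["no gaps"]:
        print(gap)
```

Run it against your own `describe-vpc-endpoints` output before flipping the service to the isolated subnet; fixing what it lists is cheaper than debugging a stuck deployment, and the same check doubles as a reminder that every interface endpoint you add is a separate billable resource, so compare the list against the NAT and public-IPv4 figures quoted in the comments above.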
