15

I'm having a hard time adding instances that are created in my VPC on a private subnet (no internet gateway attached to it) to an ECS cluster.

Right now the only way I've managed to do this was by adding a public IP and have a NAT instance/gateway configured.

How do you use ECS clusters with private subnets?

Ionut

7 Answers

15

I guess I've found the answer on the AWS documentation and it seems I need to use a NAT instance/Gateway :(

Another source and also the official documentation:

"...Container instances need external network access to communicate with the Amazon ECS service endpoint, so if your container instances are running in a private VPC, they need a network address translation (NAT) instance to provide this access. For more information, see NAT Instances in the Amazon VPC User Guide."

Ionut
    I had the exact same problem and I completely disregarded the fact that it could be the public IP, because in the [AWS docs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html) it states, in `step 8` that it is optional to add a public IP.... but then makes no suggestion about the repercussions this has.... :sigh: Thanks for your help here guys. – gsaslis Sep 07 '16 at 09:27
    UPDATE: after raising the issue with Amazon, they were very quick to respond and update `step 8` of their [docs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html) to reflect this: `Note:Container instances need external network access to communicate with the Amazon ECS service endpoint, so if your container instances do not have public IP addresses, then they must use network address translation (NAT) or an HTTP proxy to provide this access. For more information, see NAT Instances in the Amazon VPC User Guide and HTTP Proxy Configuration in this guide` – gsaslis Oct 24 '16 at 14:30
9

PrivateLink is now available, for both ECS & ECR.

With PrivateLink you can register and operate your EC2 instances and Fargate tasks in an ECS cluster without a public IP, and you can also pull images from ECR.

Endpoints required:

For ECS:

EC2 Launch type:

com.amazonaws.region.ecs-agent
com.amazonaws.region.ecs-telemetry
com.amazonaws.region.ecs

Fargate Launch Type:

Just needs ECR & cloudwatch endpoints (mentioned below)

For ECR:

EC2 Launch type:

com.amazonaws.region.ecr.dkr
com.amazonaws.region.ecr.api
com.amazonaws.region.s3 (S3 gateway endpoint)

Fargate Launch Type:

com.amazonaws.region.ecr.dkr
com.amazonaws.region.s3 (S3 gateway endpoint)

Additionally, if you use the awslogs driver, you have to add the CloudWatch Logs endpoint as well: com.amazonaws.region.logs.

Mangal
  • Update from 2023: Amazon ECS tasks hosted on Fargate using Linux platform version 1.4.0 or later require both the com.amazonaws.region.ecr.dkr and com.amazonaws.region.ecr.api Amazon ECR VPC – Pavlo Kolesnykov Jan 05 '23 at 09:12
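As an added example (not code from the answer above, its commenter, or AWS), the following Python script computes the endpoint set the answer lists for a given region and launch type, adds the CloudWatch Logs endpoint when the awslogs driver is in use and the ecr.api endpoint that the 2023 comment says Fargate platform 1.4.0+ needs, and emits a CloudFormation template that creates them. The VPC, subnet, security-group and route-table ids are placeholders; the security group passed in must allow inbound TCP 443 from the container instances or tasks, which is assumed here rather than created.

```python
"""Compute the VPC endpoints a private-subnet ECS cluster needs and emit a
CloudFormation template that creates them.

Added example for this page; not AWS code.  Service-name patterns are the
ones listed in the answer; all resource ids below are placeholders."""
import json


def required_endpoints(region, launch_type, awslogs=False, fargate_pv_1_4=True):
    """Return {service_name: endpoint_type} for the given launch type.

    launch_type:    "EC2" or "FARGATE"
    awslogs:        True if tasks use the awslogs log driver (CloudWatch Logs)
    fargate_pv_1_4: Fargate Linux platform version >= 1.4.0 also needs ecr.api
    """
    if launch_type not in ("EC2", "FARGATE"):
        raise ValueError("launch_type must be EC2 or FARGATE")
    names = []
    if launch_type == "EC2":
        # agent registration, telemetry, control plane, and both ECR endpoints
        names += ["ecs-agent", "ecs-telemetry", "ecs", "ecr.dkr", "ecr.api"]
    else:
        names.append("ecr.dkr")
        if fargate_pv_1_4:
            names.append("ecr.api")
    if awslogs:
        names.append("logs")
    endpoints = {f"com.amazonaws.{region}.{n}": "Interface" for n in names}
    # ECR image layers live in S3; that one is a gateway endpoint on a route table
    endpoints[f"com.amazonaws.{region}.s3"] = "Gateway"
    return endpoints


def _logical_id(service_name, region):
    """'com.amazonaws.us-east-1.ecs-agent' -> 'EcsAgentEndpoint' (CFN ids are alnum)."""
    suffix = service_name[len(f"com.amazonaws.{region}."):]
    parts = suffix.replace("-", ".").split(".")
    return "".join(p.capitalize() for p in parts) + "Endpoint"


def endpoint_template(region, launch_type, vpc_id, subnet_ids, sg_id,
                      route_table_ids, awslogs=False, fargate_pv_1_4=True):
    """Build a CloudFormation template (as a dict) with one AWS::EC2::VPCEndpoint
    resource per required endpoint.  Interface endpoints get PrivateDnsEnabled so
    the ECS agent's default hostnames resolve to the endpoint ENIs."""
    resources = {}
    needed = required_endpoints(region, launch_type, awslogs, fargate_pv_1_4)
    for service, kind in needed.items():
        props = {"VpcId": vpc_id, "ServiceName": service, "VpcEndpointType": kind}
        if kind == "Interface":
            props.update({
                "SubnetIds": list(subnet_ids),        # the private subnets
                "SecurityGroupIds": [sg_id],          # must allow 443 from instances
                "PrivateDnsEnabled": True,
            })
        else:
            props["RouteTableIds"] = list(route_table_ids)  # private subnet route tables
        resources[_logical_id(service, region)] = {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": props,
        }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"VPC endpoints for a private-subnet ECS cluster ({launch_type})",
        "Resources": resources,
    }


if __name__ == "__main__":
    # Placeholder ids; replace with your own before deploying.
    template = endpoint_template(
        region="us-east-1", launch_type="EC2", vpc_id="vpc-PLACEHOLDER",
        subnet_ids=["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
        sg_id="sg-PLACEHOLDER", route_table_ids=["rtb-PLACEHOLDER"], awslogs=True)
    print(json.dumps(template, indent=2))
```

Deploy the printed JSON with `aws cloudformation deploy --template-file endpoints.json --stack-name ecs-endpoints` (assumed invocation). Because `PrivateDnsEnabled` is set, nothing on the container instances needs to change: the agent keeps using the regional ECS hostnames, which now resolve to private addresses inside the VPC, so the same instances that failed to register without a NAT will register once the stack is up.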
1

For registering your instance on ECS, you need external connectivity from the instances.

NAT is needed for outgoing connections from the instances on a private subnet, but a public IP is not needed.

ECS launches a container on each of your servers which needs to connect to a service for managing state, and for this your instances on your private subnet need connectivity to the outside world through NAT.

Shibashis
1

A VPC endpoint for ECS is now available. It's not officially announced, yet (in state "Coming soon" on AWS' public container roadmap).

It will cost a minimum of around $22/month (PrivateLink costs for 3 availability zones in us-east, without traffic costs), if they don't state otherwise.

Dominik
1

Symptom

I created an Amazon Elastic Container Service (Amazon ECS) cluster in a private subnet through the Amazon ECS console using the cluster creation wizard. However, my container instances aren't registered to the ECS cluster. How can I resolve this issue?

An unusual behavior I got to see while launching an ECS cluster in a private subnet through the ECS console: the instance launched in this cluster still had a public IP instead of residing in the private subnet.


Cause

If you created a cluster with the Amazon ECS console using the cluster creation wizard in a private subnet, your container instances are launched with a public IP address. As a result, the container instances can't register to the ECS cluster, because they can't communicate with the ECS endpoint.

When an ECS cluster is launched it creates a CloudFormation stack to create an AutoScaling Group and an AutoScaling LaunchConfiguration, which by default has the following property set: associatePublicIpAddress. This forces your instance to have a public IP associated on launch.

To reconfigure the environment to launch container instances without a public IP address, complete the following steps.


Solutions

There are two ways of doing this —

1. Create an empty cluster using the ECS console and then manually create an Auto Scaling Group and Launch Configuration to attach to the empty cluster. But it may seem a lengthy approach to some people (like me!) for the cluster creation. No worries, there is a simpler way of doing the same with the use of a few commands. Here's the second alternative:

2. Use the ecs-cli to create the cluster, which provides a --no-associate-public-ip-address option with the ecs-cli up command. If you haven't used the ecs-cli before then you can get started in three simple steps:

1. Open the AWS CloudFormation console.
2. In the Stack Name column, select the stack that includes the cluster that you previously created.
3. Choose the Template tab.
4. Copy the template, and then paste it into a code editor.
5. In the AWS::AutoScaling::LaunchConfiguration section of the template, change the AssociatePublicIpAddress property to false.

...
6. On the Configure Instance Details page, complete the following steps:
...
e. Set the Auto-assign Public IP field depending on whether you want your instance to be accessible from the public internet. If your instance should be accessible from the internet, verify that the Auto-assign Public IP field is set to Enable. If not, set this field to Disable.

VPC Endpoints

Do not forget to create VPC endpoints for ECR, S3, ECS, and CloudWatch for the ECS task awslogs log driver (if you use it).

Avoid NAT if possible

NAT can cost you a lot just by having it, even without using it, as AWS charges you per hour plus per GB of usage. If you have one in each AZ for high availability, it costs multiple times that.

mon
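Step 5 of the solution above (flip AssociatePublicIpAddress to false in the copied template), as an added example that is not the answer's own code or AWS code: a Python script that scans a CloudFormation template for launch configurations that force a public IP and returns a corrected copy. The sample template embedded below is constructed to resemble what the console wizard generates (its AMI id is a placeholder). It goes slightly beyond the answer by also checking the NetworkInterfaces of an AWS::EC2::LaunchTemplate, which is what newer ECS capacity providers use.

```python
"""Find and fix 'AssociatePublicIpAddress: true' in a CloudFormation template.

Added example for this page; not the answer's or AWS code.  The template
below is a constructed sample modelled on the console wizard's stack."""
import copy
import json

# Constructed sample: a wizard-style stack with a launch configuration that
# forces a public IP (boolean) and a launch template that does so as a string.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "EcsInstanceLc": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": "ami-PLACEHOLDER",
        "InstanceType": "t3.small",
        "IamInstanceProfile": "ecsInstanceRole",
        "AssociatePublicIpAddress": true
      }
    },
    "EcsInstanceLt": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateData": {
          "ImageId": "ami-PLACEHOLDER",
          "NetworkInterfaces": [
            {"DeviceIndex": 0, "AssociatePublicIpAddress": "true"}
          ]
        }
      }
    },
    "EcsInstanceAsg": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {"MinSize": "1", "MaxSize": "2"}
    }
  }
}
""")

LAUNCH_CONFIG = "AWS::AutoScaling::LaunchConfiguration"
LAUNCH_TEMPLATE = "AWS::EC2::LaunchTemplate"


def _is_true(value):
    """CloudFormation accepts both JSON booleans and the strings 'true'/'false'."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def public_ip_resources(template):
    """Return logical ids of resources that would give instances a public IP."""
    hits = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == LAUNCH_CONFIG:
            if _is_true(props.get("AssociatePublicIpAddress")):
                hits.append(name)
        elif resource.get("Type") == LAUNCH_TEMPLATE:
            interfaces = props.get("LaunchTemplateData", {}).get("NetworkInterfaces", [])
            if any(_is_true(ni.get("AssociatePublicIpAddress")) for ni in interfaces):
                hits.append(name)
    return hits


def disable_public_ip(template):
    """Return a deep copy of the template with every offending flag set to false.

    The original is left untouched so the before/after can be diffed."""
    fixed = copy.deepcopy(template)
    for name in public_ip_resources(fixed):
        resource = fixed["Resources"][name]
        if resource["Type"] == LAUNCH_CONFIG:
            resource["Properties"]["AssociatePublicIpAddress"] = False
        else:
            for ni in resource["Properties"]["LaunchTemplateData"]["NetworkInterfaces"]:
                if "AssociatePublicIpAddress" in ni:
                    ni["AssociatePublicIpAddress"] = False
    return fixed


if __name__ == "__main__":
    print("forcing a public IP:", public_ip_resources(SAMPLE_TEMPLATE))
    print(json.dumps(disable_public_ip(SAMPLE_TEMPLATE), indent=2))
```

Run it against the template copied from the stack's Template tab (replace `SAMPLE_TEMPLATE` with `json.load(open("stack.json"))`) and update the stack with the printed output. Setting the flag to false only removes the public address; the instances still need a NAT or the VPC endpoints described in the other answers to reach the ECS endpoint, otherwise they will stop registering for a different reason.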
0

This question is hard to answer. ECS just literally launches EC2 instances to your configuration. If you launch them in a subnet with no public IPs they won't have them. You have to have infrastructure in place to reach them such as NAT, VPN, etc. There's no special configuration for ECS clusters. If you can reach your EC2 instances you should be able to reach the ECS instances.

Marc Young
  • Hi, I am able to reach ec2 instances (even if they are on a private subnet since I'm using direct connect) but the problem is that without a public IP instance does not get registered in the ECS cluster... – Ionut Jul 28 '16 at 08:19
  • That's not right, your configuration is wrong. We use private ECS instances. ECS does not care about if your instance are public or private as long as the ecs agent running on docker in the VM can hit the ECS registry – Marc Young Jul 28 '16 at 12:16
  • @MarcYoung If you launch them in a subnet with no public IPs they won't have them. -this statement is not exactly correct - if you launch instance while creating your cluster it will get public IP address regardless of subnet settings. – fg78nc Aug 29 '19 at 21:57
0

I was also trying to block public requests to the ECS instances by deploying the cluster into a private subnet, and later found out I need a NAT server/gateway, which costs about 1 dollar a day.

If you just want to block the dodgy sniffing requests to your ECS instances, you can update the security group for your ECS instances while keeping them in a public subnet. That will save you $30/day.

David Lin