35

I have a Docker container with a service which I want to run through AWS ECS with Fargate. Unfortunately the service I want to run needs to access an SFTP server of a partner where the IP needs to be whitelisted.

My question is now: How is it possible to assign a static IP (IPv4) to a AWS ECS Fargate Task? I've already setup a VPC, the subnets, internet and NAT gateway and assigned them to each other. But the biggest problem I see is that for each execution of the task with Fargate a new ENI with an different IP is assigned.

Would be great to get some help! :)

Florian Nitschmann

4 Answers

6

This worked for me:

  1. Create a subnet for the ECS tasks to run inside
  2. Add a NAT gateway (can be egress only) inside the subnet
  3. Assign an Elastic IP to the NAT gateway
  4. Observe that the external IP of the ECS task is the Elastic IP of the gateway
sdgfsdh
3

We're currently having the same issue. The solution we found is to whitelist the whole subnet's CIDR (e.g. 10.11.12.13/24), and it worked fine, but we still feel it's insecure.

I found a response suggesting using a NAT Gateway to NAT your container's IP address. Here's the link for the use case with Lambda; I still have to test it for Fargate.

  • 1
    The subnets' CIDRs are the private IPs, so not the ones seen from outside by something like an SFTP server, so I don't see how it can work. – sechstein Aug 30 '21 at 13:00
  • I'm assuming that ECS Fargate wants to access the SFTP server through a VPN or Direct Connect; in that case the private IPs work fine. In case OP wants to whitelist a static public output IP, he just needs to whitelist the NAT Gateway IP, which I've done and tested in the past. – Diego T. P. Sep 01 '21 at 02:01
0

You can't add a static IP address or Elastic IP address directly to a Fargate task.

To use a static IP or Elastic IP with Fargate tasks,

  1. Create a Fargate Service with a Network Load Balancer.
  2. Attach the Elastic IP address of the task to the Load Balancer.

Create a network load balancer, and then configure routing for your target group

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Load Balancing, choose Load Balancers.
  3. Choose Create Load Balancer.
  4. On the Select load balancer type page, choose Create for Network Load Balancer.
  5. On the Create Network Load Balancer page, for Load balancer name, enter a name for your load balancer.
  6. For Scheme, select either Internet-facing or internal.
  7. For IP address type, select IPv4.
  8. In the Network mapping section, for VPC, select the Amazon Virtual Private Cloud (Amazon VPC) for your Fargate task.
  9. For Mappings, select at least one Availability Zone and one subnet for each Availability Zone.
  10. In the Listeners and routing section, keep the default listener or add another listener.
  11. For Protocol, select your protocol.
  12. For Port, select your port.
  13. Under Default action, choose Create target group.
  14. On the Specify group details page, for Choose a target type, select IP addresses.
  15. For Target group name, enter a name for your target group.
  16. In the Health checks section, keep the default settings.
  17. Choose Next.
  18. On the Register targets page, choose Create target group.
  19. Navigate to the Create Network Load Balancer page.
  20. In the Listeners and routing section, for Forward to, select the target group that you created.
  21. Choose Create load balancer.

Source: https://repost.aws/knowledge-center/ecs-fargate-static-elastic-ip-address

Umanda
0
  1. Follow the instructions in the "Create the VPC" section except choose only 1 NAT gateway in step 6 instead of "1 per AZ."
  2. Create a new ECS cluster, select the VPC you created, and unselect the public subnets in the Networking section.
  3. Create/run the task, make sure you use your private subnets, and unselect the option to assign a public IP.
grantr
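Both the NAT-gateway answer (private subnet, NAT gateway with an Elastic IP, no public IP on the task) and the last answer describe the same setup. The check below is an added example, not code from any of the answers: it takes VPC objects in the shape boto3's describe_route_tables / describe_nat_gateways return (constructed inline here, no AWS access) plus the task's awsvpcConfiguration, and returns the single Elastic IP that all task traffic will leave from, which is the address to give the partner for whitelisting. It assumes subnets have explicit route-table associations and uses constructed resource IDs.

```python
"""Check that a Fargate task's egress leaves through exactly one Elastic IP."""

# Constructed sample data mimicking describe_route_tables / describe_nat_gateways.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-private-1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"Associations": [{"SubnetId": "subnet-public-1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0abc", "State": "available",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-01", "PublicIp": "203.0.113.10"}]},
]
# awsvpcConfiguration of the ECS task/service (constructed; private subnet, no public IP).
TASK_NETWORK = {"subnets": ["subnet-private-1"], "assignPublicIp": "DISABLED"}


def default_route_for_subnet(subnet_id, route_tables):
    """Return the 0.0.0.0/0 route of the table explicitly associated with subnet_id."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            for route in table["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route
    return None  # no explicit association or no default route (main table not modelled)


def fixed_egress_ip(task_network, route_tables, nat_gateways):
    """Return the Elastic IP all task traffic egresses from, or raise with the reason."""
    if task_network.get("assignPublicIp") != "DISABLED":
        raise ValueError("task would get its own public IP; egress is not fixed")
    egress_ips = set()
    for subnet_id in task_network["subnets"]:
        route = default_route_for_subnet(subnet_id, route_tables)
        if route is None or "NatGatewayId" not in route:
            raise ValueError(f"{subnet_id}: default route does not go via a NAT gateway")
        nat = next((n for n in nat_gateways if n["NatGatewayId"] == route["NatGatewayId"]), None)
        if nat is None or nat["State"] != "available":
            raise ValueError(f"{route['NatGatewayId']}: NAT gateway missing or not available")
        # Only addresses with an AllocationId are Elastic IPs (stable across rebuilds).
        egress_ips.update(a["PublicIp"] for a in nat["NatGatewayAddresses"] if "AllocationId" in a)
    if len(egress_ips) != 1:
        raise ValueError(f"expected exactly one Elastic IP, found {sorted(egress_ips)}")
    return egress_ips.pop()
```

A task placed in the public subnet, or with assignPublicIp ENABLED, is rejected rather than reported, since its traffic would bypass the NAT gateway and leave from a per-ENI address.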