
Static outbound IP for AWS ECS Fargate task

I have a Docker container with a service which I want to run through AWS ECS with Fargate. Unfortunately the service I want to run needs to access an SFTP server of a partner where the IP needs to be whitelisted.

My question is now: how is it possible to assign a static IP (IPv4) to an AWS ECS Fargate task? I've already set up a VPC, the subnets, internet and NAT gateway and assigned them to each other. But the biggest problem I see is that for each execution of the task with Fargate a new ENI with a different IP is assigned.

Would be great to get some help! :)

There is an interesting GitHub repo which explains the use case plus how to achieve a static IP for a Fargate service.

Why?

A third party may want to whitelist your application's IP. Most of the steps are covered in using-static-ip-addresses-for-application-load-balancers

Create Fargate cluster

Using the wizard create the cluster.

Along with the cluster it will create a VPC and Security group. Find them and give them useful names.

In your security group for VPC set your inbound for HTTP and HTTPS.

Elastic IPs

Find it under EC2 > elastic IPs

Allocate two static IPs. One for each availability group.

Network Load Balancer

Find it under EC2 > Load Balancers

Create NLB. Under availability zones assign it the VPC and elastic IPs you created earlier.

Create a new target group with target type IP and protocol TCP.

Leave IP blank. Next.

Application Load Balancer

Add existing security group from the VPC.

Create a new target group. Type IP. Protocol TCP.

Leave IP blank. Next.

Fargate service

Create a new service in your cluster.

Choose application load balancer you created.

Choose existing ALB target group.

The architecture diagram will look more or less like this: [architecture diagram image]
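The procedure above, as an added Terraform example (not code from the answer or from the linked repo): two Elastic IPs pinned to the Network Load Balancer's subnet mappings, a TCP target group of type IP, and a Fargate service registered in it. It omits the ALB hop from the answer and registers the tasks directly in the NLB target group. Assumed, and not part of the original: an existing VPC with two public subnets, an ECS cluster, a task definition whose container `app` listens on 8080, the VPC CIDR variable, and AWS provider 5.x (`domain = "vpc"` on `aws_eip`). One caveat a practitioner should keep in mind: this pins the address that clients connect *to*. Connections the tasks open themselves still leave with whatever address the task ENI got, so for the SFTP-client case in the question it has to be combined with a NAT gateway on the tasks' egress path.

```hcl
# Added example: static *inbound* address for a Fargate service via NLB + EIPs.
# Assumed inputs (not from the original answer):
variable "vpc_id" {}
variable "vpc_cidr" {}                                     # e.g. "10.0.0.0/16"
variable "public_subnet_ids" { type = list(string) }       # one subnet per AZ
variable "cluster_arn" {}
variable "task_definition_arn" {}

# One Elastic IP per availability zone. These are the addresses a partner
# whitelists for traffic *to* the service; they survive task restarts.
resource "aws_eip" "nlb" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

resource "aws_lb" "nlb" {
  name               = "fargate-static-nlb"
  load_balancer_type = "network"

  # Pin each AZ's load-balancer node to a fixed EIP instead of an
  # AWS-chosen address (this is the only place the EIPs are consumed).
  dynamic "subnet_mapping" {
    for_each = { for i, s in var.public_subnet_ids : i => s }
    content {
      subnet_id     = subnet_mapping.value
      allocation_id = aws_eip.nlb[subnet_mapping.key].id
    }
  }
}

# Fargate tasks use awsvpc networking, so the target type must be "ip":
# ECS registers each task ENI's address, there is no instance ID.
resource "aws_lb_target_group" "app" {
  name        = "fargate-app-tcp"
  port        = 8080
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

resource "aws_lb_listener" "app" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Task security group: only the container port, only from inside the VPC
# (the NLB nodes live there). If client IP preservation is in effect on the
# target group, the task sees the client's own address instead and this
# source range must be widened to the partner's range.
resource "aws_security_group" "task" {
  name   = "fargate-app-task"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = var.cluster_arn
  task_definition = var.task_definition_arn
  launch_type     = "FARGATE"
  desired_count   = 2
  network_configuration {
    subnets          = var.public_subnet_ids
    security_groups  = [aws_security_group.task.id]
    assign_public_ip = true   # needed for image pulls without NAT/VPC endpoints
  }
  load_balancer {
    target_group_arn = aws_lb_target_group.app.arn
    container_name   = "app"
    container_port   = 8080
  }
}

# Hand these two addresses to the partner.
output "static_inbound_ips" { value = aws_eip.nlb[*].public_ip }
```

After `terraform apply`, `terraform output static_inbound_ips` lists the two fixed addresses, and the NLB's DNS name resolves to exactly those. Keep the EIP resources out of any module you destroy and recreate routinely: releasing an EIP returns it to the pool and the partner's whitelist entry becomes worthless.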

We're currently having the same issue; the solution we found is to whitelist the whole subnet's CIDR (e.g. 10.11.12.13/24) and it worked fine, but still we feel it's insecure.

I found a response suggesting using a NAT Gateway to NAT your container's IP address. Here's the link for the use case with Lambda; I still have to test it for Fargate.

This worked for me:

  1. Create a subnet for the ECS tasks to run inside
  2. Add a NAT gateway (can be egress only) inside the subnet
  3. Assign an Elastic IP to the NAT gateway
  4. Observe that the external IP of the ECS task is the Elastic IP of the gateway
