Register EC2 instance to ECS cluster without public ip

礼貌的吻别 2021-02-14 02:30

I'm having a hard time adding instances that are created in my VPC and on a private subnet (no internet gateway attached to it) to an ECS cluster.

Right now the only way I

7 answers
  • 2021-02-14 02:59

    PrivateLink is now available for both ECS & ECR.

    With PrivateLink you can register and operate your EC2 instances and Fargate tasks in an ECS cluster without a public IP, and can also access images from ECR.

    Endpoint Required:

    For ECS:

    EC2 Launch type:

    com.amazonaws.region.ecs-agent
    com.amazonaws.region.ecs-telemetry
    com.amazonaws.region.ecs
    

    Fargate Launch Type:

    Just needs ECR & cloudwatch endpoints (mentioned below)

    For ECR:

    EC2 Launch type:

    com.amazonaws.region.ecr.dkr
    com.amazonaws.region.ecr.api
    com.amazonaws.region.s3 (S3 gateway endpoint)
    

    Fargate Launch Type:

    com.amazonaws.region.ecr.dkr 
    com.amazonaws.region.s3 (S3 gateway endpoint)
    

    Additionally, if you use the awslogs driver, you have to add the CloudWatch Logs endpoint as well: com.amazonaws.region.logs.

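    As an added example (not part of this answer or of any AWS tooling), the script below creates the endpoints listed above with the AWS CLI and then lists their state; the VPC, subnet, security-group and route-table IDs are placeholders you must supply, and the Fargate list includes ecr.api, which newer Fargate platform versions need in addition to the ecr.dkr entry above.

```shell
#!/bin/sh
# Added example, not part of the original answer: creates the PrivateLink
# endpoints the answer lists so ECS container instances in a subnet with no
# internet gateway or NAT can reach ECS, ECR, S3 and CloudWatch Logs.
# All IDs below are placeholders (assumptions); set them via the environment.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER-a subnet-PLACEHOLDER-b}"  # one per AZ
SG_ID="${SG_ID:-sg-PLACEHOLDER}"   # must allow inbound TCP 443 from the instances
RT_ID="${RT_ID:-rtb-PLACEHOLDER}"  # route table of the private subnets (S3 gateway)

# Print the interface-endpoint service names for a launch type ("ec2" or
# "fargate"); pass "awslogs" as the second argument when tasks use that driver.
interface_services() {
  launch_type="$1"; logs="${2:-}"
  if [ "$launch_type" = "ec2" ]; then
    names="ecs-agent ecs-telemetry ecs ecr.dkr ecr.api"
  else
    # The answer lists only ecr.dkr for Fargate; platform version 1.4.0+
    # also pulls through ecr.api, so it is included here.
    names="ecr.dkr ecr.api"
  fi
  if [ "$logs" = "awslogs" ]; then names="$names logs"; fi
  for s in $names; do printf 'com.amazonaws.%s.%s\n' "$REGION" "$s"; done
}

# Create one interface endpoint per service (private DNS on, so the agent's
# default service hostnames resolve to the VPC ENIs) plus the S3 gateway endpoint.
create_endpoints() {
  interface_services "$1" "${2:-}" | while read -r name; do
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$name" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID" \
      --private-dns-enabled
  done
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Gateway --service-name "com.amazonaws.$REGION.s3" \
    --route-table-ids "$RT_ID"
}

# Check: every endpoint should be in state "available" before instances boot.
list_endpoints() {
  aws ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=vpc-id,Values=$VPC_ID" \
    --query 'VpcEndpoints[].[ServiceName,State]' --output table
}

# Usage: create_endpoints ec2 awslogs && list_endpoints
```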
  • 2021-02-14 02:59

    A VPC endpoint for ECS is now available. It's not officially announced, yet (in state "Coming soon" on AWS' public container roadmap).

    It will cost a minimum of around $22/month (PrivateLink costs for 3 availability zones in us-east, without traffic costs), if they don't state it otherwise.

  • 2021-02-14 03:01

    This question is hard to answer. ECS just literally launches EC2 instances according to your configuration. If you launch them in a subnet with no public IPs, they won't have them. You have to have infrastructure in place to reach them, such as NAT, VPN, etc. There's no special configuration for ECS clusters. If you can reach your EC2 instances, you should be able to reach the ECS instances.

  • 2021-02-14 03:04

    I was also trying to block public requests to the ECS instances by deploying the cluster into a private subnet, and later found out I need a NAT server/gateway, which costs about 1 dollar a day.

    If you just want to block the dodgy sniffing requests to your ECS instances, you can update the security group for your ECS instances while keeping them in a public subnet. That will save you $30/day.

  • 2021-02-14 03:15

    For registering your instance on ECS, you need external connectivity from the instances.

    NAT is needed for outgoing connections from the instances on a private subnet, but a public IP is not needed.

    ECS launches a container in each of your servers which needs to connect to a service for managing state, and for this your instances on your private subnet need connectivity to outer world through NAT.

  • 2021-02-14 03:16

    Symptom

    • How can I get my Amazon ECS container instance to register with my cluster in a private subnet?

    I created an Amazon Elastic Container Service (Amazon ECS) cluster in a private subnet through the Amazon ECS console using the cluster creation wizard. However, my container instances aren't registered to the ECS cluster. How can I resolve this issue?

    • Launch Amazon ECS Cluster in a private subnet with extra care!

    An unusual behavior I got to see while launching an ECS cluster in a private subnet through the ECS Console: the instance launched in this cluster still had a public IP instead of residing in the private subnet.


    Cause

    • How can I get my Amazon ECS container instance to register with my cluster in a private subnet?

    If you created a cluster with the Amazon ECS console using the cluster creation wizard in a private subnet, your container instances are launched with a public IP address. As a result, the container instances can't register to the ECS cluster, because they can't communicate with the ECS endpoint.

    • Launch Amazon ECS Cluster in a private subnet with extra care!

    When an ECS cluster is launched, it creates a CloudFormation stack that creates an Auto Scaling group and an Auto Scaling launch configuration, which by default has the following property set: associatePublicIpAddress. This forces your instance to have a public IP associated on launch.

    To reconfigure the environment to launch container instances without a public IP address, complete the following steps.


    Solutions

    • Launch Amazon ECS Cluster in a private subnet with extra care!

    There are two ways of doing this:

    1. Create an empty cluster using the ECS Console and then manually create an Auto Scaling group and launch configuration to attach to the empty cluster. But it may seem a lengthy approach to some people (like me!) for the cluster creation. No worries, there is a simpler way of doing the same with the use of a few commands. Here's the second alternative:

    2. Use the ecs-cli to create the cluster, which provides a --no-associate-public-ip-address option with the ecs-cli up command. If you haven't used the ecs-cli before, then you can get started in three simple steps:

    • How can I get my Amazon ECS container instance to register with my cluster in a private subnet?
    1. Open the AWS CloudFormation console.
    2. In the Stack Name column, select the stack that includes the cluster that you previously created.
    3. Choose the Template tab.
    4. Copy the template, and then paste it into a code editor.
    5. In the AWS::AutoScaling::LaunchConfiguration section of the template, change the AssociatePublicIpAddress property to false.
    
    • Launching an Amazon ECS Container Instance

    ...
    6. On the Configure Instance Details page, complete the following steps:
    ...
    e. Set the Auto-assign Public IP field depending on whether you want your instance to be accessible from the public internet. If your instance should be accessible from the internet, verify that the Auto-assign Public IP field is set to Enable. If not, set this field to Disable.

    VPC Endpoints

    Do not forget to create VPC endpoints to ECR, S3, ECS, and Cloudwatch for ECS task awslogs log-driver (if you use it).

    • Setting up AWS PrivateLink for Amazon ECS, and Amazon ECR
    • Amazon ECR Interface VPC Endpoints (AWS PrivateLink)
    • Amazon ECS Interface VPC Endpoints (AWS PrivateLink)

    Avoid NAT if possible

    NAT can cost you a lot just having them without using it as AWS charges you per hour plus per GB usage. If having one in each AZ for high-availability, it costs multiple times.
