
ECS Fargate service discovery


I am using AWS ECS Fargate, and I am currently using service discovery to allow my tasks to communicate with each other. I have an issue where my tasks can only communicate if I place this security group on them:

resource "aws_security_group" "ecs_config_service" {
  name        = "staging-ecs-config-service"
  description = "We need this so our services can communicate"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }
}

If I remove this security group and only allow traffic from my load balancer, the containers can't communicate. This feels like a bit of a security risk, allowing traffic from anywhere, but I'm not sure how else I can allow my tasks to communicate.

My ECS cluster sits within a private subnet in my VPC.

Is there something I am missing with my setup?


Solution

Instead of whitelisting IP addresses, you should try whitelisting security groups. For example, if you have two separate services running in ECS, you could assign Security Group A to the first service and Security Group B to the second service, and create a rule in Security Group A that allows ingress from Security Group B.

Alternatively, you could at least restrict the IP range to the CIDR block of your VPC so that nothing outside the VPC would be able to access your services.
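The security-group-to-security-group approach described in the answer, written out in Terraform as an added example (this is not code from the question or the answer). It assumes two ECS services, A listening on port 8080 and B on port 9090 (ports chosen for illustration), a load balancer security group named aws_security_group.alb, and that the VPC module exposes module.vpc.vpc_id and module.vpc.vpc_cidr_block; all of those names and ports are assumptions. Ingress is expressed as standalone aws_security_group_rule resources so the two groups can reference each other without a dependency cycle, and each rule is pinned to a single port and protocol rather than "-1" on all ports.

```hcl
# Added example: two ECS services that may only talk to each other and to the
# load balancer, instead of accepting ingress from 0.0.0.0/0.
# Assumed names: module.vpc.vpc_id, module.vpc.vpc_cidr_block, aws_security_group.alb.
# Assumed ports: service A on 8080, service B on 9090.

# Security group for service A's tasks. Terraform removes the AWS default
# allow-all egress rule when it manages a security group, so egress is stated
# explicitly here: Fargate tasks still need outbound access to pull images,
# reach AWS APIs, and call service B.
resource "aws_security_group" "service_a" {
  name        = "staging-ecs-service-a"
  description = "Service A tasks: ingress only from the ALB and service B"
  vpc_id      = module.vpc.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for service B's tasks.
resource "aws_security_group" "service_b" {
  name        = "staging-ecs-service-b"
  description = "Service B tasks: ingress only from service A"
  vpc_id      = module.vpc.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Service A accepts traffic on its application port from the load balancer only.
resource "aws_security_group_rule" "service_a_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.service_a.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  description              = "ALB to service A"
}

# Service A accepts traffic from any task carrying service B's security group.
# The source is the group, not an IP, so it keeps working as Fargate tasks
# are replaced and receive new private IPs.
resource "aws_security_group_rule" "service_a_from_service_b" {
  type                     = "ingress"
  security_group_id        = aws_security_group.service_a.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.service_b.id
  description              = "Service B tasks to service A"
}

# Service B accepts traffic from service A's tasks (the reverse direction).
resource "aws_security_group_rule" "service_b_from_service_a" {
  type                     = "ingress"
  security_group_id        = aws_security_group.service_b.id
  from_port                = 9090
  to_port                  = 9090
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.service_a.id
  description              = "Service A tasks to service B"
}

# The answer's fallback: if a group-based source is not possible, limit the
# ingress to the VPC's own address range rather than the whole internet.
# Looser than the rules above (anything inside the VPC can reach the port),
# so it is shown here as an alternative, not in addition.
# resource "aws_security_group_rule" "service_b_from_vpc" {
#   type              = "ingress"
#   security_group_id = aws_security_group.service_b.id
#   from_port         = 9090
#   to_port           = 9090
#   protocol          = "tcp"
#   cidr_blocks       = [module.vpc.vpc_cidr_block]
# }

# Attach each group to its service; the subnets stay private as in the question.
# Only the network_configuration block is shown; the remaining required
# arguments of aws_ecs_service (cluster, task_definition, launch_type, ...)
# are unchanged from whatever the deployment already uses.
resource "aws_ecs_service" "service_a" {
  name            = "staging-service-a"
  cluster         = var.cluster_id         # assumed variable
  task_definition = var.service_a_task_def # assumed variable
  launch_type     = "FARGATE"
  desired_count   = 2

  network_configuration {
    subnets          = module.vpc.private_subnets # assumed module output
    security_groups  = [aws_security_group.service_a.id]
    assign_public_ip = false
  }
}
```

After applying, the effective rules can be checked with `aws ec2 describe-security-groups --group-ids <id>`; each ingress entry should show a `UserIdGroupPairs` source (the peer group) rather than a `0.0.0.0/0` CIDR. If both directions of traffic run between tasks of the same service, a single group with a rule whose source is itself (`self = true` on aws_security_group_rule) achieves the same effect.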