Tags: amazon-web-services, amazon-ecs, network-load-balancer, elastic-container-registry

How to make sure every ECS container I start can always access my network load balancer?


I am currently trying to use ECS to spin up various Docker containers. The app inside these Docker containers makes an API request to an IP address that is assigned to a network load balancer I have. However, the request doesn't work straight away as the public IP of the ECS task is NOT in the inbound rules. As soon as I add the public IP of the ECS task to the inbound rules, the API request works as expected as it can now contact the load balancer.

The problem I have is that I want to be able to make sure that any task I start can always be allowed to access the network load balancer without me adding the public IP manually. Is this something that can be done? Is there something I can add to the inbound rules that will ensure any task I start has access?


Solution

  • You need to place all the ECS tasks in private subnets with a route to a NAT Gateway. Then you will only need to add the IP of the NAT Gateway to the load balancer's inbound rules.

    If your load balancer was private instead of public, then you could simply add your ECS task's security group ID, or your VPC's CIDR block (or some specific subnet CIDR blocks) to the load balancer's inbound rules.

    As long as your load balancer is public, there is no other way to do this without using a NAT Gateway to provide a static outgoing IP for your ECS tasks.
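The NAT Gateway layout the answer describes, written out as Terraform. This is an added example, not configuration from the question or answer: the VPC and subnet CIDRs, availability zone, resource names, the port (443) and the referenced ECS cluster and task definition are all assumptions, and it assumes the NLB has a security group attached (which NLBs support) so that the inbound rule can be scoped to the NAT Gateway's Elastic IP rather than to 0.0.0.0/0 or to per-task public IPs.

```terraform
# Added example (not from the question or answer). Tasks run in a private
# subnet and egress through one NAT Gateway, so the NLB security group needs
# a single /32. Names, CIDRs, AZ and port are assumptions.

resource "aws_vpc" "app" {
  cidr_block = "10.0.0.0/16"
}

# Public subnet: hosts the NAT Gateway (and the NLB, if it is public).
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.0.0.0/24"
  availability_zone = "us-east-1a"
}

# Private subnet: ECS tasks live here and never get a public IP.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.app.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.app.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.app.id
}
resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# The NAT Gateway's Elastic IP is the one stable source address all tasks share.
resource "aws_eip" "nat" {
  domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Private route table: default route goes through the NAT Gateway.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.app.id
}
resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group attached to the NLB: admit only the NAT EIP on the API port.
resource "aws_security_group" "nlb" {
  name   = "nlb-ingress"
  vpc_id = aws_vpc.app.id
}
resource "aws_vpc_security_group_ingress_rule" "from_nat" {
  security_group_id = aws_security_group.nlb.id
  cidr_ipv4         = "${aws_eip.nat.public_ip}/32"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# Task security group: outbound only; the tasks need no inbound rule for this flow.
resource "aws_security_group" "tasks" {
  name   = "ecs-tasks"
  vpc_id = aws_vpc.app.id
}
resource "aws_vpc_security_group_egress_rule" "tasks_out" {
  security_group_id = aws_security_group.tasks.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# Fargate service pinned to the private subnet with assign_public_ip = false,
# so every task, however many are started, leaves via the NAT EIP.
resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = aws_ecs_cluster.app.id             # assumed to exist
  task_definition = aws_ecs_task_definition.app.arn    # assumed to exist
  desired_count   = 2
  launch_type     = "FARGATE"
  network_configuration {
    subnets          = [aws_subnet.private.id]
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false
  }
}
```

The key settings are `assign_public_ip = false` together with a private subnet whose default route is the NAT Gateway: a task placed in a public subnet with a public IP would bypass the NAT and present its own ephemeral address again. For the private-NLB variant the answer mentions, the `from_nat` rule can be replaced by one that sets `referenced_security_group_id = aws_security_group.tasks.id` (or `cidr_ipv4 = aws_vpc.app.cidr_block`) instead of the EIP /32, and the NAT Gateway is then not needed for this flow.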