DEV Community

Daniel Quackenbush
Daniel Quackenbush

Posted on • Updated on

Private Fargate Deployment with VPC Endpoints

VPC Endpoints allow you to have private containers, pulled from ECR repositories, with no external network ingress or egress. These containers can enhance your infrastructure security posture by utilizing AWS PrivateLink, restricting packets from going over the public internet.

Assumptions/Prereqs

  • You have a private ECR repository, with a tagged image created in your AWS Region.
  • The example code definitions will contain statically coded capacity metrics, as a low-cost deployment. If you are using this in your environment, it is recommended you variablize, or increase the static values.
  • The code will not restrict the endpoints, as it is expected the roles on your resources will preform that restriction, however, there will be linked AWS reference documentation, if you require.
  • The architecture will have zero public subnets or internet egress. You may require this additional infrastructure, but is outside the scope, and shouldn't impact the defined code.

Architecture

The environment will use a trimmed-down version of a common VPC configuration, with only 2 private subnets, and a Fargate instance. It will also include the respective VPC Endpoints needed for pulling an image and posting logs.

Architecture Diagram

Process

To enable containers to pull from ECR several steps are needed. Below broken down terraform code will walk through an end to end build, but this is the process that code will perform.

  1. Configure a VPC with 2 private subnets and allow DNS Hostname Resolve and Support
  2. Configure a VPC Endpoint Security Group to allow your VPC's CIDR as Ingress
    • This will be utilized for all internal addresses to communicate with the interfaces, as private DNS will resolve to an internal address.
  3. Create an ECR DKR Service Endpoint
  4. Create a S3 Endpoint, which will connect to the starport bucket

    • Service types: com.amazonaws.<region>.s3
    • Note from AWS Documentation:

    The gateway endpoint is required because Amazon ECR uses Amazon S3 to store Docker image layers... The gateway endpoint is required because Amazon ECR uses Amazon S3 to store Docker image layers:
    arn:aws:s3:::prod-<region>-starport-layer-bucket/*

  5. Create Logs endpoint to allow your container to log to CloudWatch

    • Service types: com.amazonaws.<region>.logs
  6. Configure your Fargate service with egress to the VPC and S3 private gateway

Terraform

Variable Declaration

Create a variables.tf file for the ECR Image you will pass in.

Provider and Account Data

Initialize the config with providers and data.

Security Groups

Provision the Security Groups for the VPC Endpoints and Fargate instance.

VPC Endpoints

Configure the VPC Endpoints for S3, DKR, and logging.

Fargate Service

Configure your IAM Role, task definition, and Fargate service.

Execution

terraform apply -var app_image=<your ECR image name>

References

Amazon ECR Interface VPC Endpoints

Updates

This post was written with Fargate 1.3. If having issues pulling from registry, ensure to check out this Stack Overflow solution.

Discussion (5)

Collapse
petedannemann profile image
Peter Dannemann • Edited

Thanks Dan. I've followed what you have here but am seeing ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed when my task launches. Any ideas how to resolve this? I've been banging my head against this for long time now.

Collapse
danquack profile image
Daniel Quackenbush Author

@petedannemann looks like there were some modifications to how Fargate works since this article was written to when I published this. Not sure if you have solved this issue yet though? stackoverflow.com/questions/612651...

Collapse
avoidik profile image
Viacheslav Vasilyev

Thanks Dan, I hope AWS will be able to release EFS support for ECS and AWS Fargate soon

Collapse
danquack profile image
Daniel Quackenbush Author

It’s in preview for ECS! Not sure if you saw this: aws.amazon.com/about-aws/whats-new...

Collapse
avoidik profile image
Viacheslav Vasilyev

Yeah, unfortunately not compatible with Fargate, only EC2-type tasks