@artyom
Created April 19, 2022 19:44
Running services on Fargate without giving them public Internet access

VPC Endpoints

Such a setup depends on the following VPC endpoints:

  • ECR interface endpoints for the Docker registry API (ecr.dkr) and the ECR API (ecr.api);
  • S3 gateway endpoint (ECR image layers are stored in S3, so layer downloads go to S3 rather than to ECR);
  • CloudWatch Logs interface endpoint (the awslogs log driver talks to it);
  • (if your service needs access to secrets) Secrets Manager interface endpoint.

The interface endpoints are created with PrivateDnsEnabled so that the regular service hostnames resolve to the endpoint ENIs inside the VPC, and the S3 gateway endpoint must be attached to the route table used by the task subnets. Those subnets should have no route to an Internet gateway or NAT gateway, and the service should run with AssignPublicIp disabled; otherwise the endpoints are simply bypassed and nothing below stops traffic from leaving the VPC.

See https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html.

  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref RouteTable

  ECRDockerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.dkr"
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup

  ECRAPIEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.api"
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup

  CloudWatchLogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.logs"
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds:
        - !Ref Subnet1
        - !Ref Subnet2
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup

  VPCEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: VPC endpoints
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt VPC.CidrBlock

ECS Execution Role

The service execution role must explicitly allow reading from the AWS-managed S3 bucket that holds ECR layer data (prod-<region>-starport-layer-bucket, the same bucket the ECR VPC endpoint documentation names when restricting the S3 gateway endpoint policy), in addition to the managed AmazonECSTaskExecutionRolePolicy:

  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: ecs-tasks.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: ecr-s3-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::prod-${AWS::Region}-starport-layer-bucket/*"

Security Group

The service security group's egress rules must allow TCP/443 to the VPC CIDR, which is where the interface endpoint ENIs live. Note that specifying SecurityGroupEgress in CloudFormation replaces the default allow-all outbound rule; leaving it out would leave the service with unrestricted egress.

Traffic to the S3 gateway endpoint (required to pull container image layers) is addressed to public S3 IP ranges rather than to a VPC address, so the security group also has to permit egress to the AWS-managed prefix list for S3 in the region. The prefix list ID is region-specific; it can be found in the AWS VPC console under “Managed Prefix Lists”, or with aws ec2 describe-prefix-lists.

  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Service without Internet access
      VpcId: !Ref VPC
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt VPC.CidrBlock
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationPrefixListId: pl-63a5400a # managed prefix list for S3; region-specific, replace with your region's ID
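The pieces above only keep a service off the Internet if they are all present together, and a later template edit can silently undo that (dropping an endpoint, or deleting the SecurityGroupEgress block so CloudFormation restores the allow-all outbound rule). The following is an added policy-as-code check, not part of the gist, that walks a CloudFormation template in its JSON form and reports anything that breaks the invariant: the four endpoints exist with the right type, interface endpoints have PrivateDnsEnabled, the gateway endpoint is attached to a route table, and the service security group's egress contains no 0.0.0.0/0 or ::/0 rule and does reach a managed prefix list. The embedded SAMPLE_TEMPLATE is a constructed JSON-form mirror of the YAML fragments above (it is not parsed from them), and the helper names and the assumption that CloudFormation defaults VpcEndpointType to Gateway are mine.

```python
"""Offline check that a CloudFormation template keeps a Fargate service off the
public Internet. Added example; the template below is a constructed sample."""
import copy

# Short service names the setup needs, and the endpoint type each must use.
REQUIRED_ENDPOINTS = {"s3": "Gateway", "ecr.dkr": "Interface",
                      "ecr.api": "Interface", "logs": "Interface"}


def _scalar(value):
    """Unwrap a JSON-form intrinsic ({"Fn::Sub": ...}, {"Ref": ...}, {"Fn::GetAtt": ...}) to a string."""
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn in ("Fn::Sub", "Ref"):
            return arg if isinstance(arg, str) else arg[0]
        if fn == "Fn::GetAtt":
            return ".".join(arg)
    return value


def _short_service(service_name):
    """'com.amazonaws.${AWS::Region}.ecr.dkr' -> 'ecr.dkr' (the region component is dropped)."""
    name = _scalar(service_name)
    if not isinstance(name, str) or not name.startswith("com.amazonaws."):
        return None
    region_and_service = name[len("com.amazonaws."):]
    return region_and_service.split(".", 1)[1] if "." in region_and_service else None


def check_template(template, service_sg="ServiceSecurityGroup"):
    """Return a list of findings; an empty list means the template keeps the service off the Internet."""
    resources = template.get("Resources", {})
    findings = []

    endpoints = {}
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::EC2::VPCEndpoint":
            short = _short_service(res.get("Properties", {}).get("ServiceName"))
            if short:
                endpoints[short] = (logical_id, res["Properties"])

    for short, want_type in REQUIRED_ENDPOINTS.items():
        if short not in endpoints:
            findings.append(f"missing VPC endpoint for {short}")
            continue
        logical_id, props = endpoints[short]
        got_type = props.get("VpcEndpointType", "Gateway")  # assumption: CloudFormation's default type
        if got_type != want_type:
            findings.append(f"{logical_id}: {short} endpoint should be {want_type}, is {got_type}")
        elif want_type == "Interface" and props.get("PrivateDnsEnabled") is not True:
            findings.append(f"{logical_id}: PrivateDnsEnabled must be true so the service hostname resolves to the endpoint")
        elif want_type == "Gateway" and not props.get("RouteTableIds"):
            findings.append(f"{logical_id}: gateway endpoint is not attached to any route table")

    sg = resources.get(service_sg)
    if sg is None:
        findings.append(f"{service_sg}: security group not found")
        return findings
    egress = sg.get("Properties", {}).get("SecurityGroupEgress")
    if egress is None:
        # Without explicit egress rules CloudFormation keeps the default allow-all outbound rule.
        findings.append(f"{service_sg}: no SecurityGroupEgress, so the default allow-all outbound rule remains")
        return findings
    to_prefix_list = False
    for rule in egress:
        cidr = _scalar(rule.get("CidrIp") or rule.get("CidrIpv6"))
        if cidr in ("0.0.0.0/0", "::/0"):
            findings.append(f"{service_sg}: egress rule to {cidr} allows Internet access")
        if rule.get("DestinationPrefixListId"):
            to_prefix_list = True
    if not to_prefix_list:
        findings.append(f"{service_sg}: no egress to the S3 managed prefix list, so layer pulls via the gateway endpoint will fail")
    return findings


def without_resource(template, logical_id):
    """Deep copy of the template minus one resource, for what-if checks."""
    variant = copy.deepcopy(template)
    variant["Resources"].pop(logical_id, None)
    return variant


def with_open_egress(template, service_sg="ServiceSecurityGroup"):
    """Deep copy of the template with an allow-all outbound rule added to the service SG."""
    variant = copy.deepcopy(template)
    variant["Resources"][service_sg]["Properties"]["SecurityGroupEgress"].append(
        {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"})
    return variant


def _interface_endpoint(service):
    return {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": {"Ref": "VPC"}, "ServiceName": {"Fn::Sub": f"com.amazonaws.${{AWS::Region}}.{service}"},
        "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
        "SubnetIds": [{"Ref": "Subnet1"}, {"Ref": "Subnet2"}],
        "SecurityGroupIds": [{"Ref": "VPCEndpointSecurityGroup"}]}}


# Constructed sample in CloudFormation's JSON form, mirroring the gist's YAML fragments.
SAMPLE_TEMPLATE = {"Resources": {
    "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": {"Ref": "VPC"}, "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.s3"},
        "VpcEndpointType": "Gateway", "RouteTableIds": [{"Ref": "RouteTable"}]}},
    "ECRDockerEndpoint": _interface_endpoint("ecr.dkr"),
    "ECRAPIEndpoint": _interface_endpoint("ecr.api"),
    "CloudWatchLogsEndpoint": _interface_endpoint("logs"),
    "ServiceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Service without Internet access", "VpcId": {"Ref": "VPC"},
        "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "CidrIp": {"Fn::GetAtt": ["VPC", "CidrBlock"]}},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "DestinationPrefixListId": "pl-63a5400a"}]}},
}}

if __name__ == "__main__":
    for label, tpl in [("as written", SAMPLE_TEMPLATE),
                       ("without logs endpoint", without_resource(SAMPLE_TEMPLATE, "CloudWatchLogsEndpoint")),
                       ("with open egress", with_open_egress(SAMPLE_TEMPLATE))]:
        print(label, "->", check_template(tpl) or "OK")
```

To run it against a real stack, convert the YAML with the AWS CLI's template conversion or any YAML loader that understands the short-form intrinsics and pass the resulting dict to check_template; the checks deliberately stop at the template, since whether the task subnets actually lack an Internet route and whether AssignPublicIp is disabled lives in the service definition and route tables, which this script does not inspect.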