First of all, you need to create an Application Load Balancer (ALB) with a Listener and a Target Group. Then you register your ECS Service in the ALB Target Group. That will expose the Nginx container to the internet through the ALB.
The reasons for this are:
Containers in an ECS Service can be terminated and restarted, at which point they get a new IP address. The Service can register the newly started containers with the ALB automatically.
You can terminate SSL (HTTPS) on the ALB with a certificate issued by Amazon Certificate Manager (ACM) without having to deal with SSL certificates on the container level.
You can run your containers with Private IP addresses in a Private subnet. Only the ALB needs to be in a Public subnet.
Once you have ALB + ECS set up and working, you can add CloudFront to the mix. This blog post has a couple of options on how to restrict access to the ALB only from CloudFront; in particular, I like Option 2 - setting a custom header on the CF side and checking it in the ALB.
Hope that helps :)