
Initially asked this question on StackOverflow but this should be the right place...

I have an architecture similar to https://github.com/aws-samples/ecs-refarch-cloudformation

I would like to know if I can have an AutoScalingGroup with instances in private subnets without using a NAT Gateway?

I was experimenting with removing the NATs and adding VPC endpoints, but I always end up with a problem like this:

2022-08-21 10:55:07 UTC+1000  <MY_ECS_TEMPLATE> CREATE_FAILED The following resource(s) failed to create: [ECSAutoScalingGroup].
2022-08-21 10:55:07 UTC+1000  ECSAutoScalingGroup CREATE_FAILED Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement
  • Please edit your question to describe your setup rather than point at a large page which doesn't explain it well. "ECS communicate with ASG" doesn't really make sense to me. If you want an autoscaling group in front of ECS then yes, you can, if you set it up properly. – Tim Aug 21 '22 at 05:16
  • Thanks for the feedback. – user2134216 Aug 21 '22 at 05:32
  • It will be a bit tricky to add the actual setup. I need to sanitize it first. Not impossible though. I hoped someone could point me to an existing template which achieves autoscaling for docker services in private subnets without using NATs (if this is possible at all). – user2134216 Aug 21 '22 at 05:39
  • NAT has nothing to do with autoscaling. NAT such as a NAT gateway is to allow resources in a private subnet to access the internet. To autoscale docker containers in a private subnet you have an internet gateway, an ALB in a public subnet, then docker containers in the private subnet. – Tim Aug 21 '22 at 09:38
  • My setup is almost identical to the link I provided in the original question (this is the official AWS reference implementation for deploying dockerized services). Two of the nested stacks in the ref implementation are the ecs-cluster (https://github.com/aws-samples/ecs-refarch-cloudformation/blob/master/infrastructure/ecs-cluster.yaml) and lifecycle (https://github.com/aws-samples/ecs-refarch-cloudformation/blob/master/infrastructure/lifecyclehook.yaml). I have identical files in my setup. To achieve autoscaling the instances created depend on various AWS services (see the two files) – user2134216 Aug 21 '22 at 10:09
  • NAT plays a role in achieving autoscaling by allowing the instances in private subnets to invoke these AWS services. The alternative is to use VPC Endpoints instead of NATs, which in some scenarios could lead to smaller AWS bills. This is what I want to explore - minimize AWS expenses. I tried adding a long list of VPC endpoints (I am sure I don't need all of them, but I just wanted to get to the point where everything works and then remove the not needed ones). I couldn't achieve this. The error I get is the one in the original question – user2134216 Aug 21 '22 at 10:09
  • Ok, I haven't used containers for a while. Last project I did I recall I needed two ECS endpoints, that's where the containers were stored, and we used Fargate so not sure if we needed the other endpoints. VPC endpoints can get expensive. To avoid the need for NAT gateway you could put the docker containers in a public subnet (ie have a public IP) but set the security group to only allow egress, no ingress. That's probably not best practice / defense in depth but it should work and be somewhat secure. – Tim Aug 21 '22 at 10:21
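Added example, not part of the question, the comments, or the ecs-refarch-cloudformation templates: a CloudFormation fragment with the VPC endpoints an EC2-backed ECS cluster in private subnets needs once the NAT gateways are removed. The parameter names (VpcId, PrivateSubnets, PrivateRouteTables, ECSHostSecurityGroup) are assumptions for this snippet and would be wired to the outputs of the surrounding nested stacks. The CloudFormation endpoint is the one most easily forgotten: cfn-signal in the instance UserData calls the CloudFormation API, and if that call has no path out of the subnet the stack reports exactly "Received 0 SUCCESS signal(s)".

```yaml
# Added example (not from the original question or ecs-refarch-cloudformation):
# VPC endpoints for ECS container instances in private subnets with no NAT.
# Parameter names below are assumptions for this snippet.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnets:
    Type: List<AWS::EC2::Subnet::Id>
  PrivateRouteTables:
    Type: CommaDelimitedList          # route tables of the private subnets
  ECSHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id # security group on the ECS instances

Resources:
  # Endpoint ENIs accept HTTPS only from the ECS hosts, nothing else.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from ECS hosts to interface endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ECSHostSecurityGroup

  # Gateway endpoint (no hourly charge); ECR image layers are served from S3.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds: !Ref PrivateRouteTables

  # ECS agent registration and heartbeats.
  EcsAgentEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecs-agent
  # Container metrics sent by the agent.
  EcsTelemetryEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecs-telemetry
  # ECS control-plane API.
  EcsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecs
  # ECR API and Docker registry endpoints, for docker pull from ECR.
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
  # CloudWatch Logs, for the awslogs log driver.
  LogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.logs
  # cfn-signal talks to the CloudFormation API; without this the ASG
  # creation signal never arrives and the stack rolls back.
  CloudFormationEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      ServiceName: !Sub com.amazonaws.${AWS::Region}.cloudformation
```

Three checks before relying on this. PrivateDnsEnabled only works if the VPC has DNS hostnames and DNS support enabled, otherwise the SDK hostnames keep resolving to public IPs that the private subnet cannot reach. Images must come from ECR (or another registry reachable through an endpoint); a task definition that pulls from Docker Hub still needs a NAT or proxy. Interface endpoints carry an hourly charge per AZ plus data charges, so with seven of them across two or three AZs the bill is not automatically lower than one NAT gateway per AZ; it depends on how much traffic would otherwise cross the NAT. Anything the instances need beyond this (SSM agent, for example) gets its own endpoint, and unused ones can be deleted once the stack comes up cleanly.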
