Limit public access to AWS ECS Fargate Service

Question

I have a service on AWS ECS deployed using Fargate.
This service uses a Network Load Balancer (NLB) to allow an Elastic IP to be associated with the service.
This is not an http service and is using port 5060 (SIP), hence the choice of an NLB.

I am not quite understanding something in regards to the health checks. If I limit access in the Security Group associated with the service to just a few /32 (single IPs) for the traffic port, the service is marked unhealthy. If I allow access to the world to the traffic port the service is marked healthy. If I allow access to just the internal CIDR block including the NLB, the service is marked healthy -- BUT that also allows world access to the port.

I tried making the health check use another port on the container, but this is less than ideal and I didn't get that working successfully. While I'd welcome an answer that detailed how to set that up properly given my Fargate/NLB/Elastic IP requirement, I'd rather have the traffic port just be the health check port, but I need to understand a way to deny world access to the port.

My approach here would be to work out what is doing the health check (NLB I assume), the port(s) it uses, and the source IP range of the health check, permit those IPs in. I have seen this information online, but I can't locate it right now. — Tim, Dec 06 '18 at 17:54
Thanks Tim. It's a reasonable approach but the service is running a container with little ability to do debug like that. I may try adding in a service with a container more suited to debugging if I can't find the info. — Brett Tofel, Dec 06 '18 at 18:04

score 0 · Accepted Answer · answered Dec 07 '18 at 00:55

You'll have to figure out where do the health checks come from and whitelist those IPs. Since it's a Fargate container and you presumably don't have SSH access to it you can try one of these avenues:

Does the SIP service log incoming connections? If it does and if the logs are forwarded to e.g. CloudWatch Logs (and they should be!) you can have a look there.
Use VPC Flow Logs to figure out what IPs are connecting to your service. It's best to know the ENI ID (elastic network interface ID) of your container - it is displayed in the Fargate Task details.

You also mention that when you whitelist the internal VPC IP range the service gets open to the world. That doesn't sound right - can you post a screenshot of your Security Group settings in that case?

Hope that helps :)

I used the VPC Flow Logs to figure it out. Thanks, wasn't aware of that service. — Brett Tofel, Dec 11 '18 at 22:07

Limit public access to AWS ECS Fargate Service

1 Answers1