AWS Fargate connection to RDS in a different VPC

Question

I have following setup:

• ECS (Fargate) cluster in VPC-1
• RDS in VPC-2

My application running in ECS uses DNS name to connect to RDS however instead of private IP DNS resolves public IP address.

In RDS I want to configure strict security rules to prevent connections from the outside world - I would like to limit it to only accept connections from VPC-1.

I tried following things:

• peering both VPC-1 and VPC-2 - doesn't help, app running in ECS still resolves public IP
• routing all outbound traffic (0.0.0.0/0) from ECS cluster to a NAT gateway (instead internet gateway) and configuring security group in RDS to accept connections from elastic IP configured for NAT gateway - in this case my app doesn't even want to start, I suspect this is due to the fact that provisioning process fails due to the fact that outbound traffic is routed via NAT
• all VPCs have "DNS resolution" and "DNS hostnames" set to "yes"

I'm running out of ideas how to configure it correctly. As soon as I allow all inbound traffic (0.0.0.0/0) for my RDS everything starts to work fine but I don't want that.

What am I missing here? Maybe I should use entirely different approach to secure access to my RDS?

Answer 1

I managed to solve the problem by using approach with NAT gateway - I'm not sure why it did not work earlier, I changed approach to first create VPC and then create ECS cluster and associate it with previously created VPC.

1. Created Elastic IP, NAT gateway, VPC with private and public subnets as described in this article: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-public-private-vpc.html

2. NAT gateway is associated with private subnet

3. Created ECS cluster in private subnet

4. Created load balancer and associated it with public network

5. Modified security group for RDS to allow traffic from Elastic IP configured on previously created NAT gateway.

With this setup any traffic from application to RDS goes via NAT so I can setup security group rules to allow for this traffic. On another hand, load balancer in public subnet is able to communicate with cluster that sits in private network.