
I currently have a setup in AWS with something like the following:


Image source: task networking in AWS Fargate.

I am using AWS ECR to store my docker image and in my task definition, as container image, I am using the provided URI of the repository. Everything is in the same region and they are working just fine.

However, I want to strengthen the security on AWS by whitelisting specific ports only. From the security groups' point of view, I have updated them as needed and everything is still working as expected. However, for the Network ACL, I am having some issues with the Fargate task. In the ACL section of the public subnet, for inbound rules, I want to allow access to only HTTPS and HTTP from the internet (0.0.0.0/0). Doing so results in this issue with my Fargate task: ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed. It is to be noted that the outbound rules for both subnets (private and public) allow traffic to anywhere (0.0.0.0/0).

I understand that the Fargate task needs to connect to the internet to pull the docker image from ECR and the NAT helps do that. docker pull or docker push uses HTTPS, and the private subnet allows all traffic from all sources, and the same for outbound.

NACLs for public subnets (screenshot, not reproduced here)

Please advise on how to amend the Network ACL to whitelist specific ports only.

P.S.: The last resort would be to use AWS PrivateLink to access the ECR repository, but I don't want to do that yet.

atish.s
  • Can you provide/screenshot exactly what your NACLs are? Also, I understand that everything works as expected if you use default NACLs? – Marcin Apr 14 '21 at 10:53
  • Post updated with NACLs applied for public subnets. Yes, everything works fine with default NACLs – atish.s Apr 14 '21 at 12:02

1 Answer


You are only allowing ports 80 and 443 in your NACLs. This is not enough, as you also need to allow ephemeral ports.

This is because a request to ECR will come back to your container using ephemeral ports, not 80 and 443. These two ports are only used for your container to connect to ECR, not for return traffic from ECR to your container.

Marcin
  • thank you so much man, it is working as expected after whitelisting the ephemeral ports. – atish.s Apr 14 '21 at 19:36
  • I'm running into the same issue if I allow all ingress through ACL and restrict egress to the vpc cidr, https (443) and the ephemeral ports (1024-65535). When all egress is allowed things work but we need to restrict it. Do you know what could be missing? – Dragolis Aug 17 '22 at 16:44
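The two-direction check the answer describes, written out as an added Python example (not code from the question, the answer or AWS): a minimal stateless NACL evaluator run against the question's 80/443-only inbound rules and against the same rules plus the 1024-65535 ephemeral range. The ECR address and the ephemeral port number are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number: lowest first, first match wins, "*" (deny) last
    action: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "all"
    port_lo: int   # destination port range this rule matches (inclusive)
    port_hi: int
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound rules


def evaluate(rules, protocol, port, peer_ip):
    """Stateless evaluation of ONE packet, the way a NACL does it: there is no
    connection tracking, so a reply packet must match an explicit rule of its own."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not r.port_lo <= port <= r.port_hi:
            continue
        if peer not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        return r.action == "allow"
    return False  # implicit "*" rule: deny


def ecr_pull_allowed(inbound, outbound, ecr_ip, ephemeral_port):
    """An image pull crosses the public-subnet NACL twice: NAT gateway -> ECR:443
    (outbound rules) and ECR:443 -> NAT gateway:<ephemeral> (inbound rules)."""
    request_ok = evaluate(outbound, "tcp", 443, ecr_ip)
    reply_ok = evaluate(inbound, "tcp", ephemeral_port, ecr_ip)
    return request_ok and reply_ok


ANY = "0.0.0.0/0"
OUTBOUND_ALL = [Rule(100, "allow", "all", 0, 65535, ANY)]
# Inbound rules as set in the question: only HTTP and HTTPS from the internet.
INBOUND_WEB_ONLY = [
    Rule(100, "allow", "tcp", 80, 80, ANY),
    Rule(110, "allow", "tcp", 443, 443, ANY),
]
# Inbound rules after the fix: add the ephemeral range used by return traffic.
INBOUND_WEB_AND_EPHEMERAL = INBOUND_WEB_ONLY + [Rule(120, "allow", "tcp", 1024, 65535, ANY)]

if __name__ == "__main__":
    ecr = "203.0.113.10"  # constructed placeholder, not a real ECR endpoint address
    print("80/443 only:       ", ecr_pull_allowed(INBOUND_WEB_ONLY, OUTBOUND_ALL, ecr, 40123))
    print("80/443 + ephemeral:", ecr_pull_allowed(INBOUND_WEB_AND_EPHEMERAL, OUTBOUND_ALL, ecr, 40123))
```

Run it to see the first rule set deny the pull (the reply to port 40123 matches no rule) and the second allow it; swapping in your own rule numbers, ranges and CIDRs lets you check a proposed NACL before applying it.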