
Here is my simple question: I have a dockerized app that I want to host on ECS.

  • This app does not need to be accessible from the outside world.
  • However, it needs to communicate with the outside world.

For cost reasons, I want to run it on an EC2 instance (EC2 Auto Scaling group, not Fargate), and I would like to avoid using a NAT Gateway.

Is it possible, given the setup I described above, to have:

  • My app communicating with the outside world (egress IP)
  • But without using a NAT Gateway?

I tried to use public subnets and associate a public IP with the EC2 instance, but that did not work.

Alexis Darnat
  • You only need a NAT gateway if your instance doesn't have a public IP, but you always need an internet gateway – jordanm May 19 '21 at 18:55
  • @jordanm my EC2 instance does have a public ip, but my task does not – Alexis Darnat May 19 '21 at 18:58
  • @AlexisDarnat how about blocking traffic on Network ACL? [docs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) – Yupik May 19 '21 at 19:16
  • @Yupik I have all traffic open on Inbound/outbound for all my subnets – Alexis Darnat May 19 '21 at 19:22
  • Are you running into a specific problem, or just asking if something is possible? You can certainly run this on servers with public IPs to give it direct Internet access, while blocking inbound access at the security group level to prevent it from being accessible from the outside world. – Mark B May 19 '21 at 19:34
  • @MarkB Here is my configuration rn: ECS (EC2 autoscaling group) with `associate_public_ip_address=true`, VPC with subnets that are linked to an IGW, and all inbound/outbound traffic allowed. Now when I run my ECS task, the app in my container cannot access the outside world; `ping google.com` results in the error message `ping: cannot resolve google.com: Unknown host` – Alexis Darnat May 19 '21 at 19:46
  • You should post a new question, with those specific details. Also include your ECS task configuration, especially the `network mode`, include if that ping works from an SSH connection on the EC2 instance, and include your VPC DNS settings. You've made an assumption that this is related to NAT gateways and asked a question that isn't directly relevant to the issue you are encountering. – Mark B May 19 '21 at 20:15
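As an added illustration of the arrangement the comments describe (public subnet routed to an internet gateway, host with a public IP, inbound blocked at the security group, no NAT Gateway), here is a Terraform sketch. It is example code, not the asker's configuration: the CIDRs, resource names, instance type and the `ecs_ami_id`, `cluster_name` and `app_image` variables are assumed placeholders. It also spells out the two points Mark B raises, VPC DNS settings and the task `network_mode`: in `bridge` mode the container shares the host's network stack and therefore its public IP, whereas in `awsvpc` mode on EC2 the task's own ENI does not receive a public IP, so egress would need a NAT Gateway after all.

```hcl
# Added example, not the asker's configuration. All names, CIDRs and the
# variables below are assumed placeholders.

variable "ecs_ami_id"   { type = string } # an ECS-optimized AMI for the region
variable "cluster_name" { type = string }
variable "app_image"    { type = string } # the dockerized app's image

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  # Both DNS settings on; otherwise name resolution inside the task fails
  # (the "cannot resolve google.com" symptom) even when routing is correct.
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Public subnet: instances launched here receive a public IPv4 address.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}

# A default route to the IGW is what makes the subnet "public".
# There is deliberately no NAT Gateway anywhere in this configuration.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Security group with NO ingress rules: the host has a public IP, but nothing
# on the Internet can open a connection to it. Security groups are stateful,
# so replies to the container's outbound connections are still let back in.
resource "aws_security_group" "ecs_host" {
  name   = "ecs-host-egress-only"
  vpc_id = aws_vpc.main.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Launch template for the Auto Scaling group: public IP on the host,
# egress-only security group, instance registers with the ECS cluster.
resource "aws_launch_template" "ecs" {
  name_prefix   = "ecs-host-"
  image_id      = var.ecs_ami_id
  instance_type = "t3.small"

  network_interfaces {
    associate_public_ip_address = true
    subnet_id                   = aws_subnet.public.id
    security_groups             = [aws_security_group.ecs_host.id]
  }

  user_data = base64encode("#!/bin/bash\necho ECS_CLUSTER=${var.cluster_name} >> /etc/ecs/ecs.config\n")
}

# bridge mode: the container shares the host's network stack and public IP.
# awsvpc mode on EC2 would give the task its own ENI without a public IP.
resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  network_mode             = "bridge"
  requires_compatibilities = ["EC2"]
  container_definitions = jsonencode([{
    name      = "app"
    image     = var.app_image
    essential = true
    memory    = 256
  }])
}
```

When debugging a setup like this, follow the split Mark B suggests: run the same name lookup from an SSH session on the host and from inside the container. If it works on the host but not in the container, the problem is in the task's network mode or the container's DNS configuration, not in the VPC routing or the absence of a NAT Gateway.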
