
I have a requirement where I have to call a firewall-protected service from an ECS container. The IP can be added to the firewall whitelist, however I am struggling to get a static IP for my ECS service. Below are the things that I tried:

  1. Created NAT instances
  2. Provided static IP to NAT instance (Idea is to use this IP for whitelisting)
  3. Created a subnet with a route table to direct all outgoing traffic (0.0.0.0/0) to NAT instance (nat instance interface id)
  4. Attached my ECS service to the subnet created in step 3

After this setup, when I am trying to bring up my ECS task it fails to connect to S3, ECR, logs etc. So I created VPC endpoints for these services (S3, logs, ECR). After endpoint creation the error is gone, however now an error is coming for AppConfig. I tried finding the AppConfig service to create its endpoint but there is no service with the name appconfig. Also this method of creating an endpoint for everything doesn't look feasible.

AWS experts, please help in bringing up the ECS service which has a static IP for outbound traffic, so that it can be whitelisted.

Update: Steps I followed to set up the NAT instance

  1. Created a new instance with "Auto-assign Public IP" to ensure the instance gets a public IP address.
  2. Associated an Elastic IP address to the instance.
  3. Ran the commands below in the instance:

         sudo sysctl -w net.ipv4.ip_forward=1
         sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

     Then edited the /etc/sysctl.conf file, added the following line, saved the changes and exited the editor:

         net.ipv4.ip_forward = 1

  4. Disabled the source/destination check on the NAT instance.
  5. Edited the route table of the ECS task. In the "Destination" field, entered "0.0.0.0/0" (to route all internet-bound traffic). In the "Target" field, chose the NAT instance.
Rishi Saraf
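As an added example (not part of the question or the comments), here is a small audit of the four things in this setup that silently break NAT-instance egress: the task subnet's default route, the NAT instance's own subnet, the source/destination check, and whether the whitelisted address is actually an Elastic IP. It assumes inputs shaped like one `RouteTable` from `describe-route-tables` and one `Instance` from `describe-instances`; all ids and addresses below are constructed and no AWS calls are made.

```python
"""Sanity-check the NAT-instance egress path of an ECS task subnet.
Inputs mirror one RouteTable and one Instance from the AWS describe-* APIs."""


def audit_nat_egress(route_table: dict, nat_instance: dict) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    nat_id = nat_instance["InstanceId"]
    nics = nat_instance.get("NetworkInterfaces", [])
    nat_enis = {ni["NetworkInterfaceId"] for ni in nics}

    # 1. The default route must target the NAT instance (or its ENI) and be active.
    defaults = [r for r in route_table.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not defaults:
        findings.append("task route table has no 0.0.0.0/0 route")
    for r in defaults:
        if r.get("InstanceId") != nat_id and r.get("NetworkInterfaceId") not in nat_enis:
            findings.append("0.0.0.0/0 route does not target the NAT instance")
        if r.get("State") != "active":
            findings.append("0.0.0.0/0 route is not active (blackhole)")

    # 2. The NAT instance must not sit in a subnet that routes through itself.
    task_subnets = {a.get("SubnetId") for a in route_table.get("Associations", [])}
    if nat_instance.get("SubnetId") in task_subnets:
        findings.append("NAT instance sits in the subnet it is supposed to serve")

    # 3. Forwarded packets are dropped unless the source/destination check is off.
    if nat_instance.get("SourceDestCheck", True):
        findings.append("SourceDestCheck is still enabled on the NAT instance")

    # 4. An auto-assigned public IP (IpOwnerId "amazon") changes on stop/start; whitelist an EIP.
    assocs = [ni.get("Association", {}) for ni in nics]
    if not any(a.get("PublicIp") for a in assocs):
        findings.append("NAT instance has no public IP")
    elif not any(a.get("PublicIp") and a.get("IpOwnerId") != "amazon" for a in assocs):
        findings.append("NAT instance public IP is auto-assigned, not an Elastic IP")
    return findings


# Constructed sample: subnet-tasks routes 0.0.0.0/0 to NAT instance i-0nat, which
# lives in a public subnet with an Elastic IP and the src/dst check disabled.
SAMPLE_ROUTE_TABLE = {
    "Associations": [{"SubnetId": "subnet-tasks"}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
               {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat", "State": "active"}]}
SAMPLE_NAT_INSTANCE = {
    "InstanceId": "i-0nat", "SubnetId": "subnet-public", "SourceDestCheck": False,
    "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0nat",
                           "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "111122223333"}}]}
```

Feed it the real `describe-route-tables` and `describe-instances` output for the task subnet and the NAT instance; a stopped NAT instance shows up as the blackhole finding, the classic forgotten step as the SourceDestCheck one.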
  • It sounds like your NAT instance(s) are not working correctly. Why are you using NAT Instances instead of a NAT Gateway? – Mark B Mar 24 '23 at 19:17
  • Using a NAT instance to save cost. My outgoing traffic is pretty low, hence a NAT instance will be much more economical – Rishi Saraf Mar 24 '23 at 19:19
  • Well a NAT Gateway would just work. As it is you need to debug your NAT instance and figure out why it isn't working. You would need to provide the details of how you created the NAT instance exactly for us to be able to help you. – Mark B Mar 24 '23 at 19:47
  • Disable source/destination checks on the NAT instance (see [here](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck)). – jarmod Mar 25 '23 at 00:27
  • @jarmod it's already disabled – Rishi Saraf Mar 25 '23 at 04:37
  • As suggested I tried a NAT gateway. This time the task deployed successfully, however the Network LB target group is not able to reach the service – Rishi Saraf Mar 25 '23 at 05:09
  • The NAT Gateway has nothing to do with the load balancer. They are not connected in any way. One is for inbound traffic, the other is for outbound traffic. If your target group is failing to reach your service, then you need to debug why your service is failing to respond to the target group's requests. – Mark B Mar 26 '23 at 14:44

0 Answers