Amazon ECS task networking options for the Fargate launch type
By default, every Amazon ECS task on Fargate is provided an elastic network interface (ENI)
with a primary private IP address. When using a public subnet, you can optionally assign a
public IP address to the task's ENI. If your VPC is configured for dual-stack mode and you
use a subnet with an IPv6 CIDR block, your task's ENI also receives an IPv6 address. A task
can only have one ENI that's associated with it at a time. Containers that belong to the
same task can also communicate over the localhost
interface. For more
information about VPCs and subnets, see VPCs and subnets in the
Amazon VPC User Guide.
For a task on Fargate to pull a container image, the task must have a route to the internet. The following describes the ways you can give your task a route to the internet.
- When using a public subnet, you can assign a public IP address to the task ENI.
- When using a private subnet, the subnet can have a NAT gateway attached.
- When using container images that are hosted in Amazon ECR, you can configure Amazon ECR to use an interface VPC endpoint and the image pull occurs over the task's private IPv4 address. For more information, see Amazon ECR interface VPC endpoints (Amazon PrivateLink) in the Amazon Elastic Container Registry User Guide.
Because each task gets its own ENI, you can use networking features such as VPC Flow Logs, which you can use to monitor traffic to and from your tasks. For more information, see VPC Flow Logs in the Amazon VPC User Guide.
You can also take advantage of Amazon PrivateLink. You can configure a VPC interface endpoint so that you can access Amazon ECS APIs through private IP addresses. Amazon PrivateLink restricts all network traffic between your VPC and Amazon ECS to the Amazon network. You don't need an internet gateway, a NAT device, or a virtual private gateway. For more information, see Amazon PrivateLink in the Amazon ECS Best Practices Guide.
For examples of how to use the NetworkConfiguration resource with Amazon CloudFormation, see Creating Amazon ECS resources using separate stacks.
The ENIs that are created are fully managed by Amazon Fargate. Moreover, there's an
associated IAM policy that's used to grant permissions for Fargate. For
tasks using Fargate platform version 1.4.0
or later, the task receives a
single ENI (referred to as the task ENI) and all network traffic flows through that ENI
within your VPC. This traffic is recorded in your VPC flow logs. For tasks that use
Fargate platform version 1.3.0
and earlier, in addition to the task ENI, the
task also receives a separate Fargate-owned ENI, which is used for some network traffic
that isn't visible in the VPC flow logs. The following table describes the network traffic
behavior and the required IAM policy for each platform version.
Action | Traffic flow with Linux platform version 1.3.0 and earlier | Traffic flow with Linux platform version 1.4.0 | Traffic flow with Windows platform version 1.0.0 | IAM permission
---|---|---|---|---
Retrieving Amazon ECR login credentials | Fargate-owned ENI | Task ENI | Task ENI | Task execution IAM role
Image pull | Task ENI | Task ENI | Task ENI | Task execution IAM role
Sending logs through a log driver | Task ENI | Task ENI | Task ENI | Task execution IAM role
Sending logs through FireLens for Amazon ECS | Task ENI | Task ENI | Task ENI | Task IAM role
Retrieving secrets from Secrets Manager or Systems Manager | Fargate-owned ENI | Task ENI | Task ENI | Task execution IAM role
Amazon EFS file system traffic | Not available | Task ENI | Task ENI | Task IAM role
Application traffic | Task ENI | Task ENI | Task ENI | Task IAM role
Considerations
Consider the following when using task networking.
- The Amazon ECS service-linked role is required to provide Amazon ECS with the permissions to make calls to other Amazon services on your behalf. This role is created for you when you create a cluster or if you create or update a service in the Amazon Web Services Management Console. For more information, see Using service-linked roles for Amazon ECS. You can also create the service-linked role using the following Amazon CLI command.
  aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
- Amazon ECS populates the hostname of the task with an Amazon provided DNS hostname when both the enableDnsHostnames and enableDnsSupport options are enabled on your VPC. If these options aren't enabled, the DNS hostname of the task is set to a random hostname. For more information about the DNS settings for a VPC, see Using DNS with Your VPC in the Amazon VPC User Guide.
- You can only specify up to 16 subnets and 5 security groups for awsVpcConfiguration. For more information, see AwsVpcConfiguration in the Amazon Elastic Container Service API Reference.
- You can't manually detach or modify the ENIs that are created and attached by Fargate. This is to prevent the accidental deletion of an ENI that's associated with a running task. To release the ENIs for a task, stop the task.
- If a VPC subnet is updated to change the DHCP options set it uses, the change isn't applied to existing tasks that use the VPC. Start new tasks, which receive the new setting, to migrate smoothly while testing the change, and then stop the old tasks if no rollback is required.
- Tasks that are launched in subnets with IPv6 CIDR blocks only receive an IPv6 address when using Fargate platform version 1.4.0 or later for Linux or 1.0.0 for Windows.
- For tasks that use platform version 1.4.0 or later for Linux or 1.0.0 for Windows, the task ENIs support jumbo frames. Network interfaces are configured with a maximum transmission unit (MTU), which is the size of the largest payload that fits within a single frame. The larger the MTU, the more application payload can fit within a single frame, which reduces per-frame overhead and increases efficiency. Supporting jumbo frames reduces overhead when the network path between your task and the destination supports jumbo frames.
- Services with tasks that use the Fargate launch type only support Application Load Balancer and Network Load Balancer. Classic Load Balancer isn't supported. When you create any target groups, you must choose ip as the target type, not instance. For more information, see Use load balancing to distribute Amazon ECS service traffic.
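The following is an added example (not part of this guide or the ECS tooling) that builds the networkConfiguration document for a Fargate run-task call, enforcing the 16-subnet and 5-security-group limits of awsVpcConfiguration and assigning a public IP only when the caller states the subnets are public. The cluster name, task definition and resource IDs are constructed placeholders.

```python
import json

# Limits this page states for awsVpcConfiguration.
MAX_SUBNETS = 16
MAX_SECURITY_GROUPS = 5


def build_network_configuration(subnets, security_groups, public_subnet=False):
    """Return the networkConfiguration document for run-task / create-service.

    Rejects inputs the API would refuse (too many subnets or security groups)
    and keeps assignPublicIp DISABLED unless the subnets are public; a private
    subnet should rely on a NAT gateway or interface VPC endpoints instead.
    """
    subnets = list(dict.fromkeys(subnets))                 # de-duplicate, keep order
    security_groups = list(dict.fromkeys(security_groups))
    if not subnets:
        raise ValueError("at least one subnet is required")
    if len(subnets) > MAX_SUBNETS:
        raise ValueError(f"{len(subnets)} subnets given, maximum is {MAX_SUBNETS}")
    if len(security_groups) > MAX_SECURITY_GROUPS:
        raise ValueError(f"{len(security_groups)} security groups given, "
                         f"maximum is {MAX_SECURITY_GROUPS}")
    ids = [(s, "subnet-") for s in subnets] + [(g, "sg-") for g in security_groups]
    for ident, prefix in ids:
        if not ident.startswith(prefix):
            raise ValueError(f"{ident!r} does not look like a {prefix}* ID")
    return {
        "awsvpcConfiguration": {      # API field name for the AwsVpcConfiguration type
            "subnets": subnets,
            "securityGroups": security_groups,
            "assignPublicIp": "ENABLED" if public_subnet else "DISABLED",
        }
    }


def run_task_command(cluster, task_definition, network_configuration,
                     platform_version="1.4.0"):
    """Assemble the aws ecs run-task invocation for a Fargate task."""
    return (
        "aws ecs run-task --launch-type FARGATE"
        f" --cluster {cluster} --task-definition {task_definition}"
        f" --platform-version {platform_version}"
        f" --network-configuration '{json.dumps(network_configuration)}'"
    )


if __name__ == "__main__":
    # Constructed sample IDs, not real resources.
    cfg = build_network_configuration(
        ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"],
        ["sg-0123456789abcdef0"],
    )
    print(run_task_command("my-cluster", "web:3", cfg))
```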
Using a VPC in dual-stack mode
When using a VPC in dual-stack mode, your tasks can communicate over IPv4 or IPv6, or both. IPv4 and IPv6 addresses are independent of each other and you must configure routing and security in your VPC separately for IPv4 and IPv6. For more information about configuring your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.
If the following conditions are met, Amazon ECS tasks on Fargate are assigned an IPv6 address:
- Your Amazon ECS dualStackIPv6 account setting is turned on (enabled) for the IAM principal launching your tasks in the Region you're launching your tasks in. This setting can only be modified using the API or Amazon CLI. You have the option to turn this setting on for a specific IAM principal on your account or for your entire account by setting your account default setting. For more information, see Access Amazon ECS features with account settings.
- Your VPC and subnet are enabled for IPv6. For more information about how to configure your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.
- Your subnet is enabled for auto-assigning IPv6 addresses. For more information about how to configure your subnet, see Modify the IPv6 addressing attribute for your subnet in the Amazon VPC User Guide.
- The task or service uses Fargate platform version 1.4.0 or later for Linux.
If you configure your VPC with an internet gateway or an outbound-only internet gateway, Amazon ECS tasks on Fargate that are assigned an IPv6 address can access the internet. NAT gateways aren't needed. For more information, see Internet gateways and Egress-only internet gateways in the Amazon VPC User Guide.
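As an added pre-flight check (not part of this guide), the following code turns the IPv6 conditions above, plus the platform-version minimums from the Considerations list and the internet-gateway note, into a function that reports which conditions are unmet before a task is launched. The boolean inputs are assumed to come from describe-* calls or your IaC state; the version comparison only accepts dotted numeric platform versions.

```python
def parse_platform_version(version):
    """Turn '1.4.0' into a comparable tuple; reject anything that isn't dotted digits."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported platform version string: {version!r}")
    return tuple(int(p) for p in parts)


# Minimum platform version, per OS, at which the task ENI receives an IPv6 address
# (Linux 1.4.0 or later, Windows 1.0.0, as stated in the Considerations list).
MIN_IPV6_PLATFORM = {"linux": (1, 4, 0), "windows": (1, 0, 0)}


def ipv6_assignment_blockers(*, dual_stack_setting_enabled, vpc_ipv6_enabled,
                             subnet_has_ipv6_cidr, subnet_auto_assign_ipv6,
                             platform_version, os="linux"):
    """Return the unmet conditions; an empty list means the task gets an IPv6 address."""
    blockers = []
    if not dual_stack_setting_enabled:
        blockers.append("dualStackIPv6 account setting not enabled for this principal/Region")
    if not vpc_ipv6_enabled:
        blockers.append("VPC is not enabled for IPv6")
    if not subnet_has_ipv6_cidr:
        blockers.append("subnet has no IPv6 CIDR block")
    if not subnet_auto_assign_ipv6:
        blockers.append("subnet does not auto-assign IPv6 addresses")
    minimum = MIN_IPV6_PLATFORM.get(os.lower())
    if minimum is None:
        raise ValueError(f"unknown OS {os!r}")
    if parse_platform_version(platform_version) < minimum:
        blockers.append(f"platform version {platform_version} is older than "
                        f"{'.'.join(map(str, minimum))} for {os}")
    return blockers


def ipv6_internet_access(blockers, *, has_internet_gateway, has_egress_only_igw):
    """True when the task will hold an IPv6 address and the VPC has an IGW or
    egress-only IGW, so it can reach the internet without a NAT gateway."""
    return not blockers and (has_internet_gateway or has_egress_only_igw)
```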