ECS Private Subnet to ECR 🛜
How do you get an ECR image to an ECS task in a private subnet?
tl;dr Use a NAT Gateway, route table entry to NAT In private subnet, and an EIP on the nat.
Problem ECS Can't Pull ECR Image ⎑
I think I've got everything set up, but boom, AWS Container Service (ECS)
can't reach AWS Elastic Container Registry (ECR) 🤔.
✅ I've got my ECS service, task, and container all set up
✅ I've got my ECR all set up
✅ I've got my VPC, subnets, and security groups all set up
ECS tasks are in a private subnet, whilst the ALB is in a public subnet 🔐; good. But, the ECS task can't pull the ECR image ‼️.
Turns out that ECS needs to go over the internet to pull the image. But, the private subnet doesn't have internet access 🌐.
Solution NAT Gateway 🌐
In order to get out to the internet from a private subnet I need a
Network Address Translation (NAT) Gateway.
Here's how to create that in terraform:
1 2 3 4 5 6 7 8 9 10 | |
Excellent ㊝
EIP on the NAT 📇
But, ECS still can't reach ECR 😕. The NAT needs that allocation_id
that at first I did not have. The terraform docs have it as optional, which is true, but for this use case I need it.
Here is the terraform for the Elastic IP (EIP):
1 2 3 4 | |
Route Table Entry to NAT 🚏
Still not quite there yet. Need to add an entry on the private subnets route table
in order to allow egress from the subnet to the NAT. Here is the terraform for that:
1 2 3 4 5 | |
Phew 😅.
Conclusion ⚫️
Now ECS can pull the ECR image ✨. Keeping the ECS tasks in a private subnet is a good security practice. Adding the NAT allows the private subnet egress to the internet, but no ingress from the internet. Now we can pull the ECR image(s) when the application is updated 🚀.
