Amazon ECS interface VPC endpoints (AWS PrivateLink) - Amazon Elastic Container Service

You can improve the security posture of your VPC by configuring Amazon ECS to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access Amazon ECS APIs by using private IP addresses. AWS PrivateLink restricts all network traffic between your VPC and Amazon ECS to the Amazon network. You don't need an internet gateway, a NAT device, or a virtual private gateway.

For more information about AWS PrivateLink and VPC endpoints, see VPC Endpoints in the Amazon VPC User Guide.

Considerations for Amazon ECS VPC endpoints

Before you set up interface VPC endpoints for Amazon ECS, be aware of the following considerations:

  • Tasks using the Fargate launch type don't require the interface VPC endpoints for Amazon ECS, but you might need interface VPC endpoints for Amazon ECR, Secrets Manager, or Amazon CloudWatch Logs described in the following points.

  • Tasks using the EC2 launch type require that the container instances they're launched on run version 1.25.1 or later of the Amazon ECS container agent. For more information, see Amazon ECS container agent versions.

  • VPC endpoints currently don't support cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to issue your API calls to Amazon ECS.

  • VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the Amazon VPC User Guide.

  • The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the VPC.

Creating the VPC Endpoints for Amazon ECS

To create the VPC endpoint for the Amazon ECS service, use the Creating an Interface Endpoint procedure in the Amazon VPC User Guide to create the following endpoints. If you have existing container instances within your VPC, you should create the endpoints in the order that they're listed. If you plan on creating your container instances after your VPC endpoint is created, the order doesn't matter.

  • com.amazonaws.region.ecs-agent

  • com.amazonaws.region.ecs-telemetry

  • com.amazonaws.region.ecs

Note

region represents the Region identifier for an AWS Region supported by Amazon ECS, such as us-east-2 for the US East (Ohio) Region.

If you have existing tasks that are using the EC2 launch type, after you have created the VPC endpoints, each container instance needs to pick up the new configuration. For this to happen, you must either reboot each container instance or restart the Amazon ECS container agent on each container instance. To restart the container agent, do the following.

To restart the Amazon ECS container agent

  1. Log in to your container instance via SSH. For more information, see Connect to your container instance.

  2. Stop the container agent.

    sudo docker stop ecs-agent

  3. Start the container agent.

    sudo docker start ecs-agent

After you have created the VPC endpoints and restarted the Amazon ECS container agent on each container instance, all newly launched tasks pick up the new configuration.

Create the Secrets Manager and Systems Manager endpoints

If you are referencing either Secrets Manager secrets or Systems Manager Parameter Store parameters in your task definitions to inject sensitive data into your containers, you need to create the interface VPC endpoints for Secrets Manager or Systems Manager so those tasks can reach those services. You only need to create the endpoints for the specific service that hosts your sensitive data. For more information, see Specifying sensitive data.

For more information about Secrets Manager VPC endpoints, see Using Secrets Manager with VPC endpoints in the AWS Secrets Manager User Guide.

For more information about Systems Manager VPC endpoints, see Using Systems Manager with VPC endpoints in the AWS Systems Manager User Guide.

Create the Systems Manager endpoints

If you use the ECS Exec feature, you need to create the interface VPC endpoints for Systems Manager Session Manager. For more information, see Using Amazon ECS Exec for debugging.

For more information about Systems Manager Session Manager VPC endpoints, see Use AWS PrivateLink to set up a VPC endpoint for Session Manager in the AWS Systems Manager User Guide.

Creating a VPC endpoint policy for Amazon ECS

You can attach an endpoint policy to your VPC endpoint that controls access to Amazon ECS. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon ECS actions

The following is an example of an endpoint policy for Amazon ECS. When attached to an endpoint, this policy grants access to the listed Amazon ECS actions for all principals on all resources.

{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "ecs:action-1",
            "ecs:action-2",
            "ecs:action-3"
         ],
         "Resource":"*"
      }
   ]
}
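As an added example (not code from the Amazon ECS documentation), the following Python derives the three service names in the creation order given above, shapes the port 443 ingress rule the endpoint security group needs, and lints an endpoint policy like the one just shown for a wildcard principal, non-ECS actions and duplicate actions. The account-scoped policy builder and its account ID argument are assumptions for illustration.

```python
"""Helpers for Amazon ECS interface endpoint setup and endpoint-policy review."""

# Creation order required when container instances already exist in the VPC.
ECS_ENDPOINT_SUFFIXES = ("ecs-agent", "ecs-telemetry", "ecs")


def ecs_endpoint_service_names(region):
    """Return the three ECS service names for a Region, in creation order."""
    return [f"com.amazonaws.{region}.{suffix}" for suffix in ECS_ENDPOINT_SUFFIXES]


def endpoint_sg_ingress(private_subnet_cidr):
    """IpPermissions entry allowing HTTPS (443) from the private subnet to the endpoint.

    Shaped for boto3 ec2.authorize_security_group_ingress(IpPermissions=[...]).
    """
    return {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": private_subnet_cidr, "Description": "ECS endpoint"}],
    }


def build_ecs_endpoint_policy(account_id, actions):
    """Endpoint policy scoped to one AWS account (assumed pattern, not from the page)."""
    return {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": sorted(set(actions)),  # de-duplicated, deterministic order
        "Resource": "*",
    }]}


def lint_endpoint_policy(policy):
    """Return findings (strings) for an ECS endpoint policy; [] means nothing flagged."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: Principal is a wildcard")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        seen = set()
        for action in actions:
            if action in ("*", "ecs:*"):
                findings.append(f"statement {i}: Action {action!r} allows every ECS action")
            elif not action.startswith("ecs:"):
                findings.append(f"statement {i}: Action {action!r} is not an ecs: action")
            if action in seen:
                findings.append(f"statement {i}: duplicate Action {action!r}")
            seen.add(action)
    return findings
```

Run `lint_endpoint_policy` against the policy you intend to attach before creating the endpoint; an empty list means no wildcard principal, foreign-service action or duplicate was found.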