Fargate task networking - Amazon ECS

Fargate task networking

Important

If you're using Amazon ECS tasks that are hosted on Amazon EC2 instances, see Task networking in the Amazon Elastic Container Service Developer Guide for networking information that's relevant to your instances.

By default, every Amazon ECS task on Fargate is provided an elastic network interface (ENI) with a primary private IP address. When using a public subnet, you can optionally assign a public IP address to the task's ENI. If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, your task's ENI also receives an IPv6 address. A task can only have one ENI that's associated with it at a time. For more information about VPCs and subnets, see VPCs and subnets in the Amazon VPC User Guide.

For a task on Fargate to pull a container image, the task must have a route to the internet. The following describes how you can verify that your task has a route to the internet.

  • When using a public subnet, you can assign a public IP address to the task ENI.

  • When using a private subnet, the subnet can have a NAT gateway attached.

  • When using container images that are hosted in Amazon ECR, you can configure Amazon ECR to use an interface VPC endpoint and the image pull occurs over the task's private IPv4 address. For more information, see Amazon ECR interface VPC endpoints (AWS PrivateLink) in the Amazon Elastic Container Registry User Guide.

Because each task gets its own ENI, you can use networking features such as VPC Flow Logs, which you can use to monitor traffic to and from your tasks. Containers that belong to the same task can also communicate over the localhost interface. For more information, see VPC Flow Logs in the Amazon VPC User Guide.

Because each task gets its own ENI, you can also take advantage of AWS PrivateLink. You can configure an VPC interface endpoint so that you can access Amazon ECS APIs through private IP addresses. AWS PrivateLink restricts all network traffic between your VPC and Amazon ECS to the Amazon network. You don't need an internet gateway, a NAT device, or a virtual private gateway. For more information, see AWS PrivateLink in the Amazon ECS Best Practices Guide.

The ENIs that are created are fully managed by AWS Fargate. Moreover, there's an associated IAM policy that's used to grant permissions for Fargate. For tasks using Fargate platform version 1.4.0 or later, the task receives a single ENI (referred to as the task ENI) and all network traffic flows through that ENI within your VPC. This traffic is recorded in your VPC flow logs. For tasks that use Fargate platform version 1.3.0 and earlier, in addition to the task ENI, the task also receives a separate Fargate owned ENI, which is used for some network traffic that isn't visible in the VPC flow logs. The following table describes the network traffic behavior and the required IAM policy for each platform version.

Action

Traffic flow with Linux platform version 1.3.0 and earlier

Traffic flow with Linux platform version 1.4.0

Traffic flow with Windows platform version 1.0.0

IAM permission

Retrieving Amazon ECR login credentials

Fargate owned ENI

Task ENI

Task ENI

Task execution IAM role

Image pull

Task ENI

Task ENI

Task ENI

Task execution IAM role

Sending logs through a log driver

Task ENI

Task ENI

Task ENI

Task execution IAM role

Sending logs through FireLens for Amazon ECS

Task ENI

Task ENI

Task ENI

Task IAM role

Retrieving secrets from Secrets Manager or Systems Manager

Fargate owned ENI

Task ENI

Task ENI

Task execution IAM role

Amazon EFS file system traffic

Not available

Task ENI

Task ENI

Task IAM role

Application traffic

Task ENI

Task ENI

Task ENI

Task IAM role

Fargate task networking considerations

Consider the following when using task networking.

  • The Amazon ECS service-linked role is required to provide Amazon ECS with the permissions to make calls to other AWS services on your behalf. This role is created for you when you create a cluster or if you create or update a service in the AWS Management Console. For more information, see Service-linked role for Amazon ECS. You can also create the service-linked role using the following AWS CLI command.

    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
  • Amazon ECS populates the hostname of the task with an Amazon provided DNS hostname when both the enableDnsHostnames and enableDnsSupport options are enabled on your VPC. If these options aren't enabled, the DNS hostname of the task is set to a random hostname. For more information about the DNS settings for a VPC, see Using DNS with Your VPC in the Amazon VPC User Guide.

  • You can only specify up to 16 subnets and 5 security groups for awsvpcConfiguration. For more information, see AwsVpcConfiguration in the Amazon Elastic Container Service API Reference.

  • You can't manually detach or modify the ENIs that are created and attached by Fargate. This is to prevent the accidental deletion of an ENI that's associated with a running task. To release the ENIs for a task, stop the task.

  • If a VPC subnet is updated to change the DHCP options set it uses, you can't also apply these changes to existing tasks that use the VPC. Start new tasks, which will receive the new setting to smoothly migrate while testing the new change and then stop the old ones, if no rollback is required.

  • Tasks that are launched in subnets with IPv6 CIDR blocks only receive an IPv6 address when using Fargate platform version 1.4.0 or later for Linux or 1.0.0 for Windows.

  • For tasks that use platform version 1.4.0 or later for Linux or 1.0.0 for Windows, the task ENIs support jumbo frames. Network interfaces are configured with a maximum transmission unit (MTU), which is the size of the largest payload that fits within a single frame. The larger the MTU, the more application payload can fit within a single frame, which reduces per-frame overhead and increases efficiency. Supporting jumbo frames reduces overhead when the network path between your task and the destination supports jumbo frames.

  • Services with tasks that use the Fargate launch type only support Application Load Balancer and Network Load Balancer. Classic Load Balancer isn't supported. When you create any target groups, you must choose ip as the target type, not instance. For more information, see Service load balancing.

Using a VPC in dual-stack mode

When using a VPC in dual-stack mode, your tasks can communicate over IPv4 or IPv6, or both. IPv4 and IPv6 addresses are independent of each other and you must configure routing and security in your VPC separately for IPv4 and IPv6. For more information about configuring your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.

If the following conditions are met, Amazon ECS tasks on Fargate are assigned an IPv6 address:

  • Your VPC and subnet are enabled for IPv6. For more information about how to configure your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.

  • The task or service uses Fargate platform version 1.4.0 or later for Linux or 1.0.0 for Windows.

  • The dualStackIPv6 account setting is enabled. For more information, see Account settings.

If you configure your VPC with an internet gateway or an outbound-only internet gateway, Amazon ECS tasks on Fargate that are assigned an IPv6 address can access the internet. NAT gateways aren't needed. For more information, see Internet gateways and Egress-only internet gateways in the Amazon VPC User Guide.