Fargate task networking

Important

If you are using Amazon ECS tasks hosted on Amazon EC2 instances, see Task networking in the Amazon Elastic Container Service Developer Guide.

By default, every Amazon ECS task on Fargate is provided an elastic network interface (ENI) with a primary private IP address. When using a public subnet, you may optionally assign a public IP address to the task's ENI. If your VPC is enabled for dual-stack mode and you use a subnet with an IPv6 CIDR block, your task's ENI will also receive an IPv6 address. A task can only have one ENI associated with it at a time. For more information about VPCs and subnets, see VPCs and subnets in the Amazon VPC User Guide.

For a task on Fargate to be able to pull a container image, the task must have a route to the internet. The following describes how to ensure your task has a route to the internet.

  • When using a public subnet, you can assign a public IP address to the task ENI.

  • When using a private subnet, the subnet can have a NAT gateway attached.

  • When using container images hosted in Amazon ECR, you can configure Amazon ECR to use an interface VPC endpoint and the image pull will occur over the task's private IPv4 address. For more information, see Amazon ECR interface VPC endpoints (AWS PrivateLink) in the Amazon Elastic Container Registry User Guide.

Because each task gets its own ENI, you can also take advantage of networking features like VPC Flow Logs so that you can monitor traffic to and from your tasks. Additionally, containers that belong to the same task can communicate over the localhost interface. For more information, see VPC Flow Logs in the Amazon VPC User Guide.
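Because every Fargate task has its own ENI, its flow log records can be isolated by interface ID. The following script is an added example, not part of the ECS documentation: it summarises constructed VPC Flow Log records (default version 2 format, placeholder account, ENI IDs and addresses) for one task ENI and lists the sources whose inbound connections the task's security group rejected. On platform version 1.3.0 and earlier, traffic that leaves through the Fargate-owned ENI never appears in these records, so the totals only cover what flows through the task ENI.

```shell
#!/bin/sh
# Added example (not from the ECS documentation): summarise VPC Flow Log
# records for one Fargate task ENI. The log lines are constructed samples in
# the default flow log format (version 2); ENI IDs, account and addresses
# are placeholders.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport
#         protocol packets bytes start end action log-status

FLOW_LOG_SAMPLE='2 123456789012 eni-0taskexample 10.0.1.25 10.0.2.40 43210 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0taskexample 198.51.100.7 10.0.1.25 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0taskexample 10.0.1.25 10.0.2.41 43211 5432 6 40 9200 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0otherexample 10.0.3.9 10.0.1.25 40000 80 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0taskexample 198.51.100.7 10.0.1.25 51001 22 6 3 180 1700000060 1700000120 REJECT OK'

# task_eni_summary ENI_ID < flow-log-lines
# Prints "accept=<n> reject=<n> bytes=<n>" counting only records whose
# interface-id (field 3) matches ENI_ID; other ENIs in the same VPC are ignored.
task_eni_summary() {
  awk -v eni="$1" '$3 == eni {
      if ($13 == "ACCEPT") a++; else if ($13 == "REJECT") r++
      b += $10
    }
    END { printf "accept=%d reject=%d bytes=%d\n", a, r, b }'
}

# rejected_sources ENI_ID < flow-log-lines
# Prints "<srcaddr>:<dstport> <count>" for inbound traffic the task ENI
# rejected, giving a security group review a concrete starting point.
rejected_sources() {
  awk -v eni="$1" '$3 == eni && $13 == "REJECT" { c[$4 ":" $7]++ }
    END { for (k in c) print k, c[k] }' | sort
}

# Usage with the constructed sample above.
printf '%s\n' "$FLOW_LOG_SAMPLE" | task_eni_summary eni-0taskexample
printf '%s\n' "$FLOW_LOG_SAMPLE" | rejected_sources eni-0taskexample
```

In practice the records come from the flow log destination (CloudWatch Logs or S3) rather than an inline string; the two functions read from standard input, so they can be fed directly from an export.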

The ENIs that are created are fully managed by AWS Fargate, and an associated IAM policy grants the permissions Fargate needs. For tasks using Fargate platform version 1.4.0 or later, the task receives a single ENI (referred to as the task ENI); all network traffic flows through that ENI within your VPC and is visible to you through your VPC flow logs. For tasks that use Fargate platform version 1.3.0 and earlier, in addition to the task ENI, the task also receives a separate Fargate-owned ENI that carries some network traffic that is not visible in the VPC flow logs. The following table describes the network traffic behavior and the required IAM policy for each platform version.

| Action                                                      | Traffic flow with platform version 1.3.0 and earlier | Traffic flow with platform version 1.4.0 | IAM permission          |
|-------------------------------------------------------------|------------------------------------------------------|------------------------------------------|-------------------------|
| Retrieving Amazon ECR login credentials                     | Fargate-owned ENI                                    | Task ENI                                 | Task execution IAM role |
| Image pull                                                  | Task ENI                                             | Task ENI                                 | Task execution IAM role |
| Sending logs through a log driver                           | Task ENI                                             | Task ENI                                 | Task execution IAM role |
| Sending logs through FireLens for Amazon ECS                | Task ENI                                             | Task ENI                                 | Task IAM role           |
| Retrieving secrets from Secrets Manager or Systems Manager  | Fargate-owned ENI                                    | Task ENI                                 | Task execution IAM role |
| Amazon EFS file system traffic                              | Not available                                        | Task ENI                                 | Task IAM role           |
| Application traffic                                         | Task ENI                                             | Task ENI                                 | Task IAM role           |

Fargate task networking considerations

There are several things to consider when using task networking.

  • The Amazon ECS service-linked role is required to provide Amazon ECS with the permissions to make calls to other AWS services on your behalf. This role is created for you automatically when you create a cluster, or if you create or update a service in the AWS Management Console. For more information, see Service-Linked Role for Amazon ECS. You can also create the service-linked role with the following AWS CLI command:

    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

  • Amazon ECS populates the hostname of the task with an Amazon-provided (internal) DNS hostname when both the enableDnsHostnames and enableDnsSupport options are enabled on your VPC. If these options are not enabled, the DNS hostname of the task will be a random hostname. For more information on the DNS settings for a VPC, see Using DNS with Your VPC in the Amazon VPC User Guide.

  • There is a limit of 16 subnets and 5 security groups that can be specified in the awsvpcConfiguration. For more information, see AwsVpcConfiguration in the Amazon Elastic Container Service API Reference.

  • The ENIs that are created and attached by Fargate cannot be detached manually or modified by your account. This is to prevent the accidental deletion of an ENI that is associated with a running task. To release the ENIs for a task, stop the task.

  • If a VPC is updated, for example to change the DHCP options set it uses, and you want tasks using the VPC to pick up the changes, those tasks must be stopped and new tasks started.

  • Tasks launched in subnets with IPv6 CIDR blocks only receive an IPv6 address when using platform version 1.4.0 or later.

  • For tasks using platform version 1.4.0 or later, the task ENIs support jumbo frames. Network interfaces are configured with a maximum transmission unit (MTU), which is the size of the largest payload that fits within a single frame. The larger the MTU, the more application payload can fit within a single frame, which reduces per-frame overhead and increases efficiency. Supporting jumbo frames will reduce overhead when the network path between your task and the destination supports jumbo frames, such as all traffic that remains within your VPC.

  • Services with tasks that use the Fargate launch type only support Application Load Balancers and Network Load Balancers. Classic Load Balancers are not supported. Also, when you create any target groups, you must choose ip as the target type, not instance. For more information, see Service load balancing.
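The awsvpcConfiguration limits above (16 subnets, 5 security groups) and the assignPublicIp choice from the internet-route options earlier on this page are easy to get wrong in automation. The following script is an added example, not part of the ECS documentation or the AWS CLI: it builds the JSON value for the run-task --network-configuration parameter from plain comma-separated lists and refuses configurations that exceed the documented limits. The subnet, security group, cluster and task definition names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ECS documentation): build an awsvpcConfiguration
# for a Fargate task and check it against the documented limits before it is
# passed to `aws ecs run-task`. All IDs and names below are placeholders.

# count_csv LIST: number of non-empty comma-separated items in LIST.
count_csv() {
  printf '%s\n' "$1" | awk -F, '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n }'
}

# validate_awsvpc_config SUBNETS SGS ASSIGN_PUBLIC_IP
# Returns 0 when the configuration has at least one subnet, at most 16 subnets,
# at most 5 security groups, and ASSIGN_PUBLIC_IP is ENABLED or DISABLED;
# otherwise prints the reason to stderr and returns 1.
validate_awsvpc_config() {
  subnets=$(count_csv "$1")
  sgs=$(count_csv "$2")
  case "$3" in
    ENABLED|DISABLED) ;;
    *) echo "assignPublicIp must be ENABLED or DISABLED, got '$3'" >&2; return 1 ;;
  esac
  if [ "$subnets" -lt 1 ]; then
    echo "at least one subnet is required" >&2; return 1
  fi
  if [ "$subnets" -gt 16 ]; then
    echo "too many subnets: $subnets (limit 16)" >&2; return 1
  fi
  if [ "$sgs" -gt 5 ]; then
    echo "too many security groups: $sgs (limit 5)" >&2; return 1
  fi
  return 0
}

# csv_to_json_array LIST: "a,b" -> ["a","b"] (empty items are dropped).
csv_to_json_array() {
  printf '%s\n' "$1" | awk -F, '{
    out = "["
    for (i = 1; i <= NF; i++) {
      if ($i == "") continue
      if (out != "[") out = out ","
      out = out "\"" $i "\""
    }
    print out "]"
  }'
}

# build_network_configuration SUBNETS SGS ASSIGN_PUBLIC_IP
# Prints the JSON for --network-configuration, or prints nothing and
# returns 1 when validation fails.
build_network_configuration() {
  validate_awsvpc_config "$1" "$2" "$3" || return 1
  printf '{"awsvpcConfiguration":{"subnets":%s,"securityGroups":%s,"assignPublicIp":"%s"}}\n' \
    "$(csv_to_json_array "$1")" "$(csv_to_json_array "$2")" "$3"
}

# Usage with constructed IDs: a task in private subnets that reach ECR through
# a NAT gateway or an ECR interface endpoint keeps assignPublicIp DISABLED; a
# task in a public subnet that must pull its image directly would use ENABLED.
if net=$(build_network_configuration "subnet-0example1,subnet-0example2" "sg-0example" DISABLED); then
  echo "aws ecs run-task --launch-type FARGATE --cluster my-cluster \\"
  echo "  --task-definition my-task \\"
  echo "  --network-configuration '$net'"
fi
```

Security groups in this configuration apply to the task ENI, so the list should be the minimal set the application needs rather than a broad default group. The dualStackIPv6 account setting described in the next section is an account-level switch (for example via aws ecs put-account-setting) and is not part of the network configuration passed here.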

Using a VPC in dual-stack mode

When using a VPC in dual-stack mode, your tasks can communicate over IPv4 or IPv6, or both. IPv4 and IPv6 addresses are independent of each other and you must configure routing and security in your VPC separately for IPv4 and IPv6. For more information about configuring your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.

Amazon ECS tasks on Fargate are assigned an IPv6 address if the following conditions are met:

  • Your VPC and subnet are enabled for IPv6. For more information about configuring your VPC for dual-stack mode, see Migrating to IPv6 in the Amazon VPC User Guide.

  • The task or service is using platform version 1.4.0 or later.

  • The dualStackIPv6 account setting is enabled. For more information, see Account settings.

Amazon ECS tasks on Fargate assigned an IPv6 address can access the internet as long as the VPC is configured with either an internet gateway or an egress-only internet gateway. NAT gateways are not needed. For more information, see Internet gateways and Egress-only internet gateways in the Amazon VPC User Guide.