Fargate task networking - Amazon ECS

Fargate task networking

Amazon ECS tasks using Fargate require the awsvpc network mode, which provides each task with an elastic network interface (ENI) and a primary private IP address. When you run a task or create a service with this network mode, you must specify one or more subnets to attach the network interface to and one or more security groups to apply to the network interface. Because each task gets its own ENI, you can also take advantage of other Amazon EC2 networking features like VPC Flow Logs so that you can monitor traffic to and from your tasks. Additionally, containers that belong to the same task can communicate over the localhost interface. A task can only have one ENI associated with it at a given time.

If you are using public subnets, decide whether to provide a public IP address for the network interface. For a Fargate task in a public subnet to pull container images, a public IP address must be assigned to the task's elastic network interface, and the subnet needs a route to the internet or to a NAT gateway that can route requests to the internet. For a Fargate task in a private subnet to pull container images, the private subnet requires that a NAT gateway be attached to route requests to the internet.

The following is an example of the networkConfiguration section for a Fargate task or service:

    "networkConfiguration": {
        "awsvpcConfiguration": {
            "assignPublicIp": "ENABLED",
            "securityGroups": [ "sg-12345678" ],
            "subnets": [ "subnet-12345678" ]
        }
    }

Services with tasks that use the Fargate launch type only support Application Load Balancers and Network Load Balancers. Classic Load Balancers are not supported. Also, when you create any target groups, you must choose ip as the target type, not instance. For more information, see Service load balancing.

The network interfaces that are created are fully managed by AWS Fargate, and an associated IAM policy is used to grant permissions to Fargate. For tasks using Fargate platform version 1.4 or later, the task receives a single ENI (referred to as the task ENI); all network traffic flows through that ENI within your VPC and is visible to you through your VPC flow logs. For tasks that use Fargate platform version 1.3 and earlier, in addition to the task ENI, the task also receives a separate Fargate-owned ENI that is used for some network traffic, and that traffic is not visible in the VPC flow logs. The following table describes the network traffic behavior and the required IAM policy for each platform version.

Action                                                     | Traffic flow with platform version 1.3 and earlier | Traffic flow with platform version 1.4 | IAM permission
-----------------------------------------------------------|----------------------------------------------------|----------------------------------------|------------------------
Retrieving Amazon ECR login credentials                    | Fargate-owned ENI                                  | Task ENI                               | Task execution IAM role
Image pull                                                 | Task ENI                                           | Task ENI                               | Task execution IAM role
Sending logs through a log driver                          | Task ENI                                           | Task ENI                               | Task execution IAM role
Sending logs through FireLens for Amazon ECS               | Task ENI                                           | Task ENI                               | Task IAM role
Retrieving secrets from Secrets Manager or Systems Manager | Fargate-owned ENI                                  | Task ENI                               | Task execution IAM role
Amazon EFS file system traffic                             | Not available                                      | Task ENI                               | Task IAM role
Application traffic                                        | Task ENI                                           | Task ENI                               | Task IAM role

Fargate task networking considerations

There are several things to consider when using task networking.

  • The Amazon ECS service-linked role is required to provide Amazon ECS with the permissions to make calls to other AWS services on your behalf. This role is created for you automatically when you create a cluster, or if you create or update a service in the AWS Management Console. For more information, see Service-Linked Role for Amazon ECS. You can also create the service-linked role with the following AWS CLI command:

    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
  • Amazon ECS populates the hostname of a task using task networking with an Amazon-provided (internal) DNS hostname when both the enableDnsHostnames and enableDnsSupport options are enabled on your VPC. If these options are not enabled, the DNS hostname of the task will be a random hostname. For more information on the DNS settings for a VPC, see Using DNS with Your VPC in the Amazon VPC User Guide.

  • A maximum of 16 subnets and 5 security groups can be specified in the awsvpcConfiguration. For more information, see AwsVpcConfiguration in the Amazon Elastic Container Service API Reference.

  • The ENIs that are created and attached by Fargate cannot be detached manually or modified by your account. This is to prevent the accidental deletion of an ENI that is associated with a running task. To release the ENIs for a task, stop the task.

  • If a VPC is updated, for example to change the DHCP options set it uses, and you want tasks using the VPC to pick up the changes, those tasks must be stopped and new tasks started.

  • For tasks using platform version 1.4 or later, the task ENIs support jumbo frames. Network interfaces are configured with a maximum transmission unit (MTU), which is the size of the largest payload that fits within a single frame. The larger the MTU, the more application payload can fit within a single frame, which reduces per-frame overhead and increases efficiency. Supporting jumbo frames will reduce overhead when the network path between your task and the destination supports jumbo frames, such as all traffic that remains within your VPC.
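The following is an added example (not code from the Amazon ECS documentation) that builds the awsvpcConfiguration section shown earlier and checks it against the constraints stated on this page: the 16-subnet and 5-security-group limits, the allowed assignPublicIp values, and the image-pull rules for public and private subnets. The subnet_is_public and has_nat_gateway flags are assumptions the caller supplies about the chosen subnets; the ID patterns are an assumption based on the sample IDs, not an AWS-published format.

```python
import json
import re

# Limits stated on this page for awsvpcConfiguration.
MAX_SUBNETS = 16
MAX_SECURITY_GROUPS = 5
# Assumed ID shapes, loosely modelled on the sample IDs (subnet-12345678, sg-12345678).
SUBNET_RE = re.compile(r"^subnet-[0-9a-f]{8,17}$")
SG_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")


def validate_awsvpc_config(cfg, subnet_is_public, has_nat_gateway):
    """Return a list of problems found in an awsvpcConfiguration dict.

    subnet_is_public / has_nat_gateway describe the subnets the caller intends
    to use; they are assumptions about the VPC, not fields of the ECS config.
    """
    problems = []
    subnets = cfg.get("subnets", [])
    sgs = cfg.get("securityGroups", [])
    public_ip = cfg.get("assignPublicIp", "DISABLED")

    if not subnets:
        problems.append("at least one subnet is required")
    if len(subnets) > MAX_SUBNETS:
        problems.append(f"too many subnets ({len(subnets)} > {MAX_SUBNETS})")
    if len(sgs) > MAX_SECURITY_GROUPS:
        problems.append(f"too many security groups ({len(sgs)} > {MAX_SECURITY_GROUPS})")
    problems += [f"malformed subnet id: {s}" for s in subnets if not SUBNET_RE.match(s)]
    problems += [f"malformed security group id: {g}" for g in sgs if not SG_RE.match(g)]
    if public_ip not in ("ENABLED", "DISABLED"):
        problems.append(f"assignPublicIp must be ENABLED or DISABLED, got {public_ip}")

    # Image-pull reachability rules from this page: a task in a public subnet needs a
    # public IP on its ENI; a task in a private subnet needs a NAT gateway.
    if subnet_is_public and public_ip != "ENABLED":
        problems.append("public subnet: task needs a public IP to pull images")
    if not subnet_is_public and not has_nat_gateway:
        problems.append("private subnet: a NAT gateway is required to pull images")
    return problems


def build_network_configuration(subnets, security_groups, assign_public_ip):
    """Return the networkConfiguration section as a dict (same shape as on this page)."""
    return {"networkConfiguration": {"awsvpcConfiguration": {
        "assignPublicIp": assign_public_ip,
        "securityGroups": list(security_groups),
        "subnets": list(subnets)}}}


if __name__ == "__main__":
    cfg = build_network_configuration(["subnet-12345678"], ["sg-12345678"], "ENABLED")
    print(json.dumps(cfg, indent=2))
    print(validate_awsvpc_config(cfg["networkConfiguration"]["awsvpcConfiguration"], True, False))
```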