
Securing Amazon ECS cluster instances with dynamic port mapping behind an ALB


I'm trying to work out how I can tighten up the security group which I have assigned to container instances in AWS ECS.

  • I have a fairly simple Express.js web service running in a service on ECS
  • I'm running an Application Load Balancer in front of ECS
  • My Express.js container exposes and listens on port 8080
  • I'm using dynamic port mapping to allow container instances to run multiple containers on the same port (8080)

I have found that in order for the ALB to forward requests on to containers running in the ECS cluster, I need the security group which is assigned to the container instances to allow all traffic. Bearing in mind that these instances (for reasons I don't know) are assigned public IPv4 addresses - regardless of the fact that I've configured the cluster to place instances in my private subnets - I'm not comfortable with these instances essentially being wide open, just so the ALB can pass requests to them inside the VPC.

I understand that with dynamic port mapping, my containers are not running on one single port on the underlying Docker host that's running them. I also understand that there's no single IP that requests may arrive at the EC2 instances from the ALB, so it seems to me that I can't lock this down if I'm using dynamic port mapping, because there's no single point of origin or destination for the traffic that's coming into the EC2 instances. I feel like I'm missing something here, but I can't for the life of me work out how to do this.

How should I configure ECS or my EC2 security group so that access to the container instances is allowed only from the ALB and not from the rest of the internet?

I've tried to include as much info as is necessary without swamping the question with unnecessary details. If there are any details that would be useful that I've not included, please leave a comment and I'll be happy to provide them.


Solution

  1) There is no reason why you have to have public IP addresses on your container instances. Just don't set the option at launch; see this page, particularly step "e": http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html?shortFooter=true

     If the instances are in a private subnet, then the routing should not allow ingress anyway...

  2) It is possible to lock down the security using security groups. Using the "security group id" instead of the IP address means that you do not have to know the exact address of the ALB. See this page for instructions on ALB configuration in this way:

     http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
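As an added example (not part of the original question or answer), here is the layout the answer describes written as Terraform: an internet-facing ALB with its own security group, container instances whose only inbound rule references that ALB security group ID rather than any IP or CIDR, and a launch template that puts the instances in the private subnets with no public IPv4 address. The variable values, the `t3.small` instance type and the cluster name are assumptions for illustration; the 32768-60999 port range is the Linux default ephemeral range that dynamic port mapping draws host ports from, and should be checked against `/proc/sys/net/ipv4/ip_local_port_range` on an actual container instance.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Assumed inputs; replace with values from your own account.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "ecs_ami_id"         { type = string } # ECS-optimized AMI for your region
variable "cluster_name"       { type = string }

# WEAK rule the question ended up with (do not use): every port, every source.
#   ingress {
#     from_port = 0
#     to_port   = 0
#     protocol  = "-1"
#     cidr_blocks = ["0.0.0.0/0"]
#   }

# The ALB is the only component that accepts traffic from the internet.
resource "aws_security_group" "alb" {
  name        = "${var.cluster_name}-alb"
  description = "Internet-facing ALB"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Egress is added below as a rule scoped to the instance SG, so the ALB
  # can reach nothing but the container instances.
}

# Container instances: no CIDR-based ingress at all.
resource "aws_security_group" "ecs_instances" {
  name        = "${var.cluster_name}-instances"
  description = "ECS container instances, reachable only from the ALB"
  vpc_id      = var.vpc_id

  # Outbound is still required: the ECS agent, image pulls and log shipping
  # leave via the private subnets' NAT gateway. Rules are stateful, so the
  # replies to ALB requests need no extra egress rule.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Dynamic port mapping binds each task to a random host port in the kernel's
# ephemeral range (assumed 32768-60999 here). The source is the ALB's
# security group ID, so it keeps working as ALB nodes are added or replaced,
# and it also admits the ALB health checks, which use the same path.
resource "aws_security_group_rule" "alb_to_instances" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ecs_instances.id
  source_security_group_id = aws_security_group.alb.id
  from_port                = 32768
  to_port                  = 60999
  protocol                 = "tcp"
}

# Mirror rule on the ALB side: it may only open connections to the instances.
resource "aws_security_group_rule" "alb_egress" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  source_security_group_id = aws_security_group.ecs_instances.id
  from_port                = 32768
  to_port                  = 60999
  protocol                 = "tcp"
}

# Launch instances into the private subnets with no public IPv4 address.
resource "aws_launch_template" "ecs" {
  name_prefix   = "${var.cluster_name}-"
  image_id      = var.ecs_ami_id
  instance_type = "t3.small"
  user_data     = base64encode("#!/bin/bash\necho ECS_CLUSTER=${var.cluster_name} >> /etc/ecs/ecs.config\n")

  network_interfaces {
    associate_public_ip_address = false
    security_groups             = [aws_security_group.ecs_instances.id]
  }
}

resource "aws_autoscaling_group" "ecs" {
  name                = "${var.cluster_name}-asg"
  vpc_zone_identifier = var.private_subnet_ids
  min_size            = 1
  max_size            = 3
  desired_capacity    = 2

  launch_template {
    id      = aws_launch_template.ecs.id
    version = "$Latest"
  }
}
```

The cross-references between the two security groups are written as separate `aws_security_group_rule` resources rather than inline `ingress`/`egress` blocks, because inline blocks that point at each other form a dependency cycle Terraform cannot resolve. The IAM instance profile the ECS agent needs, the ALB itself and its target group are left out, since they do not change the security-group picture; and if port 8080 were ever mapped statically instead of dynamically, the ingress rule above should shrink to that single port.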