I have the following cloudformation stack which defines an ECS Service:
```yaml
ApiService:
  Type: AWS::ECS::Service
  DependsOn:
    - LoadBalancerListener80
    - LoadBalancerListener443
  Properties:
    Cluster: !Ref EcsClusterArn
    DeploymentConfiguration:
      MaximumPercent: 200
      MinimumHealthyPercent: 100
    DeploymentController:
      Type: ECS
    DesiredCount: 1
    HealthCheckGracePeriodSeconds: 10
    LaunchType: FARGATE
    LoadBalancers:
      - ContainerName: !Join ['-', ['container', !Ref AWS::StackName]]
        ContainerPort: !Ref Port
        TargetGroupArn: !Ref LoadBalancerTargetGroup
    NetworkConfiguration:
      AwsvpcConfiguration:
        AssignPublicIp: ENABLED # <-- if disabled, pulling from ecr registry fails
        SecurityGroups:
          - !Ref ApiServiceContainerSecurityGroup
        Subnets: !Ref Subnets
    SchedulingStrategy: REPLICA
    ServiceName: !Ref AWS::StackName
    TaskDefinition: !Ref ApiServiceTaskDefinition
```
I've noticed that without enabling public IP auto-assign, service tasks are unable to pull the docker image from the ECR registry. I don't understand why I need containers to have a public IP to pull images from the registry...the service security group allows all outbound traffic, the subnets can access the internet through an internet gateway and the IAM role allows pulling from ECR...so why the need for a public IP? I don't want my containers to have a public IP; they should be reachable only inside the VPC. Or have I misunderstood, and it's only the task that will receive a public IP (for whatever reason) while the containers will still be private inside the VPC?
> "the IAM role allows pulling from ECR"

The IAM role just gives it permission, it doesn't provide a network connection.

> "the subnets can access the internet through an internet gateway"

I think you'll find that the Internet Gateway only provides internet access to resources with a public IP assigned to them.

ECR is a service that exists outside your VPC, so you need one of the following for the network connection to ECR to be established:

- Public IP.
- NAT Gateway, with a route to the NAT Gateway in the subnet.
- ECR Interface VPC Endpoint, with a route to the endpoint in the subnet.
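One way to follow the VPC endpoint option and keep the tasks fully private, as an added CloudFormation example that is not part of the question or the answer: it assumes the stack already has the parameters VpcId, PrivateSubnets (a subnet id list) and PrivateRouteTableIds (a route table id list), and reuses ApiServiceContainerSecurityGroup, the task security group from the question.

```yaml
Resources:
  # Only the task security group may talk to the endpoint ENIs, and only on 443
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the ECS tasks to the VPC endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ApiServiceContainerSecurityGroup
  # ECR control-plane API (authorization tokens, manifests)
  EcrApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.api
      VpcEndpointType: Interface
      PrivateDnsEnabled: true   # resolve the public ECR hostname to the endpoint ENIs
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
  # Docker registry endpoint used for the actual image pull
  EcrDkrEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ecr.dkr
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref PrivateSubnets
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
  # Image layers are served from S3, so a gateway endpoint (a route, not an ENI) is needed too
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      RouteTableIds: !Ref PrivateRouteTableIds
  # Service fragment (other properties as in the question): tasks get no public IP
  ApiService:
    Type: AWS::ECS::Service
    Properties:
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups: [!Ref ApiServiceContainerSecurityGroup]
          Subnets: !Ref PrivateSubnets
```

If the task definition uses the awslogs log driver, the tasks also need a CloudWatch Logs interface endpoint (com.amazonaws.${AWS::Region}.logs), otherwise the pull succeeds but the task still fails to start.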