AWS ECS Network ACL requirements
I currently have a set up in AWS with something like the following:
Image source from task networking in aws fargate.
I am using AWS ECR to store my docker image and in my task definition, as container image, I am using the provided URI of the repository. Everything is in the same region and they are working just fine.
However I want to strengthen the security on AWS by whitelisting specific ports only. From security groups point of view, I have updated them as needed and everything is still working as expected. However for Network ACL, I am having some issues with the Fargate task. In ACL section in the public subnet, for inbound rules, I want to allow access to only HTTPS and HTTP from the internet (0.0.0.0/0). Doing so is resulting into this issue with my fargate task: ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed. It is to be noted that the outbound rules for both subnets (private and public) allows traffic to anywhere (0.0.0.0/0).
I understand that the Fargate task needs to connect to the internet to pull the docker image in ECR and the NAT helps do that. docker pull or docker push uses HTTPS and the private subnet has allowed all traffic from all source and the same for outbound.
NACLs for public subnets
Please advice on how to amend the Network ACL to whitelist specific ports only.
P.S: The last resort would be to use AWS PrivateLink to access the ECR repository, but I don't want to do that yet.
Your are only allowing ports 80 and 443 in your NACLs. This is not enough, as you need to also allow ephemeral ports.
This is because a request to ECR will come back to your container using ephemeral ports, not 80 and 443. These two ports are only used for your container to connect to ECR, not for return traffic from ECR to your container.
- HTTP requests not working on aws ec2
- Amazon EC2 and EBS disk space problem
- How do I enable Data API?
- CDK Pipelines - Migrating a database in the pipeline
- Do environment variables in ECS Fargate task definitions support interpolation?
- Upgrading AWS RDS aurora from serverless v1 to serverless v2 using terraform
- AWS IAM user not able to see Billing and Cost Management Dashboard
- Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
- Deleting last element in a DynamoDB string set
- AWS CLI on Windows won't work though using double quotes and escapes
- How to resolve 'Step Functions State Machine is not authorized to create managed-rule'?
- Understanding SQS message receive amount
- AWS Glue JDBC Connection created using Cloud Formation is not setting the password
- CloudFront charges after you invalidate your distribution over 1,000 times, does the count reset each month?
- AWS Cognito federated user login not allowing to sign in as different user after log out
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- Provide AWS Lex response in Hyperlink format
- Fixing yaml indentation with python
- Generate S3 URL in "path-style" format
- Trying to find the ARN pattern for AWS WAF regional
- AWS cognito: What's the difference between Access and Identity tokens?
- virtually isolate the network in the same AWS Cloud Account
- AWS start sandbox from tutorial
- Can I stop a spot instance in aws just like I can stop and start an on demand ec2 instance
- FastAPI app works locally, but /blogs endpoint causes redirect loop on AWS Lambda deployment
- Get pdftotext Python module running on Lambda
- Kubernetes: how to set VolumeMount user group and file permissions
- Invalid arn error for terraform code with kms data resource
- Unable to import module 'src.main': No module named 'dependencies' when uploading FastAPI zipped project to AWS Lambda
- Unable to update AWS AppRunner VPC connector via CDK