I have an ECS Fargate container app that serves API requests over the public internet.
My understanding is that this API service container can be deployed on the public subnet and that it is configured with the ALB DNS and target group. As we can see, the target group redirects the traffic to the private IP of the ECS task, so I guess we don't need a public IP to be enabled when launching the task. However, when I attempt this, the ECS task launch gets an error: "Resourceinitializationerror: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-2.amazonaws.com/": dial tcp 52.94.53.88:443: i/o timeout"
If this is not workable and we need to enable a public IP on the task launch, I'd prefer to restrict the public IP port access only to the web service ALB as a best security practice. Could someone suggest a workable approach for this use case, please? Thanks.
"I'd prefer to restrict the public IP port access only to web service ALB for best security practice."
Have you tried doing that? It should work fine. Since security groups are stateful, as long as the outbound rules are open, you should be able to lock down the inbound rules on the security group.
If you want to remove the public IP completely, then you will need to either deploy the Fargate task to a private subnet, with a route to a NAT Gateway, or add VPC endpoints to your VPC for the AWS services that the task needs to access, like ECR.
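The two points in the answer above, as an added Terraform example (not code from the question or the answer): a task security group that accepts the container port only from the ALB's security group and relies on stateful egress, plus the interface and gateway VPC endpoints that let a task with `assign_public_ip = false` in a private subnet reach ECR without a NAT Gateway. The region `eu-west-2` comes from the error message in the question; the VPC, private subnets, private route table, ALB security group, cluster, task definition and target group (`aws_vpc.main`, `aws_subnet.private`, `aws_route_table.private`, `aws_security_group.alb`, `aws_ecs_cluster.main`, `aws_ecs_task_definition.api`, `aws_lb_target_group.api`) and the container port 8080 are placeholders assumed to exist elsewhere in your configuration.

```hcl
# Added example (Terraform HCL), not code from the original post.
# Assumed placeholders: aws_vpc.main, aws_subnet.private[*], aws_route_table.private,
# aws_security_group.alb, aws_ecs_cluster.main, aws_ecs_task_definition.api,
# aws_lb_target_group.api. Container port 8080 is an assumption.

locals {
  region = "eu-west-2" # region from the error message in the question
}

# Task security group: no inbound from the internet, only from the ALB.
# Security groups are stateful, so replies to ALB traffic and the task's own
# outbound connections (ECR, CloudWatch Logs) need no extra inbound rules.
resource "aws_security_group" "task" {
  name   = "api-task-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    description     = "Container port, from the ALB security group only"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the interface endpoints: accept HTTPS from the task SG.
resource "aws_security_group" "vpce" {
  name   = "vpce-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    description     = "HTTPS from Fargate tasks"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.task.id]
  }
}

# ecr.api answers the registry-auth call that timed out in the question;
# ecr.dkr serves image manifests; image layers are fetched from S3, so a
# gateway endpoint on the private route table is required as well.
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# The awslogs log driver needs CloudWatch Logs reachable from the subnet too.
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true
}

# Service in private subnets, no public IP, reachable only through the ALB.
resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.api.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = aws_subnet.private[*].id
    security_groups  = [aws_security_group.task.id]
    assign_public_ip = false
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.api.arn
    container_name   = "api"
    container_port   = 8080
  }
}
```

If the task definition pulls values from Secrets Manager or SSM Parameter Store (the "unable to pull secrets" part of the error), add interface endpoints for `secretsmanager` and/or `ssm` in the same way; any other AWS API the task calls at runtime needs either an endpoint or a NAT route. If you keep the task on a public subnet with a public IP instead, the `aws_security_group.task` block alone is the relevant part: the ALB-only ingress rule is what prevents direct access to the public IP.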