I have a container running as a Service on AWS ECS Fargate. It is running in a Public subnet. The Service's associated Security Group allows for Egress on all ports and IPs, i.e. outbound rules are unrestricted. For its AwsvpcConfiguration, I intentionally have AssignPublicIp set to DISABLED. I have no issues with internet connectivity when it's set to ENABLED, but I don't want that in order to comply with my organization's security requirements. I am concerned about having a public IP exposed to the internet; I'd rather have all inbound traffic only flow through my ALB.
What am I missing here in order to get my container to make an outbound call to the internet?
You have to place your ECS tasks/service in a private subnet with routes to a NAT gateway. The NAT gateway should be in a public subnet.