How can I run an Amazon ECS task on Fargate in a private subnet?

Last updated: 2020-12-18

I want to run an Amazon Elastic Container Service (Amazon ECS) task on AWS Fargate in a private subnet.

Short description

You can run Fargate tasks in private subnets. However, a Fargate task might still need outbound internet access for certain operations, such as pulling an image from a public repository or retrieving secrets. To provide that outbound access to Fargate tasks that don't require a public IP address, provision a NAT gateway in a public subnet and route the private subnet's internet-bound traffic through it.


Create a VPC

Create a NAT gateway

Create a NAT gateway.

When you create your NAT gateway, be sure that you:

  • Place your NAT gateway inside the public subnet.
  • Update the route table of the private subnet: for Destination, enter the destination CIDR block for internet-bound traffic, and for Target, select the ID of your NAT gateway.

Create an Amazon ECS cluster and service

  1. Create an Amazon ECS cluster using the Networking only template (powered by Fargate).
  2. Create an Amazon ECS service.

When you configure the network for the service, be sure that you:

  1. For Cluster VPC, choose the VPC of the cluster that you created in step 1.
  2. Choose the private subnet whose route table points to your NAT gateway.

Your new tasks now launch in the private subnet.
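The following AWS CloudFormation template is an added example that ties the steps above together; it is not part of this article and is not AWS-provided code. It assumes that the VPC, one public subnet, one private subnet and the private subnet's route table already exist and are passed in as parameters, and that the container image is supplied as a parameter. It places the NAT gateway in the public subnet, adds a default route (0.0.0.0/0, the destination value that the route table step above leaves blank) from the private subnet to the NAT gateway, and launches a Fargate service in the private subnet with AssignPublicIp set to DISABLED, which is the setting that keeps the tasks private. The service depends on the route so that the first task doesn't try to pull its image before the NAT path exists.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the article): NAT gateway in a public subnet, a
  default route for the private subnet, and a Fargate service whose tasks
  run in the private subnet without a public IP address.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id        # assumed: has a route to an internet gateway
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id        # assumed: no route to an internet gateway
  PrivateRouteTableId:
    Type: String                      # assumed: route table associated with PrivateSubnetId
  ContainerImage:
    Type: String                      # placeholder: image URI to run, e.g. from a public registry

Resources:
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # The NAT gateway lives in the PUBLIC subnet so it can reach the internet gateway.
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId

  # Internet-bound traffic from the private subnet goes to the NAT gateway.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  # No ingress rules: nothing on the internet can initiate a connection to the tasks.
  # Default egress (allow all) lets the task pull its image through the NAT gateway.
  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Fargate tasks in the private subnet (no inbound rules)
      VpcId: !Ref VpcId

  # Execution role used by the ECS agent to pull images and write logs.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  Cluster:
    Type: AWS::ECS::Cluster

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn
      ContainerDefinitions:
        - Name: app
          Image: !Ref ContainerImage
          Essential: true

  # Wait for the NAT route so the first task can pull its image.
  Service:
    Type: AWS::ECS::Service
    DependsOn: PrivateDefaultRoute
    Properties:
      Cluster: !Ref Cluster
      LaunchType: FARGATE
      DesiredCount: 1
      TaskDefinition: !Ref TaskDefinition
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED          # tasks get only a private IP address
          Subnets: [!Ref PrivateSubnetId]
          SecurityGroups: [!Ref TaskSecurityGroup]
```

After the stack is created, confirm that the running task has no public IP address and that its ENI sits in the private subnet; if the task stops with an image pull error, the usual cause is a private subnet whose route table still lacks the route to the NAT gateway.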

