How can I run an Amazon ECS task on Fargate in a private subnet?

Last updated: 2020-12-18

You can run Fargate tasks in private subnets. However, Fargate tasks might require internet access for certain operations, such as pulling an image from a public repository or sourcing secrets. You can provision your NAT gateway in public subnets to provide outbound internet access to Fargate tasks that don't require a public IP address.

Create an Amazon Virtual Private Cloud (Amazon VPC) with a public and private subnet.

Create a NAT gateway.

When you create your NAT gateway, be sure that you:

• Place your NAT gateway inside the public subnet.
• Update the route table of the private subnet. For Destination, enter 0.0.0.0/0. For Target, select the ID of your NAT gateway.

1. Create an Amazon ECS cluster using the Networking only template (powered by Fargate).
2. Create an Amazon ECS service.

When you configure the network for the service, be sure that you:

1. Choose the cluster that you created in step 1 for your cluster VPC.
2. Choose the private subnet from your NAT gateway.

Now, your new tasks will be launched in the private subnet.