Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable Auto-assign public IPv4 address on the public subnets #5194

Closed
WillGibson opened this issue Aug 15, 2023 · 4 comments
Closed

Disable Auto-assign public IPv4 address on the public subnets #5194

WillGibson opened this issue Aug 15, 2023 · 4 comments

Comments

@WillGibson
Copy link

We are trying to remediate the "[ECS.2] ECS services should not have public IP addresses assigned to them automatically" failed check which is being reported by AWS Trusted Adviser.

I cannot find a documented way to disable "Auto-assign public IPv4 address" from the environment manifest.

Is this possible at all?

If not, maybe this is a feature request?
@WillGibson
Copy link
Author

It seems we can disable the assignment of the public IP on the service using...

network:
  vpc:
    placement: private

...but this results in the creation of NAT Gateways which we do not want or need.

This option...

network:
  vpc:
    placement:
      subnets: [ "subnet-123", "subnet-456", "subnet-789" ]

...give us no public IPs without the creation of NAT Gateways, but it seems brittle having to hard code the subnet ids and the task then cannot connect to Secrets Manager to retrieve a secret unless (by the looks of things) we create an interface VPC endpoint for Secrets Manager.

@WillGibson
Copy link
Author

Ignore this. On further chatting with a colleague, we are happy with the NAT Gateways.

@KollaAdithya
Copy link
Contributor

KollaAdithya commented Aug 16, 2023
edited
Loading

Hello @WillGibson !
I listed couple of possible options!

For a task on Fargate to pull a container image, the task must have a route to the internet. ECS has following options for the network configuration of the tasks. (doc)

  1. When using a public subnet, you can assign a public IP address to the task ENI.
  2. When using a private subnet, the subnet can have a NAT gateway attached.
  3. When using container images that are hosted in Amazon ECR, you can configure Amazon ECR to use an interface VPC
    endpoint and the image pull occurs over the task’s private IPv4 address. For more information, see Amazon ECR interface VPC endpoints (AWS PrivateLink) in the Amazon Elastic Container Registry User Guide.

So there are two options for disabling the AssignPublicIp
Option1: Using PrivateSubnets for task placement
In your workload manifest you can modify placement to be private

step1:

network:
  vpc:
     placement: private

also use the below yaml patches for svc overrides to disable the AssignPublicIp
step2:

- op: replace
  path: /Resources/Service/Properties/NetworkConfiguration/AwsvpcConfiguration/AssignPublicIp
  value: DISABLED

Note: When placing tasks on private subnets, Copilot provisions NatGateway , so be cautious about the extra costs for the NatGateway.

Option2: Using Env Addons to create VPC endpoints for ECR,S3 and Cloudwatch on private subnets.
step1:

Parameters:
  App:
    Type: String
  Env:
    Type: String

Resources:
  VpcEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "securitygroup for vpc endpoint"
      VpcId:
        Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
  VpcEndpointSecurityGroupIngressFromEnvironment:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Ingress from services in the environment
      GroupId: !Ref VpcEndpointSecurityGroup
      IpProtocol: -1
      SourceSecurityGroupId:
        Fn::ImportValue: !Sub "${App}-${Env}-EnvironmentSecurityGroup"
  VPCEndpointForECR:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: 
        Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
      SecurityGroupIds:
        - !Ref VpcEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.dkr'
      PrivateDnsEnabled: true
      SubnetIds:
        !Split [",", { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" }]
          
  VPCEndpointForECRAPI:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: 
        Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
      SecurityGroupIds:
        - !Ref VpcEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
      PrivateDnsEnabled: true
      SubnetIds:
        !Split [",", { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" }]
    
  VPCEndpointForS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: 
        Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      RouteTableIds: 
        - Fn::ImportValue: !Sub "${App}-${Env}-PublicRouteTableID"

  VPCEndpointForCloudWatch:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: 
        Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
      SecurityGroupIds:
        - !Ref VpcEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      PrivateDnsEnabled: true
      SubnetIds:
        !Split [",", { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" }]

Step2:
Also add yaml patches for svc overrides to disable AssignPublicIp

- op: replace
  path: /Resources/Service/Properties/NetworkConfiguration/AwsvpcConfiguration/AssignPublicIp
  value: DISABLED

Points to be noted for option2:

  1. Be careful about adding an S3 gateway to your VPC if your application is actively using S3. With gateway endpoints, your application’s existing connections to S3 may be briefly interrupted while the gateway is being added.
  2. Also should take note of the costs for VPC endpoints.
  3. With VPC endpoints ECS can only pull docker images from the ECR repository but it can not pull images from outside the AWS Cloud such as dockerhub because the traffic flow will be with in the VPC.

Reference Docs:

@iamhopaul123 iamhopaul123 pinned this issue Feb 21, 2024
@iamhopaul123 iamhopaul123 mentioned this issue Mar 5, 2024
Open
@richardgavel-ordinaryexperts
Copy link

  1. With VPC endpoints ECS can only pull docker images from the ECR repository but it can not pull images from outside the AWS Cloud such as dockerhub because the traffic flow will be with in the VPC.

Unless you make use of ECR pull thru caching, which is not a bad idea anyway with dockerhub to avoid issues with throttling pulls by source IP on it.

@iamhopaul123 iamhopaul123 mentioned this issue Aug 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@WillGibson @KollaAdithya @richardgavel-ordinaryexperts