A step by step guide to create VPC endpoint for Amazon ECS
Let’s start with some VPC endpoint basics and why we need VPC endpoint for Amazon ECS. Followed by step by step procedure to create the VPC endpoints for ECS along with screenshots.
What is VPC endpoint?
The VPC endpoint is your gateway for communicating with AWS services public endpoints from resources having no internet access at all. Services like S3, ECS, API Gateway has public endpoints. So when you access them, your request will route through the internet to those service endpoints.
In a secure environment, where instances or resources in the private subnet have absolutely no access to the internet not even via NAT gateway etc., they will not be able to communicate with public AWS endpoints. In such cases, we can leverage VPC endpoints to communicate with such services using Amazon’s internal network (Amazon PrivateLink).
Even with internet access, since traffic is going out to the internet and then reaching AWS services it will have some delay. Using VPC Endpoint makes your access pretty fast using Amazon PrivateLink!
Our Amazon ECS articles –
For this tutorial please refer below architecture –
Creating VPC endpoint for Amazon ECS
For this exercise, I will be using a custom VPC and ECS cluster I created in previous tutorials.
- Login to VPC dashboard
- On the left navigation panel, click Endpoints
- On the endpoint page displayed on right, click Create Endpoint
- 3 endpoints need to be created for ECS.
- com.amazonaws.region.ecs-agent
- com.amazonaws.region.ecs-telemetry
- com.amazonaws.region.ecs
- where the region is a region where the ECS cluster is running. In my case its us-east-1
Here list of fields to be set –
- Service category: AWS services
- Service Name: All 3 provided above.
- VPC: Select VPC where ECS cluster is running
- Subnets: Select subnets to associate endpoints with. I selected private subnets only.
- Enable DNS name: Recommended to enable so that ECS agents can communicate with ECS service without any trouble.
- Security Group: Security group to be attached to the ENI of this gateway. Make sure port 443 inbound traffic is allowed from above subnets
- Tags: For identification
Finally, click the Create endpoint button. Repeat the same process to create 3 endpoints for the services mentioned above.
3 Endpoints should goto available status from pending.
It is clear that each endpoint is having 2 ENIs in 2 subnets. i.e. one interface in each subnet.
This completes VPC Endpoint creation for ECS service. Now, ECS instances can make use of these interfaces when they spun up. If instances are already running then you need to restart the ECS agent on them using the below command and it will start using VPC Endpoints.
[ec2-user@ip-10-0-0-14 ~]$ sudo docker restart ecs-agent
ecs-agent
For testing, I just terminated existing ECS instances and the ECS autoscaling group spun up new ECS instances in a private zone (which does not have a NAT gateway so no internet). Both got registered to the ECS cluster successfully via VPC endpoint!
Troubleshooting:
In case ECS instances are not getting registered to the ECS cluster using VPC endpoints then the below points needs to be validated –
- The instance is running ECS agent version 1.25.1 or higher
- Security group of endpoints is allowing 443 traffic from instances
- Endpoints are created in the same region as the ECS cluster
- ECS agents are restarted on ECS instances after endpoints creation.
If ECS instances are registered but Agent connected is being shown as False. In such scenario below points needs to be validated –
- Docker and ECS agent services are running on the server. (
systemctl status docker/ecs
) - The proper instance role (ecsInstanceRole) is attached to ECS instances. (
curl http://169.254.169.254/latest/meta-data/iam/info
) - Inspect logfile at location :
/var/log/ecs/ecs-agent.log
on ECS instances.