Create VPC endpoints for ECS services
This guide shows how to create VPC endpoints that can be used by your ECS services.
Why create VPC endpoints?
VPC endpoints enable your ECS services to connect directly to AWS services like Amazon Elastic Container Registry (ECR) and Amazon CloudWatch, bypassing the public internet. VPC endpoints limit the routes through which data can exit the network, reducing the risk of unauthorized traffic.
Reference implementation
See the VPC endpoints in pirates-iac.
Before you begin
Review your existing infrastructure to understand how introducing VPC endpoints might impact it. Which AWS services does your environment rely on? How might VPC endpoints affect these interactions? Most likely, there will be no impact, but it's important to consider this.
Step 1: Create VPC endpoints
Navigate to the stack where your VPC is created and download the VPC endpoints template:
ok get-template vpc_endpoints
ok get-template _variables_vpc_endpoints.tf
ok get-template _config_vpc_endpoints.auto.tfvars.json
Step 2: Apply the configuration
Initialize Terraform and apply the configuration:
Step 3: Confirm that everything works
If you rely on any of the services listed in the configuration, you should confirm that everything works as expected.
Once the interface endpoints are created, AWS automatically generates DNS entries within the VPC. These DNS entries enable instances in your VPC to use private IP addresses to communicate with the service.
Next steps
You now have the option to tighten the security group rules for your ECS services. In most cases you need to configure a security group rule with an S3 prefix list [1]. The traffic will then be re-routed through the VPC gateway endpoint.
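The endpoints and the tightened security group rule described above, as an added Terraform example that is not the pirates-iac code. It assumes the variables var.vpc_id, var.region, var.private_subnet_ids, var.route_table_ids and var.ecs_task_sg_id (the security group attached to the ECS tasks) already exist.

```hcl
# Added example, not the pirates-iac code; the var.* values are assumed to exist.
# Gateway endpoint for S3. ECR serves image layers from S3, so private pulls need it too.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids
}

# Security group for the interface endpoints: accept HTTPS only from the ECS tasks.
resource "aws_security_group" "vpc_endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.ecs_task_sg_id]
  }
}

# Interface endpoints for ECR (API and Docker registry) and CloudWatch Logs.
# private_dns_enabled makes the service hostnames resolve to the endpoint inside the VPC.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ecr.api", "ecr.dkr", "logs"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# Tightened egress for the ECS tasks: HTTPS to the endpoint security group and to the
# S3 prefix list (routed through the gateway endpoint); no rule for 0.0.0.0/0 at all.
resource "aws_vpc_security_group_egress_rule" "ecs_to_endpoints" {
  security_group_id            = var.ecs_task_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.vpc_endpoints.id
}

resource "aws_vpc_security_group_egress_rule" "ecs_to_s3" {
  security_group_id = var.ecs_task_sg_id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = aws_vpc_endpoint.s3.prefix_list_id
}
```

If the ECS task security group is defined with inline egress blocks, move those to standalone rules first; otherwise the inline blocks and the standalone rules will keep overwriting each other on every apply.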
Reference implementation
If you rely on public container images and want to use VPC endpoints, you need to create a ECR pull through cache rule.
[1] AWS-managed prefix lists are sets of IP address ranges for AWS services.