
Create VPC endpoints for ECS services

This guide shows how to create VPC endpoints that can be used by your ECS services.

Why create VPC endpoints?

VPC endpoints enable your ECS services to connect directly to AWS services like Amazon Elastic Container Registry (ECR) and Amazon CloudWatch, bypassing the public internet. VPC endpoints limit the routes through which data can exit the network, reducing the risk of unauthorized traffic.

Reference implementation

See the VPC endpoints in pirates-iac.

Before you begin

Review your existing infrastructure to understand how introducing VPC endpoints might impact it. Which AWS services does your environment rely on? How might VPC endpoints affect these interactions? Most likely, there will be no impact, but it's important to consider this.

Step 1: Create VPC endpoints

Navigate to the stack where your VPC is created and download the VPC endpoints template:

ok get-template vpc_endpoints

Step 2: Apply the configuration

Initialize Terraform and apply the configuration:

terraform init
terraform apply

Step 3: Confirm that everything works

If you rely on any of the services listed in the configuration, you should confirm that everything works as expected.

Once the interface endpoints are created, AWS automatically generates DNS entries within the VPC. These DNS entries enable instances in your VPC to use private IP addresses to communicate with the service.

Next steps

You now have the option to tighten the security group rules for your ECS services. In most cases you need to configure a security group rule with an S3 prefix list [1]. The traffic will then be re-routed through the VPC gateway endpoint.

Reference implementation

See the S3 prefix list security group rule in pirates-iac.
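The endpoints from Step 1 and the prefix-list rule above, written out as an added Terraform example (not the pirates-iac code). It assumes the inputs var.vpc_id, var.private_subnet_ids, var.private_route_table_ids and an existing aws_security_group.ecs_tasks for the ECS tasks.

```hcl
# Added example, not pirates-iac code. Assumed inputs: var.vpc_id,
# var.private_subnet_ids, var.private_route_table_ids, aws_security_group.ecs_tasks.
data "aws_region" "current" {}

# Security group on the endpoint ENIs: HTTPS from the ECS task SG only.
resource "aws_security_group" "vpc_endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "endpoints_https" {
  security_group_id            = aws_security_group.vpc_endpoints.id
  referenced_security_group_id = aws_security_group.ecs_tasks.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Interface endpoints for ECR API, ECR image layers (dkr) and CloudWatch Logs.
# private_dns_enabled makes the public service hostnames resolve to the ENIs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ecr.api", "ecr.dkr", "logs"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# S3 gateway endpoint: ECR serves image layers from S3, so pulls need it.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# AWS-managed S3 prefix list, so ECS egress can be limited to S3 instead of 0.0.0.0/0.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_vpc_security_group_egress_rule" "ecs_to_s3" {
  security_group_id = aws_security_group.ecs_tasks.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
}
```

After `terraform apply`, confirm a task can still pull its image and ship logs before removing any broader egress rule, since the ECS task security group also needs HTTPS egress to the interface endpoint security group.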

If you rely on public container images and want to use VPC endpoints, you need to create an ECR pull through cache rule.

  1. AWS-managed prefix lists are sets of IP address ranges for AWS services.