
Move ECS tasks to private subnets with VPC endpoints #3

Merged

keithataylor merged 1 commit into main from infra/private-ecs-networking on May 20, 2026

Conversation

@keithataylor (Owner)

Summary

  • Move ECS/Fargate app service from public subnets to private app subnets
  • Disable public IP assignment for ECS app tasks
  • Add VPC endpoints for ECR API, ECR Docker registry, CloudWatch Logs, Secrets Manager, and S3
  • Add explicit private app route table for S3 gateway endpoint routing
  • Tighten app task HTTPS egress from broad 0.0.0.0/0 to AWS service endpoints
  • Add/update AWS deployment and operator documentation

Verified

  • terraform fmt
  • terraform validate
  • terraform plan
  • Applied Terraform changes successfully
  • ECS service reports assignPublicIp = DISABLED
  • Running ECS task ENI has no public IP
  • VPC endpoints are available
  • /health through the ALB returns {"status":"ok"}
  • Final Terraform plan reports no changes

@keithataylor keithataylor merged commit b2c459b into main May 20, 2026
2 checks passed
@keithataylor keithataylor deleted the infra/private-ecs-networking branch May 20, 2026 16:37
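As an added illustration of the network shape the PR summary describes (this is not the PR's own Terraform, which is not shown on this page), the following HCL wires together the pieces listed above: a task security group with no public IP and HTTPS egress limited to the endpoint ENIs and the S3 prefix list, interface endpoints for ECR API, ECR Docker, CloudWatch Logs and Secrets Manager, and an explicit private route table that the S3 gateway endpoint routes through. The inputs var.vpc_id, var.region, var.private_app_subnet_ids, var.alb_security_group_id, var.alb_target_group_arn, var.ecs_cluster_id, var.container_port and the resource aws_ecs_task_definition.app are assumptions declared elsewhere.

```hcl
# Added example, not the PR's Terraform; var.* and aws_ecs_task_definition.app are assumed elsewhere.
locals {
  # Interface endpoints the tasks need: image pulls (ecr.api, ecr.dkr),
  # the awslogs driver (logs) and task-definition secrets (secretsmanager).
  interface_services = toset(["ecr.api", "ecr.dkr", "logs", "secretsmanager"])
}
# Task SG with no inline rules: Terraform then drops AWS's default allow-all egress.
resource "aws_security_group" "app_task" {
  name   = "app-task"
  vpc_id = var.vpc_id
}

# Endpoint ENIs accept 443 only from the task security group.
resource "aws_security_group" "vpc_endpoints" {
  name   = "app-vpc-endpoints"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app_task.id]
  }
}

resource "aws_security_group_rule" "task_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app_task.id
  from_port                = var.container_port
  to_port                  = var.container_port
  protocol                 = "tcp"
  source_security_group_id = var.alb_security_group_id
}

# HTTPS egress scoped to the endpoint SG and the S3 prefix list, not 0.0.0.0/0.
resource "aws_security_group_rule" "task_https_to_endpoints" {
  type                     = "egress"
  security_group_id        = aws_security_group.app_task.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vpc_endpoints.id
}

resource "aws_security_group_rule" "task_https_to_s3" {
  type              = "egress"
  security_group_id = aws_security_group.app_task.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = local.interface_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_app_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true # public service hostnames resolve to the endpoint ENIs
}

# Explicit route table for the private app subnets; the S3 gateway endpoint
# injects its prefix-list route here.
resource "aws_route_table" "private_app" {
  vpc_id = var.vpc_id
}

resource "aws_route_table_association" "private_app" {
  for_each       = toset(var.private_app_subnet_ids)
  subnet_id      = each.value
  route_table_id = aws_route_table.private_app.id
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private_app.id]
}

resource "aws_ecs_service" "app" {
  name            = "app"
  cluster         = var.ecs_cluster_id
  task_definition = aws_ecs_task_definition.app.arn
  launch_type     = "FARGATE"
  desired_count   = 2
  network_configuration {
    subnets          = var.private_app_subnet_ids
    security_groups  = [aws_security_group.app_task.id]
    assign_public_ip = false # task ENI gets no public address
  }
  load_balancer {
    target_group_arn = var.alb_target_group_arn
    container_name   = "app"
    container_port   = var.container_port
  }
}
```

Two caveats worth checking on a change like this. First, the S3 gateway endpoint is not optional even if the app never touches S3: ECR serves image layers from S3, so without it (and without the private route table the gateway endpoint attaches to) Fargate tasks in a private subnet fail to pull. Second, the narrowed egress means any AWS API that is not behind one of these endpoints (STS, KMS, SSM and so on) and any third-party HTTPS call now fails at the security group; that is the intended failure mode, and the fix is to add the specific endpoint or a deliberate egress rule, not to reopen 0.0.0.0/0. The PR's verification steps map onto `aws ecs describe-services` (the assignPublicIp field under networkConfiguration) and `aws ec2 describe-network-interfaces` on the task ENI (no Association.PublicIp).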