← Week 3: Container Orchestration

Day 16: ECS with Fargate

Phase 5 · Aug 27, 2026

Agenda (2–3 hours)

  • Read (45 min): AWS Fargate documentation; VPC networking for ECS tasks; ECR authentication documentation
  • Study (45 min): Trace the network path from an ALB to a Fargate task; where do security groups apply?
  • Practice (45 min): Deploy a Fargate service in a private subnet; pull image from ECR; expose via ALB
  • Challenge (30 min): A Fargate task needs to call DynamoDB and SQS. Design the VPC networking and IAM to avoid a NAT gateway while maintaining security

Fargate Networking (awsvpc mode)

VPC
├── Public subnet
│   └── ALB (SG: 443 from 0.0.0.0/0)
└── Private subnet
    └── Fargate task ENI (SG: 8080 from ALB SG)
        └── Container: 0.0.0.0:8080

Each task gets its own ENI — fully isolated network stack:

  • Private IP assigned from the subnet
  • Security group applied at the ENI level (not the instance)
  • No port mapping conflicts between tasks
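A defender's check for the scoping shown in the diagram above (task SG ingress only from the ALB SG), written as an added example that is not part of the original course notes. It walks a constructed structure in the shape of `aws ec2 describe-security-groups` output; the group IDs, names and the deliberately included world-open rule are constructed sample data.

```python
"""Audit a Fargate task security group: the task port must be reachable only from the ALB SG."""

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# IDs and names are hypothetical; the second task-SG rule is a deliberate misconfiguration.
ALB_SG = "sg-0a1b2c3d4e5f60001"
TASK_SG = "sg-0a1b2c3d4e5f60002"
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": TASK_SG, "GroupName": "fargate-task-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,   # world-open: should be flagged
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def audit_task_sg(groups, task_sg_id, alb_sg_id, task_port):
    """Return findings for the task SG; an empty list means every ingress rule that
    covers task_port is sourced from the ALB SG and at least one such rule exists."""
    findings = []
    task_sg = next(g for g in groups if g["GroupId"] == task_sg_id)
    from_alb = False
    for perm in task_sg.get("IpPermissions", []):
        # Protocol "-1" means all traffic and carries no port range.
        covers = perm["IpProtocol"] == "-1" or \
            perm.get("FromPort", 0) <= task_port <= perm.get("ToPort", 65535)
        if not covers:
            continue
        for r in perm.get("IpRanges", []):
            findings.append(f"task port {task_port} open to CIDR {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"task port {task_port} open to CIDR {r['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == alb_sg_id:
                from_alb = True
            else:
                findings.append(f"task port {task_port} open to SG {pair['GroupId']}")
    if not from_alb:
        findings.append(f"no ingress rule on port {task_port} sourced from ALB SG {alb_sg_id}")
    return findings


if __name__ == "__main__":
    for f in audit_task_sg(SAMPLE_GROUPS, TASK_SG, ALB_SG, 8080):
        print("FINDING:", f)
```

Run it against real output by loading `aws ec2 describe-security-groups` JSON and passing its `SecurityGroups` list in place of the sample.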

ECR Image Pull

Task execution role must have ecr:GetAuthorizationToken and ecr:BatchGetImage.

VPC endpoint for ECR avoids NAT gateway costs:

Fargate task → VPC Endpoint (com.amazonaws.us-east-1.ecr.api)
            → VPC Endpoint (com.amazonaws.us-east-1.ecr.dkr)
            → S3 Gateway Endpoint (for layer storage)

# Authenticate Docker to ECR (CI/CD pipeline)
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS \
    --password-stdin 123456.dkr.ecr.us-east-1.amazonaws.com

docker push 123456.dkr.ecr.us-east-1.amazonaws.com/my-rust-api:v1.2.3

Health Checks

Two independent health checks:

  1. ECS health check (container-level): exit code 0 = healthy
  2. ALB health check (HTTP): GET /health → 200

"healthCheck": {
  "command": ["CMD-SHELL", "curl -sf http://localhost:8080/health || exit 1"],
  "interval": 30,
  "timeout": 5,
  "retries": 3,
  "startPeriod": 60
}

startPeriod: grace period for slow-starting containers — ECS won't count health check failures during this window.


Key Takeaways

  • Fargate tasks run in private subnets; ALB in public subnet bridges inbound traffic
  • VPC endpoints for ECR and S3 eliminate NAT gateway cost for image pulls
  • startPeriod prevents crash loops during container startup
  • Security groups apply at the ENI level; scope ALB SG → task SG, not 0.0.0.0/0

Tomorrow: EKS architecture — control plane, managed node groups, and Kubernetes add-ons.