I've already answered this here, but copy-paste does not hurt.
The specification for creating a working NAT Gateway is lacking. At the GitHub issue Amazon technicians keep repeating you "just" need Private IP + NAT, however this is not true. I struggled with this myself a lot, but finally got it working properly without using a Public IP for my Fargate services.
To have Fargate services access the internet without having a Public IP you need to set up a VPC which has 2 subnets:

- A public subnet with an Internet Gateway allowing bidirectional internet access
- A private subnet with a NAT Gateway allowing only outgoing internet access

You can create such a VPC in 2 ways: by going to Services > VPC > VPC Dashboard, clicking on Launch VPC Wizard and selecting "VPC with Public and Private Subnets"; or manually:

NOTE: All of the following steps are performed in Services > VPC

- Go to Your VPCs and Create a VPC
- Go to Subnets and Create subnet 2 times
  - private subnet
    - Attach it to the VPC in focus. Whatever CIDR block, whatever availability zone you like
  - public subnet
    - Attach it to the VPC in focus. Whatever CIDR block, whatever availability zone you like
- Go to Internet Gateways and Create internet gateway
  - Name it however you want
  - Select the newly created Internet Gateway, Actions, Attach to VPC and attach it to the VPC in focus
- Go to NAT Gateways and Create NAT Gateway
  - Important: Select the public subnet
  - Create New EIP, or use an existing one given that you have one
  - Wait for the gateway to become Available
- Go to Route Tables and Create route table 2 times
  - private route table
    - Attach it to the VPC in focus
    - Back at the list, select the route table
      - Routes tab on the bottom, Edit routes
        - Add route, destination: 0.0.0.0/0, target the NAT Gateway created previously and Save routes
      - Still having the route table selected, Actions and Set Main Route Table (if not already)
  - public route table
    - Attach it to the VPC in focus
    - Back at the list, select the route table
      - Routes tab on the bottom, Edit routes
        - Add route, destination: 0.0.0.0/0, target the Internet Gateway created previously and Save routes
      - Subnet Associations tab on the bottom, Edit subnet associations
        - Select the public subnet, Save
- Put cucumber on eyes.

Every service you put in the public subnet will have bidirectional internet access and every service you put in the private subnet will have only outgoing internet access (yes, Fargate and EC2 services in the private subnet without Public IPs will have internet access).