aws-samples/aws-modern-application-workshop

Why do we need NAT gateways in module 2

dharani1990 opened this issue · 5 comments

Hi,

Can someone please tell me why the containers hosted in the private subnet need to talk to the internet? It is hosted behind an NLB and the internet traffic comes via the NLB only. Can I exclude NAT gateways from module 2?

Good question! I understand that internet access is required so that updates can be downloaded, but I wonder if this functionality is required for this lab.

The CDK variant of the lab makes it much easier to tear down the environment and recreate it, thus helping to minimize unexpected charges.


Exactly my point! The only way to understand is by trying without a NAT gateway and seeing what happens.

Container instances need access to communicate with the Amazon ECS service endpoint. This can be through an interface VPC endpoint or through container instances having public IP addresses.

In our case we do not have an interface VPC endpoint configured and the container instances do not have public IP addresses, so we must use network address translation (NAT) to provide this access.

The same logic goes with Fargate also:
Fargate (without internet access in a private subnet) can't make a network request to Amazon ECR to download the container image, or communicate with Amazon CloudWatch to store container metrics. To run a Fargate task in a private subnet, we must add this NAT gateway.

I experimented with this by launching a Fargate cluster and task without a NAT gateway. The task never moved to the running state as it was not able to download the container image from ECR because there is no internet access in the private subnet. I then launched a NAT gateway, added it to the private routing table, and immediately my task status moved to the running state and the private IP of my container was successfully registered to my target group of the ALB.

I then deleted the NAT gateway immediately as I don't need it afterwards. :)

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html
https://aws.amazon.com/blogs/compute/task-networking-in-aws-fargate/
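As an added illustration of the point made in this comment (this is not code from the workshop or from AWS), here is a preflight check that, given a private subnet's route table and the VPC's endpoints, reports which services a Fargate task still cannot reach. The input mirrors the shape of EC2 DescribeRouteTables / DescribeVpcEndpoints responses, but the sample data is constructed by hand, and the set of required services (ECR API, ECR Docker registry, CloudWatch Logs, plus the S3 gateway endpoint that ECR image layers are served from) is an assumption about what a typical task needs at launch.

```python
# Added example, not part of the workshop. Decides whether a Fargate task placed
# in a private subnet can pull its image and ship logs, i.e. the failure the
# commenter hit (task never reached RUNNING) before adding a NAT gateway.
# Services assumed necessary at task launch. The S3 gateway endpoint is listed
# because ECR stores image layers in S3; with a NAT route none of this matters.
REQUIRED_SERVICES = {"ecr.api", "ecr.dkr", "logs", "s3"}


def has_internet_route(route_table):
    """True if an active default route points at a NAT or internet gateway."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        target = route.get("NatGatewayId") or route.get("GatewayId", "")
        if target.startswith(("nat-", "igw-")):
            return True
    return False


def endpoint_services(endpoints, vpc_id, route_table_id, region):
    """Services reachable without NAT: interface endpoints in this VPC with
    private DNS enabled, plus gateway endpoints attached to this route table."""
    prefix = f"com.amazonaws.{region}."
    reachable = set()
    for ep in endpoints:
        if ep["VpcId"] != vpc_id or ep["State"] != "available":
            continue
        name = ep["ServiceName"].removeprefix(prefix)
        if ep["VpcEndpointType"] == "Interface" and ep.get("PrivateDnsEnabled"):
            reachable.add(name)
        elif ep["VpcEndpointType"] == "Gateway" and route_table_id in ep["RouteTableIds"]:
            reachable.add(name)
    return reachable


def missing_services(route_table, endpoints, vpc_id, region="us-east-1"):
    """Empty set means a task in a subnet using this route table can start."""
    if has_internet_route(route_table):
        return set()
    have = endpoint_services(endpoints, vpc_id, route_table["RouteTableId"], region)
    return REQUIRED_SERVICES - have


# Constructed sample: the private subnet with only the VPC-local route, then the
# same subnet after a 0.0.0.0/0 route to a NAT gateway is added (as in the comment).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
NAT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b", "State": "active"}
PRIVATE_RT = {"RouteTableId": "rtb-priv", "Routes": [LOCAL]}
NAT_RT = {"RouteTableId": "rtb-priv", "Routes": [LOCAL, NAT]}
ENDPOINTS = [{"VpcId": "vpc-1", "State": "available", "VpcEndpointType": "Gateway",
              "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-priv"]}]

if __name__ == "__main__":
    print(sorted(missing_services(PRIVATE_RT, ENDPOINTS, "vpc-1")))  # ['ecr.api', 'ecr.dkr', 'logs']
    print(sorted(missing_services(NAT_RT, ENDPOINTS, "vpc-1")))      # []
```

In real use the two inputs would come from `describe_route_tables` and `describe_vpc_endpoints`; an empty result from `missing_services` tells you whether the NAT gateway can be dropped in favour of VPC endpoints for this subnet.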

It's possible to set up Fargate with public subnets only and an Application Load Balancer. I had to change the Python application to expose port 80.
In this setup, you actually don't need the API Gateway (or else you have to modify its integrations).