ECS Fargate Gateway Deployment Guide

Last modified on October 4, 2023

AWS Fargate, a serverless compute engine, is a popular option for deploying containerized infrastructure with Amazon Elastic Container Service (ECS). This guide provides step-by-step instructions on how to get StrongDM Gateways up and running in Fargate.

These instructions show you how to set up the environment pictured in the diagram below.

[Diagram: Add Gateway]

The diagram shows the following essential components needed to deploy a StrongDM Gateway as a Fargate task using ECS:

  • Virtual Private Cloud (VPC) with internet gateway
  • Private subnet routing traffic through a NAT gateway in a public subnet to connect to the internet
  • Network Load Balancer (NLB) distributing incoming traffic from the internet to a Fargate task in the private subnet

Steps

These instructions explain how to configure an NLB, task definition, cluster, task, and service in the EC2 Console, as well as how to generate a token from the StrongDM Admin UI. We recommend that you keep both the EC2 Console and the Admin UI open in your browser so you can easily tab between them.

Create an NLB in the EC2 Console

  1. Go to the EC2 Console in AWS.
  2. From the left-hand menu, expand Load Balancing and select Load balancers.
  3. Click Create Load balancer, and under Network Load Balancer, click Create.
  4. Set the Basic configuration properties:
    1. Load Balancer Name: Enter a name for the load balancer.
    2. Scheme: Select Internet-facing.
    3. IP address type: Select IPv4. Note that an elastic IP is not required. If you select assigned by AWS, use the DNS name when creating the gateway token.
  5. Set the Network Mapping properties:
    1. VPC: Select the VPC where this ECS gateway will be hosted.
    2. Mappings: Select the availability zone where you want the load balancer to be hosted (i.e., where the public subnet resides).
  6. Set the Listeners and routing properties:
    1. Port: Select TCP port 5000. Note that 5000 is the default TCP port specified for SDM gateways, but you can modify it for your environment.
    2. Create target group: Click the link, which will open a new tab.
  7. On the Specify group details page that opens:
    1. Target type: Select IP Addresses as the target group.
    2. Target group name: Set the name of the target group.
    3. Port: Set TCP port 5000 for the listener. This port needs to match the port you plan to expose on the Fargate container.
    4. Click Next.
  8. On the next page, leave the options blank and click Create target group. Note that a target will be set later once the ECS container is created.
  9. Go back to the Load Balancers properties page, and click the refresh button next to Target group.
  10. Select the target group that was just created.
  11. Click Create load balancer.
  12. Click View load balancers, and copy the NLB DNS name of the NLB that you just created.

Create a gateway token in StrongDM

  1. Log in to the StrongDM Admin UI at app.strongdm.com.
  2. In the main navigation, click Network and then Gateways.
  3. Click add gateway and set the following:
    1. Name: Enter the name of the Gateway.
    2. Hostname: Enter the NLB DNS name that was created in the EC2 Console.
    3. Port: Set 5000.
  4. Click Create.
  5. Save the generated key and keep it in a secure place.

Create an ECS task definition

  1. In the AWS ECS Console, go to Task Definitions and then click Create new Task Definition.
  2. Select Fargate as the launch type compatibility, and click Next step.
  3. On the Configure task and container definitions page:
    1. Task Definition Name: Enter a task name.
    2. Task Role: Select None.
    3. Task memory (GB): Select 4GB.
    4. Task CPU (vCPU): Select 2 vCPU.
  4. Under Container Definitions, click Add container and then set the following:
    1. Container name: Enter a name for the container.
    2. Image: Set quay.io/sdmrepo/relay as the image URL.
    3. Memory Limits (MiB): Set a soft limit of 2048.
    4. Port mappings: Add a TCP port map to 5000. This port needs to match the BIND port specified for the SDM token.
    5. In the Environmental Variables section:
      1. Key: Set SDM_RELAY_TOKEN.
      2. Value: Set the token value created in the Admin UI.
      3. Click Add.
  5. Back on the Configure task and container definitions page, scroll down and click Create.
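As an added example that is not part of the StrongDM guide, the following Python builds the same task definition as a JSON document suitable for `aws ecs register-task-definition --cli-input-json`, using the values from the steps above (Fargate, 2 vCPU, 4 GB, quay.io/sdmrepo/relay, TCP 5000, a 2048 MiB soft limit and SDM_RELAY_TOKEN). It goes slightly beyond the guide by also allowing the token to be injected with the ECS `secrets` field from a Secrets Manager ARN instead of a plain environment variable, and by checking that the container port matches the NLB target group port; the family name, role ARN and secret ARN are placeholders.

```python
import json

# Values taken from the guide's task-definition step.
IMAGE = "quay.io/sdmrepo/relay"
GATEWAY_PORT = 5000            # must match the NLB target group and the token's BIND port
TASK_CPU = "2048"              # 2 vCPU, in CPU units
TASK_MEMORY = "4096"           # 4 GB, in MiB
CONTAINER_SOFT_MEMORY = 2048   # MiB soft limit (memoryReservation)


def build_task_definition(family, container_name, token_source, *,
                          port=GATEWAY_PORT, execution_role_arn=None):
    """Return an ECS task definition dict equivalent to the console steps.

    token_source is either {"value": "<token>"} (plain environment variable,
    as in the guide) or {"valueFrom": "<Secrets Manager ARN>"} (ECS 'secrets'
    injection, an alternative the guide does not describe; it requires an
    execution role allowed to read that secret).
    """
    container = {
        "name": container_name,
        "image": IMAGE,
        "essential": True,
        "memoryReservation": CONTAINER_SOFT_MEMORY,
        # In awsvpc mode hostPort must equal containerPort (or be omitted).
        "portMappings": [{"containerPort": port, "hostPort": port, "protocol": "tcp"}],
    }
    if "valueFrom" in token_source:
        container["secrets"] = [{"name": "SDM_RELAY_TOKEN", "valueFrom": token_source["valueFrom"]}]
    else:
        container["environment"] = [{"name": "SDM_RELAY_TOKEN", "value": token_source["value"]}]
    task_def = {
        "family": family,
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",   # the only network mode Fargate supports
        "cpu": TASK_CPU,
        "memory": TASK_MEMORY,
        "containerDefinitions": [container],
    }
    if execution_role_arn:
        task_def["executionRoleArn"] = execution_role_arn
    return task_def


def check_port_alignment(task_def, target_group_port):
    """True when every exposed container port equals the NLB target group port."""
    ports = {m["containerPort"] for c in task_def["containerDefinitions"] for m in c["portMappings"]}
    return ports == {target_group_port}


if __name__ == "__main__":
    # Placeholder family name and token; write the JSON for the AWS CLI.
    td = build_task_definition("sdm-gateway", "sdm-gateway", {"value": "REPLACE_WITH_TOKEN"})
    assert check_port_alignment(td, GATEWAY_PORT)
    print(json.dumps(td, indent=2))
```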

Create an ECS cluster

  1. In the ECS Console, go to the Clusters section and click Create Cluster.
  2. Services are associated with an ECS cluster. On the Select cluster template page, select Networking Only Powered by AWS Fargate, and click Next step.
  3. On the Configure cluster page, enter the cluster name, and click Create.
  4. Click View Cluster, which will open the Clusters Management page.

Create a new ECS service

  1. On the Clusters Management page, click your cluster name. On that page, click the Services tab and then click Create.
  2. On the Create Service page that opens:
    1. Launch type: Select FARGATE.
    2. Task Definition: Select the task definition created earlier.
    3. Service name: Enter a name for this service.
    4. Number of tasks: Set 1.
    5. Minimum healthy percent: Set 0.
    6. Maximum healthy percent: Set 100.
    7. Deployment type: Set Rolling update.
    8. Click Next step.
  3. On the Configure network page:
    1. Cluster VPC: Select the Fargate VPC where the cluster is hosted.
    2. Subnets: Select a private subnet (e.g., 10.0.7.0/24). Without this, the NLB will not be able to reach the container.
    3. Security Groups: Click Edit and do the following:
      1. Click Create a new security group.
      2. In Basic details:
        1. Security group name: Name the group.
        2. Description: Describe what the group is for.
        3. VPC: Select the VPC.
      3. Under Inbound rules:
        1. Type: Choose Custom TCP.
        2. Port range: Choose the port (e.g., “5000”) you are mapping from the load balancer to the service.
        3. Source: Choose Anywhere. Please note: The load balancer is only open on the ports you forward, and the service is on a private network. You can, however, specify the IP address or range of the load balancer if you prefer. We recommend starting with an open security group for testing; you can modify it later.
      4. Click Create security group.
    4. Auto-assign public IP: Set to DISABLED.
    5. Load balancer type: Select Network Load Balancer.
    6. Load balancer name: Select the NLB that you created earlier.
    7. Click Add to load balancer.
    8. Production listener port: Select 5000 TCP.
    9. These steps also enable the Health check grace period field. Scroll up and enter a value of 600 (seconds), for a 10-minute grace period.
    10. Click Next step.
  4. On the Set Auto Scaling page:
    1. Make sure that Auto-scaling is set to Do not adjust the service’s desired count.
    2. Click Next step.
    3. Click Create Service.
    4. Click View Service.

Verify Gateway

Refresh the page to see that the ECS Gateway is online and running. It should take a couple of minutes for the IP address to show up in the target group associated with the NLB, after which the Gateway should appear in the StrongDM Admin UI with an active heartbeat.

In the StrongDM Admin UI’s Gateways section, you’ll see that your ECS Gateway is online.

Additional Information

Redundant Gateways

We recommend deploying gateways in pairs for redundancy. StrongDM Gateways automatically load balance and fail over when necessary. Because of this, StrongDM Gateways should not be behind the same load balancer.

Because each Gateway requires a unique gateway token, a new Fargate task will need to be defined and associated with a new discovery service. Both services, however, can reside in the same ECS cluster.

Standard Relays

You have the option to use this guide to get StrongDM Relays up and running in Fargate as well. Follow all the steps given, but don’t create an NLB.

Unlike the Gateway, a Relay does not bind to an interface and port, so Relays will not need to be paired with a load balancer. Each Relay will need to be defined by its own Fargate task, as the token is unique and cannot be active in more than one relay process.