ECS Fargate Gateways

Amazon Fargate is a popular option for deploying containerized infrastructure. This document is a step-by-step guide to getting strongDM gateways up and running in Fargate. If you just need to set up relays, you can use the table of contents and skip to the Standard Relays step.


Add Gateway
Add Gateway

The diagram above shows the essential components needed to deploy an SDM gateway as a Fargate task using AWS' ECS. With the exception of the Fargate section everything else will be configured under the EC2 dashboard.

VPC with internet gateway

  • Public Subnet
    • Routed to Internet gateway
    • => IGW
    • NAT Gateway
    • NLB
  • Private Subnet
    • Routed to NAT gateway
    • => NAT
    • Fargate task
    • Public IP disabled
    • NLB => Discovery service

NAT Gateway

  • Assign to the public subnet
  • Route traffic from the private subnet to this gateway

Network Load Balancer NLB

Deploy an NLB to match the diagram by using the following settings.

Configure Load Balancer

  • Internet Facing
    • yes
  • Listener
    • TCP:5000
    • 5000 is the default TCP port specified for SDM gateways but can be modified for your environment
  • Availability Zone
    • Link to zone where public subnet resides
    • Assign to the public subnet
  • IPv4 Address
    • An elastic IP is not required
    • If selecting assigned by AWS use the DNS name when creatign the gateway token.

Configure Security Settings

  • bypass

Configure Routing

  • Target Group
    • Target type IP
    • Protocol TCP
    • Port 5000
    • This port needs to match the port you plan to expose on the Fargate container.
  • Health Check
    • Protocol TCP

Configure Register Targets

  • bypass


Review settings and create NLB

Generate SDM Gateway Token

Input the DNS name and listener port from the NLB as the hostname and port number into the add gateway form. This will generate a unique SDM gateway token.

Read Gateways for more information.

Fargate Task Definition

For the remaining sections switch to the ECS dashboard.

Configure Task

  • launch type: Fargate
  • Task Role: None
  • Network Mode: awsvpc
  • Task Execution Role: ecsTaskExecutionRole
    • Any role with permission to download docker images.
  • Task memory: 1GB
  • Task CPU: 0.5 vCPU

Add Container

  • Image:
  • Memory limit, soft limit 1024
  • Port mappings
  • Protocol: TCP
  • Container port: 5000
    • Needs to match the BIND port specified for the SDM token
  • Environment Variable
  • Value: xxxxSDMxxxGATEWAYxxxTOKENxxx

Review Task

Review settings and create

Create Cluster

Services are associated with an ECS cluster. Start by creating a cluster with type Network Only. After creating the cluster, create a service from the cluster menu.

Discovery Service

Configure Service

  • Launch type: Fargate
  • Task definition: Use the task definition created in the previous step
  • Cluster: Should already be associated
  • Service name: Choose a unique name
  • Number of tasks: 1
    • Only one task is allowed as the gateway token cannot be active on more than one gateway.
  • Minimum healthy percentage: 0
  • Maximum healthy percentage: 100
  • Deployment type: Rolling update

Configure Network

  • Cluster VPC: Fargate VPC
  • Subnet: Private subnet created earlier
    • Without this the NLB will not be able to reach the container e.g.
  • Security groups:
    • Allow inbound: The port specified during the token creation from the VPC CIDR
    • e.g. inbound TCP:5000 from source
  • Auto-assigned public IP: DISABLED
  • Load Balancer: Network Load Balancer
  • Load Balancer Name: NLB created earlier
  • Add the container name from the Fargate task created earlier
    • This automatically assigns the IP assigned to the container during creation to the NLB

Set Auto Scaling

  • do not autoscale

Review Service

  • Verify details and create.

Verify Gateway

It should take a couple of minutes for the IP address to show up in the target group associated with the NLB, after which the gateway should appear in the strongDM admin UI with an active heartbeat.

If any errors occur or if the gateway does not report "online" status, please contact for assistance.

Redundant Gateways

It is recommended to deploy gateways in pairs for redundency. SDM gateways automatically load balance and fail over when necessary. Because of this SDM gateways should not be behind the same load balancer.

Because each gateway requires a unique gateway token, a new Fargate task will need to be defined and associated with a new discovery service. However, both services can reside in the same ECS Cluster.

Standard Relays

Unlike the gateway a relay does not bind to an interface and port, so they will not need to be paired with a load balancer. Still each relay will need to be defined by its own Fargate task as the token is unique and cannot be active in more than one relay process. Read Standard Relays for more information.

Installation — Previous
EC2 Gateways
Next — Installation
Docker Gateways