Creating Gateways and Relays with Amazon Fargate

Amazon Fargate is a popular option for deploying containerized infrastructure. This document is a step-by-step guide to getting strongDM gateways up and running in Fargate. If you just need to set up relays, you can skip to Step 10.

  1. Environment
  2. NAT Gateway
  3. Network Load Balancer NLB
    1. Configure Load Balancer
    2. Configure Security Settings
    3. Configure Routing
    4. Configure Register Targets
    5. Review
  4. Generate SDM Gateway Token
  5. Fargate Task Definition
    1. Configure Task
    2. Add Container
    3. Review Task
  6. Create Cluster
  7. Discovery Service
    1. Configure Service
    2. Configure Network
    3. Set Auto Scaling
    4. Review Service
  8. Verify Gateway
  9. Redundant Gateways
  10. Standard Relays


[Image: single gateway deployment]

The diagram above shows the essential components needed to deploy an SDM gateway as a Fargate task using AWS ECS. With the exception of the Fargate section, everything else is configured under the EC2 dashboard.

[Image: EC2 Dashboard]

NAT Gateway

Network Load Balancer NLB

Deploy an NLB to match the diagram by using the following settings.

Configure Load Balancer

Configure Security Settings

Configure Routing

Configure Register Targets


Review settings and create NLB

Generate SDM Gateway Token

Enter the DNS name and listener port from the NLB as the hostname and port number in the add gateway form. This will generate a unique SDM gateway token.

[Image: New Gateway]

Read Gateways for more information.

Fargate Task Definition

For the remaining sections, switch to the ECS dashboard.

[Image: EC2 Dashboard]

Configure Task

Add Container

Review Task

Review settings and create

Create Cluster

Services are associated with an ECS cluster. Start by creating a cluster with type Network Only. After creating the cluster, create a service from the cluster menu.

Discovery Service

Configure Service

Configure Network

Set Auto Scaling

Review Service

Verify Gateway

It should take a couple of minutes for the IP address to show up in the target group associated with the NLB, after which the gateway should appear in the strongDM admin UI with an active heartbeat.

If any errors occur or if the gateway does not report “online” status, please contact for assistance.

Redundant Gateways

It is recommended to deploy gateways in pairs for redundancy. SDM gateways automatically load balance and fail over when necessary. Because of this, SDM gateways should not be behind the same load balancer.

[Image: single gateway deployment]

Because each gateway requires a unique gateway token, a new Fargate task will need to be defined and associated with a new discovery service. However, both services can reside in the same ECS Cluster.

Standard Relays

Unlike a gateway, a relay does not bind to an interface and port, so it does not need to be paired with a load balancer. Each relay still needs to be defined by its own Fargate task, because the token is unique and cannot be active in more than one relay process. Read Standard Relays for more information.
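
The token and load balancer rules from the Redundant Gateways and Standard Relays sections can be checked before anything is deployed. The Python check below is an added example, not part of the original guide or strongDM tooling; it assumes the token is passed in an environment variable or secret named SDM_RELAY_TOKEN, that the input dictionaries use ECS service and task definition field names, and that a hypothetical map from target group to NLB is supplied.

```python
from collections import defaultdict

TOKEN_VAR = "SDM_RELAY_TOKEN"  # assumption: env var that carries the token

def token_ref(task_def):
    """Return the token value (environment) or its reference (secrets)."""
    for c in task_def["containerDefinitions"]:
        for e in c.get("environment", []):
            if e["name"] == TOKEN_VAR:
                return e["value"]
        for s in c.get("secrets", []):
            if s["name"] == TOKEN_VAR:
                return s["valueFrom"]
    return None

def lint(services, task_defs, tg_to_nlb):
    """Return sorted findings; token values are never echoed into them."""
    findings, by_token, by_nlb = [], defaultdict(set), defaultdict(set)
    for svc in services:
        name = svc["serviceName"]
        tok = token_ref(task_defs[svc["taskDefinition"]])
        if tok is None:
            findings.append(f"{name}: no {TOKEN_VAR} set")
        else:
            by_token[tok].add(name)
        if svc["desiredCount"] > 1:  # one token must not run in two processes
            findings.append(f"{name}: desiredCount {svc['desiredCount']} shares one token")
        for lb in svc.get("loadBalancers", []):  # gateways only; relays have none
            by_nlb[tg_to_nlb[lb["targetGroupArn"]]].add(name)
    for names in by_token.values():
        if len(names) > 1:
            findings.append(f"token reused by {', '.join(sorted(names))}")
    for nlb, names in by_nlb.items():
        if len(names) > 1:
            findings.append(f"{nlb} fronts {', '.join(sorted(names))}")
    return sorted(findings)

def env(value):  # helper for the constructed task definitions below
    return {"containerDefinitions": [{"environment": [{"name": TOKEN_VAR, "value": value}]}]}

# Constructed inventory: placeholder names, not real ARNs or tokens.
TASK_DEFS = {"gw-a:1": env("TOKEN-A"), "gw-b:1": env("TOKEN-A"), "relay:1": env("TOKEN-R")}
SERVICES = [
    {"serviceName": "gw-a", "taskDefinition": "gw-a:1", "desiredCount": 1, "loadBalancers": [{"targetGroupArn": "tg-a"}]},
    {"serviceName": "gw-b", "taskDefinition": "gw-b:1", "desiredCount": 1, "loadBalancers": [{"targetGroupArn": "tg-b"}]},
    {"serviceName": "relay-1", "taskDefinition": "relay:1", "desiredCount": 2},
]
TG_TO_NLB = {"tg-a": "nlb-1", "tg-b": "nlb-1"}  # both target groups on one NLB
if __name__ == "__main__":
    print("\n".join(lint(SERVICES, TASK_DEFS, TG_TO_NLB)))
```

The constructed inventory trips all three rules: a token copied between two gateway task definitions, two gateways behind one NLB, and a relay service scaled to two tasks on a single token.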