
(ECS): VPC by default created with NAT

Link to reference doc page

https://docs.aws.amazon.com/cdk/v2/guide/ecs_example.html

Describe your issue?

Folks, you are doing a great job. I really enjoy CDK and the direction it takes. I’ve been using CDK quite happily for building my app using Fargate until I noticed that my AWS bill was ~90$ instead of the expected ~8$ for this project. I started digging into it, and it was the NAT Gateway created by CDK when I deployed my container. I mostly followed the official documentation.

This part, in particular, I believe caused this:

Vpc vpc = Vpc.Builder.create(this, "MyVpc")
    .maxAzs(3)  // Default is all AZs in region
    .build();

If I understood correctly, the default behavior is to create a NAT Gateway and put the service behind it. While I understand the reasoning behind it, I believe most people don’t need it. For sure, no one wants unexpected bills. Please consider changing this default behavior. At the very least, there should be some disclaimer.

Btw, I’m still trying to figure out how to get rid of NAT. Simply adding .natGateways(0) doesn’t work, causing some subnet conflicts when I try to update the existing stack. Seems like I have to learn how VPC works in AWS.

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 4
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

2 reactions
sergekukharev commented, Jan 28, 2022

This might be helpful. To get rid of the NAT Gateway in a Fargate setup, something like this should be used:

import java.util.List;
import software.amazon.awscdk.services.ec2.SubnetConfiguration;
import software.amazon.awscdk.services.ec2.SubnetType;
import software.amazon.awscdk.services.ec2.Vpc;
import software.amazon.awscdk.services.ecs.Cluster;
import software.amazon.awscdk.services.ecs.ContainerImage;
import software.amazon.awscdk.services.ecs.patterns.ApplicationLoadBalancedFargateService;
import software.amazon.awscdk.services.ecs.patterns.ApplicationLoadBalancedTaskImageOptions;

// Inside the Stack constructor: a VPC with only public subnets and no NAT Gateway
Vpc vpc = Vpc.Builder
    .create(this, "MyVpc")
    .natGateways(0)
    .enableDnsHostnames(true)
    .enableDnsSupport(true)
    .subnetConfiguration(List.of(
        SubnetConfiguration.builder()
            .mapPublicIpOnLaunch(true)
            .cidrMask(24)
            .subnetType(SubnetType.PUBLIC)
            .name("public-one")
            .build()
    ))
    .maxAzs(3)
    .build();

//...

// The ECS cluster must be placed in the NAT-less VPC above
Cluster cluster = Cluster.Builder.create(this, "MyCluster").vpc(vpc).build();

ApplicationLoadBalancedFargateService.Builder.create(this, "MyFargateService")
    .cluster(cluster)
    .assignPublicIp(true) // Since we have no NAT, the ECS service needs a public IP to pull the image from ECR through the Internet Gateway
    .publicLoadBalancer(true)
    .taskImageOptions(
        ApplicationLoadBalancedTaskImageOptions.builder()
            .image(ContainerImage.fromRegistry("amazon/amazon-ecs-sample"))
            .build())
    .cpu(512)
    .memoryLimitMiB(2048)
    .build();
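A pre-deploy check for the two points raised above, the NAT Gateways the default Vpc creates and the public IP a NAT-less Fargate service needs, added here as an example and not code from the issue or from aws-cdk. It scans a synthesized template (what `cdk synth` writes to cdk.out) and reports NAT gateways, ECS services with a public IP, and any ingress rule on those services' security groups that is open to the whole internet, since a task with a public IP is isolated only by its security group. The embedded template is a constructed sample, not real synth output.

```python
import json
from typing import Any, Optional

# Constructed sample template (not real cdk synth output): one NAT gateway
# left over from the default Vpc, plus a Fargate service with a public IP
# whose security group admits port 80 from anywhere.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "MyVpcPublicSubnet1NATGateway": {"Type": "AWS::EC2::NatGateway",
        "Properties": {"SubnetId": {"Ref": "MyVpcPublicSubnet1"}}},
    "MyFargateServiceSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80}]}},
    "MyFargateService": {"Type": "AWS::ECS::Service", "Properties": {
        "LaunchType": "FARGATE",
        "NetworkConfiguration": {"AwsvpcConfiguration": {
            "AssignPublicIp": "ENABLED",
            "SecurityGroups": [{"Fn::GetAtt": ["MyFargateServiceSG", "GroupId"]}]}}}},
}})

def _sg_logical_id(ref: Any) -> Optional[str]:
    """Resolve a Ref / Fn::GetAtt security-group reference to its logical ID."""
    if isinstance(ref, dict):
        if "Ref" in ref:
            return ref["Ref"]
        if "Fn::GetAtt" in ref:
            return ref["Fn::GetAtt"][0]
    return None

def audit_template(template_json: str) -> dict:
    """Report NAT gateways, ECS services with public IPs, and world-open ingress."""
    resources = json.loads(template_json).get("Resources", {})
    report = {"nat_gateways": [], "public_ip_services": [], "world_open_ingress": []}
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::NatGateway":
            report["nat_gateways"].append(name)  # billed per hour and per GB
        if res.get("Type") != "AWS::ECS::Service":
            continue
        awsvpc = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
        if awsvpc.get("AssignPublicIp") != "ENABLED":
            continue
        report["public_ip_services"].append(name)
        # A task with a public IP is only as isolated as its security group allows.
        for sg_id in filter(None, map(_sg_logical_id, awsvpc.get("SecurityGroups", []))):
            for rule in resources.get(sg_id, {}).get("Properties", {}).get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    report["world_open_ingress"].append(
                        (name, sg_id, rule.get("IpProtocol"), rule.get("FromPort")))
    return report
```

Run it against `cdk.out/<StackName>.template.json` in CI and fail the build when `nat_gateways` is non-empty for a stack that is not meant to have one.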
1 reaction
madeline-k commented, Mar 22, 2022

@kylerjensen thank you for sharing your detailed perspective on this one! The mission of the aws-cdk is to simplify AWS for builders. This often comes into conflict with the goal of reducing AWS costs.

Customers can always see the CloudFormation templates created by their CDK apps. But it’s not always easy to tell what is going to be charged once deployed. Some additional transparency in the docs, and an easier way in the L2 and L3 ECS service APIs to remove the NAT Gateways should also help customers to avoid unintentionally incurring these charges.

CloudFormation also has a feature for estimating the cost of CloudFormation stacks. We could also integrate this into the CDK CLI to help customers get a sense of how much they will be charged after deploying their CDK apps.

(Not saying we should not change the default behavior with a feature flag. That is a pretty big decision, and I’m interested to hear more perspectives on it still.)
