# ECS Fargate Gateway Deployment Guide

### Overview

AWS Fargate, a serverless compute engine, is a popular option for deploying containerized infrastructure with Amazon Elastic Container Service (ECS). This guide provides step-by-step instructions on how to get StrongDM nodes (gateways and relays) up and running in Fargate.

These instructions show you how to set up the environment pictured in the following diagram.

![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-e896c32726dcc681af14b8ef3cabaaa05dedf99f%2Fsingle-fargate-gateway%20\(1\).png?alt=media)

The diagram shows the following essential components needed to deploy a gateway as a Fargate task using ECS:

* Virtual Private Cloud (VPC) with internet gateway
* Private subnet routing traffic through a NAT gateway in a public subnet to connect to the internet
* Network Load Balancer (NLB) distributing incoming traffic from the internet to a Fargate task in the private subnet

{% hint style="info" %}
When deploying your Fargate task in a private subnet without internet access, you need to [set up a NAT gateway](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-tasks-private-subnet/) that reaches out to the internet to acquire the StrongDM gateway image and connect to StrongDM.
{% endhint %}

### Steps

These instructions explain how to configure an NLB, task definition, cluster, task, and service in the EC2 Console, as well as how to generate a token from the StrongDM Admin UI. We recommend that you keep both the EC2 Console and the Admin UI open in your browser so you can easily tab between them.

{% hint style="info" %}
See these steps in action in our [ECS Fargate installation video tutorial](https://www.youtube.com/watch?v=UKjNvyKqmfA).
{% endhint %}

#### Create an NLB in the EC2 Console

{% hint style="info" %}
If you are deploying a relay instead of a gateway, please skip this step and don't create an NLB. Unlike gateways, a relay does not bind to an interface and port, so relays don't need to be paired with a load balancer. Each relay must be defined by its own Fargate task, as the token is unique and cannot be active in more than one relay process.
{% endhint %}

{% hint style="info" %}
An Application Load Balancer (ALB) only works on the application layer. StrongDM requires support for the network layer and transport layer for gateways to work properly. Due to this requirement, an ALB should not be used with gateways. Instead, use a Network Load Balancer (NLB).
{% endhint %}

1. Go to the EC2 Console in AWS.
2. From the left-hand menu, expand **Load Balancing** and select **Load balancers**.
3. Click **Create Load balancer**, and under **Network Load Balancer**, click **Create**.
4. Set the **Basic configuration** properties:
   * **Load Balancer Name**: Enter a name for the load balancer.
   * **Scheme**: Select **Internet-facing**.
   * **IP address type**: Select **IPv4**. Note that an elastic IP is not required.
5. Set the **Network mapping**:
   * **VPC**: Select the VPC where this ECS gateway will be hosted.
   * **Mappings**: Select the availability zone where you want the load balancer to be hosted (that is, where the public subnet resides).
6. Set the **Listeners and routing** properties:
   * **Port:** Select TCP port **5000**. Note that 5000 is the default TCP port specified for SDM gateways, but you can modify it for your environment.
   * **Create target group**: Click the link, which opens a new tab.
7. On the **Specify group details** page that opens:
   * **Target type**: Select **IP Addresses** as the target type.
   * **Target group name**: Set the name of the target group.
   * **Port**: Set TCP port **5000** for the listener. This port needs to match the port you plan to expose on the Fargate container.
   * Click **Next**.
8. On the next page, leave the options blank and click **Create target group**. Note that a target will be set later once the ECS container is created.
9. Go back to the **Load Balancers** properties page, and click the refresh button next to **Target group**.
10. Select the target group that was just created.
11. Click **Create load balancer**.
12. Click **View load balancers**, and copy the **NLB DNS name** of the NLB that you just created.

#### Create a token in StrongDM

To create a gateway token, follow these steps.

1. Log in to the Admin UI at [app.strongdm.com](https://app.strongdm.com).
2. Go to **Networking** > **Gateways**.
3. Click **Add gateway**.
4. For **Name**, enter a name for the gateway.
5. For **Advertised Host**, enter the NLB DNS name that was created in the EC2 Console.
6. For **Advertised Port**, set **5000**.
7. Click **Create gateway**. The token appears in a modal. Copy the token and keep it in a secure place.

To create a relay token, follow these steps.

1. Log in to the Admin UI at [app.strongdm.com](https://app.strongdm.com).
2. Go to **Networking** > **Relays**.
3. Click **Add relay**.
4. For **Name**, enter a name for the relay.
5. Click **Create relay**. The token appears in a modal. Copy the token and keep it in a secure place.

#### Create an ECS task definition

1. In the AWS ECS Console, go to **Task Definitions** and create a new task definition.
2. Select **Fargate** as the launch type compatibility, and click **Next step**.
3. On the **Configure task and container definitions** page, set the following:
   * **Task Definition Name**: Enter a task name.
   * **Task Role**: Select **None**.
   * **Task memory (GB)**: Select **4GB**.
   * **Task CPU (vCPU)**: Select **2 vCPU**.
4. Under **Container Definitions**, click **Add container** and then set the following:
   * **Container name**: Enter a name for the container.
   * **Image**: Set `public.ecr.aws/strongdm/relay` as the image URL.
   * **Memory Limits (MiB)**: Set a **soft limit of 2048**.
   * **Port mappings**: Add a TCP port map to **5000**. This port needs to match the BIND port specified for the StrongDM token.
   * **Environment variables**: For **Key**, set `SDM_RELAY_TOKEN`. For **Value**, set the token value created in the Admin UI. Then click **Add**.
5. Back on the **Configure task and container definitions** page, scroll down and click **Create**.
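As an added example (not StrongDM's or AWS's own code), the task definition built in these steps expressed as the JSON that `aws ecs register-task-definition --cli-input-json` accepts, with a pre-flight check that the container port lines up with the NLB listener and target group. It departs from the console steps in one respect: the token is supplied through the `secrets`/`valueFrom` field from AWS Secrets Manager instead of a plaintext environment variable, which requires a task execution role permitted to read that secret; the ARNs and the `sdm-gateway` family name are placeholders.

```python
import json

TOKEN_ENV = "SDM_RELAY_TOKEN"

def build_task_definition(family, token_secret_arn, execution_role_arn,
                          port=5000, image="public.ecr.aws/strongdm/relay"):
    """Fargate task mirroring the console steps: 2 vCPU, 4 GB, one container with a
    2048 MiB soft limit and TCP 5000 exposed. The token is fetched from Secrets Manager
    at start-up via `secrets`, so it is not stored as plaintext in the task definition;
    the execution role must be allowed to read that secret (both ARNs are placeholders)."""
    return {
        "family": family,
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",      # required for Fargate; the task gets its own ENI
        "cpu": "2048",                # 2 vCPU in CPU units
        "memory": "4096",             # 4 GB in MiB
        "executionRoleArn": execution_role_arn,
        "containerDefinitions": [{
            "name": f"{family}-container",
            "image": image,
            "essential": True,
            "memoryReservation": 2048,
            "portMappings": [{"containerPort": port, "protocol": "tcp"}],
            "secrets": [{"name": TOKEN_ENV, "valueFrom": token_secret_arn}],
        }],
    }

def check_task_definition(td, listener_port, target_group_port):
    """Pre-flight check; returns a list of problems (empty means consistent). Catches a
    port that does not line up across NLB listener, target group and container, and a
    token placed in the plaintext `environment` list instead of `secrets`."""
    problems = []
    if listener_port != target_group_port:
        problems.append(f"NLB listener {listener_port} != target group {target_group_port}")
    for c in td.get("containerDefinitions", []):
        exposed = {m["containerPort"] for m in c.get("portMappings", [])}
        if target_group_port not in exposed:
            problems.append(f"{c['name']}: target group port {target_group_port} not exposed")
        in_env = any(e.get("name") == TOKEN_ENV for e in c.get("environment", []))
        in_secrets = any(s.get("name") == TOKEN_ENV for s in c.get("secrets", []))
        if in_env:
            problems.append(f"{c['name']}: {TOKEN_ENV} is plaintext in environment; use secrets")
        if not (in_env or in_secrets):
            problems.append(f"{c['name']}: no {TOKEN_ENV} supplied")
    return problems

def to_cli_input(td):
    """Serialise for `aws ecs register-task-definition --cli-input-json file://task.json`."""
    return json.dumps(td, indent=2)
```

Run the check with the same port you configured for the NLB listener and target group before registering; a non-empty list is a configuration to fix, not a node to deploy.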

#### Create an ECS cluster

1. In the ECS Console, go to the **Clusters** section and click **Create Cluster**.
2. Services are associated with an ECS cluster. On the **Select cluster template** page, select **Networking Only Powered by AWS Fargate**, and click **Next step**.
3. On the **Configure cluster** page, enter the **cluster name**, and click **Create**.
4. Click **View Cluster**, which will open the **Clusters Management** page.

#### Create a new ECS service

1. On the **Clusters Management** page, click your cluster name. On that page, click the **Services** tab and then click **Create**.
2. On the **Create Service** page that opens, set the following:
   * **Launch type**: Select **FARGATE**.
   * **Task Definition**: Select the task definition created earlier.
   * **Service name**: Enter a name for this service.
   * **Number of tasks**: Set **1**.
   * **Minimum healthy percent**: Set **0**.
   * **Maximum healthy percent**: Set **100**.
   * **Deployment type**: Set **Rolling update**.
   * Click **Next step**.
3. On the **Configure network** page, set the following:
   * **Cluster VPC:** Select the Fargate VPC where the cluster is hosted.
   * **Subnets:** Select a private subnet (for example, `10.0.7.0/24`). Without this, the NLB will not be able to reach the container.
4. For **Security Groups**, click **Edit** and do the following:
   * Click **Create a new security group**.
   * In **Basic details:**
     * **Security group name:** Name the group.
     * **Description:** Describe what the group is for.
     * **VPC:** Select the VPC.
   * Under **Inbound rules:**
     * **Type:** Choose **Custom TCP**.
     * **Port range:** Choose the port (for example, "5000") you are mapping from the load balancer to the service.
     * **Source**: Choose **Anywhere**. Please note: The load balancer is only open on the ports you forward, and the service is on a private network. You can, however, specify the IP address or range of the load balancer if you prefer. We recommend starting with an open security group for testing; you can modify it later.
     * Click **Create security group**.
   * **Auto-assign public IP:** Set to **DISABLED**.
   * **Load balancer type:** Select **Network Load Balancer**.
   * **Load balancer name:** Select the NLB that you created earlier.
   * Click **Add to load balancer**.
   * **Production listener port:** Select **5000 TCP**.
   * These steps also enable the **Health check grace period** field. Scroll up and enter a value of **600** (seconds), for a 10-minute grace period.
   * Click **Next step**.
5. On the **Set Auto Scaling** page:
   * Make sure that **Auto-scaling** is set to **Do not adjust the service’s desired count**.
   * Click **Next step**.
   * Click **Create Service**.
   * Click **View Service**.

#### Verify the node

Refresh the page to see that the ECS gateway or relay is online and running. It should take a couple of minutes for the IP address to show up in the target group associated with the NLB, after which the node should appear in the Admin UI with an active heartbeat.

In the Admin UI’s **Gateways** or **Relays** page, you’ll see that your ECS gateway or relay is **online**.

### Additional Information

#### Redundant gateways

We recommend deploying gateways in pairs for redundancy. Gateways automatically load balance and fail over when necessary. Because of this, gateways should not be behind the same load balancer.

Because each gateway requires a unique gateway token, a new Fargate task needs to be defined and associated with a new discovery service. Both services, however, can reside in the same ECS cluster.

