# Deploy ECS Fargate Proxy Cluster

### Overview

AWS Fargate, a serverless compute engine, is a popular option for deploying containerized infrastructure with Amazon Elastic Container Service (ECS). This guide provides step-by-step instructions on how to deploy a StrongDM proxy cluster in Fargate.

The following instructions show how to set up the environment in the diagram below.

![](/files/Me5AWXVW31DKbuoRh5le)

The diagram shows the following essential components needed to deploy a proxy cluster as a Fargate service using ECS:

* Virtual Private Cloud (VPC) with internet gateway
* Private subnet routing traffic through a NAT gateway in a public subnet to connect to the internet
* Network Load Balancer (NLB) distributing incoming traffic from the internet to a Fargate service in the private subnet

{% hint style="info" %}
When deploying your Fargate service in a private subnet without internet access, you need to [set up a NAT gateway](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-tasks-private-subnet/) that reaches out to the internet to acquire the StrongDM proxy worker image and connect to StrongDM.
{% endhint %}

### Steps

These instructions explain how to configure an NLB in the EC2 Console, how to configure a task definition, cluster, and service in the ECS Console, and how to generate an authentication key from the StrongDM Admin UI. We recommend keeping both the AWS Console and the Admin UI open in your browser so you can easily tab between them.

#### Create an NLB in the EC2 Console

{% hint style="info" %}
Application Load Balancers (ALBs) are not compatible with StrongDM proxies. Use a Network Load Balancer (NLB) instead.
{% endhint %}

We recommend having the load balancer listen on port 443 and forward traffic to the individual proxies on port 8443.

1. Go to the EC2 Console in AWS.
2. From the left-hand menu, expand **Load Balancing** and select **Load balancers**.
3. Click **Create load balancer**, and under **Network Load Balancer**, click **Create**.
4. Set the **Basic configuration** properties:
   * **Load Balancer Name**: Enter a name for the load balancer.
   * **Scheme**: Select **Internet-facing**.
   * **IP address type**: Select **IPv4**. Note that an elastic IP is not required.
5. Set the **Network mapping** properties:
   * **VPC**: Select the VPC where this proxy cluster will be hosted.
   * **Mappings**: Select the availability zone where you want the load balancer to be hosted (that is, where the public subnet resides).
6. Set the **Listeners and routing** properties:
   * **Port:** Select TCP port **443**. Note that 443 is the default TCP port specified for SDM proxies, but you can modify it for your environment.
   * **Create target group**: Click the link, which opens a new tab.
7. On the **Specify group details** page that opens:
   * **Target type**: Select **IP Addresses** as the target group.
   * **Target group name**: Set the name of the target group.
   * **Port**: Set TCP port **8443**. This port needs to match the port you plan to expose on the Fargate container. The default is 8443.
   * Click **Next**.
8. On the next page, leave the options blank and click **Create target group**. Note that a target will be set later once the ECS container is created.
9. Go back to the **Load Balancers** properties page, and click the refresh button next to **Target group**.
10. Select the target group that was just created.
11. Click **Create load balancer**.
12. Click **View load balancers**, and copy the **NLB DNS name** of the NLB that you just created.
13. Select the name of the load balancer to open its details page.
14. On the **Attributes** tab, choose **Edit**.
15. On the **Edit load balancer attributes** page, turn **Cross-zone load balancing** on.
16. Choose **Save changes**.

#### Create a proxy cluster in StrongDM

To create a proxy cluster, follow these steps.

1. Log in to the StrongDM Admin UI.
2. Go to **Networking** > **Proxy Clusters**.
3. Click **Add proxy cluster**.
4. For **Name**, enter a name for the cluster.
5. For **Advertised Address**, enter the NLB DNS name that was created in the EC2 Console, and the port number (we recommend port 443; for example, `my-sdm-proxy.elb.us-east-2.amazonaws.com:443`).
6. Click **Create proxy cluster**.
7. Click **Add authentication key**. The key appears in a modal. Copy the key and keep it in a secure place.

#### Create an ECS task definition

1. In the AWS ECS Console, go to **Task Definitions** and create a new task definition.
2. Select **Fargate** as the launch type compatibility, and click **Next step**.
3. On the **Configure task and container definitions** page, set the following:
   * **Task Definition Name**: Enter a task name.
   * **Task Role**: Select **None**.
   * **Task memory (GB)**: Select **4GB**.
   * **Task CPU (vCPU)**: Select **2 vCPU**.
4. Under **Container Definitions**, click **Add container** and then set the following:
   * **Container name**: Enter a name for the container.
   * **Image**: Set `public.ecr.aws/strongdm/relay` as the image URL.
   * **Memory Limits (MiB)**: Set a **soft limit of 2048**.
   * **Port mappings**: Add a TCP port map to **8443**.
   * **Environment variables**: For **Key**, set `SDM_PROXY_CLUSTER_ACCESS_KEY`. For **Value**, paste the access key created in the Admin UI. Then click **Add**. Repeat this process for `SDM_PROXY_CLUSTER_SECRET_KEY`.
5. Back on the **Configure task and container definitions** page, scroll down and click **Create**.
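The same task definition expressed as JSON (suitable for `aws ecs register-task-definition`), as an added example that is not part of the original guide. It uses the values from the steps above, but reads the two cluster keys from AWS Secrets Manager via the `secrets` field instead of pasting them as plaintext environment variables, so the keys are not visible to anyone who can describe the task definition; the account ID, region, role and secret ARNs, log group, and names are placeholders, and the execution role is assumed to be allowed to read both secrets.

```json
{
  "family": "sdm-proxy-worker",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "2048",
  "memory": "4096",
  "executionRoleArn": "arn:aws:iam::123456789012:role/PLACEHOLDER-ecs-task-execution-role",
  "containerDefinitions": [
    {
      "name": "sdm-proxy-worker",
      "image": "public.ecr.aws/strongdm/relay",
      "essential": true,
      "memoryReservation": 2048,
      "portMappings": [
        { "containerPort": 8443, "protocol": "tcp" }
      ],
      "secrets": [
        {
          "name": "SDM_PROXY_CLUSTER_ACCESS_KEY",
          "valueFrom": "arn:aws:secretsmanager:us-east-2:123456789012:secret:PLACEHOLDER-sdm-proxy-access-key"
        },
        {
          "name": "SDM_PROXY_CLUSTER_SECRET_KEY",
          "valueFrom": "arn:aws:secretsmanager:us-east-2:123456789012:secret:PLACEHOLDER-sdm-proxy-secret-key"
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/PLACEHOLDER-sdm-proxy-worker",
          "awslogs-region": "us-east-2",
          "awslogs-stream-prefix": "proxy"
        }
      }
    }
  ]
}
```

The container port (8443) must match the target group port created for the NLB, and the `awslogs` configuration sends the worker's logs to CloudWatch so the tasks can be monitored after deployment.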

#### Create an ECS cluster

1. In the ECS Console, go to the **Clusters** section and click **Create Cluster**.
2. Services are associated with an ECS cluster. On the **Select cluster template** page, select **Networking Only Powered by AWS Fargate**, and click **Next step**.
3. On the **Configure cluster** page, enter the **cluster name**, and click **Create**.
4. Click **View Cluster**, which will open the **Clusters Management** page.

#### Create a new ECS service

1. On the **Clusters Management** page, click your cluster name. On that page, click the **Services** tab and then click **Create**.
2. On the **Create Service** page that opens, set the following:
   * **Launch type**: Select **FARGATE**.
   * **Task Definition**: Select the task definition created earlier.
   * **Service name**: Enter a name for this service.
   * **Number of tasks**: Set **2**.
   * **Minimum healthy percent**: Set **100**.
   * **Maximum healthy percent**: Set **200**.
   * **Deployment type**: Set **Rolling update**.
   * Click **Next step**.
3. On the **Configure network** page, set the following:
   * **Cluster VPC:** Select the Fargate VPC where the cluster is hosted.
   * **Subnets:** Select a private subnet (for example, `10.0.7.0/24`). Without this, the NLB will not be able to reach the container.
4. For **Security Groups**, click **Edit** and do the following:
   * Click **Create a new security group**.
   * In **Basic details:**
     * **Security group name:** Name the group.
     * **Description:** Describe what the group is for.
     * **VPC:** Select the VPC.
   * Under **Inbound rules:**
     * **Type:** Choose **Custom TCP**.
     * **Port range:** Choose the port (for example, "8443") you are mapping from the load balancer to the service.
     * **Source**: Choose **Anywhere**. Note that the load balancer only exposes the ports you forward, and the service runs in a private subnet. If you prefer, you can instead specify the IP address or range of the load balancer as the source. We recommend starting with an open security group for testing; you can tighten it later.
     * Click **Create security group**.
   * **Auto-assign public IP:** Set to **DISABLED**.
   * **Load balancer type:** Select **Network Load Balancer**.
   * **Load balancer name:** Select the NLB that you created earlier.
   * Click **Add to load balancer**.
   * **Production listener port:** Select the listener port you created earlier.
   * These steps also enable the **Health check grace period** field. Scroll up and enter a value of **600** (seconds), for a 10-minute grace period.
   * Click **Next step**.
   * Click **Next step**.
   * Click **Create Service**.
   * Click **View Service**.

#### Verify the proxy cluster

Refresh the page to see that the proxy worker tasks are online and running. It should take a couple of minutes for the IP addresses to show up in the target group associated with the NLB.
