Deploy ECS Fargate Proxy Cluster

Last modified on March 25, 2025

Overview

AWS Fargate, a serverless compute engine, is a popular option for deploying containerized infrastructure with Amazon Elastic Container Service (ECS). This guide provides step-by-step instructions on how to deploy a StrongDM proxy cluster in Fargate.

These instructions show you how to set up the environment illustrated in the following diagram.

Fargate Proxy Cluster

The diagram shows the following essential components needed to deploy a proxy cluster as a Fargate service using ECS:

  • Virtual Private Cloud (VPC) with internet gateway
  • Private subnet routing traffic through a NAT gateway in a public subnet to connect to the internet
  • Network Load Balancer (NLB) distributing incoming traffic from the internet to a Fargate service in the private subnet

Steps

These instructions explain how to configure an NLB in the EC2 Console, how to configure a task definition, cluster, and service in the ECS Console, and how to generate an authentication key in the StrongDM Admin UI. We recommend keeping the AWS Console and the Admin UI open in separate browser tabs so you can switch between them easily.

Create an NLB in the EC2 Console

We recommend having the load balancer listen on port 443 and forward traffic to the individual proxies on port 8443.

  1. Go to the EC2 Console in AWS.
  2. From the left-hand menu, expand Load Balancing and select Load balancers.
  3. Click Create load balancer, and under Network Load Balancer, click Create.
  4. Set the Basic configuration properties:
    • Load Balancer Name: Enter a name for the load balancer.
    • Scheme: Select Internet-facing.
    • IP address type: Select IPv4. Note that an elastic IP is not required.
  5. Set the Network mapping properties:
    • VPC: Select the VPC where this proxy cluster will be hosted.
    • Mappings: Select the availability zone where you want the load balancer to be hosted (that is, where the public subnet resides).
  6. Set the Listeners and routing properties:
    • Port: Select TCP port 443. Note that 443 is the default TCP port specified for SDM proxies, but you can modify it for your environment.
    • Create target group: Click the link, which opens a new tab.
  7. On the Specify group details page that opens:
    • Target type: Select IP addresses as the target type (Fargate tasks are registered by their private IP addresses, not by instance ID).
    • Target group name: Set the name of the target group.
    • Port: Set TCP port 8443. This port needs to match the port you plan to expose on the Fargate container. The default is 8443.
    • Click Next.
  8. On the Register targets page, do not register any targets; click Create target group. The ECS service registers the task IP addresses automatically once it is created.
  9. Go back to the Load Balancers properties page, and click the refresh button next to Target group.
  10. Select the target group that was just created.
  11. Click Create load balancer.
  12. Click View load balancers, and copy the NLB DNS name of the NLB that you just created.
  13. Select the name of the load balancer to open its details page.
  14. On the Attributes tab, choose Edit.
  15. On the Edit load balancer attributes page, turn Cross-zone load balancing on.
  16. Choose Save changes.

Create a proxy cluster in StrongDM

To create a proxy cluster, follow these steps.

  1. Log in to the StrongDM Admin UI.
  2. Go to Networking > Proxy Clusters.
  3. Click Add proxy cluster.
  4. For Name, enter a name for the cluster.
  5. For Advertised Address, enter the DNS name of the NLB created in the EC2 Console followed by the listener port (we recommend 443; for example, my-sdm-proxy.elb.us-east-2.amazonaws.com:443). This is the address clients connect to, so the port must match the NLB listener port, not the container port.
  6. Click Create proxy cluster.
  7. Click Add authentication key. The key (an access key and a secret key) appears in a modal only once. Copy both values and store them securely; they become the SDM_PROXY_CLUSTER_ACCESS_KEY and SDM_PROXY_CLUSTER_SECRET_KEY values in the task definition.

Create an ECS task definition

  1. In the AWS ECS Console, go to Task Definitions and create a new task definition.
  2. Select Fargate as the launch type compatibility, and click Next step.
  3. On the Configure task and container definitions page, set the following:
    • Task Definition Name: Enter a task name.
    • Task Role: Select None.
    • Task memory (GB): Select 4GB.
    • Task CPU (vCPU): Select 2 vCPU.
  4. Under Container Definitions, click Add container and then set the following:
    • Container name: Enter a name for the container.
    • Image: Set public.ecr.aws/strongdm/relay as the image URL.
    • Memory Limits (MiB): Set a soft limit of 2048.
    • Port mappings: Add a TCP port map to 8443.
    • Environment variables: For Key, enter SDM_PROXY_CLUSTER_ACCESS_KEY; for Value, paste the access key from the Admin UI; then click Add. Repeat for SDM_PROXY_CLUSTER_SECRET_KEY with the secret key. Note that environment variables are stored in plaintext in the task definition and can be read by any principal allowed to call ecs:DescribeTaskDefinition. For production, store both values in AWS Secrets Manager or SSM Parameter Store and reference them through the container's Secrets (valueFrom) option instead, which requires a task execution role permitted to read them.
  5. Back on the Configure task and container definitions page, scroll down and click Create.

Create an ECS cluster

  1. In the ECS Console, go to the Clusters section and click Create Cluster.
  2. Services are associated with an ECS cluster. On the Select cluster template page, select Networking Only Powered by AWS Fargate, and click Next step.
  3. On the Configure cluster page, enter the cluster name, and click Create.
  4. Click View Cluster, which will open the Clusters Management page.

Create a new ECS service

  1. On the Clusters Management page, click your cluster name. On that page, click the Services tab and then click Create.
  2. On the Create Service page that opens, set the following:
    • Launch type: Select FARGATE.
    • Task Definition: Select the task definition created earlier.
    • Service name: Enter a name for this service.
    • Number of tasks: Set 2.
    • Minimum healthy percent: Set 100.
    • Maximum percent: Set 200.
    • Deployment type: Set Rolling update.
    • Click Next step.
  3. On the Configure network page, set the following:
    • Cluster VPC: Select the Fargate VPC where the cluster is hosted.
    • Subnets: Select the private subnet (for example, 10.0.7.0/24). The tasks must run in a subnet of the same VPC as the NLB so the load balancer can reach them, and the private subnet's route through the NAT gateway gives the proxies their outbound internet access.
  4. For Security Groups, click Edit and do the following:
    • Click Create a new security group.
    • In Basic details:
      • Security group name: Name the group.
      • Description: Describe what the group is for.
      • VPC: Select the VPC.
    • Under Inbound rules:
      • Type: Choose Custom TCP.
      • Port range: Choose the port (for example, “8443”) you are mapping from the load balancer to the service.
      • Source: Choose Anywhere. The load balancer only forwards the listener ports you configured, and the tasks sit in a private subnet with no public IP, so this rule is reachable only through the NLB. We recommend starting with this open rule for testing and tightening it later. If you restrict the source, keep in mind that NLB health checks arrive from the load balancer nodes' private addresses, while the source address of forwarded client connections is either the client's IP or the NLB's private IP depending on the target group's client IP preservation attribute; a rule limited to the NLB's own addresses silently drops client traffic when client IP preservation is on.
      • Click Create security group.
    • Auto-assign public IP: Set to DISABLED.
    • Load balancer type: Select Network Load Balancer.
    • Load balancer name: Select the NLB that you created earlier.
    • Click Add to load balancer.
    • Production listener port: Select the listener port you created earlier.
    • These steps also enable the Health check grace period field. Scroll up and enter a value of 600 (seconds), for a 10-minute grace period.
    • Click Next step.
    • Click Next step.
    • Click Create Service.
    • Click View Service.
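The task definition and service sections above are console steps. As an added example (not StrongDM's or AWS's own code), the same objects below are built as JSON for the AWS CLI and linted before deployment: the lint flags the proxy keys when they sit in plaintext environment variables, confirms the task exposes the port the target group points at, and confirms the tasks get no public IP. Region, account ID, subnet, security group, execution role name, target-group ARN and the Secrets Manager secret name are placeholders assumed for the example.

```python
"""Build and lint the Fargate task definition and ECS service for the
StrongDM proxy cluster described on this page. Example code added here,
not StrongDM's or AWS's own. All ARNs, IDs and the secret name are
placeholder assumptions."""
import json

REGION = "us-east-2"                      # assumption
ACCOUNT = "123456789012"                  # placeholder account ID
IMAGE = "public.ecr.aws/strongdm/relay"   # image named on the page
CONTAINER_PORT = 8443                     # container / target group port from the page
KEY_NAMES = ("SDM_PROXY_CLUSTER_ACCESS_KEY", "SDM_PROXY_CLUSTER_SECRET_KEY")
# Assumed Secrets Manager secret whose JSON body holds both keys under the
# names above, e.g. {"SDM_PROXY_CLUSTER_ACCESS_KEY": "...", ...}
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:sdm/proxy-cluster"


def task_definition(use_secrets=True):
    """Fargate task: 2 vCPU, 4 GB, one container exposing TCP 8443.
    use_secrets=False reproduces the plaintext-environment variant the console
    steps create; use_secrets=True injects the keys from Secrets Manager."""
    container = {
        "name": "sdm-proxy",
        "image": IMAGE,
        "essential": True,
        "memoryReservation": 2048,        # soft limit in MiB
        "portMappings": [{"containerPort": CONTAINER_PORT, "protocol": "tcp"}],
    }
    if use_secrets:
        # "<secret ARN>:<json-key>::" selects one key of a JSON secret at the
        # default version stage; the execution role needs GetSecretValue on it.
        container["secrets"] = [{"name": n, "valueFrom": f"{SECRET_ARN}:{n}::"}
                                for n in KEY_NAMES]
    else:
        container["environment"] = [{"name": n, "value": "<pasted-from-admin-ui>"}
                                    for n in KEY_NAMES]
    return {
        "family": "sdm-proxy",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",          # the only network mode Fargate supports
        "cpu": "2048",                    # 2 vCPU
        "memory": "4096",                 # 4 GB
        # assumed role name; must be allowed to read SECRET_ARN
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
        "containerDefinitions": [container],
    }


def service(container_port=CONTAINER_PORT, assign_public_ip="DISABLED"):
    """Service wired to the NLB target group: 2 tasks, rolling update,
    100/200 percent, 600 s health check grace period, private subnet."""
    return {
        "cluster": "sdm-proxy-cluster",
        "serviceName": "sdm-proxy",
        "taskDefinition": "sdm-proxy",
        "launchType": "FARGATE",
        "desiredCount": 2,
        "deploymentController": {"type": "ECS"},   # rolling update
        "deploymentConfiguration": {"minimumHealthyPercent": 100, "maximumPercent": 200},
        "healthCheckGracePeriodSeconds": 600,
        "networkConfiguration": {"awsvpcConfiguration": {
            "subnets": ["subnet-0123456789abcdef0"],     # placeholder private subnet
            "securityGroups": ["sg-0123456789abcdef0"],  # placeholder SG allowing TCP 8443
            "assignPublicIp": assign_public_ip,
        }},
        "loadBalancers": [{
            "targetGroupArn": f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}"
                              ":targetgroup/sdm-proxy/0123456789abcdef",  # placeholder
            "containerName": "sdm-proxy",
            "containerPort": container_port,
        }],
    }


def lint(td, svc):
    """Pre-deploy checks on a task definition / service pair.
    Returns a list of findings; an empty list means the pair is clean."""
    findings = []
    exposed = set()
    for c in td["containerDefinitions"]:
        for env in c.get("environment", []):
            if env["name"].startswith("SDM_PROXY_CLUSTER_"):
                findings.append(f"{c['name']}: {env['name']} is a plaintext environment "
                                "variable (readable via DescribeTaskDefinition); use secrets/valueFrom")
        if c.get("secrets") and not td.get("executionRoleArn"):
            findings.append(f"{c['name']}: secrets require an executionRoleArn")
        exposed.update((c["name"], pm["containerPort"]) for pm in c.get("portMappings", []))
    net = svc["networkConfiguration"]["awsvpcConfiguration"]
    if net.get("assignPublicIp") != "DISABLED":
        findings.append("service: assignPublicIp must be DISABLED for tasks in the private subnet")
    for lb in svc["loadBalancers"]:
        if (lb["containerName"], lb["containerPort"]) not in exposed:
            findings.append(f"service: target group points at {lb['containerName']}:"
                            f"{lb['containerPort']}, which the task definition does not map")
    return findings


def render(obj):
    """JSON in the shape the AWS CLI --cli-input-json option accepts."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    td, svc = task_definition(), service()
    for finding in lint(td, svc):
        print("FINDING:", finding)
    print(render(td))
    print(render(svc))
```

Save the two rendered objects as task-def.json and service.json, then run aws ecs register-task-definition --cli-input-json file://task-def.json and aws ecs create-service --cli-input-json file://service.json. After creation, aws elbv2 describe-target-health --target-group-arn <arn> shows the task IP addresses registering and turning healthy, which is the same thing the Verify step below checks in the console.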

Verify the proxy cluster

Refresh the service page to confirm that the proxy worker tasks are running. It takes a couple of minutes for the task IP addresses to appear as registered targets in the NLB target group; wait until they report healthy before testing connections through the proxy cluster.
