Elastic IP – How to Assign Same Elastic IP to NAT Gateway and ALB

Tags: amazon-alb, amazon-web-services

The architectural diagram shown below is taken from an AWS blog titled Task Networking in AWS Fargate. The blog was posted in January 2018.

[Image: Architecture diagram from the AWS blog]

The description that comes with the image states that:

This configuration allows your tasks in Fargate to be safely isolated from the rest of the internet. They can still initiate network communication with external resources via the NAT gateway, and still receive traffic from the public via the Application Load Balancer that is in the public subnet.

One problem that I have while trying to recreate the architecture is that the same IP address (which I assume is an Elastic IP) is used for both the NAT Gateway and the Application Load Balancer (ALB). I am not able to create an Elastic IP that is usable by both the NAT Gateway and the ALB. Is the diagram flawed, or am I missing something?

Best Answer

The diagram is fine. The important thing to understand here is the nature of the ALB, which does NAT by itself.

The consequence is that the NAT gateway in the diagram is only used for outbound connections initiated from the Fargate task to the internet. All inbound connections through the ALB will be responded to through the ALB, as the ALB sets its own IP as the source address in the TCP header before forwarding the packet to the Fargate task.

Therefore, it is not required to have the same IP on the ALB and the NAT gateway, which is anyway a requirement that cannot be met.
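A minimal Terraform layout of the architecture the answer describes, added here as an illustration (it is not code from the question, the answer or the AWS blog). It assumes a VPC `aws_vpc.main`, two public subnets `aws_subnet.public_a`/`public_b` and an ALB security group `aws_security_group.alb` (allowing 443 from the internet) already exist; all other names are placeholders. The Elastic IP is attached only to the NAT gateway, the ALB gets AWS-managed addresses, and the task security group admits inbound traffic only from the ALB's security group, which is what matters since forwarded packets carry the ALB's private IP.

```terraform
# Constructed example: resource names and ports are placeholders.

# The one Elastic IP in this design belongs to the NAT gateway (outbound only).
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public_a.id # assumed existing public subnet
}

# Private subnets default-route through the NAT gateway, so tasks can reach
# the internet but nothing on the internet can reach them directly.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

# Internet-facing ALB: no Elastic IP is (or can be) assigned; AWS manages
# its public addresses. Inbound traffic is terminated here.
resource "aws_lb" "app" {
  name               = "fargate-alb"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]
  security_groups    = [aws_security_group.alb.id] # assumed existing
}

# Task security group: inbound only from the ALB's security group. The ALB
# forwards with its own private IP as source, so no public IP or Elastic IP
# appears in this rule. Outbound is open and leaves via the NAT gateway.
resource "aws_security_group" "task" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 8080 # placeholder container port
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```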