user1686620

Reputation: 3101

Change AWS ECS service's security groups

I would like to be able to modify the network configuration of an AWS ECS service. The interface has "Allowed VPC", "Allowed subnets", "Security Groups", and "Auto-assign public IP" at the top of the "Configure network" screen. However, they cannot be modified. We have been using a common security group for some of the services. When creating one of the services, we missed assigning the security group, so a new one was created. This seems like something I should be able to go back and correct.

Upvotes: 27

Views: 37714

Answers (3)

Andrzej D

Reputation: 9

You can change security group settings with the console:

  1. Update the service and select the awsvpc version of the template (typically the latest). If you select a different template version, you will not see the networking step.
  2. Follow the service update wizard to select the network and security groups.

Upvotes: 0

TheCodeMonk

Reputation: 2099

You can change it if you use the AWS CLI.

aws ecs update-service --cluster ClusterName --service ServiceName --network-configuration file://c:\json\networkConfig.txt

Where your networkConfig.txt file contains

{
  "awsvpcConfiguration": {
    "subnets": ["subnet-***","subnet-***"],
    "securityGroups": ["sg-***"],
    "assignPublicIp": "ENABLED"
  }
}

Upvotes: 70
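
Added example, not from the answer above: the JSON passed to --network-configuration carries subnets and assignPublicIp along with the security groups, so this Python helper builds it from the service's current `aws ecs describe-services` output and changes only the security groups. The sample output, all IDs, and the function names are constructed for illustration.

```python
import json
import re
import shlex

# Security group IDs are "sg-" plus 8 or 17 hex characters.
SG_ID = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
MAX_GROUPS = 5  # AWS limit of security groups per awsvpcConfiguration

# Constructed sample of `aws ecs describe-services` output; all IDs are made up.
SAMPLE = json.dumps({"services": [{
    "serviceName": "ServiceName",
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-0a1b2c3d", "subnet-4e5f6a7b"],
        "securityGroups": ["sg-0badc0de"],  # the group created by mistake
        "assignPublicIp": "DISABLED"}}}]})


def build_network_config(describe_output, new_groups):
    """Replace only securityGroups; keep the service's subnets and public-IP setting."""
    services = json.loads(describe_output).get("services", [])
    if len(services) != 1:
        raise ValueError("expected exactly one service in the describe-services output")
    current = services[0].get("networkConfiguration", {}).get("awsvpcConfiguration")
    if not current:
        raise ValueError("service has no awsvpcConfiguration (not awsvpc network mode)")
    groups = list(dict.fromkeys(new_groups))  # drop duplicates, keep order
    if not 1 <= len(groups) <= MAX_GROUPS:  # requiring at least one is this example's choice
        raise ValueError(f"need between 1 and {MAX_GROUPS} security groups")
    bad = [g for g in groups if not SG_ID.match(g)]
    if bad:
        raise ValueError(f"not a security group ID: {bad}")
    return {"awsvpcConfiguration": {
        "subnets": current["subnets"],
        "securityGroups": groups,
        # Carry the existing value over instead of copying "ENABLED" from an example.
        "assignPublicIp": current.get("assignPublicIp", "DISABLED")}}


def update_command(cluster, service, config):
    """Render the update-service call with the config passed as inline JSON."""
    return " ".join(["aws", "ecs", "update-service",
                     "--cluster", shlex.quote(cluster),
                     "--service", shlex.quote(service),
                     "--network-configuration",
                     shlex.quote(json.dumps(config, separators=(",", ":")))])


if __name__ == "__main__":
    cfg = build_network_config(SAMPLE, ["sg-0123456789abcdef0"])
    print(update_command("ClusterName", "ServiceName", cfg))
```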

Adiii

Reputation: 60074

No, you cannot change the security group of a Fargate-type ECS task, as the security group is attached to managed resources. In the case of an ECS EC2-type task, where you manage the instances for ECS, you can change the security group for the resources: go to EC2 instance -> modify resources -> modify SG. But here the case is different: you do not have to manage them, as AWS believes in containers as a service (CaaS).

Workaround:

  • Go to the security group -> select the associated Fargate SG -> modify the rule

  • Launch another new Fargate task and associate the desired SG with the Fargate service.


Upvotes: 4
