Setting Up AWS ECS Fargate and RDS PostgreSQL for NestJS Backend

Question

Title: Help with Setting Up AWS ECS Fargate and RDS PostgreSQL for NestJS Backend

Post:

Hi everyone!

I'm working on deploying a NestJS backend using AWS ECS Fargate with RDS PostgreSQL and could use some guidance.

I've already set up the following:

• ECS Fargate cluster and task definition.
• RDS PostgreSQL instance (created a database and credentials).
• Docker image for my app (stored in ECR).

I'm a bit stuck on configuring my environment variables to ensure proper connectivity between ECS and RDS, and setting up the task's networking/security. Specifically:

1. How do I securely manage database credentials for the ECS tasks using Secrets Manager?
2. What’s the best way to configure security groups so ECS Fargate can communicate with RDS securely?
3. Any recommended references or tutorials that walk through a similar setup (ECS + RDS)?

Any advice, resources, or best practices for this type of setup would be greatly appreciated! Thanks in advance.

What did you try?

• I set up an ECS Fargate cluster and a PostgreSQL RDS instance following AWS documentation.
• I created a Docker image for my NestJS app and pushed it to ECR.
• In my ECS task definition, I added environment variables for connecting to the RDS instance (e.g., DB host, port, username, and password).
• I configured security groups to allow traffic between ECS and RDS, ensuring that the ECS task can access the database.
• I attempted to manage my database credentials using AWS Secrets Manager by referencing secrets in the ECS task definition.

What was I expecting?

• I expected my ECS task (running my NestJS backend) to seamlessly connect to the RDS PostgreSQL instance and start working without connectivity issues.
• I was hoping that using Secrets Manager would securely inject my sensitive credentials into the environment without additional complications.
• I thought the security group configuration would allow the ECS tasks to communicate securely with RDS.

However, despite these steps, I am still facing connectivity and configuration issues that I can't seem to resolve.

Answer 1

How do I securely manage database credentials for the ECS tasks using Secrets Manager?

By configuring the ECS task to pull in the secret value as an environment variable, as documented here.

What’s the best way to configure security groups so ECS Fargate can communicate with RDS securely?

Create two security groups, one assigned to the RDS instance, and one assigned to the Fargate tasks.

For the security group assigned to the Fargate tasks, leave the default outbound rule that allows all outbound traffic.

For the security group assigned to the RDS PostgreSQL instance, add an inbound rule allowing traffic on port 5432, with the source value being the ID of the security group assigned to the Fargate tasks.