I'm working on a Vault deployment using Fargate with three replicas for the nodes, and I have a Network Load Balancer (NLB) in front of the ECS service. I want to ensure TLS is used for security both on the load balancer and for each Vault node. The challenge I'm facing is that certificates for these services typically require hostnames, like vault.company.com for the load balancer or vault-1.company.com for the nodes. However, since Fargate uses IP addresses that can change frequently as containers are created and destroyed, I'm unsure how to set up the TLS certificates or the deployment for proper TLS termination with these ephemeral IP addresses.
1 Answer
Have you thought about using wildcard certificates? That way, regardless of the specific node, the certificate would still be valid. For managing DNS with those IPs, consider setting up a sidecar that can update the DNS using the task metadata endpoint. Just keep in mind that you don't necessarily need the correct IP for TLS termination; as long as the container has the wildcard certificate, it should work just fine!
That makes sense! So I could use either the IPs directly or their AWS-hosted names for the certificates. Just to clarify though, would I need to actually map the DNS to the IPs or is it fine to just use the IPs with the certificates?
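An added example, not code from the question or the answer above: a Python sketch of the sidecar the answer describes. It reads the task's private IP from the ECS task metadata v4 endpoint (falling back to a constructed sample so it runs offline), builds the Route 53 UPSERT for a per-node name under the wildcard, and checks which hostnames a `*.company.com` certificate actually covers. The container name `vault`, the sample metadata document and the `company.com` zone are assumptions.

```python
import json
import os
from urllib.request import urlopen

# Constructed sample of the ECS task metadata v4 "/task" document, trimmed to
# the fields used below (assumption: the Vault container is named "vault").
SAMPLE_TASK_METADATA = json.dumps({
    "Containers": [{
        "Name": "vault",
        "Networks": [{"NetworkMode": "awsvpc", "IPv4Addresses": ["10.0.1.23"]}],
    }],
})

def fetch_task_metadata() -> dict:
    """On Fargate, read ${ECS_CONTAINER_METADATA_URI_V4}/task; elsewhere use
    the constructed sample so the script runs offline."""
    base = os.environ.get("ECS_CONTAINER_METADATA_URI_V4")
    if base:
        with urlopen(f"{base}/task", timeout=2) as resp:
            return json.load(resp)
    return json.loads(SAMPLE_TASK_METADATA)

def task_private_ip(task: dict, container_name: str = "vault") -> str:
    """Return the awsvpc private IPv4 address of the named container."""
    for c in task["Containers"]:
        if c["Name"] != container_name:
            continue
        for net in c.get("Networks", []):
            if net.get("NetworkMode") == "awsvpc" and net.get("IPv4Addresses"):
                return net["IPv4Addresses"][0]
    raise LookupError(f"no awsvpc IPv4 address for container {container_name!r}")

def route53_upsert(hostname: str, ip: str, ttl: int = 60) -> dict:
    """ChangeBatch a sidecar would hand to Route53.change_resource_record_sets
    (the hosted zone id is supplied separately by the caller)."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": hostname, "Type": "A", "TTL": ttl,
        "ResourceRecords": [{"Value": ip}]}}]}

def wildcard_matches(san: str, hostname: str) -> bool:
    """RFC 6125 rule: '*' covers exactly one leftmost label, so *.company.com
    matches vault-1.company.com but not company.com or a.vault-1.company.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".company.com"
    head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return head != "" and "." not in head
```

Note that a wildcard DNS certificate only validates a DNS name, so clients (and the NLB health checks, if they verify) must reach each node through its `vault-N.company.com` record rather than the bare task IP; an IP would have to appear as an IP SAN, which is impractical when the address changes on every task replacement.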