
Private Subnet Design for n8n on ECS


An n8n task does not need a public IP to be useful. In most production ECS deployments, the safer pattern is to run tasks in private subnets, expose only the load balancer, and make outbound access explicit.

That design is especially important for security automation. If a workflow is compromised, the attacker should not inherit broad internet and internal network reach from the platform.

Context

Problem: Publicly reachable ECS tasks and broad egress make n8n a convenient pivot point.

Approach: Put tasks in private subnets, expose ingress through ALB, and route outbound traffic through controlled paths.

Outcome: n8n stays reachable for users and webhooks while its network blast radius is reduced.

Ingress pattern

Keep the Application Load Balancer in public subnets. Keep ECS tasks in private subnets. Security groups should allow:

  • Internet to ALB on approved ports.
  • ALB to n8n tasks on the container port.
  • n8n tasks to database and Redis on required ports.
  • n8n tasks to approved outbound destinations only.

The task security group should not allow inbound traffic from arbitrary sources. The ALB is the front door.

Egress pattern

Outbound design depends on workflow requirements:

  • Use VPC endpoints for AWS APIs where practical.
  • Use NAT for required internet APIs, with flow logging and review.
  • Use an egress proxy when destination allowlisting matters.
  • Block cloud metadata endpoints from workflow contexts that do not need them.
  • Split high-trust action workflows from low-trust enrichment workflows.

For example, a workflow that parses inbound email should not have the same network path as a workflow that disables users in an identity provider.
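The egress proxy allowlisting and trust-tier split above can be made concrete as a small policy evaluator. The following is an added example for this post, not n8n code or anything from an AWS service; the tier names, allowlisted hostnames and blocked ranges are constructed assumptions, and in a real deployment the same decision would sit in the proxy's configuration rather than in workflow code.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example: per-tier destination allowlists. Hostnames are exact
# matches; an entry starting with "." matches that domain and its subdomains.
# (Assumption: two trust tiers, matching the split described in the post.)
EGRESS_POLICY = {
    "enrichment": {"api.example-threatintel.test", ".example-mail.test"},
    "action": {"idp.example-corp.test"},
}

# Ranges a workflow context should never reach directly: cloud metadata
# endpoints (169.254.169.254, 169.254.170.2) live in link-local space, and
# RFC 1918 / loopback / ULA ranges are internal network reach.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fd00::/8"),
    ipaddress.ip_network("::1/128"),
]


def host_allowed(host, allowlist):
    """Exact match, or suffix match for entries written as '.domain'."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def evaluate_egress(tier, url):
    """Return (allowed, reason) for a workflow in `tier` requesting `url`."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https egress is permitted"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # Literal IP destinations bypass hostname allowlisting, so they are
    # classified against the blocked ranges and otherwise rejected outright.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{addr} is in a blocked range"
        return False, "literal IP destinations are not allowlisted"
    allowlist = EGRESS_POLICY.get(tier)
    if allowlist is None:
        return False, f"unknown workflow tier {tier!r}"
    if host_allowed(host, allowlist):
        return True, f"{host} is on the {tier} allowlist"
    return False, f"{host} is not on the {tier} allowlist"


if __name__ == "__main__":
    for tier, url in [
        ("enrichment", "https://api.example-threatintel.test/v1/lookup"),
        ("enrichment", "https://idp.example-corp.test/users"),
        ("enrichment", "https://169.254.169.254/latest/meta-data/"),
    ]:
        print(tier, url, evaluate_egress(tier, url))
```

The point of keeping the allowlist per tier is that the email-parsing workflow never gets a path to the identity provider even if both run on the same cluster; the literal-IP branch is what keeps a metadata or RFC 1918 address from slipping past a hostname-only allowlist.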

Blue team visibility

Private subnets do not create visibility by themselves. Enable enough telemetry to see:

  • New outbound destinations from n8n task ENIs.
  • Connections to internal address ranges.
  • Failed attempts to reach blocked destinations.
  • NAT gateway volume changes after workflow deployments.
  • Security group changes affecting n8n services.

VPC Flow Logs are especially useful when paired with workflow execution timestamps.
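As an added example of that pairing (not code from the post or from n8n), the following parses VPC Flow Log records in the default format, keeps only outbound flows from n8n task ENIs, flags the signals listed above, and attaches the workflow executions whose time window overlaps each flow. The ENI ids, addresses, flow records and execution records are all constructed; a real pipeline would read the log records from CloudWatch Logs or S3 and the execution windows from the n8n database or API.

```python
import ipaddress

# Constructed: private IP of each ENI attached to an n8n task (from the
# task's ElasticNetworkInterface attachment), plus destinations already
# reviewed as expected. All identifiers and addresses are made up.
N8N_TASK_ENIS = {"eni-n8n-0001": "10.0.10.5", "eni-n8n-0002": "10.0.10.6"}
KNOWN_EXTERNAL = {"203.0.113.10"}                 # previously reviewed outbound destinations
APPROVED_INTERNAL = {"10.0.20.15", "10.0.21.8"}   # RDS and Redis in this example VPC

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IMDS and ECS metadata live here

# Constructed VPC Flow Log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_SAMPLE = """\
2 123456789012 eni-n8n-0001 10.0.10.5 10.0.20.15 43210 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-n8n-0001 10.0.10.5 203.0.113.10 43211 443 6 30 6000 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-n8n-0002 10.0.10.6 198.51.100.7 43212 443 6 12 3000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-n8n-0002 10.0.10.6 10.0.30.40 43213 22 6 1 60 1700000110 1700000170 REJECT OK
2 123456789012 eni-n8n-0002 10.0.10.6 169.254.169.254 43214 80 6 1 60 1700000115 1700000175 REJECT OK
2 123456789012 eni-alb-0001 10.0.1.9 10.0.10.5 51000 5678 6 40 8000 1700000000 1700000060 ACCEPT OK
"""

# Constructed n8n execution records: (workflow name, start epoch, end epoch)
WORKFLOW_EXECUTIONS = [
    ("parse-inbound-email", 1700000000, 1700000070),
    ("disable-idp-user", 1700000095, 1700000180),
]


def parse_flow_log(text):
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2":
            continue  # skip headers or records that are not default-format v2 lines
        records.append({
            "eni": f[2], "src": f[3], "dst": f[4], "dstport": int(f[6]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12],
        })
    return records


def overlapping_workflows(start, end):
    """Executions whose window overlaps the flow's capture window."""
    return [name for name, s, e in WORKFLOW_EXECUTIONS if s <= end and start <= e]


def analyze_outbound(records):
    findings = []
    for r in records:
        own_ip = N8N_TASK_ENIS.get(r["eni"])
        if own_ip is None or r["src"] != own_ip:
            continue  # not outbound traffic from an n8n task ENI
        dst = ipaddress.ip_address(r["dst"])
        reasons = []
        if r["action"] == "REJECT":
            reasons.append("rejected")
        if dst in LINK_LOCAL:
            reasons.append("metadata-endpoint")
        elif any(dst in n for n in RFC1918):
            if r["dst"] not in APPROVED_INTERNAL:
                reasons.append("unexpected-internal")
        elif r["dst"] not in KNOWN_EXTERNAL:
            reasons.append("new-external-destination")
        if reasons:
            findings.append({
                "eni": r["eni"], "dst": r["dst"], "dstport": r["dstport"],
                "reasons": reasons,
                "workflows": overlapping_workflows(r["start"], r["end"]),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_outbound(parse_flow_log(FLOW_LOG_SAMPLE)):
        print(finding)
```

On the sample above, the approved RDS connection and the already-known external destination produce nothing, while the new external host, the rejected attempt to reach an internal address on port 22 and the rejected metadata request are each reported with the execution that was running at the time. The ALB-to-task record is ignored because its source is not a task ENI address, which is the check that keeps inbound flows from being misread as egress.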

Validation checklist

  • Confirm ECS tasks do not have public IP addresses.
  • Confirm the editor is reachable only through the intended hostname.
  • Attempt direct task access from an untrusted source and verify it fails.
  • Attempt outbound access to an unapproved destination and verify it is denied or logged.
  • Confirm RDS and Redis security groups accept traffic only from approved task groups.
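The first and last items on this checklist, together with the security group shape described under the ingress pattern, can be checked automatically. The following is an added example and not code from the post or from any AWS tooling: it runs offline over constructed data structures that mirror the trimmed shape of `aws ecs describe-tasks`, `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups` output (the group ids, ENI ids and addresses are made up, and two violations are planted so the checks have something to report). Wiring it to live data means replacing the constructed dictionaries with the corresponding API responses.

```python
# Constructed identifiers; none refer to a real account.
ALB_SG, TASK_SG, DB_SG, REDIS_SG = "sg-alb", "sg-n8n-task", "sg-rds", "sg-redis"
N8N_CONTAINER_PORT = 5678

# Shape of `aws ecs describe-tasks` output, trimmed to the fields used here.
TASKS = {"tasks": [
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/n8n/0001",
     "attachments": [{"type": "ElasticNetworkInterface",
                      "details": [{"name": "networkInterfaceId", "value": "eni-n8n-0001"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/n8n/0002",
     "attachments": [{"type": "ElasticNetworkInterface",
                      "details": [{"name": "networkInterfaceId", "value": "eni-n8n-0002"}]}]},
]}

# Shape of `aws ec2 describe-network-interfaces` output. The second ENI
# carries a public IP association: a constructed misconfiguration.
ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-n8n-0001", "PrivateIpAddress": "10.0.10.5",
     "Groups": [{"GroupId": TASK_SG}]},
    {"NetworkInterfaceId": "eni-n8n-0002", "PrivateIpAddress": "10.0.10.6",
     "Groups": [{"GroupId": TASK_SG}], "Association": {"PublicIp": "203.0.113.44"}},
]}

# Shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": TASK_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5678, "ToPort": 5678,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        # constructed violation: SSH open to the world on the task group
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": DB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": TASK_SG}]},
    ]},
    {"GroupId": REDIS_SG, "IpPermissions": [
        # constructed violation: a CIDR source alongside the SG-to-SG rule
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": [{"GroupId": TASK_SG}]},
    ]},
]}

# Intended inbound policy: the (source security group, port) pairs each group may accept.
EXPECTED_INBOUND = {
    TASK_SG: {(ALB_SG, N8N_CONTAINER_PORT)},
    DB_SG: {(TASK_SG, 5432)},
    REDIS_SG: {(TASK_SG, 6379)},
}


def task_eni_ids(tasks):
    ids = []
    for task in tasks["tasks"]:
        for att in task.get("attachments", []):
            if att.get("type") == "ElasticNetworkInterface":
                ids += [d["value"] for d in att["details"] if d["name"] == "networkInterfaceId"]
    return ids


def check_no_public_ips(tasks, enis):
    """Checklist item 1: no task ENI may carry a public IP association."""
    by_id = {e["NetworkInterfaceId"]: e for e in enis["NetworkInterfaces"]}
    return [
        f"{eni_id} has public IP {by_id[eni_id]['Association']['PublicIp']}"
        for eni_id in task_eni_ids(tasks)
        if by_id.get(eni_id, {}).get("Association", {}).get("PublicIp")
    ]


def check_inbound_rules(groups, expected):
    """Inbound rules must be SG-to-SG only and match the expected (source, port) set."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    findings = []
    for sg_id, allowed in expected.items():
        for perm in by_id[sg_id]["IpPermissions"]:
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                findings.append(f"{sg_id}: CIDR source {cidr} on ports {ports}; expected SG sources only")
            for pair in perm.get("UserIdGroupPairs", []):
                if ports[0] != ports[1] or (pair["GroupId"], ports[0]) not in allowed:
                    findings.append(f"{sg_id}: source {pair['GroupId']} on ports {ports} not in expected policy")
    return findings


def run_validation():
    return check_no_public_ips(TASKS, ENIS) + check_inbound_rules(SECURITY_GROUPS, EXPECTED_INBOUND)


if __name__ == "__main__":
    for finding in run_validation():
        print("FAIL:", finding)
```

Expressing the intended policy as a set of (source group, port) pairs is deliberate: any CIDR-based inbound rule on the task, RDS or Redis groups is reported regardless of how narrow it looks, because the design in this post routes every inbound path through a security group reference rather than an address range. The remaining checklist items (probing direct task access and unapproved egress from an untrusted source) are behavioural tests that need a real network position and are not covered by this static check.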

Takeaways

Private subnet design gives n8n a cleaner security boundary on ECS. The important step is not just moving tasks off the public internet; it is making every ingress and egress path deliberate.

This post is licensed under CC BY 4.0 by the author.