diff --git a/docs/configuration/backends/ecs.md b/docs/configuration/backends/ecs.md
index 50219978f..29b3d9248 100644
--- a/docs/configuration/backends/ecs.md
+++ b/docs/configuration/backends/ecs.md
@@ -102,6 +102,8 @@ If `accessKeyID`/`secretAccessKey` is not given credentials will be resolved in
 - Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
 - EC2 instance role or ECS task role
 
+To enable constraints see [provider-specific constraints section](/configuration/commons/#provider-specific).
+
 ## Policy
 
 Træfik needs the following policy to read ECS information:
diff --git a/docs/configuration/commons.md b/docs/configuration/commons.md
index 481843362..b75db1974 100644
--- a/docs/configuration/commons.md
+++ b/docs/configuration/commons.md
@@ -144,6 +144,7 @@ Supported Providers:
 - Consul K/V
 - BoltDB
 - Zookeeper
+- ECS
 - Etcd
 - Consul Catalog
 - Rancher
diff --git a/provider/ecs/config.go b/provider/ecs/config.go
index 46d2da9b8..2f602da2d 100644
--- a/provider/ecs/config.go
+++ b/provider/ecs/config.go
@@ -87,6 +87,14 @@ func (p *Provider) filterInstance(i ecsInstance) bool {
 		return false
 	}
 
+	constraintTags := label.GetSliceStringValue(i.TraefikLabels, label.TraefikTags)
+	if ok, failingConstraint := p.MatchConstraints(constraintTags); !ok {
+		if failingConstraint != nil {
+			log.Debugf("Filtering ecs instance pruned by constraint %s (%s) (constraint = %q)", i.Name, i.ID, failingConstraint.String())
+		}
+		return false
+	}
+
 	return true
 }
 
diff --git a/provider/ecs/config_test.go b/provider/ecs/config_test.go
index f2ce11913..26ba8931a 100644
--- a/provider/ecs/config_test.go
+++ b/provider/ecs/config_test.go
@@ -372,6 +372,7 @@ func TestFilterInstance(t *testing.T) {
 		instanceInfo     ecsInstance
 		exposedByDefault bool
 		expected         bool
+		constrain        bool
 	}{
 		{
 			desc:             "Instance without enable label and exposed by default enabled should be not filtered",
@@ -455,6 +456,24 @@ func TestFilterInstance(t *testing.T) {
 			exposedByDefault: true,
 			expected:         true,
 		},
+		{
+			desc: "Instance with failing constraint should be filtered",
+			instanceInfo: simpleEcsInstance(map[string]*string{
+				label.TraefikTags: aws.String("private"),
+			}),
+			exposedByDefault: true,
+			expected:         false,
+			constrain:        true,
+		},
+		{
+			desc: "Instance with passing constraint should not be filtered",
+			instanceInfo: simpleEcsInstance(map[string]*string{
+				label.TraefikTags: aws.String("public"),
+			}),
+			exposedByDefault: true,
+			expected:         true,
+			constrain:        true,
+		},
 	}
 
 	for _, test := range testCases {
@@ -465,6 +484,11 @@ func TestFilterInstance(t *testing.T) {
 			prov := &Provider{
 				ExposedByDefault: test.exposedByDefault,
 			}
+			if test.constrain {
+				constraints := types.Constraints{}
+				assert.NoError(t, constraints.Set("tag==public"))
+				prov.Constraints = constraints
+			}
 
 			actual := prov.filterInstance(test.instanceInfo)
 			assert.Equal(t, test.expected, actual)