diff --git a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
index b9a0acef5d314..bc8200ef16d18 100644
--- a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -586,7 +586,7 @@ export abstract class BaseService extends Resource
 // tslint:disable-next-line:max-line-length
 protected configureAwsVpcNetworking(vpc: ec2.IVpc, assignPublicIp?: boolean, vpcSubnets?: ec2.SubnetSelection, securityGroup?: ec2.ISecurityGroup) {
 if (vpcSubnets === undefined) {
- vpcSubnets = { subnetType: assignPublicIp ? ec2.SubnetType.PUBLIC : ec2.SubnetType.PRIVATE };
+ vpcSubnets = assignPublicIp ? { subnetType: ec2.SubnetType.PUBLIC } : {};
 }
 if (securityGroup === undefined) {
 securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc });
diff --git a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
index 602bb0bb6c121..4d3f3de89a628 100644
--- a/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/ec2/ec2-service.ts
@@ -33,7 +33,7 @@ export interface Ec2ServiceProps extends BaseServiceOptions {
 *
 * This property is only used for tasks that use the awsvpc network mode.
 *
- * @default - Private subnets.
+ * @default - Public subnets if `assignPublicIp` is set, otherwise the first available one of Private, Isolated, Public, in that order.
 */
 readonly vpcSubnets?: ec2.SubnetSelection;
diff --git a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
index a69f14304f637..58d72a7c1ac04 100644
--- a/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts
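Review bot: In `configureAwsVpcNetworking` (base-service.ts), the new `{}` default lets a service with `assignPublicIp` unset resolve to public subnets when the VPC has no private or isolated ones, and nothing on or around the changed line tells the caller that this happened. Placement on such a VPC apparently used to fail; now it succeeds quietly, and the only inbound control visible in the hunk is the default `SecurityGroup` created just below. I would add a comment on the changed line, `// {} defers to the VPC's default subnet selection, which can resolve to public subnets`, and consider a synth-time warning for that case. The `@default` text changed in ec2-service.ts and fargate-service.ts could carry the same caveat. The function body continues past the end of this hunk.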
@@ -28,7 +28,7 @@ export interface FargateServiceProps extends BaseServiceOptions {
 /**
 * The subnets to associate with the service.
 *
- * @default - Private subnets.
+ * @default - Public subnets if `assignPublicIp` is set, otherwise the first available one of Private, Isolated, Public, in that order.
 */
 readonly vpcSubnets?: ec2.SubnetSelection;
diff --git a/packages/@aws-cdk/aws-ecs/test/fargate/test.fargate-service.ts b/packages/@aws-cdk/aws-ecs/test/fargate/test.fargate-service.ts
index 2798e690bd9d6..7cbb4888e7766 100644
--- a/packages/@aws-cdk/aws-ecs/test/fargate/test.fargate-service.ts
+++ b/packages/@aws-cdk/aws-ecs/test/fargate/test.fargate-service.ts
@@ -82,6 +82,34 @@ export = {
 test.done();
 },
+ 'can create service with default settings if VPC only has public subnets'(test: Test) {
+ // GIVEN
+ const stack = new cdk.Stack();
+ const vpc = new ec2.Vpc(stack, 'MyVpc', {
+ subnetConfiguration: [
+ {
+ cidrMask: 28,
+ name: 'public-only',
+ subnetType: ec2.SubnetType.PUBLIC
+ }
+ ]
+ });
+ const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+ const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef');
+ taskDefinition.addContainer('web', {
+ image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+ });
+
+ // WHEN
+ new ecs.FargateService(stack, 'FargateService', {
+ cluster,
+ taskDefinition,
+ });
+
+ // THEN -- did not throw
+ test.done();
+ },
+
 'with custom cloudmap namespace'(test: Test) {
 // GIVEN
 const stack = new cdk.Stack();
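Review bot: The new test 'can create service with default settings if VPC only has public subnets' checks only that construction does not throw, so the subnets and public-IP setting the service ends up with are not pinned. Since the change is about where the task is placed, an assertion on the synthesized service's network configuration (the subnet references and the assign-public-IP value) would catch a later regression in the fallback order. It would also record that a task in a public subnet without a public IP is the intended outcome; such a task presumably has no route to pull `amazon/amazon-ecs-sample` unless the VPC provides one, which is worth confirming. At minimum I would extend the comment to `// THEN -- did not throw (placement and AssignPublicIp not asserted)`.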