AWS: ECS Service with Elastic IP
I've created a cluster, VPC, subnet and a Fargate service using the first-run wizard of ECS in the AWS console, uploaded the image to ECR and deployed successfully.
Now I need the service to access a remote database, so I need to add its IP to the firewall's whitelist. I allocated an Elastic IP, created a NAT Gateway and updated the route table following this tutorial.
I stopped the task and tried to run it again, but then I could not pull the image from ECR to run a new task; it failed with the following error message:
CannotPullContainerError: Error response from daemon: Get https://account-id.dkr.ecr.sa-east-1.amazonaws.com/v2/ : net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
My setup:
Destination | Target
----------------|-------------
10.0.0.0/16 | local
0.0.0.0/0 | nat-<nat-id>
NAT Gateway on the VPC and subnets that were created by the ECS wizard, using the Elastic IP I allocated.
Currently, I'm allowing all traffic in both inbound and outbound rules:
Type | Protocol | Port range | Source | Description - optional
-----|----------|------------|---------|------------------------
All | All | All |0.0.0.0/0| -
What am I missing? Is this the only way I can accomplish what I want? Is there a simpler way to achieve it?
I found on Stack Overflow another way to associate an Elastic IP, by using an Application Load Balancer or Network Load Balancer. Is that a better approach?
The ECS wizard creates a VPC with two public subnets, 10.0.0.0/24 and 10.0.1.0/24. They both use a single route table (RT) which points to the internet gateway (IGW). However, from your question it appears that you've modified it to use NAT.
Sadly, this will not work, as you've already experienced. To rectify the issue, you could create a third subnet (or more if you need HA). The subnet will be private with no internet connection. Instead it will have a new RT which routes internet traffic to the NAT. Your Fargate tasks would be launched in the private subnet(s).
The new RT of the new subnet(s) would be:
Destination | Target
----------------|-------------
10.0.0.0/16 | local
0.0.0.0/0 | nat-<nat-id>
The RT of the two original public subnets should be modified to route traffic to the IGW, as it was originally:
Destination | Target
----------------|-------------
10.0.0.0/16 | local
0.0.0.0/0 | IGW
I thought I'd explain this. You are getting the CannotPullContainerError because there is no route to the internet. Traffic to ECR goes through the internet by default.
Your Fargate service is running in a private subnet which does not have direct routes to the internet. In order to get internet access, the private subnet where the Fargate task is running should have routes in its route table that send traffic to the internet via the NAT Gateway (you have done this already). Therefore:
Destination | Target
----------------|-------------
10.0.0.0/16 | local
0.0.0.0/0 | Natgateway
The NAT Gateway simply forwards the traffic to the internet gateway. The NAT Gateway is deployed in the public subnet, and that subnet has a route to the internet via the internet gateway. Therefore the subnet where the NAT Gateway is deployed should have the following route:
Destination | Target
----------------|-------------
10.0.0.0/16 | local
0.0.0.0/0 | InternetGateway
Note: You can also talk to ECR privately, without going through the internet, by creating an ECR VPC endpoint.
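The private-endpoint alternative mentioned in the note above, as an added Terraform example (not code from the answer's author). It creates the three endpoints a Fargate image pull needs when it must not leave the VPC: the `ecr.api` and `ecr.dkr` interface endpoints plus an S3 gateway endpoint for the image layers, and a `logs` endpoint for tasks that use the awslogs driver. The VPC, subnet and route-table IDs are passed in as variables and are assumptions; the region is the one from the error message.

```hcl
# Inputs from the existing VPC setup (the values are assumptions).
variable "vpc_id" { type = string }
variable "vpc_cidr" { type = string }                  # e.g. 10.0.0.0/16
variable "private_subnet_ids" { type = list(string) }  # where the Fargate tasks run
variable "private_route_table_id" { type = string }    # the RT that points at the NAT

locals {
  region = "sa-east-1" # region from the error message
}

# Interface endpoints are ENIs in the private subnets; the tasks reach them over HTTPS.
resource "aws_security_group" "endpoints" {
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr] # only hosts inside the VPC can use the endpoints
  }
}

# ecr.api: ECR control-plane calls such as GetAuthorizationToken.
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${local.region}.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true # the public ECR hostnames then resolve to the endpoint ENIs
}

# ecr.dkr: the registry host the container runtime hits (the /v2/ URL in the error).
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${local.region}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# Image layers are served from S3, so a Gateway endpoint on the private route table
# is required too; without it the pull still needs a path to the internet.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]
}

# Needed only if the task definition uses the awslogs log driver.
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${local.region}.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

Private DNS on the interface endpoints only works when the VPC has DNS support and DNS hostnames enabled. Two caveats for the question's scenario: the endpoints make the image pull independent of the NAT path, but the connection to the remote database still has to egress through the NAT Gateway's Elastic IP, so the NAT Gateway stays; and the endpoints are billed per hour and per GB, so for a single small service the NAT-only layout from the first answer may be the cheaper option.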