ECS Fargate service discovery

I am using AWS ECS Fargate, and I am currently using service discovery to allow my tasks to communicate with each other. I have an issue where my tasks can only communicate if I place this security group on them:

resource "aws_security_group" "ecs_config_service" {
  name        = "staging-ecs-config-service"
  description = "We need this so our services can communicate"
  vpc_id      = module.vpc.vpc_id

  # All protocols, all ports, from any IPv4 address
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }
}

If I remove this security group and only allow traffic from my load balancer, the containers can't communicate. This feels like a bit of a security risk, allowing traffic from anywhere, but I'm not sure how else I can allow my tasks to communicate.

My ECS cluster sits within a private subnet in my VPC.

Is there something I am missing with my setup?

Instead of whitelisting IP addresses, you should try whitelisting security groups. For example, if you have two separate services running in ECS, you could assign Security Group A to the first service and Security Group B to the second service, and create a rule in Security Group A that allows ingress from Security Group B.


Alternatively, you could at least restrict the IP range to the CIDR block of your VPC so that nothing outside the VPC would be able to access your services.
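The security-group-referencing approach from the answer above, written out in Terraform as an added example (this is not code from the question or the answer). It assumes two Fargate services, "web" and "api", where web tasks call api tasks through service discovery; the container ports, the `module.vpc` outputs, and the `aws_ecs_cluster`, task definition and `aws_service_discovery_service` resources it refers to are assumptions for illustration. The ingress rule lives on the security group of the service being called and references the caller's security group, so it matches whatever private IP Fargate assigns to a task without opening anything to 0.0.0.0/0:

```hcl
# Added example, not from the original post. Ports, names and the
# module.vpc / cluster / task definition references are assumptions.

locals {
  web_port = 8080 # assumed container port of the web service
  api_port = 9090 # assumed container port of the api service
}

# Security group on the public load balancer (assumed to exist).
resource "aws_security_group" "alb" {
  name   = "staging-alb"
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the web tasks: only the load balancer may reach them.
resource "aws_security_group" "web" {
  name        = "staging-ecs-web"
  description = "ECS web tasks: ingress from the ALB only"
  vpc_id      = module.vpc.vpc_id

  # Terraform drops the default allow-all egress rule of a new VPC security
  # group, so Fargate tasks need an explicit one (image pulls, calls to api).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group_rule" "web_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.web.id
  from_port                = local.web_port
  to_port                  = local.web_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# Security group for the api tasks: only tasks carrying the web security
# group may connect, and only on the api port.
resource "aws_security_group" "api" {
  name        = "staging-ecs-api"
  description = "ECS api tasks: ingress from web tasks only"
  vpc_id      = module.vpc.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group_rule" "api_from_web" {
  type                     = "ingress"
  security_group_id        = aws_security_group.api.id
  from_port                = local.api_port
  to_port                  = local.api_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
}

# The groups are attached through each service's awsvpc network
# configuration; the api service also registers itself in Cloud Map so the
# web tasks can resolve it by name. Cluster, task definition and discovery
# service resources are assumed to be defined elsewhere.
resource "aws_ecs_service" "api" {
  name            = "api"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.api.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets         = module.vpc.private_subnets
    security_groups = [aws_security_group.api.id]
  }

  service_registries {
    registry_arn = aws_service_discovery_service.api.arn
  }
}
```

Two things to check when adapting this: the rule goes on the security group of the service receiving the connection and names the caller's group (if api also calls web, add the mirror rule on `web`; security groups are stateful, so reply traffic needs no rule), and referencing a security group only works inside the same VPC or a peered VPC in the same region. If the VPC-CIDR fallback from the answer is used instead, replace `source_security_group_id` with `cidr_blocks = [module.vpc.vpc_cidr_block]`, keeping in mind that this then admits every host in the VPC rather than only the tasks of one service.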
