aws ecs docker 容器无法访问互联网
[英]aws ecs docker container cannot reach the internet
问题描述
I have an ECS cluster one container instance.
我有一个 ECS 集群一个容器实例。 I have an ECS service and corresponding task which deploys the REST API.我有一个 ECS 服务和相应的任务来部署 REST API。 For some reason, the internet is not reachable out of the container, but it is out from the container instance.出于某种原因,容器外无法访问 Internet,但它从容器实例外访问。 As you can see from pic #4, the task is deployed in the subnet subnet-4e211127(Public Subnet 2) settings of which you may see in pic #8.正如您从 pic #4 中看到的,该任务部署在子网 subnet-4e211127(Public Subnet 2) 设置中,您可以在 pic #8 中看到该设置。 It uses an internet gateway(igw).它使用互联网网关(igw)。 According to this SO , to make the ECS container reaching the internet, I need it should be deployed in the subject associated with nat.根据这个SO ,为了使 ECS 容器到达互联网,我需要将它部署在与 nat 关联的主题中。
So, when I edit Public Subnet 2 to use nat instead of igw I lost ssh connection to my container instance(ec2).因此,当我编辑公共子网 2 以使用nat而不是igw 时,我失去了与容器实例 (ec2) 的 ssh 连接。 Could it be the reason that my ec2 instance and ecs task use the same subnet and when I switch from igw to nat it affects ec2 ssh as well?这可能是我的 ec2 实例和 ecs 任务使用相同子网的原因,当我从igw切换到nat 时,它也会影响 ec2 ssh 吗? You may find ec2 instance settings on pic #1.您可以在 pic #1 上找到 ec2 实例设置。
Should I use different subnets for tasks and ec2 instances?我应该为任务和 ec2 实例使用不同的子网吗? You may it in pic #2.你可以在图 #2 中。
It's not the case.事实并非如此。 I tried to use different subnets for ec2 and ECS tasks, the result is the same: the internet is not reachable out of the container, but ssh stayed working when I switched from igw to nat .我尝试为 ec2 和 ECS 任务使用不同的子网,结果是一样的:互联网无法从容器中访问,但是当我从igw切换到nat时 ssh 保持工作。
Security groups associated with the ec2 do not obligate any restriction on outgoing traffic.与 ec2 关联的安全组不对传出流量施加任何限制。
I also tried some tricks with iptables on the host(not container) but it didn't help:我还在主机(不是容器)上使用iptables尝试了一些技巧,但没有帮助:
sudo iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
Folks, could you please revise my current setup and give some hints about what I missed.伙计们,能否请您修改我当前的设置并就我遗漏的内容提供一些提示。 Here are some details about my setup:以下是有关我的设置的一些详细信息:
- Container Instance(EC2):容器实例(EC2):
- Security Group(outbound rules):安全组(出站规则):
- ECS Service ECS服务
- ECS Task ECS任务
- VPC configuration专有网络配置
- Private Subnet私有子网
- Public Subnet 1公共子网 1
- Public Subnet 2公共子网 2
- Roundtable rtb-7b352e13 / rt-nat圆桌会议 rtb-7b352e13 / rt-nat
- Routetable rtb-08ae0e5d4eedfb60b / rt-igw路由表 rtb-08ae0e5d4eedfb60b / rt-igw
1 个解决方案
解决方案1
0 2021-11-04 11:24:34
There maybe different causes but base on your info I suggest可能有不同的原因,但我建议根据您的信息
- First make sure your ECS instance and aws-vpc Task stay in same subnet首先确保您的 ECS 实例和 aws-vpc 任务保持在同一子网中
- Don't put ecs instance in public subnet.不要将 ecs 实例放在公共子网中。 The statement that you can still do SSH to your instance mean your instance are in public subnet, and have a public IP.您仍然可以对您的实例执行 SSH 的声明意味着您的实例位于公共子网中,并且具有公共 IP。 Everything in public subnet need a public IP to communicate with internet, simply put it in public subnet doesn't work.公共子网中的所有内容都需要一个公共 IP 才能与 Internet 通信,简单地将其放在公共子网中是行不通的。 So you need to move ecs instance to private subnet where it can only access internet through NAT GW, then start your container on same subnet (normally ecs will start your container in same subnet with your ecs instance if you configure right "allowed subnets" in ECS service)因此,您需要将 ecs 实例移动到只能通过 NAT GW 访问互联网的私有子网,然后在同一子网上启动您的容器(如果您在ECS服务)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.