
Securing AWS ECS Cluster

We are trying to create an ECS cluster; however, we noticed that the internal ECS Agent is unable to register. We unblocked TCP 443 (ACL and SG), but it still did not register. We then proceeded to open up everything (All Traffic, both TCP and UDP), and then the agent was able to register.

We tried to investigate what is being used with FlowLogs, but it seems that the agent is using a random port and a different IP each time, which makes it almost impossible for us to secure our network because of the agent. We tried and searched a lot for documentation about how the ECS Agent works and what it needs to run properly, to no avail.

What we would like to achieve is to secure our network while allowing the agent to function as needed. Perhaps a better question would be: which ports exactly is the ecs-agent trying to use, and which IPs should we allow that traffic to come from/go to?

From just 1 hour, the flow log shows IPs from all over the world trying to hit the servers; it just doesn't make sense not to prioritize this matter.

The ECS agent needs outgoing internet access to register itself to the cluster.

Here are some steps to try:

  • Check the security group on the EC2 instances to ensure it allows outbound traffic.
  • Check the VPC config where the ECS instances are running and ensure they have internet access.
  • Check your VPC route tables to ensure they route destination 0.0.0.0/0 to your Internet Gateway.
  • Check your ACL rules and ensure your outbound rules match your inbound - which has bitten me a few times!
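
The last point above is the one that usually explains the symptom in the question: a network ACL is stateless, so allowing outbound TCP 443 is not enough, the replies from the ECS endpoints come back to a random ephemeral destination port and need their own inbound allow rule. The following added example (not from the original answer or from AWS tooling) evaluates constructed NACL rule sets the way the VPC does, lowest rule number first, first match wins, implicit deny at the end. The endpoint address 203.0.113.10 and the attacker address 198.51.100.7 are documentation placeholders.

```python
"""Evaluate a stateless network ACL for the ECS agent's HTTPS round trip."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluated lowest first; first match wins
    egress: bool      # True = outbound rule, False = inbound rule
    protocol: str     # "tcp", "udp" or "-1" (all protocols)
    cidr: str
    port_from: int    # destination port range (ignored when protocol == "-1")
    port_to: int
    allow: bool


def evaluate(rules, egress, protocol, ip, port):
    """Return True if the packet is allowed; no matching rule means the '*' deny."""
    candidates = sorted((r for r in rules if r.egress == egress), key=lambda r: r.number)
    for r in candidates:
        if r.protocol not in ("-1", protocol):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        return r.allow
    return False


def ecs_agent_path_ok(rules, endpoint_ip="203.0.113.10"):
    """Outbound to :443 must pass AND the reply into an ephemeral port must pass."""
    out_ok = evaluate(rules, egress=True, protocol="tcp", ip=endpoint_ip, port=443)
    # Replies land on a random ephemeral port; check both ends of the range and one typical value.
    reply_ok = all(evaluate(rules, egress=False, protocol="tcp", ip=endpoint_ip, port=p)
                   for p in (1024, 32768, 65535))
    return out_ok and reply_ok


# Constructed rule sets. BROKEN mirrors "unblocked TCP 443 in the ACL" only.
BROKEN_RULES = [
    NaclRule(100, True,  "tcp", "0.0.0.0/0", 443, 443, True),
    NaclRule(100, False, "tcp", "0.0.0.0/0", 443, 443, True),
]
# FIXED adds the inbound ephemeral-port rule for return traffic and nothing else.
FIXED_RULES = [
    NaclRule(100, True,  "tcp", "0.0.0.0/0", 443, 443, True),
    NaclRule(100, False, "tcp", "0.0.0.0/0", 1024, 65535, True),
]

if __name__ == "__main__":
    print("broken:", ecs_agent_path_ok(BROKEN_RULES), "fixed:", ecs_agent_path_ok(FIXED_RULES))
```

With the fixed set the agent's round trip works while unsolicited inbound connections to low ports (for example port 22 from 198.51.100.7) still fall through to the implicit deny, so the ephemeral-port rule does not mean "open everything".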
