stackoom
  简体   繁体   中英

aws ecs docker container cannot reach the internet

 原文  2021-07-14 17:28:17       amazon-web-services/ amazon-ecs/ amazon-vpc/ nat

Question

I have an ECS cluster one container instance. I have an ECS service and corresponding task which deploys the REST API. For some reason, the internet is not reachable out of the container, but it is out from the container instance. As you can see from pic #4, the task is deployed in the subnet subnet-4e211127(Public Subnet 2) settings of which you may see in pic #8. It uses an internet gateway(igw). According to this SO , to make the ECS container reaching the internet, I need it should be deployed in the subject associated with nat.

So, when I edit Public Subnet 2 to use nat instead of igw I lost ssh connection to my container instance(ec2). Could it be the reason that my ec2 instance and ecs task use the same subnet and when I switch from igw to nat it affects ec2 ssh as well? You may find ec2 instance settings on pic #1.

Should I use different subnets for tasks and ec2 instances? You may it in pic #2.

It's not the case. I tried to use different subnets for ec2 and ECS tasks, the result is the same: the internet is not reachable out of the container, but ssh stayed working when I switched from igw to nat .

Security groups associated with the ec2 do not obligate any restriction on outgoing traffic.

I also tried some tricks with iptables on the host(not container) but it didn't help:

sudo iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT

Folks, could you please revise my current setup and give some hints about what I missed. Here are some details about my setup:

  1. Container Instance(EC2):

在此处输入图片说明

  1. Security Group(outbound rules):

在此处输入图片说明

  1. ECS Service

在此处输入图片说明

  1. ECS Task

在此处输入图片说明

  1. VPC configuration

在此处输入图片说明

  1. Private Subnet

在此处输入图片说明

  1. Public Subnet 1

在此处输入图片说明

  1. Public Subnet 2

在此处输入图片说明

  1. Roundtable rtb-7b352e13 / rt-nat

在此处输入图片说明

  1. Routetable rtb-08ae0e5d4eedfb60b / rt-igw

在此处输入图片说明

1 answers

solution1
 0  2021-11-04 11:24:34

There maybe different causes but base on your info I suggest

  • First make sure your ECS instance and aws-vpc Task stay in same subnet
  • Don't put ecs instance in public subnet. The statement that you can still do SSH to your instance mean your instance are in public subnet, and have a public IP. Everything in public subnet need a public IP to communicate with internet, simply put it in public subnet doesn't work. So you need to move ecs instance to private subnet where it can only access internet through NAT GW, then start your container on same subnet (normally ecs will start your container in same subnet with your ecs instance if you configure right "allowed subnets" in ECS service)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ECS container cannot reach database Showing docker container log in aws ECS cluster Docker data-only container on AWS ECS AWS ECS docker container RDS integration Connect to MongoDB in separate docker container (AWS ECS) ECS Fargate container cannot reach Route 53 URL Docker Container not working in AWS ECS using AWS ECR How do I get AWS credentials in the AWS ECS docker container? Docker container not running locally (Flask to AWS ECS - Part 8: Docker) AWS Elastic Beanstalk Vs EC2 Container Service (ECS) - Docker
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM