I created an ECS service in an AWS ECS cluster. My container uses the awsvpc network mode. The service has no load balancer.
But it cannot reach any public internet resources.
When I go to the ECS instance and ssh into the Docker container, I cannot wget any public resources.
root@ip-10-3-1-23:/app# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
root@ip-10-3-1-23:/app# wget google.com
--2019-08-31 22:34:38-- http://google.com/
Resolving google.com (google.com)... 172.217.9.206, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|172.217.9.206|:80... ^C
root@ip-10-3-1-23:/app#
EC2 instance security group:
Inbound:
Type             Protocol  Port Range  Source                                   Description
All TCP          TCP       0 - 65535   10.3.0.0/16
SSH              TCP       22          sg-5c260123 (mgmt-bastion)
Custom TCP Rule  TCP       51678       sg-0784b8f53ab37c234 (mgmt-jenkins-sg)
Outbound:
Type             Protocol  Port Range  Destination                              Description
All traffic      All       All         0.0.0.0/0
Service security group:
Inbound:
Type             Protocol  Port Range  Source                                   Description
All TCP          TCP       0 - 65535   10.3.0.0/16
Outbound:
Type             Protocol  Port Range  Destination                              Description
All traffic      All       All         0.0.0.0/0
Could you help me debug this and tell me how to allow internet access, please?
To troubleshoot why your Amazon EC2 instance can't access the internet, do the following:
Verify that the EC2 instance meets all prerequisites.
Verify that the instance has a public IP address.
Verify that a firewall isn't blocking the access.
Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet.
The instances in the public subnet can send outbound traffic directly to the internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the internet by using a network address translation (NAT) gateway that resides in the public subnet.
From the AWS documentation:
The awsvpc network mode does not provide task ENIs with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.
I fixed the issue by adding one entry to the route table of the subnet where the ECS task is created.
Destination Target
10.3.0.0/16 local
0.0.0.0/0 nat-02dcc4c6b32bdae00
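As an added example (not from the question or any of the answers above), the check below classifies a subnet's egress path from its route table, following the diagnosis this thread arrives at: no default route at all (the questioner's subnet before the fix), a default route to an internet gateway (which still does not help an awsvpc task ENI on the EC2 launch type, because that ENI never gets a public IP), a blackholed default route, or a default route to a NAT gateway (the fix). The route entries are constructed to mirror the `Routes` shape returned by `aws ec2 describe-route-tables`; the NAT gateway ID is the one from the fix above, the internet gateway ID is a placeholder, and `check_subnet` is an optional live wrapper that assumes boto3 and AWS credentials are available. Note that the security groups in the question allow all outbound traffic, so the example looks only at routing, which is where the problem was.

```python
"""Classify whether an ENI in a given subnet can reach the internet.

Added example, not code from the original post. Route entries are
constructed to mirror the 'Routes' list from describe-route-tables.
"""
import re

NAT_RE = re.compile(r"^nat-[0-9a-f]+$")
IGW_RE = re.compile(r"^igw-[0-9a-f]+$")

# Constructed sample data. The local route and NAT gateway ID come from the
# post; the internet gateway ID is a placeholder, not a real resource.
LOCAL_ROUTE = {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local", "State": "active"}
SUBNET_BEFORE_FIX = [LOCAL_ROUTE]
SUBNET_AFTER_FIX = [LOCAL_ROUTE,
                    {"DestinationCidrBlock": "0.0.0.0/0",
                     "NatGatewayId": "nat-02dcc4c6b32bdae00", "State": "active"}]
PUBLIC_SUBNET = [LOCAL_ROUTE,
                 {"DestinationCidrBlock": "0.0.0.0/0",
                  "GatewayId": "igw-0123456789abcdef0", "State": "active"}]
BLACKHOLED_SUBNET = [LOCAL_ROUTE,
                     {"DestinationCidrBlock": "0.0.0.0/0",
                      "NatGatewayId": "nat-0deadbeefdeadbee0", "State": "blackhole"}]


def default_route(routes):
    """Return the 0.0.0.0/0 route entry (any state), or None if absent."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r
    return None


def classify_egress(routes, eni_has_public_ip=False):
    """Return (ok, reason) for an ENI in a subnet using these routes.

    eni_has_public_ip is True only if the ENI carries a public or Elastic IP.
    Task ENIs created by awsvpc mode on the EC2 launch type never do, so for
    them a public subnet is not enough: they need a NAT gateway.
    """
    r = default_route(routes)
    if r is None:
        return False, ("no 0.0.0.0/0 route: subnet is isolated; add a default "
                       "route to a NAT gateway")
    if r.get("State") == "blackhole":
        return False, "0.0.0.0/0 route is blackholed: its target no longer exists"
    target = r.get("NatGatewayId") or r.get("GatewayId") or r.get("InstanceId") or ""
    if NAT_RE.match(target):
        return True, f"private subnet: default route via NAT gateway {target}"
    if IGW_RE.match(target):
        if eni_has_public_ip:
            return True, f"public subnet: default route via {target} and ENI has a public IP"
        return False, (f"public subnet via {target} but ENI has no public IP "
                       "(awsvpc task ENIs on EC2 never get one); move the task to a "
                       "private subnet routed through a NAT gateway")
    if r.get("InstanceId"):
        return True, f"default route via NAT instance {r['InstanceId']}"
    return False, f"default route points at unexpected target {target!r}"


def check_subnet(subnet_id, region="us-east-1"):
    """Live check (assumes boto3 and credentials; not exercised offline).

    Falls back to the VPC main route table when the subnet has no explicit
    route table association, which is how AWS resolves it.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    tables = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])["RouteTables"]
    if not tables:
        vpc_id = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]["VpcId"]
        tables = ec2.describe_route_tables(Filters=[
            {"Name": "vpc-id", "Values": [vpc_id]},
            {"Name": "association.main", "Values": ["true"]}])["RouteTables"]
    return classify_egress(tables[0]["Routes"])


if __name__ == "__main__":
    for name, routes in [("before fix", SUBNET_BEFORE_FIX), ("after fix", SUBNET_AFTER_FIX),
                         ("public subnet", PUBLIC_SUBNET), ("blackholed", BLACKHOLED_SUBNET)]:
        ok, why = classify_egress(routes)
        print(f"{name:14s} egress={'ok' if ok else 'BLOCKED'}: {why}")
```

Run it as a script to see the four constructed cases, or call `check_subnet("subnet-...")` against a real account to classify the subnet an ECS task lands in. The "public subnet" case is the one that surprises people with awsvpc on EC2: the route table looks fine, but the task ENI has no public IP, so the internet gateway cannot translate for it.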